In Place Upgrade of Windows Server

 In Place Upgrade KB ID 0001895

Problem

An in-place upgrade of a Windows Server, where you update an existing server installation to a newer version without reinstalling from scratch, can be a powerful way to bring older infrastructure up to date without the lengthy process of rebuilding a system and restoring data. The allure of this method lies in its simplicity and time efficiency; theoretically, you can go from, say, Windows Server 2016 to Windows Server 2022 with much less downtime, keeping configurations, applications, and user data intact. This can be especially appealing in scenarios where budget or time constraints make a full migration impractical, or for environments where a server holds critical roles that are complex to reconfigure from scratch.

However, while in-place upgrades have their perks, they aren’t without pitfalls. For starters, there’s always a risk of compatibility issues, especially if the server runs legacy software that might not play nicely with the new OS version. Performance problems can also arise, as remnants of old files and configurations may lead to a less than optimised system, compared to a clean installation. Additionally, any existing issues on the server, such as misconfigurations, registry bloat, or malware, can carry over to the new version, potentially causing instability. Therefore, before deciding on an in-place upgrade, it’s essential to weigh these pros and cons carefully, considering both the potential gains and risks based on your environment and long-term plans.

As I’ve previously stated, I prefer to do in place upgrades. If you have less than 50 servers and an IT support team, you may want to plan a clean install and data migration, but there comes a point where that’s simply not practical. My firm looks after more than 10 thousand Windows servers, and when a ‘wave’ of them goes outside of supportability, we either stop supporting them or offer an in-place upgrade.

Windows Server In Place Upgrade Paths

| Current OS | Upgrade Path to Windows Server 2022 | Upgrade Path to Windows Server 2025 |
|---|---|---|
| Windows Server 2008 | Upgrade to Windows Server 2008 R2 → Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 | Upgrade to Windows Server 2008 R2 → Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025 |
| Windows Server 2008 R2 | Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 | Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025 |
| Windows Server 2012 | Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 | Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025 |
| Windows Server 2012 R2 | Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 | Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025 |
| Windows Server 2016 | Direct upgrade to Windows Server 2022 | Direct upgrade to Windows Server 2025 |
| Windows Server 2019 | Direct upgrade to Windows Server 2022 | Direct upgrade to Windows Server 2025 |
| Windows Server 2022 | NA | Direct upgrade to Windows Server 2025 |

Note: Server 2025 information is not official at time of writing; the information was provided by Microsoft Copilot.

Solution : In Place Upgrade

In Place Upgrade Planning and Pre Upgrade Steps

As well as making sure you have the compute and storage requirements (of the OS that you are upgrading to), make sure your hardware and/or Hypervisor supports the target OS. Then you have things to consider.

  • Roles And Features.
  • Microsoft Applications.
  • Third Party Applications.

Roles and Features: these are add-on components to the OS that you can enable (add) or disable (remove). Some common ones, like DNS server or DHCP server, we just accept and don’t even worry about, but what about roles like Certificate Services? Or a feature like NDES? What if the server is a domain controller? I’ll attempt to answer SOME of those questions below, but this is another reason why you should check, research, and test before upgrading.

Show all Roles and Features With PowerShell

[box]

Get-WindowsFeature

[/box]

Microsoft Applications: Here I’m talking about things like Microsoft Exchange, Microsoft SQL, Microsoft Teams etc. Each one of those has its own dependencies, OS requirements and upgrade paths that you may need to take into consideration. My personal preference is to migrate these applications onto new clean servers rather than in-place upgrade. I’ve done two in place upgrades of Exchange on the test bench and both of those were 100% successful, I’d be less happy doing them in production, and I’ve got a lot of articles showing you how to upgrade and migrate Exchange, I suggest you look there first!

Third Party Applications: This will vary from use case to use case, but consider your AV and security products: do they support the new OS? Does your backup and replication software support the new OS? That’s before you look at your line of business or back office applications, like print management software, or the software that controls your building access for example.

Show all Installed Software With PowerShell

[box]

Get-WmiObject -Class Win32_Product

[/box]
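As an added example (not from the original article), the pre-upgrade inventory below saves the installed roles/features, installed software and non-Windows auto-start services to CSV, so the same lists can be compared after the upgrade. It reads the registry Uninstall keys rather than Win32_Product, because Win32_Product only lists MSI-installed software and querying it triggers a consistency check of every MSI package. The output folder and the file naming are assumptions.

```powershell
# Added example (not from the original article): pre-upgrade inventory.
# Assumptions: Windows PowerShell 3.0 or later, elevated session; $OutDir is a placeholder.
$OutDir = 'C:\UpgradeInventory'
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Export-Inventory {
    param([string]$Name, [object[]]$Data)
    $path = Join-Path $OutDir "$env:COMPUTERNAME-$Name-$Stamp.csv"
    $Data | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
    Write-Host ("{0,-10} {1,5} rows -> {2}" -f $Name, @($Data).Count, $path)
}

# 1. Current OS version and build, to confirm the starting point of the upgrade path.
$os = Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, OSArchitecture
Export-Inventory -Name 'os' -Data $os

# 2. Installed roles and features only (Get-WindowsFeature alone lists everything).
Import-Module ServerManager
$features = Get-WindowsFeature | Where-Object { $_.Installed } |
    Select-Object Name, DisplayName, FeatureType
Export-Inventory -Name 'features' -Data $features

# 3. Installed software from the Uninstall registry keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName, DisplayVersion -Unique
Export-Inventory -Name 'software' -Data $software

# 4. Auto-start services that do not run from the Windows directory:
#    usually the AV, backup and monitoring agents whose OS support needs checking.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch [regex]::Escape($env:windir) } |
    Select-Object Name, DisplayName, State, StartName, PathName
Export-Inventory -Name 'services' -Data $services
```

Run it again after the upgrade and compare the two sets of CSV files (for example with Compare-Object on the Name or DisplayName column) to spot anything that was removed or stopped.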

In Place Upgrade ‘Pre-flight checks’

Most servers these days are virtualised, and time spent on reconnaissance is seldom wasted. If you are considering in place upgrading anything, I would urge you to clone those machines, sandbox them, and perform the in place upgrade in isolation. This will give you a chance to do some functional (post upgrade) testing of the server OS, its installed roles, and any third party applications.

As with all things infrastructure, you’re only as good as your last backup, before doing anything MAKE SURE you have a reliable (tested!) backup. Not just for the server you intend to upgrade but for any server that has a service or software dependency on the server you intend to upgrade.

Ensure the upgrade server is FULLY UPDATED before proceeding.

If the server is virtual, we also have the advantage of being able to take a snapshot prior to the upgrade. (You can even clone a copy and keep it on standby.)

In Place Upgrade Process

Well it’s 95% preparation and 5% execution; the actual upgrade process is alarmingly simple. Present the installation media ISO to the source server (or copy the files to the server and run setup.exe).

At the welcome screen > Next > At this point the system may take some time getting updates > Enter the Windows activation code for the new server OS > Next > Select the version you want to install, remember if you want a server with a GUI interface, select the Desktop Experience option > Next.

At the EULA screen > Accept > Select “Keep files settings and apps” > Next > Install.

At this point the upgrade will take place, the server may reboot, but the upgrade process will continue.

When complete, you will be looking at a login screen, simply authenticate with the same credentials as before.

In Place Upgrade of Domain Controllers

Yes it’s possible, yes I’ve done it multiple times. If all the server is doing is performing Active Directory domain services and other common roles like DNS and DHCP, then I would not bother in place upgrading a domain controller, I’d simply build a fresh one, then decommission the old one (possibly needing to migrate FSMO roles).

But I’ve said it’s possible, just beware you may come across this error during the upgrade.

Active Directory on this domain controller does not contain Windows Server {version} ADPREP / FORESTPREP updates

This one is pretty much self-explanatory, and makes complete sense if you’ve spent any time deploying domain controllers! Well of course it doesn’t! Think about it: if this is the first domain controller with the new OS in the domain, the schema has not been updated for that version of domain controller, which would happen if you were installing a DC from scratch. Here there’s only one server in the domain, and I’m on it. DON’T CLOSE THE UPGRADE WINDOW.

Open an administrative command window and change to the D:\Support\Adprep directory, run adprep.exe /forestprep and when prompted press C {Enter} to continue.

I prefer to also perform an adprep.exe /domainprep, but you can progress in the upgrade without doing this. Below I’m performing the command within PowerShell so I’m using ./adprep.exe /domainprep.

In Place Upgrade of Servers Running Certificate Services

Can you do this? Yes – even if you have a multi-tier PKI deployment (see here). I’ve personally done this twice (Server 2016 > Server 2022 and Server 2019 > Server 2022) and both were 100% successful. You can of course perform a traditional migration of Certificate Services to another server.

In Place Upgrade of Servers Running DHCP

I would not even worry about this; if you wanted to migrate a DHCP scope to another server it’s easy as peas. But in place upgrade of a DHCP server is not a concern, even if they are performing DHCP HA.

In Place Upgrade of Servers Running NPS (Network Policy Server)

I’ve done this successfully, if you wanted to migrate this role manually then simply see the following article Migrate NPS Server.

In Place Upgrade of Servers Running RDS (Remote Desktop  Services)

Whilst supported, be aware that if you upgrade your RDS licensing server, you need to ensure you have CALs/Licenses (or SALs if you’re SPLA licensed) that support the new version of Windows, e.g. 2016 RDS CALs will work with Server 2019 but will not with Server 2022. If you have problems ‘post upgrade‘ delete the following folder “\windows\system32\lserver” then relicense correctly with new CALs/SALs.

Invitation

If you’re reading this and considering an in place upgrade, there may be a role or feature, or piece of software your server is running that I’ve not covered. If so please bookmark this article, and return later, then post below what OS you upgraded from and to, and what Role/Feature/Software you were running. Was it a seamless procedure, or did you encounter a problem, error message, or complete failure? Please post your follow ups below to help the next person.

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Upgrade Server 2012 (In Place)

Windows Server 2025 Domain Join

Server 2025 Domain Join KB ID 0001883

Problem

How to perform a Windows Server 2025 Domain Join (Local Domain). The end process is the same as it’s always been, they’ve just made the job of getting there a little more convoluted (this is the same with Windows 11).

 

Solution: Windows Server 2025 Domain Join

Before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.

Ensure you can ‘ping’ the domain name (see below). Also here I verify that the IP address that responds is my domain controller (Note: this will only work if your DNS has a correctly set up reverse DNS zone!)

Click the Windows button > System.

System > About.

Advanced System Settings.

   

Computer Name.

Change.

Select ‘Domain’ and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK

*Note: All domain users have the right to join x10 machines to the domain.

OK > OK.

OK > Restart Now > The server will reboot.

Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember, if you are logging on as domain administrator, use DOMAIN\Administrator, or administrator@domain-name.domain extension.

Solution: PowerShell Windows Server 2025 Domain Join

Windows button > Open an administrative PowerShell window.

As above, before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related).

Use the following syntax.
[box]

Add-Computer -DomainName {your-domain-name}

[/box]

When prompted, provide credentials that have rights to add computer object to the domain.

When successfully joined, you will be asked to reboot.

[box]

Restart-Computer

[/box]

Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember, if you are logging on as domain administrator, use DOMAIN\Administrator, or administrator@domain-name.domain extension.
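Because most domain join problems are DNS related, a ping of the domain name is a weaker test than asking DNS for the domain controller locator record the join actually relies on. The following is an added example (not from the original article) that checks the SRV record and TCP reachability of each domain controller before calling Add-Computer; the domain name is a placeholder and the port list is an assumption about what a join typically needs.

```powershell
# Added example (not from the original article): pre-checks before Add-Computer.
# Assumption: $Domain is a placeholder for your AD DNS domain name.
$Domain = 'corp.example.com'

function Test-DomainJoinReadiness {
    param([Parameter(Mandatory)][string]$DomainName)

    # Domain controllers register this SRV record. If it does not resolve, the
    # server is pointing at the wrong DNS server and the join will fail.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No DC locator SRV records for ${DomainName}: $($_.Exception.Message)"
        return $false
    }
    if (-not $srv) {
        Write-Warning "DNS answered, but returned no SRV records for ${DomainName}."
        return $false
    }

    # Assumed port list: Kerberos, RPC endpoint mapper, LDAP, SMB (TCP only).
    $ports = 88, 135, 389, 445
    $ready = $false
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        $failed = foreach ($p in $ports) {
            $ok = Test-NetConnection -ComputerName $dc -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $ok) { $p }
        }
        if ($failed) {
            Write-Warning "$dc is not reachable on TCP port(s): $($failed -join ', ')"
        } else {
            Write-Host "$dc is reachable on all checked TCP ports."
            $ready = $true   # one fully reachable DC is enough to attempt the join
        }
    }
    return $ready
}

if (Test-DomainJoinReadiness -DomainName $Domain) {
    # Same command as above, with the credential prompt and reboot in one step.
    Add-Computer -DomainName $Domain -Credential (Get-Credential) -Restart
} else {
    Write-Warning 'Fix DNS or connectivity first; the join was not attempted.'
}
```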

Leave a Windows Domain Using PowerShell

Firstly I’m making sure I am correctly domain joined by using the following command.

[box]

Get-WmiObject win32_computerSystem | Select-Object -ExpandProperty domain

[/box]

Then to ‘leave’ the domain use the following command.

[box]

Remove-Computer

[/box]

When prompted, reply Y for yes, then to complete the process reboot the server with the following command.

[box]

Restart-Computer

[/box]

Leave a Windows Domain Using GUI

To do the same graphically, it’s just the reverse of a domain join. Use the instructions above to get you to the following dialog, then select workgroup, and enter the workgroup name.

OK > OK.

Close > Restart Now.

Related Articles, References, Credits, or External Links

How to Join a Windows Domain

Windows: Join Azure AD (AAD)

Windows Server 2022 Domain Join

How to Join Windows 11 to a Domain

Windows Server Evaluation Extending & Converting

Server Evaluation Extending & Converting KB ID 0001879

Problem

If you download and install Windows Server evaluation, you get 180 days grace to upgrade it to a full licensed version. Now the internet is awash with articles telling you how you can extend that – in fact you can extend it by 180 days a further SIX TIMES. But what they fail to tell you is that this only works if you DON’T LET IT EXPIRE. Once you’ve breached the 180 days you cannot extend it by 180 days (if you try you only get 10 days grace!)

Day 1

After 180 Days

Solution: Server Evaluation Extending

When the server is first deployed you will have 180 days and SIX REARMS available, which you can see with the following command.

[box]

slmgr -dlv

[/box]

Assuming you are within the 180 day period you can simply extend by 180 days with the following command.

[box]

slmgr -rearm

[/box]

Once rebooted you can check status with the same command we used above (slmgr -dlv).
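Since the rearm only gives the full 180 days if it is run before expiry, it helps to check the remaining time on a schedule rather than waiting for the prompts. This is an added example (not from the original article) that reads the same licensing data slmgr -dlv displays, through the SoftwareLicensingProduct and SoftwareLicensingService WMI classes; the 14 day warning threshold is an assumption.

```powershell
# Added example (not from the original article): report remaining licence time
# and rearm count so a rearm can be done BEFORE the evaluation period expires.
$WarnDays = 14   # assumption: how early you want to be warned

function Get-WindowsLicenceTime {
    # ApplicationID of the Windows operating system in the licensing store.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $filter  = "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"
    $service = Get-CimInstance -ClassName SoftwareLicensingService

    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            Description   = $_.Description
            LicenseStatus = $_.LicenseStatus          # 1 = Licensed
            # GracePeriodRemaining is reported in minutes; 0 means no time limit.
            DaysRemaining = [math]::Floor($_.GracePeriodRemaining / 1440)
            RearmsLeft    = $service.RemainingWindowsReArmCount
        }
    }
}

foreach ($lic in Get-WindowsLicenceTime) {
    $lic | Format-List
    $timeLimited = $lic.DaysRemaining -gt 0
    if ($lic.LicenseStatus -ne 1) {
        Write-Warning "$($lic.Name): not in a licensed state (LicenseStatus $($lic.LicenseStatus))."
    } elseif ($timeLimited -and $lic.DaysRemaining -le $WarnDays) {
        Write-Warning ("{0}: {1} day(s) left, {2} rearm(s) available. Rearm or convert now." -f `
            $lic.Name, $lic.DaysRemaining, $lic.RearmsLeft)
    }
}
```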

Solution: Server Evaluation Extending (If Expired)

If you have been on the server it would have warned you with prompts like this.

What Happens If The Windows Server Evaluation License Expires?

The server will shut itself down, 1 hour after it has been powered on, (after logging Event ID 1074).

Event ID 1074
The License period for this installation of Windows has expired. the operating system is shutting down.

As mentioned above you can give yourself some breathing room (assuming you have a rearm count of 1 or more) by using the same command to extend (slmgr -rearm). But you will only get 10 days grace to enter a valid key/activation code.

Converting Windows Server Evaluation To Full Version

The other option, and of course what Microsoft want you to do, is convert the evaluation version to a full version. You can see what versions are available by running the following command.

[box]

DISM /Online /Get-TargetEditions

[/box]

My only option is ServerDatacenter – so I can convert to that version and enter a valid Windows Key to licence the server at the same time.

[box]

DISM /Online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

[/box]

Then (when asked) reboot the server to complete the procedure.

Note: Before you email me to point out there’s a Windows licence key in that screenshot (above) that’s the Windows Server 2022 KMS Key.

Related Articles, References, Credits, or External Links

NA

Windows File Server Migration (Maintain Share & NTFS Permissions)

KB ID 0001201

Problem

When attempting a File Server Migration why isn’t this better publicised? Did you know Microsoft have a set of Migration tools, and one of them is for file servers? Now traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up, and restore them to the new server. This is because the file permissions on ‘correctly deployed’ user profiles mean you can’t open them.

How about a tool, that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND Share permissions!

Windows File Server Migration Tools

Source Server Pre-requisites

  • Server 2003: .Net 2.0 (With SP1), and PowerShell 2.0, and 25MB free drive space.
  • Server 2008: PowerShell and 25MB free drive space.
  • Server 2008 R2 and Newer: 25MB free drive space.
  • All: UDP port 7000 needs to be open, from source to the destination server.

File Server Migration Server 2008 to Server 2019

File Server Migration from Server 2003!

  • Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
  • Destination Server: Windows 2012 R2 Data Center 2012 

Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.

You need to create a shared folder on the Source Server, I’ve just granted everyone full control, (this is just for the migration tools).

 

Destination Server: Open a PowerShell window and install the tools with the following command;

[box]

Install-WindowsFeature Migration -ComputerName {computer-name}

[/box]

Open an administrative command window > Now you need to deploy the migration tools to the share on the destination server, to do that use the following command;

[box]

cd C:\Windows\System32\ServerMigrationTools

SmigDeploy.exe /package /architecture amd64 /os WS03 /path \\{Destination-Server}\{folder-name}

[/box]

Note: For x86 (32 bit) source servers use x86 instead of amd64. WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).

Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;

[box]

.\smigdeploy

[/box]

Another PowerShell window will open, leave it open, and return to the destination server.

Destination Server: Here I’ve created a folder that I’m going to migrate into.

Destination Server: Open a PowerShell window and issue the following two commands;

[box]

add-pssnapin microsoft.windows.servermanager.migration

Receive-SmigServerData

[/box]

You will be asked to provide a password, (use what you want, but remember it, you will need it in a minute).

You now have a five minute window to get the migration running, or you will need to re-issue the last command.

Source Server: Return to your open PowerShell Window, and issue the following command;

[box]

Send-SmigServerData -ComputerName {destination-computer-name} -SourcePath {path-to-source-folder} -DestinationPath {path-to-destination-folder} -include all -recurse

[/box]

Supply the password, then go and put your feet up.

Destination Server: You can watch progress here.

Profiles migrated! And permissions intact.

Don’t forget to change the path to the user profile, on the user(s) user object(s) in Active Directory.

If you have a lot you can do them in bulk by multi-selecting the users.

 

Related Articles, References, Credits, or External Links

XCOPY – Insufficient Memory

Migrating – Folders and Share Permissions

The Web Site for the CA Must be Configured to use HTTPS

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

The correct fix is to set the web server (IIS) to serve the certificate website securely using https, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry.

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.

 

2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.

Note: If https is missing simply add it!

2. Expand Default Web Site > Certsrv > SSL Settings.

 

3. Tick ‘Require SSL’ > Apply.

4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.
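The IIS steps above can also be scripted, which avoids loosening the Trusted Sites zone on every client. This is an added example (not from the original article) using the WebAdministration module on the Certificate Services server; the site and application names are the defaults, and the thumbprint is a placeholder for the server certificate (not the CA certificate) in the LocalMachine\My store.

```powershell
# Added example (not from the original article): scripted form of the IIS steps.
# Assumptions: default site/application names; $Thumbprint is a placeholder.
Import-Module WebAdministration
$Site       = 'Default Web Site'
$App        = 'CertSrv'
$Thumbprint = 'REPLACE_WITH_SERVER_CERT_THUMBPRINT'

# Step 1: make sure an https binding exists and has a certificate attached.
$binding = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
if (-not $binding) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
}
if (-not $binding.certificateHash) {
    if (-not (Test-Path -Path "Cert:\LocalMachine\My\$Thumbprint")) {
        throw "Certificate $Thumbprint was not found in LocalMachine\My."
    }
    $binding.AddSslCertificate($Thumbprint, 'My')
}

# Steps 2 and 3: tick 'Require SSL' on the CertSrv application.
$access = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$Site/$App"
    Filter   = 'system.webServer/security/access'
    Name     = 'sslFlags'
}
Set-WebConfigurationProperty @access -Value 'Ssl'

# Check: a plain http request to the portal should now be refused by IIS.
try {
    Invoke-WebRequest -Uri "http://localhost/$App/" -UseBasicParsing | Out-Null
    Write-Warning 'Plain HTTP is still being served; try iisreset /noforce.'
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    Write-Host "HTTP request refused with status $code (403 is expected once Require SSL is active)."
}
```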

Related Articles, References, Credits, or External Links

NA

Windows Server – Disable ‘Defender’

KB ID 0001710

Problem

I got a call last night to help out a colleague, this involved using a ‘dubious’ piece of software that is very old, (I won’t elaborate further). But to run it on a modern Windows Server is nearly impossible. The host detects the software as being infected (it may well be, but I’ve never suffered). So I need to keep the software in a password protected Zip file, and only extract it on a Virtual machine that I don’t mind sacrificing!

That’s great, but Defender was having none of this, so I needed to ‘temporarily‘ stop its real time protection.

Note: Standard warning, disabling Windows Defender on a production machine is not a good idea, (without another 3rd party anti virus/anti malware product.)

Solution

To get Defender stopped, open an administrative PowerShell window, and execute the following command;

[box]Set-MpPreference -DisableRealTimeMonitoring $true[/box]

I could then get up to my ‘black hatted shenanigans‘, to re-enable simply use;

[box]Set-MpPreference -DisableRealTimeMonitoring $false[/box]

Other Options To Disable Windows Defender

You can disable Defender using the following group Policy;

[box]Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Turn off Windows Defender Antivirus > Set to Enabled[/box]

Or by setting the following registry key;

[box]HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender[/box]

Create a new DWORD (32 bit) called DisableAntiSpyware and set its value to ‘1’.

How To Remove Windows Defender

If you got here wanting to simply remove Windows Defender, then use the following command instead;

[box]Uninstall-WindowsFeature Windows-Defender[/box]
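A ‘temporary’ change like the ones above is easy to forget, so it is worth being able to check a server for each of them. This is an added example (not from the original article) that reports whether Defender has been left off by the feature removal, the Set-MpPreference switch, or the policy registry value, and lists recent ‘real-time protection disabled’ events; the function name is hypothetical.

```powershell
# Added example (not from the original article): report whether Defender has been
# left switched off by any of the methods described above. Run elevated.
function Get-DefenderProtectionFinding {
    $findings = New-Object System.Collections.Generic.List[string]

    # Removed with Uninstall-WindowsFeature?
    $feature = Get-WindowsFeature -Name Windows-Defender
    if (-not $feature.Installed) {
        $findings.Add('Windows-Defender feature is not installed.')
        return $findings
    }

    # Real-time protection switched off with Set-MpPreference?
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        $findings.Add('Defender antivirus is not enabled.')
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is OFF.')
    }
    if ((Get-MpPreference).DisableRealtimeMonitoring) {
        $findings.Add('Preference DisableRealtimeMonitoring is set to $true.')
    }

    # Disabled by Group Policy or by the registry value (both write this DWORD).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $key -Name DisableAntiSpyware `
                -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($value -eq 1) {
        $findings.Add("DisableAntiSpyware = 1 under $key.")
    }

    # Event ID 5001 is logged when real-time protection is disabled.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings.Add("Event 5001 (real-time protection disabled) logged at $($e.TimeCreated).")
    }

    return $findings
}

$result = Get-DefenderProtectionFinding
if ($result.Count -eq 0) {
    Write-Host 'Defender is installed and real-time protection is on.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```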

Related Articles, References, Credits, or External Links

NA

Windows Server: Stop Programs Auto Starting / Auto Running

KB ID 0001600

Problem

I like to learn the keyboard shortcuts for these sort of things, (because developers will change the way things are done in the GUI). So in the good old days I simply ran msconfig, and located the offending software on the startup list and disabled it. Then that got removed and put in ‘Task Manager’, then that got removed. So I’m pulling a frowny face at Microsoft Developers for their lack of continuity 🙁 (It’s not just them Cisco and VMware are just as bad!) 

I’ve got an administration server I use, (Server 2016,) and it’s got a load of software on there that usually would not be on a server, Skype Client, Citrix Client etc. So how do I stop them autoloading?

Solution

Well I could start digging around in the registry manually, but a much simpler option is to download and run AutoRuns;

Either untick the offender or right click and go to the source and manually disable it yourself.

Related Articles, References, Credits, or External Links

Massive thanks to Sysinternals and Mark Russinovich, who has been bailing me out of the mire for many years!

HP Intelligent Provisioning Can’t See USB Media?

KB ID 0001555

Problem

Life was simpler when we had DVD Drives and a wallet full of CD/DVDs! I was building an HP DL360 this morning and needed to install Windows. I created a bootable USB with Unetbootin and selected a Windows Server ISO, it wouldn’t boot. So I thought ‘Fine I’ll play the game’, and I pressed F10 for Intelligent Provisioning.

After selecting USB media – the system could not see my USB Drive? 

After a couple of seconds head scratching the penny dropped, it wants the iso not a bootable drive, (doofus!) So I used a FAT formatted USB and that didn’t work either?

Option 1: Use iLO

Before you all start emailing me, you can install an operating system from virtual media WITHOUT an advanced iLO licence! Annoyingly I was building the server on the bench, so I had to connect my laptop into the iLO with a crossover cable but, here’s me proving it works.

Option 2: Use ExFAT

Format your USB drive using ExFAT, luckily I use macOS and Disk Utility will format a drive using ExFAT for me.

Note: Windows will also format as ExFAT 🙂

Then simply put your install .ISO file(s) on the media.

Now you can see your install media.

Option 3: Use the HP Media Creator

I didn’t try this option, but feel free to download it and give it a try, comment below to let me know how you get on.

HP USB Key Utility for Windows v3.0.0

Related Articles, References, Credits, or External Links

NA

Windows Adding Firewall Rules With PowerShell

KB ID 0001538

Problem

There was a question on Experts Exchange this morning, the asker wanted to be able to add a ‘Trusted’ network range to their Windows Server Firewall settings as an ‘allow all ports’ rule.

Solution

You can of course add this manually in the GUI. Normally I’d simply Add a Firewall Rule with a Group Policy, but the problem with that is, that’s fine if you want to open a particular TCP/UDP/ICMP port, but NOT if you want to open ALL ports. But you CAN use PowerShell like so;

[box]

New-NetFirewallRule -RemoteAddress 192.168.100.0/24 -DisplayName "Trusted Subnet" -Direction inbound -Profile Any -Action Allow

[/box]

Then you can check the settings, just as if you had created the rule in the GUI.
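An ‘allow all ports’ rule is only as tight as its remote address range and the profiles it applies to, so it is useful to be able to list every rule of that kind on a server. This is an added example (not from the original article) that finds enabled inbound allow rules with no protocol, port or program restriction and flags the ones open to any source or active on every profile; the function name is hypothetical.

```powershell
# Added example (not from the original article): list enabled inbound 'allow' rules
# that are not limited by protocol/port or program, like the Trusted Subnet rule above.
function Get-BroadInboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter

        # Protocol 'Any' means every port; Program 'Any' means every listening process.
        if ($port.Protocol -eq 'Any' -and $app.Program -eq 'Any') {
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = @($addr.RemoteAddress) -join ', '
                AnySource     = (@($addr.RemoteAddress) -contains 'Any')
                AllProfiles   = ($_.Profile -eq 'Any')
            }
        }
    }
}

$rules = @(Get-BroadInboundAllowRule)
$rules | Sort-Object DisplayName | Format-Table -AutoSize

# Rules open to any source address deserve the first look.
$rules | Where-Object { $_.AnySource } | ForEach-Object {
    Write-Warning "'$($_.DisplayName)' allows all ports from ANY remote address."
}

# Rules scoped to a subnet but active on every profile also apply on Public networks.
$rules | Where-Object { -not $_.AnySource -and $_.AllProfiles } | ForEach-Object {
    Write-Host "'$($_.DisplayName)' is limited to $($_.RemoteAddress) but applies to all profiles."
}
```

If the trusted range is only ever reached while the server is on its domain network, the same New-NetFirewallRule command can be created with -Profile Domain instead of -Profile Any.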

 

Related Articles, References, Credits, or External Links

NA