
How to Plan a Windows Server Upgrade or Move to Azure

Windows Server 2016/2019 end-of-support dates, ESU pricing, in-place upgrade paths, and how to migrate to Azure with Azure Migrate. A technical guide for IT leaders.

Summary:
Windows Server upgrade planning is governed by fixed end-of-support dates: Extended Security Updates for Server 2012/2012 R2 end October 13, 2026, and Server 2016 loses all support January 12, 2027.
Organizations can upgrade in place, migrate roles to fresh hardware, rehost to Azure IaaS, or replatform to a managed Azure service, and each workload can take a different path depending on its constraints and existing Microsoft licensing.

A Windows Server upgrade rarely starts with a strategy document. It starts with a date. An end-of-support notice lands in your inbox, a vulnerability scan flags an unsupported OS, or a new line-of-business application refuses to install on Server 2012 R2.

The server nobody wanted to touch becomes the one thing standing between the business and its next project.

The decision in front of you has four real destinations: upgrade the operating system in place, rebuild on fresh hardware and migrate the roles across, rehost the workload in Azure, or replatform it onto a managed Azure service.

Each path has different mechanics, different failure modes, and a different bill. The right one depends on the workload, the deadline, and what you already pay Microsoft.

The Support Timeline That Sets Your Deadline

Everything downstream is governed by one thing: the date your version stops receiving security updates. When a version reaches end of support, Microsoft stops shipping security patches, bug fixes, and technical assistance. The OS keeps running. Every new vulnerability discovered after that date stays open forever, new agent and application versions stop certifying against it, and the next audit or cyber-insurance review flags it on sight.

Here is where each version stands, drawn from Microsoft's lifecycle and Extended Security Updates documentation.

| Windows Server version | Mainstream support ended | Extended support ends | Where it stands now |
|---|---|---|---|
| 2012 / 2012 R2 | Oct 9, 2018 | Oct 10, 2023 | Paid ESU ends Oct 13, 2026 |
| 2016 | Jan 11, 2022 | Jan 12, 2027 | Under 12 months left |
| 2019 | Jan 9, 2024 | Jan 9, 2029 | Security-only, plan the move |
| 2022 | Oct 13, 2026 | Oct 14, 2031 | Supported |
| 2025 | ~2029 | Into 2034 | Current release |

Two of these deadlines are close enough to reshape your roadmap this quarter. Windows Server 2012 and 2012 R2 are in the final year of paid Extended Security Updates, which end for good on October 13, 2026.

Windows Server 2016 loses all support on January 12, 2027, and it still runs a large share of production estates: telemetry from asset-discovery vendor Lansweeper, reported in early 2026, put Server 2016 at roughly a fifth of the Windows Servers it monitors. That figure is vendor telemetry rather than a census, so read it as direction, not gospel, but the direction is clear enough.

The distinction between mainstream and extended support matters for planning. A version in mainstream support gets features, bug fixes, and security patches. Once it crosses into extended support, it receives security fixes only.

Server 2019 sits there today, and Server 2022 moves into that phase in October 2026 with no functional impact for most workloads. Running past the extended date is the line you cannot cross safely.

The stakes are not theoretical. The Verizon 2025 Data Breach Investigations Report found that exploiting a known vulnerability was the initial access vector in 20% of breaches, a 34% jump over the prior year, closing in on stolen credentials at 22%.

Ransomware appeared in 44% of breaches, up from 32%. An unpatched, out-of-support server is precisely the kind of exposure that shows up in those numbers, and it is one of the few you can close entirely by choosing to act.

If your ransomware plan leans on backups alone, the harder question of what happens when there's nothing left to restore is worth sitting with before, not after, an incident.


Extended Security Updates Are a Bridge, Not a Destination

When the calendar runs out before your migration does, ESU buys time. It delivers Critical and Important security patches for a maximum of three years past end of support, and nothing else. No features, no non-security fixes, no design changes.

Two facts about ESU are worth getting right, because plenty of guidance gets them wrong.

  • The pricing does not escalate for Server 2012 / 2012 R2. It is a flat 100% of the full license price per year, every year. The widely repeated "75% then 100% then 125%" schedule applied to the older Windows Server 2008 program. You also cannot skip years: buying Year 3 requires having bought Years 1 and 2, and late enrollment back-bills the months you missed.
  • ESU is free when the workload runs in Azure. VMs on Azure, Azure Dedicated Host, Azure VMware Solution, and the Azure Local (Azure Stack HCI) portfolio receive ESU at no cost beyond running the VM, with no Software Assurance requirement. That single detail changes the math on whether to lift a stubborn legacy workload into Azure rather than pay for on-prem ESU.

Delivery has modernized too. You can still activate ESU with a MAK key from Volume Licensing, or you can enable it through Azure Arc, which delivers the updates keyless on a pay-as-you-go monthly basis and, in the same motion, projects the server into Azure for governance. Treat ESU as a runway to finish a migration cleanly, not a way to avoid one.

Your Four Paths, and How to Choose Between Them

Before the mechanics, the shape of the decision:

| Path | What it is | Best when | Main risk |
|---|---|---|---|
| In-place upgrade | Run setup on the existing OS, keep roles and data | Hardware is fine, roles are simple, downtime window exists | Failed upgrade, app incompatibility, no clean rollback |
| Clean install + migrate roles | Stand up a fresh OS, move roles and workloads across | Old source version, fragile roles, domain controllers | More labor, careful cutover sequencing |
| Rehost to Azure (IaaS) | Lift the VM to an Azure virtual machine, largely as-is | Workload stays as-is for a year or more, exit from aging hardware or VMware | Right-sizing errors, run-rate cost if left unoptimized |
| Replatform to Azure (PaaS) | Move to a managed service such as Azure SQL Managed Instance | Workload can tolerate managed-service constraints, want less admin | Compatibility gaps, refactoring effort |

You do not have to pick one path for the whole estate. Most environments end up with a mix: a few servers upgraded in place, the domain controllers rebuilt clean, a database rehosted to Azure, and a legacy app retained on ESU while its replacement is built. The value is in matching each workload to the path that fits it.

In-Place Upgrade Mechanics

The in-place upgrade got materially better with Windows Server 2025. Earlier releases allowed only a two-version jump. Server 2025 supports a four-version jump on non-clustered systems, so a box running 2012 R2, 2016, 2019, or 2022 can go straight to 2025 without intermediate hops. Clustered systems still advance one version at a time through a rolling upgrade.

There are two ways to run it. You can boot the Server 2025 media and run setup, or, for servers on 2019 and 2022, you can take the upgrade through Windows Update. The Windows Update route is opt-in. You set a registry value to allow it and install the required cumulative update first.

Value:  AllowWindowsServerFeatureUpdate
Type:   REG_DWORD
Data:   1
(under the Windows Update UX settings key)

Prerequisite cumulative update:
    Windows Server 2022  ->  KB5078766
    Windows Server 2019  ->  KB5078752

Confirm the exact current KB against Microsoft's documentation before you deploy, because these roll forward. Each upgraded server needs a new Server 2025 product key, and the single most common cause of a failed upgrade is insufficient free space on the system drive, so clear 30 to 40 GB before you start and budget roughly two hours per server.

A few hard limits apply to any in-place upgrade:

  • No change of architecture (32-bit to 64-bit), installation language, or between Server Core and Desktop Experience.
  • No upgrade onto an evaluation build, and no downgrade of edition. You can move Standard to Datacenter, but not the reverse.
  • Windows Server 2008 and 2008 R2 have no supported in-place path to any modern version. Those workloads move to new hardware or into Azure.

One rule sits above the rest: do not upgrade a domain controller in place. Microsoft's own guidance is to promote a fresh DC and demote the old one. An in-place DC upgrade keeps the Active Directory database locked to its legacy 8 KB page size and forfeits the 32 KB format that Server 2025 introduces. Domain controllers get the clean-install treatment, always.
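The limits above can be turned into a pre-flight gate that runs before anyone mounts the media. This is an added example, not code from the article or from Microsoft: the function names, property names and sample servers are hypothetical, and the cluster check (a running ClusSvc service) is a heuristic.

```powershell
# Added example: pre-flight gate for a direct in-place upgrade to Server 2025.
# Function and property names are hypothetical; the rules are the article's.

# Build numbers of the four source versions the article lists for a direct jump.
$DirectSources = @{ 9600 = '2012 R2'; 14393 = '2016'; 17763 = '2019'; 20348 = '2022' }

function Get-UpgradeFacts {
    # Collects the facts from the local server; run it on the upgrade candidate.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $cv   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    $clus = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name               = $cs.Name
        Build              = [int]$os.BuildNumber
        EditionId          = $cv.EditionID          # e.g. ServerStandard, ServerDatacenter
        InstallationType   = $cv.InstallationType   # 'Server' (Desktop Experience) or 'Server Core'
        FreeGB             = [math]::Round($disk.FreeSpace / 1GB, 1)
        IsDomainController = $cs.DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
        IsClusterNode      = ($null -ne $clus) -and ($clus.Status -eq 'Running')  # heuristic
    }
}

function Test-InPlaceUpgrade {
    param(
        [Parameter(Mandatory)] $Facts,
        [ValidateSet('Server', 'Server Core')] [string] $TargetInstallationType = 'Server',
        [ValidateSet('Standard', 'Datacenter')] [string] $TargetEdition = 'Standard',
        [switch] $TargetIsEvaluationMedia,
        [double] $MinFreeGB = 40   # upper end of the article's 30 to 40 GB guidance
    )
    $blockers = @()   # plain array so the script also runs on older PowerShell versions
    if (-not $DirectSources.ContainsKey($Facts.Build)) {
        $blockers += "build $($Facts.Build) is not a listed direct source (2012 R2, 2016, 2019, 2022)"
    }
    if ($Facts.IsDomainController) { $blockers += 'domain controller: promote a fresh DC and demote this one' }
    if ($Facts.IsClusterNode)      { $blockers += 'cluster node: rolling upgrade, one version at a time' }
    if ($Facts.InstallationType -ne $TargetInstallationType) {
        $blockers += "cannot switch '$($Facts.InstallationType)' to '$TargetInstallationType'"
    }
    if ($Facts.EditionId -like '*Datacenter*' -and $TargetEdition -eq 'Standard') {
        $blockers += 'edition downgrade (Datacenter to Standard) is not allowed'
    }
    if ($TargetIsEvaluationMedia) { $blockers += 'target media is an evaluation build' }
    if ($Facts.FreeGB -lt $MinFreeGB) {
        $blockers += "only $($Facts.FreeGB) GB free on the system drive, need $MinFreeGB GB"
    }
    [pscustomobject]@{
        Name     = $Facts.Name
        Source   = $DirectSources[$Facts.Build]
        Eligible = $blockers.Count -eq 0
        Blockers = $blockers -join '; '
    }
}

# Constructed sample facts so the rules can be exercised without touching a server.
$samples = @(
    [pscustomobject]@{ Name = 'APP01'; Build = 14393; EditionId = 'ServerStandard'; InstallationType = 'Server'
                       FreeGB = 62.5; IsDomainController = $false; IsClusterNode = $false }
    [pscustomobject]@{ Name = 'DC01'; Build = 17763; EditionId = 'ServerStandard'; InstallationType = 'Server'
                       FreeGB = 80.0; IsDomainController = $true; IsClusterNode = $false }
    [pscustomobject]@{ Name = 'FS01'; Build = 9600; EditionId = 'ServerStandard'; InstallationType = 'Server Core'
                       FreeGB = 18.2; IsDomainController = $false; IsClusterNode = $false }
)
$samples | ForEach-Object { Test-InPlaceUpgrade -Facts $_ } | Format-Table -AutoSize -Wrap
# On a real candidate: Test-InPlaceUpgrade -Facts (Get-UpgradeFacts) -TargetEdition Datacenter
```

Installation language and the product key are not checked here because both depend on the target media rather than the source server.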

Migrating Roles the Right Way

When you rebuild rather than upgrade, each role has its own migration mechanics.

Active Directory Domain Services

To add a Server 2025 domain controller, your domain and forest must already sit at least at the Windows Server 2016 functional level. The workflow is well-trodden:

  • Prepare the schema. Server 2025 media runs adprep /forestprep and adprep /domainprep automatically when you add the AD DS role, provided the account has Schema Admins and Enterprise Admins rights and can reach the schema and infrastructure masters.
  • Promote the new DC through Server Manager, then move the five FSMO roles across and confirm placement.
  • Verify replication and SYSVOL health before you demote anything.
  • Demote the legacy DCs, then raise the domain and forest functional levels once every DC is on 2025.

# Requires the ActiveDirectory PowerShell module
Import-Module ActiveDirectory

# Move all five FSMO roles to the new DC
# (the backtick must be the last character on the line, with no trailing spaces)
Move-ADDirectoryServerOperationMasterRole -Identity "NEW-DC01" `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

netdom query fsmo            # confirm role placement
dfsrmig /getglobalstate      # SYSVOL should report "Eliminated" (running on DFSR)
repadmin /replsummary        # replication health
dcdiag /v                    # domain controller diagnostics

Raising the functional level with Set-ADDomainMode and Set-ADForestMode is a one-way operation, and Server 2025 brings the first new functional level since 2016. Confirm replication is clean and SYSVOL runs on DFSR before you commit. If this migration is happening alongside a broader identity shift, the mechanics of moving from on-prem Active Directory to Microsoft Entra ID deserve their own plan rather than being bolted onto the server work.
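Because the functional-level raise cannot be undone, the verification steps are worth encoding as a gate rather than reading four command outputs by eye. The following is an added example, not the article's or Microsoft's code: the function names, the `corp.example` domain and the sample state are hypothetical, and it assumes a single-domain forest.

```powershell
# Added example: gate before demoting legacy DCs or raising functional levels.
# Function names and sample data are hypothetical; single-domain forest assumed.

function Get-AdCutoverState {
    param([Parameter(Mandatory)] [string] $NewDc)   # FQDN of the new Server 2025 DC
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        NewDc        = $NewDc
        FsmoHolders  = @{
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
        DcOs         = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
        ReplFailures = @(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain)
        SysvolState  = (dfsrmig /getglobalstate) -join ' '
    }
}

function Test-AdCutoverReady {
    param([Parameter(Mandatory)] $State)
    $issues = @()
    foreach ($role in $State.FsmoHolders.Keys) {
        if ($State.FsmoHolders[$role] -ne $State.NewDc) {
            $issues += "$role is still on $($State.FsmoHolders[$role])"
        }
    }
    # Ignore historical entries whose failure count has returned to zero.
    $fails = @($State.ReplFailures | Where-Object { $_.FailureCount -gt 0 })
    if ($fails.Count -gt 0) { $issues += "$($fails.Count) replication link(s) reporting failures" }
    if ($State.SysvolState -notmatch 'Eliminated') {
        $issues += 'SYSVOL is not on DFSR (global state is not Eliminated)'
    }
    # Any DC not yet on Server 2025 blocks the functional-level raise, not the demotion.
    $legacy = @($State.DcOs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2025' })
    [pscustomobject]@{
        SafeToDemoteLegacy = $issues.Count -eq 0
        SafeToRaiseLevels  = ($issues.Count -eq 0) -and ($legacy.Count -eq 0)
        Issues             = $issues -join '; '
        LegacyDcs          = $legacy.HostName -join ', '
    }
}

# Constructed sample state: RID master not yet moved, one 2016 DC still present.
$sample = [pscustomobject]@{
    NewDc        = 'NEW-DC01.corp.example'
    FsmoHolders  = @{
        SchemaMaster         = 'NEW-DC01.corp.example'
        DomainNamingMaster   = 'NEW-DC01.corp.example'
        PDCEmulator          = 'NEW-DC01.corp.example'
        RIDMaster            = 'OLD-DC02.corp.example'
        InfrastructureMaster = 'NEW-DC01.corp.example'
    }
    DcOs         = @(
        [pscustomobject]@{ HostName = 'NEW-DC01.corp.example'; OperatingSystem = 'Windows Server 2025 Standard' }
        [pscustomobject]@{ HostName = 'OLD-DC02.corp.example'; OperatingSystem = 'Windows Server 2016 Standard' }
    )
    ReplFailures = @()
    SysvolState  = "Current DFSR global state: 'Eliminated'"   # constructed output line
}
Test-AdCutoverReady -State $sample | Format-List
# Live use on a DC: Test-AdCutoverReady -State (Get-AdCutoverState -NewDc 'NEW-DC01.corp.example')
```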

File servers

The Storage Migration Service, driven from Windows Admin Center, inventories a source server, transfers its files and shares, and can optionally cut over by taking on the source's identity and IP address so clients never notice the swap. It reads sources as old as Windows Server 2003, along with Linux Samba servers and NetApp CIFS, and a 2019 or 2022 destination roughly doubles transfer performance over older targets.

DHCP, DNS, and other roles

The older Windows Server Migration Tools still handle role, setting, and share moves through Export-SmigServerSetting and Import-SmigServerSetting, with data moving over TCP and UDP port 7000. The source and destination need to run the same UI language.

Moving to Azure: The Mechanics

If the destination is Azure, the first decision is how much of the workload you intend to change. Microsoft's Cloud Adoption Framework frames this as a set of options often called the Rs:

  • Rehost lifts the VM to an Azure IaaS virtual machine with no code change. It is the fastest path and the right one when the workload will stay as it is for a year or more.
  • Replatform makes minimal changes to land on a managed service, trading a little effort for lower ongoing administration.
  • Refactor and rearchitect change the code to reduce technical debt or adopt cloud-native design.
  • Rebuild and replace rewrite the workload or swap it for SaaS.
  • Retain and retire keep it where it is or switch it off. Both are legitimate outcomes of an honest assessment.

Azure Migrate is the assessment and move engine

Azure Migrate is the hub for the whole exercise. You deploy an appliance that discovers your estate agentlessly: VMware through vCenter, Hyper-V and physical or other-cloud servers through direct connections.

It reads inventory, running software, and SQL and web-app details using credentials but no installed agents. Its agentless dependency mapping runs across up to 1,000 servers per appliance, polling TCP connections every five minutes with no Log Analytics ingestion cost, which lets you build accurate migration groups so nothing gets stranded behind an undiscovered dependency.

The assessment returns Azure readiness, right-sized VM and SQL recommendations, and projected cost. The migration tool then performs the move. Agentless VMware migration is native to Azure Migrate; agent-based VMware, Hyper-V, and physical migrations run on the Azure Site Recovery replication engine underneath. If you are weighing tooling across clouds, the comparison of AWS Migration Hub, Azure Migrate, and Google Cloud is a useful companion read.

One point of confusion worth clearing: Azure Migrate and Azure Site Recovery share an engine but serve different jobs. Microsoft's guidance is to use Azure Migrate for migration and Azure Site Recovery for disaster recovery.

Migration is a one-way journey with a test-migration step before you commit and a final Complete Migration action; there is no built-in failback. If you need failback capability, that lives on the DR side.

SQL Server has three landing spots

Databases are where the rehost-versus-replatform choice gets concrete.

| Target | Model | Compatibility | Best fit |
|---|---|---|---|
| SQL Server on Azure VM | IaaS | Full | OS-level control, legacy features, SSIS/SSRS/SSAS, self-managed Always On |
| Azure SQL Managed Instance | PaaS | Near-full | Lift-and-shift to PaaS: SQL Agent, cross-database queries, linked servers, VNet isolation |
| Azure SQL Database | PaaS | Cloud-native subset | New or multi-tenant apps, elastic pools, serverless, lowest admin overhead |

The Azure Database Migration Service handles both online moves with minimal downtime and offline moves. Managed Instance is the usual home for an existing SQL Server estate that wants out of patching and backups without a rewrite.

Azure Hybrid Benefit is the licensing lever

If your Windows Server or SQL Server licenses carry active Software Assurance, Azure Hybrid Benefit lets you apply them to Azure compute and pay only for the base infrastructure.

Microsoft cites savings up to around 40% on Windows VMs, up to 85% on SQL against pay-as-you-go, and more when stacked with Reserved Instances. A one-time 180-day dual-use window covers the migration overlap, and an eight-core minimum per VM applies.

Model the realized number, not the headline. Independent analysis summarized by Trusted Tech Team found net savings closer to 23% once Windows Server 2025 licensing was accounted for. Run the calculator against your own inventory.

Cloud bills have a way of drifting, and keeping a handle on that from day one is easier than clawing it back later, a discipline covered in more depth in our look at cloud cost optimization.

Arc, Azure Local, and the VMware question

For servers that stay on-prem, Azure Arc projects them into Azure Resource Manager so they inherit Azure Policy, RBAC, Update Manager, Defender for Cloud, and keyless ESU. The Arc control plane is free; the add-on services bill per server.

Azure Local, formerly Azure Stack HCI, runs on-prem infrastructure that behaves like Azure, and under Hybrid Benefit its host and Windows Server subscription fees are waived along with ESU.

Azure VMware Solution runs a VMware estate in Azure with little to no refactoring. It has taken on new weight since Broadcom changed VMware Cloud Foundation licensing in November 2025 to bring-your-own-subscription on hyperscalers.

That shift has pushed some teams to reassess whether to stay on VMware at all. If that is the conversation in your organization, our breakdowns of Hyper-V versus VMware versus Nutanix and what happens to your backup strategy when you leave VMware go deeper than this guide can.

Patching changes on the way in

Microsoft deprecated WSUS in September 2024. It still ships in Server 2025 and stays supported through the OS lifecycle, but it receives no new features, and Server 2025 hardening blocks it from distributing ESU to end-of-life systems.

Azure Update Manager is the direction of travel: it governs update compliance across Azure, Arc-connected on-prem, and multicloud from one place, free for Azure VMs and free for Arc servers when you carry Defender for Servers Plan 2, Software Assurance, or Arc-enabled licensing.

If you are also rethinking device and endpoint management, the same pattern shows up in the SCCM to Intune migration work, and it is worth sequencing the two together.

Networking follows the same landing-zone logic either way. ExpressRoute gives you private, predictable bandwidth; a VPN gateway is faster to stand up over the internet. Build the landing zone (networking, identity, and policy guardrails) in the Ready phase before any production workload moves.

On-Prem, Azure, or Hybrid: Deciding Per Workload

The destination question comes down to a handful of technical criteria rather than a blanket cloud-first or cloud-never stance.

| If the deciding factor is... | Lean toward |
|---|---|
| Sub-millisecond latency or heavy on-prem data gravity | On-prem refresh or hybrid via Arc / Azure Local |
| Data residency or OS-level control requirements | SQL on Azure VM, Azure Local, or AVS with VNet isolation |
| Existing SA-covered Windows and SQL licenses | Azure via Hybrid Benefit |
| Stable legacy app you will not touch | Rehost to IaaS, or retain on a supported OS |
| App that needs scale and lower admin overhead | Replatform or refactor to PaaS |

If a public-cloud rehost does not clear your cost hurdle once you run real numbers, an on-prem hardware refresh or Azure Local is a rational answer, and the framework for evaluating IaaS providers applies whether the infrastructure sits in Azure or your own rack.

A Phased Plan You Can Run

The sequence that keeps these projects out of trouble is consistent across estates.

  • Discover and inventory. Deploy the Azure Migrate appliance, catalog every OS version and role, and tag each server with its end-of-support date.
  • Map dependencies. Run dependency analysis for at least 24 hours, ideally several days, then validate the map with application owners and form migration groups.
  • Assess and right-size. Generate readiness, SKU, and cost with Hybrid Benefit applied.
  • Rationalize. Assign each workload a path: retain, retire, rehost, replatform, refactor, or rebuild.
  • Build the landing zone. Networking, identity, and policy first.
  • Pilot. Move one low-risk wave end to end and prove the runbook.
  • Plan the waves. Sequence by dependency and risk, and move the oldest, most-exposed operating systems first.
  • Test. Run a test migration or test failover and validate function, performance, security, and integration.
  • Cut over. Schedule the window, complete the migration, and repoint DNS and DHCP.
  • Hold a rollback. A validated backup and a tested restore before every cutover, with the source recoverable until validation passes.
  • Optimize. Re-check sizing and cost, then onboard everything to Update Manager, Defender for Cloud, and Arc.
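The inventory and wave-planning steps both hinge on one number per server: the date it stops receiving security updates, which for 2012 and 2012 R2 depends on whether the server actually gets ESU. This added example (not the article's own code) ranks a constructed inventory by that date; the dates come from the support table in this guide, while the property names, function name, sample rows and reference date are assumptions.

```powershell
# Added example: order an inventory by the date each server stops receiving
# security updates. Dates are from the article's table; the inventory rows,
# property names and function name are constructed for illustration.

$Lifecycle = @{
    '2012'    = @{ ExtendedEnd = [datetime]'2023-10-10'; EsuEnd = [datetime]'2026-10-13' }
    '2012 R2' = @{ ExtendedEnd = [datetime]'2023-10-10'; EsuEnd = [datetime]'2026-10-13' }
    '2016'    = @{ ExtendedEnd = [datetime]'2027-01-12' }
    '2019'    = @{ ExtendedEnd = [datetime]'2029-01-09' }
    '2022'    = @{ ExtendedEnd = [datetime]'2031-10-14' }
}   # versions without an exact date in the table are reported as CHECK

function Get-PatchCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Server,
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $life  = $Lifecycle[$Server.Version]
        $end   = $null
        $basis = 'version not in table'
        if ($life) {
            $end = $life.ExtendedEnd; $basis = 'extended support'
            # ESU only counts if the server really receives it: it is included
            # for Azure-hosted workloads and must be purchased everywhere else.
            if ($life.EsuEnd -and $Server.Hosting -eq 'Azure') {
                $end = $life.EsuEnd; $basis = 'ESU (Azure-hosted)'
            }
            elseif ($life.EsuEnd -and $Server.EsuEnrolled) {
                $end = $life.EsuEnd; $basis = 'ESU (paid)'
            }
        }
        $days = if ($end) { [math]::Floor(($end - $AsOf).TotalDays) } else { $null }
        $status = if (-not $end)         { 'CHECK' }
                  elseif ($days -lt 0)   { 'UNPATCHED' }
                  elseif ($days -le 365) { 'UNDER 12 MONTHS' }
                  else                   { 'SUPPORTED' }
        [pscustomobject]@{
            Name         = $Server.Name
            Version      = $Server.Version
            Role         = $Server.Role
            CoverageEnds = $end
            DaysLeft     = $days
            Basis        = $basis
            Status       = $status
        }
    }
}

# Constructed inventory; in practice this would come from discovery tooling.
$inventory = @(
    [pscustomobject]@{ Name = 'ERP-DB01'; Version = '2016';    Role = 'SQL';  Hosting = 'OnPrem'; EsuEnrolled = $false }
    [pscustomobject]@{ Name = 'LEGACY01'; Version = '2012 R2'; Role = 'App';  Hosting = 'OnPrem'; EsuEnrolled = $false }
    [pscustomobject]@{ Name = 'LEGACY02'; Version = '2012 R2'; Role = 'App';  Hosting = 'Azure';  EsuEnrolled = $false }
    [pscustomobject]@{ Name = 'FILE03';   Version = '2019';    Role = 'File'; Hosting = 'OnPrem'; EsuEnrolled = $false }
    [pscustomobject]@{ Name = 'PRINT01';  Version = '2012 R2'; Role = 'Print'; Hosting = 'OnPrem'; EsuEnrolled = $true }
)

# Earliest loss of patch coverage first: that is the wave order.
$inventory |
    Get-PatchCoverage -AsOf ([datetime]'2026-03-01') |   # constructed reference date
    Sort-Object CoverageEnds |
    Format-Table -AutoSize
```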

The rollback step is the one teams shortchange. In-place upgrades attempt an automatic rollback on failure, and that rollback is not always successful, so a tested restore is the real safety net. Line up your backup and disaster recovery approach before the first cutover, not after the first surprise.

Risks Worth Naming Before Day One

Application compatibility is the risk that derails schedules, so test the actual applications on the target OS or service before you commit a wave. Drivers and third-party agents lag new OS releases and need version checks.

Licensing gets miscalculated when teams plan against headline savings instead of modeled ones. Downtime windows get underestimated.

And the security posture during a half-finished migration is its own exposure, because a partially migrated end-of-life server left reachable is exactly the gap a scanner, or an attacker, finds first. Continuous vulnerability management over the transition window is not optional if the estate includes anything past its support date.

The Deadline Decides. You Decide the Path.

The date on the calendar is fixed. Server 2012 R2's ESU runs out in October 2026, Server 2016 goes dark in January 2027, and no amount of planning moves those lines.

What you control is the path, and the path is a sequencing problem more than a technical one. Inventory first, map dependencies second, assign each workload its honest destination, and keep a tested rollback under every cutover.

Get the sequence right, and the tooling (Azure Migrate, Storage Migration Service, the Database Migration Service) does the heavy lifting on schedule. The servers that felt like liabilities become the projects you finished before the deadline made the decision for you.

If the estate is held together with more workarounds than you would like to admit, that is worth confronting directly, and our piece on infrastructure held together with digital duct tape is a candid place to start.


FAQ

When does Windows Server 2016 reach end of life?

Windows Server 2016 reaches end of extended support on January 12, 2027. After that date it stops receiving security updates entirely. Mainstream support already ended on January 11, 2022, so the version has been in security-only mode for years. With under twelve months of support remaining, 2016 workloads should be in active migration planning now.

Can you upgrade Windows Server 2016 directly to Windows Server 2025?

Yes. Windows Server 2025 supports a four-version in-place jump on non-clustered systems, so 2012 R2, 2016, 2019, and 2022 can all upgrade directly to 2025 without intermediate steps. Earlier releases allowed only a two-version jump. Clustered systems still upgrade one version at a time through a rolling upgrade, and each server needs a new Server 2025 product key.

Is Windows Server ESU free in Azure?

Yes. Workloads running in Azure, Azure Dedicated Host, Azure VMware Solution, and the Azure Local portfolio receive Extended Security Updates at no cost beyond the price of running the VM, with no Software Assurance requirement. On-premises ESU for Server 2012 and 2012 R2 is paid, at a flat 100% of the full license price per year for up to three years.

What is the difference between Azure Migrate and Azure Site Recovery?

Azure Migrate is for migrating servers to Azure; Azure Site Recovery is for disaster recovery. They share a replication engine, which causes the confusion, but Microsoft's guidance is to keep the jobs separate. Migration through Azure Migrate is one-way, with a test-migration step and a final Complete Migration action and no built-in failback. Failback is a disaster-recovery capability.

How much does Azure Hybrid Benefit actually save?

Microsoft cites up to around 40% on Windows VMs and up to 85% on SQL against pay-as-you-go pricing, with more when combined with Reserved Instances. Realized savings run lower once current licensing is factored in; independent analysis has put the net figure closer to 23%. Run the Azure pricing calculator against your own inventory rather than planning against the headline percentage.

What replaced WSUS for patch management?

Microsoft deprecated WSUS in September 2024. It still ships in Server 2025 and remains supported through the OS lifecycle, but it gets no new features and cannot distribute ESU to end-of-life systems under Server 2025 hardening. Azure Update Manager is the strategic replacement, managing update compliance across Azure, Arc-connected on-premises servers, and multicloud from a single dashboard.

Should you upgrade a domain controller in place?

No. Microsoft recommends promoting a fresh domain controller on Windows Server 2025 and demoting the old one rather than upgrading in place. An in-place DC upgrade keeps the Active Directory database locked to the legacy 8 KB page size and forfeits the 32 KB format introduced in Server 2025. Move the FSMO roles to the new DC, verify replication, then demote the legacy controllers.
