In-place upgrade/ repair upgrade of Windows Server 2016 Datacenter running Domain Controller

Apurva Pathak 845 Reputation points
2025-09-29T11:30:56.73+00:00

Hello all,

We're running one of our DCs on (Azure hosted) Windows Server 2016 Datacenter. Recently, our SCCM team notified that this VM is unable to receive monthly security patches.

Upon running preliminary checks, we learned that the OS has become corrupted, and no installed patches are being shown.

Tried repairing it with the sfc / dism commands but no luck.

Can we try an in-place upgrade / repair upgrade on this DC as outlined here, by selecting the option to 'Keep Files'?

Is it safe to do in a DC? What are the things we should be careful about?

Thanks in advance!


Answer accepted by question author
  1. HarryPhan-2691 7,850 Reputation points Independent Advisor
    2025-09-29T13:28:17.15+00:00

    To answer your question directly: yes, you can technically perform an in-place upgrade on a DC, but from my experience, I get very nervous about that path when we already know the OS is corrupted. It's like trying to fix a crack in a building's foundation by repainting the walls—it might work, but if it fails, the situation is often much worse.

    The "gold standard" here, and what I'd recommend for maximum safety, is to build a new, clean server and promote it to a domain controller. This isolates the problem and gives you a known-good server to fall back on. Once the new DC is healthy and replicating, you can then safely decommission the corrupted one.

    If you're absolutely forced down the in-place upgrade path due to time, your checklist is critical:

    First and foremost, make sure you have at least one other fully healthy DC running elsewhere (and ideally, a solid system state backup of this one).

    Move all the FSMO roles off this box and over to that healthy DC before you even think about starting the upgrade.

    The "Keep Files" option is the one you'd want, but have a rollback plan ready.

    It's a high-stress operation, so please proceed with an abundance of caution. Let me know if you need a second pair of eyes on your backup and role status before you pull the trigger.

    If this helps clarify the path forward, would you mind hitting "Accept Answer"? 🙂 It lets others know what worked.

    All the best.


1 additional answer

  1. Marcin Policht 63,720 Reputation points MVP Volunteer Moderator
    2025-09-29T12:00:48.91+00:00

    Yep — you can perform an in-place (repair) upgrade on a domain controller. In general, Azure VMs do support an in-place upgrade from Windows Server 2016 as per https://free.blessedness.top/en-us/azure/virtual-machines/windows-in-place-upgrade. As per that article, make sure that the VM is using managed disks. You should also take a snapshot of the OS disk before doing the upgrade. In addition, Microsoft supports in-place upgrades of domain controllers (for repair or version upgrades), but they explicitly recommend that you reduce risk by relying on AD replication and treating DCs as disposable. If something goes wrong, you can always remove the broken DC from the domain and promote a new one instead of trying to salvage it.

    Here are the risks to consider:

    1. Replication impact – During the repair/upgrade, AD services will be offline on that DC. Ensure you have at least one healthy DC online in the same site (and preferably a GC as well).
    2. SYSVOL/DFS Replication – If SYSVOL replication is broken, you risk introducing replication inconsistencies. Verify that DFS-R (or FRS if still in use) is healthy before you begin.
    3. FSMO roles – If this DC holds any FSMO roles, consider moving them temporarily to another healthy DC to reduce risk.
    4. Antivirus/agents – Some security/monitoring agents interfere with in-place upgrades. Temporarily disable or uninstall them.
    5. Rollback – In-place upgrades cannot be rolled back. If it corrupts further, the only recovery is restoring from snapshot/backup or demoting/rebuilding.

    Effectively, before you start:

    • Confirm you have at least one more healthy DC in the environment. If this is the only DC, do not attempt an in-place upgrade—build a second DC first.
    • Move FSMO roles off this DC (if any).
    • Check AD replication health (repadmin /replsummary).
    • Check that the SYSVOL/NETLOGON shares exist and that DFSR is healthy (dfsrdiag pollad).
    • Take a full VM snapshot/backup in Azure.
    • Record the DC's IP, site, and replication partners in case you need to rebuild it.

    Alternatively, instead of repairing in-place:

    1. Stand up a new Server 2016/2019/2022 DC in Azure.
    2. Let it replicate.
    3. Demote the broken DC and rebuild it clean.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

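Both answers above list the same pre-flight steps before touching the DC: confirm another healthy DC exists, move FSMO roles off, verify AD and SYSVOL replication, and record the DC's details for a possible rebuild. The script below is an added example (not from the question or either answer) that runs those checks read-only from Windows PowerShell 5.1 with the RSAT ActiveDirectory module loaded. `$Target` defaults to the local machine; `HEALTHY-DC` in the comment is a placeholder name for the DC that should receive the roles.

```powershell
# Added example, not part of the original thread. Read-only pre-flight checks for the
# steps listed in the answers above. Assumes RSAT ActiveDirectory module, an elevated
# prompt, and a domain account that can query the DC named in $Target.
param(
    [string]$Target = $env:COMPUTERNAME   # hostname of the DC being repaired
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO roles: both answers say move them to a healthy DC before upgrading.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = $roles.GetEnumerator() |
    Where-Object { $_.Value -eq $Target -or $_.Value -like "$Target.*" }
if ($held) {
    Write-Warning "$Target still holds FSMO roles: $(($held | ForEach-Object Key) -join ', ')"
    # To move them (HEALTHY-DC is a placeholder for the receiving DC), for example:
    # Move-ADDirectoryServerOperationMasterRole -Identity HEALTHY-DC `
    #     -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster
} else {
    Write-Host "OK: $Target holds no FSMO roles"
}

# 2. At least one other DC must exist, ideally a global catalog in the same site.
$thisDc = Get-ADDomainController -Identity $Target
$others = @(Get-ADDomainController -Filter "Name -ne '$Target'")
if ($others.Count -eq 0) {
    Write-Warning "$Target is the only DC in the domain; build a second DC before any upgrade"
}
$sameSiteGc = @($others | Where-Object { $_.Site -eq $thisDc.Site -and $_.IsGlobalCatalog })
Write-Host ("Other DCs: {0}; global catalogs in site '{1}': {2}" -f $others.Count, $thisDc.Site, $sameSiteGc.Count)

# 3. AD replication health (PowerShell equivalent of the repadmin /replsummary check).
$failures = @(Get-ADReplicationFailure -Target $Target)
if ($failures.Count -gt 0) {
    Write-Warning "Replication failures recorded on $Target:"
    $failures | Format-Table Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
} else {
    Write-Host "OK: no replication failures recorded on $Target"
}
Get-ADReplicationPartnerMetadata -Target $Target |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# 4. SYSVOL/NETLOGON shares must be present and the DFSR service running.
$shares = @(Get-SmbShare -CimSession $Target | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' })
if ($shares.Count -lt 2) {
    Write-Warning "SYSVOL or NETLOGON share is missing on $Target"
} else {
    Write-Host "OK: SYSVOL and NETLOGON shares are present on $Target"
}
$dfsr = Get-CimInstance -ClassName Win32_Service -ComputerName $Target -Filter "Name='DFSR'"
if (-not $dfsr -or $dfsr.State -ne 'Running') {
    Write-Warning "DFSR service is not running on $Target (state: $($dfsr.State))"
} else {
    Write-Host "OK: DFSR service is running on $Target"
}

# 5. Record identity details in case the DC has to be demoted and rebuilt.
$thisDc | Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
    Format-List
```

Run it before taking the Azure snapshot; any warning it prints corresponds to a stop condition in the checklists above (only DC, roles still held, replication failures, missing SYSVOL share, DFSR stopped). It changes nothing on its own; the role move is left as a commented command so it is a deliberate step rather than a side effect of a health check.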
