How To: Upgrade from Windows 2008R2 to Windows 2012R2 running IIS and Windows Services
We’ve been tasked with upgrading all our 2008R2 Windows Servers to Windows 2012R2. This is due to Microsoft removing support for Windows 2008R2 in January 2020. We’ve performed this upgrade on all our non-prod servers first to iron out the issues with 2008 upgrades. I’ll post the errors I ran into when I gather them up, but once you go through the steps, it’s VERY easy to upgrade if you follow these simple steps:
Read through this multiple times before you start. There are verification steps you should follow before you start.
2012R2 Upgrade Procedures:
- Verify your backup of your server. In a perfect world (which I live in), your 2008R2 will be a virtual machine running on VMware and the backups are automatic the evening before.
- Create a local administrator. This is to ensure that if your 2008 upgrade to 2012 doesn’t go well, or it gets removed from the domain, you still have a local user that you’re confident works to get you into the server
- Check the C: drive size of the computer. You will need to expand it to have somewhere around 40GB of free space for the upgrade
- Check the system log and app logs for errors. You want to have a baseline of any errors occurring on your system so you’re aware of what errors are due to the upgrade to Windows 2012 and what was existing. Please don’t skip this step
- Take a snapshot of your server. Yes, you have a backup but a snapshot will ensure that if you need to roll back from Windows 2012R2 back to Windows 2008R2, you can do it immediately. You also won’t have to bother your backup administrator either 🙂
- If your servers are part of a load balanced system, remove the server from traffic. Drain and halt the server and verify no traffic is going to it. You should also verify that you can hit the server’s websites prior to doing the upgrade. We use HOSTS files for this and it works fairly well. Also, if you terminate SSL/TLS at the load balancer, you should add a VIP with the same SSL/TLS certificate on it so you can mimic your production traffic. Many people try to hit their server directly, and if you’re terminating traffic in front of your server and passing traffic back on port 80, chances are your browser won’t allow you to do this due to HSTS implemented by your developers. Here is a document explaining HSTS if you need to know more: https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
- Perform the upgrade to 2012R2. Depending on the server’s power (CPUs and memory) along with how much data is on it, this upgrade will take around 2 – 5 hours to complete. Also, do this from VMware console and NOT from RDP. I repeat… Do this from VMware console and NOT from RDP. If you don’t understand this, you need to before you start this upgrade.
- Once the upgrade is complete, run updates over and over and over until all updates are installed. At this point, if .NET 4.8 isn’t installed, you will get lots of errors running Server Manager and IIS. Things just won’t work correctly. This is to be expected
- Perform POST installations of required software. These include:
  - .NET 4.8 (Download from here: https://docs.microsoft.com/en-us/dotnet/framework/deployment/deployment-guide-for-developers)
  - HTTP Platform Handler (Download from here: https://www.iis.net/downloads/microsoft/httpplatformhandler)
  - .net-hosting 2.2.7 (If your sites use this) (Download from here: https://dotnet.microsoft.com/download/dotnet-core/2.2)
  - URL Rewrite (Download from here: https://www.iis.net/downloads/microsoft/url-rewrite)
- Enable the SchUseStrongCrypto property in the Windows registry: If your server makes outbound TLS/SSL connections to APIs like UPS, Paypal, Braintree or any other site, you will need to force your .NET software to connect using TLS 1.1 or TLS 1.2. To do this, there is a simple registry entry that needs to be added.
  1. Start Regedit and navigate to:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
  2. Right click in the right pane and create a new DWORD (32-bit) value and name it SchUseStrongCrypto
  3. Enter the Value in the data field of 1 and it should be Hexadecimal. Click on OK
  4. Repeat steps 1-3 for the following WOW6432Node located here:
     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
- Reboot the server
- Check system logs for new errors
- Check Application logs for new errors
- Verify IIS and Windows services are running
- Verify Domain membership is valid. If it isn’t, re-add it to the domain
- Perform smoke testing to your server. Again, if you’re load balanced, you would have created smoke vips on your load balancer to point to the new server. Use the HOSTS file entries to smoke test your server.
- Request end to end testing from your Software Quality Engineers or Test Engineers
- Check the size of your C: drive again. Make sure you’re not out of space
- If there are any servers that connect to this server via UNC or via API’s, you should consider rebooting them now. Also, check these servers for connection errors. We’ve seen our servers that connect via \\server\share can’t connect until you reboot them. Do this now!
- Once your verification is complete, swap in your new server in your load balancer and pull out the others that haven’t been upgraded. Run and test for a few days.
- Remove snapshots when you’re comfortable
- Remove the Temporary Admin account that you created
- Rinse and Repeat
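The SchUseStrongCrypto step above can be scripted so both registry views are set and then verified the same way on every server. This is an added example, not part of the original procedure; the function names are hypothetical and it assumes an elevated 64-bit PowerShell session on the upgraded server.

```powershell
# Added example: set and verify SchUseStrongCrypto in the 64-bit and 32-bit (.NET 4.x) keys.
# Function names are hypothetical; the key paths are the two given in the steps above.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
)

function Set-StrongCrypto {
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path $key)) {
            # A missing key means that .NET 4.x view is not installed; do not create it blindly.
            Write-Warning "$key not found, skipping"
            continue
        }
        # -Force replaces an existing value that has the wrong type or data.
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-StrongCrypto {
    param([string[]]$Path)
    foreach ($key in $Path) {
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto `
            -ErrorAction SilentlyContinue).SchUseStrongCrypto
        # Value is empty when the property (or the key) does not exist.
        New-Object PSObject -Property @{ Key = $key; Value = $value; Ok = ($value -eq 1) }
    }
}

Set-StrongCrypto -Path $keys
Test-StrongCrypto -Path $keys | Format-Table Key, Value, Ok -AutoSize

# After the reboot, a new PowerShell process should list Tls12 among the default protocols.
[Net.ServicePointManager]::SecurityProtocol
```

Any row with `Ok` set to False means outbound .NET connections from that bitness can still fall back to the older protocol defaults.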
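The two log-checking steps (baseline before the upgrade, new errors after the reboot) can be made repeatable by saving error signatures and comparing them afterwards. This is an added example, not part of the original procedure; the function names and the baseline file path are hypothetical, and the file should live somewhere that survives a rollback.

```powershell
# Added example: baseline System/Application errors before the upgrade, diff after it.
# Function names and $BaselineFile are hypothetical placeholders.
$BaselineFile = '\\fileserver\upgrade\baseline-' + $env:COMPUTERNAME + '.xml'

function Get-ErrorSignature {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'System', 'Application'
        Level     = 1, 2                      # 1 = Critical, 2 = Error
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | Group-Object LogName, ProviderName, Id | ForEach-Object {
        New-Object PSObject -Property @{
            Signature = $_.Name               # e.g. "System, Service Control Manager, 7000"
            Count     = $_.Count
            LastSeen  = ($_.Group | Sort-Object TimeCreated |
                         Select-Object -Last 1).TimeCreated
        }
    }
}

function Save-ErrorBaseline {
    # Run on the 2008R2 server before taking the snapshot.
    Get-ErrorSignature -Days 14 | Export-Clixml -Path $BaselineFile
}

function Get-NewError {
    # Run after the upgrade, updates and reboot: show only signatures not in the baseline.
    $known = @(Import-Clixml -Path $BaselineFile | ForEach-Object { $_.Signature })
    Get-ErrorSignature -Days 1 |
        Where-Object { $known -notcontains $_.Signature } |
        Sort-Object Count -Descending
}

# Before the upgrade:  Save-ErrorBaseline
# After the upgrade:   Get-NewError | Format-Table Signature, Count, LastSeen -AutoSize
```

Signatures are grouped by log, provider and event ID, so an error that was already firing on 2008R2 is filtered out even if its message text changes after the upgrade.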
Conclusion:
I’ve performed this upgrade process for Windows 2008R2 to Windows 2012 many times and these are the gold standard for upgrading a server that is running IIS and Windows Services. Make sure you have a roll back plan and perform that roll back on your development servers FIRST. So, upgrade, test, roll back. Then Upgrade again.