You know it well by now: Windows Server 2003 support is ending July 14, 2015. If you're one of the (far too) many still running WS2003, it's time to arm yourself with your action plan because what you don't know can hurt you.
With help from the IDG Answers community, we collected some of the most burning questions enterprises and individuals have about WS2003 end of support -- how it will affect them, how to prepare, what the options are. If you have advice you'd like to share, or lingering questions, add a comment below or join the discussion on IDG Answers.
Yes, you really need to get off WS2003
Microsoft will not issue any more patches or fixes. If a zero-day is found, Server 2003 won't be patched. You are on your own.
The name gives the impression that the OS will stop working and die, but really it just means no more fixes.
Microsoft estimated there were 10 million servers deployed at the beginning of the year, but migrations are accelerating. Microsoft, analysts like Gartner, and migration specialists estimate there will be two to three million Server 2003 machines still running once we pass EOL on July 14.
PCI compliance requires you to have a fully up-to-date server with all patches applied. Once 2003 goes past EOL, you will be out of PCI compliance and likely blocked by any partners or customers. Likewise, you will be considered out of security compliance with other standards for using an out-of-date server that is not being patched.
Surveys of people not making the move have found a few reasons:
1) They just plain didn't know. Bit9 did a survey where it found 57% of respondents didn't know it was coming in July.
2) Many who heard didn't believe it. Server 2003's EOL had been pushed back once and like with XP, a lot of folks said "eh, they won't do it."
3) No money. Some companies had their IT budgets already set for the year and if they learned late about the EOL they couldn't do anything about it because their budget for 2015 was already allocated.
4) App dependencies. Maybe they had an app that was really tied to Server 2003 services and was not easily ported. Maybe they had 16-bit apps, which won't run on Server 2008/2012. Both of these scenarios will handcuff you to Server 2003.
5) Assessment. Many firms aren't just replacing their old Server 2003 boxes, they are taking the time to do a complete assessment of their IT infrastructure and deciding what else to replace/update. That's taking time because a lot of firms are finding stuff and having "oh, we have that?" moments. So it's taking longer to go through everything than planned/expected.
Yes, but it's not cheap. Microsoft is talking $600 per incident per server. It will add up fast.
Third parties will continue to support it with things like security, intrusion detection and firewalls, but you have to think that as the WS2003 population dwindles, so will their support.
The exact number of companies isn't known, but security firm Bit9 estimates about 2.7 million servers will still be deployed post-EOL and 3 in 10 enterprises plan to keep running the servers.
Looking to a more secure future
Server 2008 had the following:
- New firewall with port filters and rules sets, full integration with Active Directory users and groups
- BitLocker drive encryption
- Network Access Protection, to control computer network access
- Address Space Layout Randomization, which helps fight buffer overrun exploits
In Server 2012:
- Dynamic Access Control to control unwanted access to the server.
- Improvements to BitLocker
- UEFI and Secure Boot. UEFI is the replacement for BIOS and Secure Boot prevents your system from booting or loading unknown OSes, firmware and drivers.
There's more to it than that, but those are the basics.
If you are running WS2003 servers they are likely very old and not very power efficient. So new servers will be more modern and use less power, and likely will be much more powerful.
WS2003 is a 32-bit OS while Server 2008 and 2012 are 64-bit, so you can run a server with more than 4GB of memory, which means a much higher load can be put on the server. You can virtualize, consolidating many single-purpose physical Server 2003 machines into one physical machine.
The security in Server 2008 and 2012 is also considerably improved. In Server 2003, once someone breaks through your security they have pretty much free rein to run amok in the server. WS2008 and 2012 are more walled off internally, so a break-in to one area won't necessarily grant them access anywhere else.
When Microsoft began its push to get people to migrate in 2014, it noted that there had been 37 bug fixes in the prior year (2013). I don't have 2014 numbers, but if Microsoft was issuing fixes at a rate of three per month a decade after the OS was released, it's safe to assume it's not bulletproof and that more holes will be found. After July 14, they won't be fixed.
Getting your migration on
It depends on a variety of things. AppZero, which specializes in WS2003 migration and has a custom tool for it, says the average time per server is 200 days. Some can take longer, others take less time.
If you are migrating an app that is still on the market and has a newer version, that could shorten the time. It could also lengthen it if the app has been through radical changes. If your WS2003 app makes kernel calls, that could increase time, as the kernel has changed significantly between Server 2003, 2008 and 2012. If you use an app no longer on the market, you will need time to find a replacement. If your server is just a file and print server, that should be a relatively smooth adjustment.
Much of the data you need to collect can be automatically gathered by System Center. But you will need a lot of information.
- All servers running WS2003
- All non-WS2003 servers that touch the old servers in one way or another
- Network and storage connections to 2003
- All of the apps running on them. Then you need to check if those apps have new, current versions or if they are abandoned or no longer supported and make contingency plans for that.
- All data stored on them
- Who accesses the WS2003 servers via Active Directory
Not really, because PowerShell came along in 2006 and it only gained those migration tools with Server 2008. The most popular tool for migration, endorsed by Microsoft, is from AppZero.
Things to consider include:
- Kernel hooks in your app: any calls made to the Windows Server 2003 kernel will likely break, as Microsoft made changes to the kernel in Server 2008 and again in Server 2012.
- 32-bit apps. Microsoft retained 32-bit compatibility in Server 2008 with the WoW64 add-on layer. Server 2008 is innately a 64-bit operating system, so you have to add the WoW64 execution layer. Server 2012 supports WoW64 but has many restrictions on 32-bit apps, such as locking them out of the Registry.
- Obsolete/abandoned apps: It's one thing if you have SQL Server 2005 running on a Server 2003 machine. Microsoft can help with that migration. But if the company that built your app has gone out of business or no longer develops that app, you have to find an alternative and migrate data to that.
- 16-bit dependencies: You can get 32-bit app support on Server 2008 and Server 2012 but there is no backwards compatibility with 16-bit apps.
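To find the 16-bit and 32-bit items in that list during an inventory, executables can be classified by their file headers. This is an added example, not part of the original article; the function names and the constructed sample headers are assumptions for illustration.

```python
import os
import struct

# Machine values from the PE/COFF file header
PE_MACHINES = {0x014C: "32-bit PE", 0x8664: "64-bit PE"}

def classify_header(data: bytes) -> str:
    """Classify a Windows executable from the first bytes of the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    # e_lfanew (offset 0x3C) points at the NE or PE header, if there is one
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "16-bit NE"  # no 16-bit support on Server 2008/2012
    if sig == b"PE\0\0" and len(data) >= e_lfanew + 6:
        (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
        return PE_MACHINES.get(machine, "PE, other machine 0x%04x" % machine)
    return "DOS MZ or other"  # plain DOS program or a format not handled here

def scan_tree(root: str) -> dict:
    """Map each .exe/.dll/.ocx under root to its header class."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll", ".ocx")):
                path = os.path.join(folder, name)
                try:
                    # 4 KB covers the header in typical files; a larger
                    # e_lfanew falls through to "DOS MZ or other"
                    with open(path, "rb") as fh:
                        results[path] = classify_header(fh.read(4096))
                except OSError as err:
                    results[path] = "unreadable: %s" % err
    return results

def make_sample(signature: bytes, machine: int = 0) -> bytes:
    """Constructed sample: 64-byte MZ stub followed by a new-style header."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return stub + signature + struct.pack("<H", machine)

if __name__ == "__main__":
    for label, blob in [("NE", make_sample(b"NE")),
                        ("x86", make_sample(b"PE\0\0", 0x014C)),
                        ("x64", make_sample(b"PE\0\0", 0x8664))]:
        print(label, "->", classify_header(blob))
```

Run `scan_tree` against a copy of each server's application directories; anything reported as "16-bit NE" needs a replacement or another plan before the move, and "32-bit PE" entries depend on WoW64.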
Where to migrate to
There are several major changes I've seen discussed:
- Container support. With containers all the rage, Microsoft is building it into the OS. There will also be a number of enhanced cloud features like improved OneDrive, SharePoint integration and other tweaks.
- SharePoint enhancements, including a new way of patching.
- Improved Hyper-V, including server resiliency and a new micro-server that loads the bare minimum of the OS needed to deploy extremely small footprint servers.
- Storage enhancements that include VM storage performance, support for Storage Spaces across multiple servers and synchronous replication.
- New security and management features for tighter management of the server and intrusion detection.
No, it would be a mistake. First, that new OS is at least a year away. Can you afford to leave vulnerable servers in production for another year? Second, you are talking about a 13-14 year gap in technologies, which would guarantee incompatibilities with old apps. For every generation of Server you get away from 2003, the migration becomes that much harder. It's best to start now and get the process going. Server 2012 has almost a decade of life left in it.
Many people are doing just that. When they deploy Server 2012, with its native hypervisor and built-in virtualization, they set up a lot of virtual machines for old WS2003 workloads. Say you have an old Server 2003 machine running file and print services, or a low-use database. A modern server can run that in a VM with little effort.
Microsoft added some time to mainstream support, lengthening that period to January 15, 2015 before moving to extended support. Extended support lasts for 5 years, so that would mean extended support for WS2008 should continue to January 15, 2020.
Microsoft has posted a full list of end-of-life dates.
Well, you can go to a cloud provider like IBM Softlayer or Amazon, but that would mean putting everything in the public cloud.
The other choice is Linux. That would depend entirely on what you are doing on the WS2003 boxes. If it's file and print or a simple database, you can do it fairly easily. If you are using a highly vertical Windows app not found on Linux, things become more challenging. Your ability to move will depend on the degree of Windows apps you use and if there are Linux equivalents. If you have a lot of homegrown apps, you will have a real challenge ahead of you.
WoW64 is still there to run 32-bit apps but they will be severely limited in what they can do. Clustering, for example, is gone, and they won't have access to many services.
Well, Server 2008 has Hyper-V, albeit an older version. Assuming you used it on 64-bit hardware with lots of memory, then you can virtualize many of your old, underutilized WS2003 servers onto less hardware.
Server 2003 is a 32-bit OS while Server 2008 is 64-bit. That means WS2003 is limited to 4GB while WS2008 can handle a terabyte of memory (2012 handles 16TB). So that's a lot more room for databases and web servers, the ability to handle many more users, etc.
The most common reason is consistency. If you started a migration and/or have a lot of Server 2008 already internally, then going for 2008 will keep things consistent within the company. Server 2012 was a huge leap and it might take your admins a little while to learn it, so sticking with Server 2008 if you already have it is the least disruptive solution. Server 2008 has five more years of support so you can run it for a while without concern.
Also, 2012 has the Windows 8 UI, and no one likes that.
No, they have the same basic overhead requirements for a minimal install. The difference is Windows Server 2012 scales way, way up, far more than 2008.
Your life will be a lot easier than someone moving a custom app, that's for sure. Microsoft has migration tools for old versions of SQL Server to new. There's some complexity in that you have to "demote" the old version, say, SQL Server 2005, and "promote" the new version. This way your data all goes through the new version. That all involves deploying the new SQL Server, which migrates over your data and apps. The good news is it's all done inside SQL Server itself.
It depends on the apps being used on that server. Server 2012 is a fairly comprehensive OS. You're talking about an operating system with virtualization and the cloud built into the design, and with PowerShell, which is often referred to as an OS within an OS. So I think learning 2012 will be the greatest challenge, unless the 2003 server is running a lot of old, out-of-date apps.
This story, "FAQ: 25 burning questions about Windows Server 2003 end of support" was originally published by ITworld.