In-Depth
Retiring Windows Server 2003: Lessons from Windows XP's End-of-Life
It's been one year since Microsoft pulled the support plug on Windows XP, a workhorse of an OS that, at its peak, had a worldwide market share of about 80 percent. Now, enterprises are approaching another major support cliff with Windows Server 2003. The 12-year-old server OS loses extended support on July 14 of this year, meaning Microsoft will effectively stop issuing security patches or updates for the product after that date.
Like Windows XP's end-of-life did last April, the upcoming Windows Server 2003 support deadline presents a major liability for the organizations that still run it, as well as a potentially lucrative opportunity for partners. At the 2014 Worldwide Partner Conference (WPC), Microsoft Office Corporate Vice President John Case said that there were still 22 million instances of Windows Server 2003 running worldwide, amounting to an estimated $6 billion in potential partner revenue.
For partners looking for ways to tap that well, the instinct to compare the Windows Server 2003 end-of-life process to that of Windows XP can be unavoidable. For starters, both platforms benefit from -- or suffer under, depending on whom you ask -- a reputation for being very stable, which may have deterred organizations from undertaking migrations until very late in the game, if at all. Despite years of increasingly dire warnings from Microsoft, Windows XP maintained a persistently solid market share in the months nearing the end of its support lifecycle (nearly 30 percent by the end of February 2014, according to Net Applications) and in the months after (greater than 25 percent by the end of June 2014).
Now, with its own end-of-life date fast approaching, Windows Server 2003 also looks like it's having a hard time giving up the ghost.
"Server 2003 was very stable, very capable, especially for the kinds of workloads for which it's currently deployed. So there's an 'if it's not broken, there's no reason to fix it' mentality," says David Mayer, practice director of Microsoft solutions for Insight Enterprises, a Microsoft licensing solution provider.
That observation is echoed nearly word-for-word by Andrew Avanessian, executive vice president of consultancy and technology services at Avecto Ltd., a software security vendor and Microsoft ISV partner.
"You do get an element of, 'It's not broke, don't fix it,'" says Avanessian, who notes that every organization that Avecto has spoken to still has "a reasonably sizeable proportion" of Windows Server 2003 instances.
"For most of the compliance specifications out there, we have to be on a patched server. Well, that goes right out the window the day you stay on [Windows Server] 2003."
Andrew Hertenstein, Manager, Microsoft Datacenter Solutions, En Pointe Technologies
Photo credit: Andy Snow
Same Old Problems, but More Complicated
There are other roadblocks keeping organizations on Windows Server 2003. Partners who have gone through the Windows XP migration gauntlet with their clients might find the challenges familiar, if heightened.
"What we are seeing as hurdles [to migrating customers away from Windows Server 2003] are probably the traditional ones, but exacerbated, because you're dealing with an audience that...loathes to spend money," says Bill Hersh, solutions coordinator at Microsoft distribution partner D&H Distributing Co.
Hersh, who estimates that less than half of the organizations D&H has spoken to have even begun to consider migrating off of Windows Server 2003, says the problem generally comes down to a lack of budget and poor communication with partners -- and that the two issues tend to go hand in hand. Organizations that invest the money to have and maintain close relationships with VAR partners likely have already moved off Windows Server 2003 well before the support deadline, he contends. On the other hand, organizations that are unwilling, or perhaps unable, to make that kind of investment in partner relationships are often kept out of the loop.
"Most of those customers that do have a VAR partner that they work with on a regular basis have been upgrated to [Windows Server] 2008, 2012 or 2012 R2 in the past three years," Hersh says.
Insight's Mayer also says that poor or nonexistent budgeting was an issue that caught some organizations flat-footed during the run-up to the Windows XP end-of-life, and is once again rearing its head with Windows Server 2003.
"Yet again, I don't know that our customers, as a generalized statement, really correctly anticipated and budgeted both resources and dollars to this project," he says. "Most organizations that we talked to do not have anything set aside specifically for getting off of Server 2003."
As a result, what often ends up happening is that those organizations simply forgo any help from partners and instead assign the task of migrating their entire company to their in-house IT staff, "most of which already have a day job," Mayer says. "This process is a full-time job for upper midmarket and enterprise-type organizations, especially if you have any plans to get close to the deadline. There wasn't a specific budgeting and allocation process for most organizations around this topic, unfortunately. That's kind of the same thing that occurred in the world of XP migration."
Another issue with Windows Server 2003 migrations that might give partners flashbacks is that of application compatibility -- more accurately, the lack thereof. Many third-party, custom applications that organizations run on Windows Server 2003 are 32-bit, but Windows Server 2012 R2 -- the Microsoft-recommended migration path for Windows Server 2003 refugees -- only supports 64-bit applications. Such apps also tend to have poor documentation or be prohibitively expensive to update.
"What we have found in our Windows XP migrations is that there is a class of applications that, no matter what you do, cannot be made compatible without some recompiling at a minimum," noted Microsoft MVP Colin Smith in a blog post last October. "These same issues will present themselves with Server 2003/R2 migrations. ... Applications that are susceptible to these compatibility issues need [t]o be dealt with in a different manner. Perhaps a small pool of 32-bit Windows Server 2008 servers."
In its guidance for partners whose clients are still on Windows Server 2003, Microsoft suggests a number of other workarounds for incompatible apps, including replacing the old app with a shim that works on Windows Server 2012, replacing the app with a Software as a Service (SaaS)-based app that does the same job, or -- if all else fails -- virtualizing the app. Microsoft also recently launched an "ISV Upgrade Campaign" through which organizations can check whether the software vendor that originally architected the app is eligible to update it for Windows Server 2012 R2. Of course, this option assumes that the software vendor is still in business, which might be assuming a lot.
"We've actually found organizations where they're using a piece of software and the software development company has gone defunct. They're out of business. So they can't really upgrade it," says Andrew Hertenstein, manager of Microsoft datacenter solutions for En Pointe Technologies, a Microsoft systems integrator. "So they have to do a lot of market research to find a suitable, compatible product that accomplishes the same business tasks, and then find a way to migrate onto it."
'That Fear Factor'
The specter of an "endless zero-day" (in Microsoft's words) was fodder for numerous headlines in the years and months leading up to the Windows XP support deadline, as well as made for a pithy description for the risks of ignoring it. By comparison, the Windows Server 2003 end of life has not received nearly the same level of exposure, even though it has the potential to do significantly more damage. Microsoft made a few concessions for Windows XP stragglers last year, issuing an emergency patch for the OS one month after its support deadline and promising to extend some anti-malware support until this July. However, Microsoft does not intend to cut Windows Server 2003 -- for which it issued 37 "critical" patches in 2013 alone -- any slack.
Given the complexity of the architecture, the breadth of the security damage caused by an unprotected server can be disastrous to an organization's bottom line. Additionally, falling out of compliance with government and industry regulatory standards -- namely HIPAA, Sarbanes-Oxley and PCI DSS -- is a very real threat for businesses that continue to use Windows Server 2003 past its support deadline, even more so than with Windows XP.
"If you're an organization that's under any regulatory-type scenario, most, if not all, of those regulations make some type of a statement to the effect that your computer systems have to run under a maintained environment," Mayer says. "So, obviously, anybody that deals with any type of financial transactions, anybody that deals with any type of health care transactions, anybody that deals directly with a government entity -- I would struggle to find an organization that wouldn't fall under some type of scenario whereby this was an absolute requirement for them."
En Pointe's Hertenstein also counts compliance as one of the biggest issues with the Windows Server 2003 end of life. "For most of the compliance specifications out there, we have to be on a patched server. Well, that goes right out the window the day you stay on [Windows Server] 2003 because you won't be patched. You won't be up-to-date. Your security vulnerabilities are still there. They still have that to deal with," he says.
Without the benefit of the splashy headlines that accompanied the Windows XP end-of-life, how can partners galvanize their customers to finally migrate off of Windows Server 2003? One way is to translate those security risks into the language that everyone in upper management can understand: money.
"'You're facing days, potentially weeks, of outages or trying to troubleshoot things and figure things out,'" Hertenstein says as an example of a hypothetical conversation with a CFO. Said CFO's company, in this scenario, has ignored the July 14 deadline and its Windows Server 2003 servers have recently developed problems due to being unsupported. "'How much revenue will that lose you as an organization?' That's where everybody kind of takes a step back. ... And 99 percent of the time, that fear factor of [financial loss] is what really gets an organization to say, 'Hey, you know what? We really need to take this pretty seriously.'"
Microsoft, for its part, is fairly adamant that not migrating off of Windows Server 2003 will only cost organizations more in the long-run. The company does provide a "Custom Support Agreement" (CSA) option for organizations that have no choice but to maintain Windows Server 2003 beyond the support deadline, but it's more of a last-ditch resort than a panacea for actual migration. According to Microsoft's guidance for partners, a CSA would provide organizations only with "critical" security patches, and only for a period of three to four years. Eligibility for a CSA is also subject to approval by Microsoft, and carries a high entry fee that doubles every year.
The Opportunity for Partners
As big of a headache Windows Server 2003 migration can be, especially for organizations that are only just starting the journey, it's also for that reason that it could present a greater business opportunity for partners compared to the Windows XP end of life.
"There's a painful amount of XP still out there. But this [Windows Server 2003] is going to turn into a slightly bigger issue because people aren't as aware of it and it's not as simple. We're not just buying a new PC and throwing it in place and taking the old one out of service," says D&H's Hersh.
"I think there's more services revenue to be had from migrating a server platform because there's a lot more complexity around it," Avanessian says. "There's definite scope there from a consultancy perspective to come in, understand the server landscape that's there and come up with a recommended migration plan. Especially if [a customer] leaves it until the last minute. Organizations don't have the bandwidth to do that, so they'll rely on the partners to come in."
Microsoft's primary recommendation for customers migrating from Windows Server 2003 is Windows Server 2012 R2, the latest server version, but it also touts Microsoft Azure and Office 365 as options, depending on the customers' needs. In general, partners should assess those needs on a workload-by-workload basis and, given enough time and planning, their customers would probably end up with a mixed on-premises and cloud-based environment. However, as it was with Windows XP, time is a luxury that many partners don't have when it comes to helping clients migrate from Windows Server 2003. In their rush to beat the support deadline, most organizations will probably be better served by moving right to Windows Server 2012 R2.
"In my experience, the later you leave it toward the drop-dead date, the likelihood of just moving to Server 2012 on hardware in your environment is increased," Avanessian says. "[But] if you've got more time as an organization, if you've been planning for the past 12 months, you will have probably looked at all the solutions in the marketplace."
If partners have learned anything from the Windows XP protracted retirement, it should be that planning is king. "Probably the biggest thing that was an indicator of success relative to the Windows XP deployment that can be directly applied to the server deployment -- and I would say is actually more important in the world of servers -- is the planning and project-management aspect," says Insight's Mayer. "The whole planning, logistics, change management, process control and all of those things associated with the more business-process aspect of it, I think, were some hard lessons learned in XP that we certainly have applied to our service offering and we would hope that other partners and customers are doing the same."
And whatever the final endgame is in a migration project, Hersh advises partners to come out of the gate prepared, informed and ready to talk about the customer's livelihood -- not their technology. "Research, first and foremost," he says. "Understand the network you're going into. Understand what the customer has in place right now and what's important in their business. ... Understand so you can talk to the customer about their business. Not about the application, not about a server, but about their business."