Bekker's Blog

Blog archive

Q&A: Getting Customers Ready for the Windows Server 2003 Deadline

Although it's gotten far less attention than the recent Windows XP deadline, the retirement of support for Windows Server 2003 will be one of the most important of the predictable security issues of 2015.

Microsoft officially ends support for Windows Server 2003 on July 14, 2015. The deadline has some of the same ramifications that the Windows XP deadline had: Microsoft will no longer patch Windows Server 2003 for new security vulnerabilities. Presumably, Microsoft will offer expensive Custom Support Agreements for enterprises to continue getting patch support after that date, but there's been no official announcement yet. In the meantime, new security vulnerabilities keep cropping up for the aging OS. During the last full year, 2013, Microsoft released 37 critical updates for Windows Server 2003.

The total installed base of Windows Server 2003 remains massive, making migrations an important security issue for the entire industry. As of July, Microsoft reported that globally there are 24 million instances -- half physical, half virtual -- of Windows Server 2003 running on 12 million physical servers. There are 9.4 million Windows Server 2003 instances in North America. Worldwide, Windows Server 2003 accounted for 39 percent of the Windows Server installed base, according to Microsoft data.

Among the many Microsoft partners focused on initiating conversations with customers about preparing for the deadline and migrating servers off Windows Server 2003 is Insight Enterprises, a $5.1 billion technology sales company that is also a Microsoft Licensing Solutions Provider with a large Microsoft systems integration practice.

On Wednesday, Insight publicly announced a Windows Server 2003 migration practice that's been up and running since June. RCP caught up with David Mayer, practice director of Microsoft Solutions for Insight Enterprises, in a phone interview. (Questions and answers have been edited for clarity and flow.)

RCP: How prepared are your customers for Windows Server 2003 end of support compared with the end of support for Windows XP?

Mayer: They are aware of the situation. They understand the deadline that's approaching. They have a good sense of what they're up against in terms of how many servers they have and the major workloads that they're running on it. What they don't have is a sense of is how complicated this is, and they're underestimating what they're up against. Of a couple dozen customers we're working with, none have a migration timeline that will get every single server migrated by July 14.

What are some of the problems that have hit customers who used Windows XP past the end of support that might also be an issue for Windows Server 2003 users?
The biggest piece of the puzzle that organizations don't account for is the increase in support costs. A PC is one thing. You can harden a PC by just unplugging it from the network. That's a little bit harder to do in the server world. The big lesson learned is all the additional steps, such as adding intrusion detection systems, more advanced firewalls and network segmentation. They're going to have to take extra steps if they're planning to keep that server after support goes away. Gartner put out a brief a few months back and they said that organizations that plan to continue to run [Windows Server] 2003 past the deadline should budget $1,500 per year per server. That would be kind of a catch-all budgetary number.

With Windows XP, a lot of the organizations still using the out-of-support OS were smaller or less technically sophisticated customers. Is that the case with Windows Server 2003?
It's an inverse correlation. You actually see more Server 2003 as a percentage within very large, higher-end customers than we do at the lower end. The people who are actually in a better position to remediate the problem are the ones who have it. There are a lot of valid reasons -- application dependency, where an industry-specific application hasn't been updated, or an ISV went out of business, or some of it is that the thing works well and has been cheap to maintain and manage.

Your process for customers includes discovery and analysis followed by migrations -- software, hardware and cloud. What's the comparative size of each of those opportunities for Insight?
The majority are doing either a virtual-to virtual or a physical-to-virtual scenario, which we really think is the best first step. Once we've got them virtualized, then we can get them deployed in the cloud. Some customers are going straight to the cloud -- with one, we took the entire infrastructure over to the Azure IaaS environment. Some of them are doing a component of physical-to-physical because the application migration is not going to happen. They can still upgrade to Windows Server 2008, which will support a 32-bit application.

Ideally, we'll get the application up to either Server 2008 R2 or 2012. In doing so, we'll take that stack and we'll virtualize that. Instead of one physical server for one 2003 OS, we'll move to four or eight. You could look at it as a server consolidation project along with a server migration project -- those are happening in tandem.

Where are most customers in their migration process?
Right now, it's a lot of initial planning and initial discovery. I think the peak in terms of when the work is really going to start to hit is in the Q1 timeframe. A lot of the preliminary work is happening right now. There's still a lot of pipeline-building happening right now.

How long are the migrations expected to take?
For a customer with 100 or more servers, we're looking at a project that will go anywhere from a minimum of three months to some that will be in the 18-month timeframe. For those that aren't going to make the deadline, we start to segregate their server environment -- these are the high-risk servers, then medium and below.

Posted by Scott Bekker on September 17, 2014


Featured