Windows Server 2003 goes out of support in July 2015; that's only about eight months from now, so the end is drawing...
You have certainly heard a lot about Windows XP, but its server brother does not get nearly as much attention -- and that is primarily because these servers just tend to run and run. The operating system was solid, there are not many patches being released today, and the software running on these platforms is typically older and no longer requires much active maintenance.
As you begin to move in earnest away from Windows Server 2003, here are some guiding principles and considerations to help you organize your thoughts and determine a starting point for the project.
Which servers need to be migrated away from Windows Server 2003?
This sort of exercise requires a bit of triage: you want to use each server's potential attack surface and threat profile to order your migration away from Windows Server 2003, weighed against all of your other dependencies -- workloads, clusters, software compatibility and so on. Consider the following elements:
Will I need additional hardware capacity? Windows Server 2012 and R2 are beefier than Windows Server 2003, though not by a huge margin. However, the hardware platform support is different. Your servers with suitable migration target hardware should be the first to begin migrating. Storage can also be a limiting factor here.
Do I want to consolidate servers? Windows Server 2003 came out before the era of virtualization really hit the mainstream. If you have a bunch of 2003 machines that are running individualized medium load services, like file and print or distributed file system workloads, then you might be able to achieve a 4:1 or 5:1 savings by putting those workloads on virtual machines on a beefy host running Windows Server 2012 R2. Using this migration opportunity to also reap some hardware savings can lower the overall cost of the migration and leave you much better off than you were before.
Do I want to move to the cloud? If you are still running, say, Exchange 2003, then you could save money and administrative headache by moving to a hosted Exchange provider or Office 365, and get rid of a soon-to-be unsupported operating system at the same time.
What happens if there is a software dependency on Windows Server 2003 that cannot be avoided?
This is the pickle many companies running heavy duty industrial equipment find themselves in, because the hardware that controls big equipment like CNC machines, lathes and other specialized devices runs a locked-down version of Windows that is supported only in a defined state by a manufacturer. In this case, the primary threat you need to mitigate for these machines is the connection to the Internet. In most cases, simply installing an air gap -- either physically or virtually -- between the machine and the edge of your network will mitigate 90% or more of the attack surface for Windows Server 2003, because it makes it impossible to get Internet-based malware installed on the machine and makes the machine much less vulnerable to internal infections run amok. This does increase the manual labor required to administer the machines you configure in this way, but the tradeoff is certainly worth it.
Have you thought about new hardware requirements?
Though Windows Server 2003 is 11 years old, you may have been deploying it on servers purchased as late as 2006. However, Windows Server 2003 was one of the last two releases to support 32-bit hardware, so if you are planning on repurposing machines bought in 2005 and 2006 for light duty service on a later version of the operating system, you will need to think again. Windows Server 2008 R2 and later, including Windows Server 2012 and R2, only run on 64-bit hardware. Points for trying to eke out new life from old hardware, but you should find a different way to do that: perhaps Windows Server 2008 (the original one) or Linux, to name a couple of options. Or you may need to simply bite the bullet and buy some new hardware. It may not cost as much as you think, however, especially if you consider consolidating workloads as previously mentioned.