Don't panic as Server 2003 rushes towards end of life

Website challenge

When the application you need to migrate is a website, things can get pretty complicated. This is usually because there is a lot more to worry about during migration than just the operating system.

Believe it or not, there aren't a whole lot of Win32 or Win64 applications that will give administrators trouble when migrating from Server 2003 to one of the newer operating systems.

Over the 20 or so years I have been a practising systems administrator I have migrated thousands of applications between different versions of Windows. While the 9.X branch was a pain, NT branch migrations tend to be (mostly) smooth.

The same can't be said for web applications, which have all sorts of bizarre dependencies. They can require specific versions of the web server because the application relies on some bit of security no-no that future versions simply won't allow.

Web applications often rely on just-in-time interpreted languages with their own binaries, such as PHP or Python, and these languages change often enough that moving from one version to the next would break the web application, even if the operating system and web server don't change.

Unfortunately, it might not be possible to install older versions of interpreters on newer operating systems. They will have different security restrictions from Server 2003's IIS, creating another source of potential problems.

Post-Server 2003 systems have different approaches to security. File system security defaults are tighter. The user context for applications matters. This can affect IIS modules and applications, but it can also affect Apache.

To migrate your web application successfully first make sure it will work with the version of the language interpreter you plan to install on the new system. Then do a test migration and spend some time working out the security issues. (Usually, getting everything running under the same user context solves everything.) After that, things should be good.

If you use IIS do try to upgrade to Server 2012 R2. It is rather a lot better than its predecessors, and it finally has an FTP server that doesn't suck. Your users will thank you for it.

Giant leap

If you have successfully migrated your applications to a post-Server 2003 operating system there are a few things to consider. The first and most important is training: there is a big gap between Server 2003 and its successors, especially if you are jumping all the way from Server 2003 to Server 2012 R2.

Migrations are stressful. They entail a lot of late nights with caffeinated beverages and levelling up the sysadmin Google-fu. It helps to plan a post-migration refresher course to cement the newly learned skills. You need to ensure that administrators are comfortable not only with the bare bones of running their applications, but with all the features of the new operating system.

The goal is to move beyond good enough towards best practice. Include a full review of backup and disaster recovery plans as many of these involve only backing up application data or configurations, and call for a rebuild of the operating system and application followed by a reinjection of the data and configuration files. Systems administrators should practice this enough to know the procedure cold on the new operating systems.

Documentation is critical. So is an outside eye. Even after a successful migration, if your company is covered by any regulations, or holds any IT-related certifications or compliances (such as HIPPA, PCI and so on) you will need to schedule a new audit. Migrating away from Server 2003 is big enough to invalidate your last audit.

Last but not least: scan your network. Don't let a rogue box rot in the back and risk getting you in trouble with auditors, lawyers or malware. Be 100 per cent sure you have found everything that needs to be migrated, and then check it again.

Spend to defend

We don't all get the option to upgrade business-critical Windows applications. For some companies there are viable ways to defend your ageing estate. The bigger you are, however, the less likely it is that this will apply to you.

If you can't migrate, have IT lock down and defend your unsupported systems. It will cost money to get it done, but not nearly as much as handling the non-IT portions of the equation properly.

Letting operating systems or applications exit support is an issue that probably needs oversight from lawyers, relevant regulators and external auditors who can check that every reasonable measure has been taken.

Most importantly a plan should be in place to get towards a supported state. The more regulated your industry, the more critical this is.

Server 2003 exits support on July 14, 2015. Good luck! ®