The venerable Windows 2000 operating system is coming to the end of its extended support lifecycle next month on July 13, meaning no more fixes or security patches. At the 2010 TechEd conference in New Orleans, I sat down with Ward Ralston, Microsoft’s Group Product Manager for Windows Server, to talk about the implications for customers due to of the end of support, as well as Microsoft’s outreach efforts for this and future End-of-Life events.
Below is an edited transcription of the conversation.
eWEEK: Over the last few years, I’ve seen Windows 2000 the most often in health care, specifically running Windows 2000 Professional on hospital workstations. I don’t know what their server infrastructure is running, but I’m assuming it is the same.
Ralston: I see that a lot too, and it makes me nervous. We’ve been very vocal about the support policy we put in place 10 years ago - five years mainstream, five years extended - but we want to give (customers not ready to migrate) an option to stay supported. In a situation like health care, where for instance there is a breathing application certified for this OS and service pack level, and it’s approved by say the FDA, there’s a lot of regulations that go into the OS.
There’s a couple things that we’ve done at Microsoft to help customers like that. We have this notion of custom support agreements where the customer, based on the number of devices they have, can enter in a custom agreement with us, and we will provide them with patches and fixes for Windows 2000. We have a lot of customers who had custom support agreements for NT 4.0.
To help customers, we removed all the pricing tiers. You enter into a custom support agreement based on the number of devices you have - whether you have 10 or 10,000 devices - and you can get in on the lowest price level. That's an offer we have in place just for the first year. Then, every year you are on it, it gets more expensive. The reason why we do that is it’s very expensive to maintain a development team to write updates, and test and patch a product.
We also have a special program with our Microsoft consultant services. They'll come (to a customer) to do a Windows 2000 assessment, to tell the customer about their applications and workloads, then to recommend a path to upgrade, and leave them with a big report on what to do to get there. If they choose to implement MCS afterwards, then they can hire us to do that. And we're actually going to be extending that to partners in the future.
eWEEK:What are some of the things looked at as part of that assessment?
Ralston: The stickiest workload for Windows 2000 is the application. Domain Controller, file and print - all those are easy ones to migrate to another OS. But applications are the toughest.
We have Application Compatibility Factory (ACF) partners who know how to unravel these applications, like if the ISV is no longer there or no longer supports that version. We have a team of developers in India that help us unravel applications for customers that truly have a problem and can't move but really want to.
Windows 2000 is 10 years old. There is no direct upgrade option, especially if you are looking at a going to R2. You were in a 32-bit, non-virtualized, power hungry world and now you are going to 64-bit, so you have to re-platform, re-architect.
We have a support site we set up at http://support.microsoft.com/win2000 where we put all the how to guides - how to do a server migration, an Active Directory migration, or what to do for a rolling upgrade of your failover clusters. We have them all broken down by workload.
We want to make sure we give our customers and partners the resources they need. We've been emailing any customer who has opened a support call on Windows 2000 within the last 2 years, to make sure they aware they need to upgrade. We've been giving all of our partners templates that they can send to their customers to say, "Hey you coming to end of life, we're here if you need us."
Also, the next version of Microsoft Application and Planning toolkit (MAP) is in beta. It will flag any Windows 2000 boxes for in your organization for you and then point you to the resource to migrate them. It does the same thing for Server 2003.
My favorite customer story is about a bowling alley that had - and still does probably - a Windows 2000 box on a Pentium II computer. It’s not hooked up to the internet or anything, and it just resets the pins. Their mentality is, "Why should I upgrade? It does what it does."
But then when you think about it, hardware has a 100 percent failure rate eventually. So what are you going to do when that box does die and you buy that new box from Dell? If you put Windows 2000 on it, you don’t have device drivers and you won’t have security patches. You may think you are safe because it is not hooked up to the internet, but there will be no hardware support.
eWEEK: With the bowling example, is it a case where it will be easier to make his machine a VM to run atop a modern OS?
Ralston: That is one way to mitigate the hardware issue. But if you have the next Nimda or Conficker worm, for these people out there without a patch, it could be potentially devastating. I just want customers to be aware what that really means not to be patched.
Another issue, pick your compliance flavor - credit card reporting act, HIPAA, Sarbannes-Oxley - I think there are 1600 of them around the world we have looked at. The vast majority of them require you to have a patch management strategy. If the vendor is not supplying patches, you are not compliant.
eWEEK: I’ve talked to many of your ISVs and heard the same story, that the bulk of their customers are still using Windows 2003.
Ralston:I want to say 2006 was the year when Windows 2003 overtook Windows 2000. If you look at the (adoption) curves, 2000 has been going down steadily over the last few years, while 2003 has been going up. And now we starting see 2008 R2 and 2008 spike within the last 2 years (Microsoft tracks 2008 and R2 together). Our server marketing intelligence team (SMIT) takes our sales data, IDC data, and do a magic math formula to say "This is the official install base.”
I know Windows 2000 is the one that is coming end of life eminently, but Windows 2003 is entering extended support at the same time, and that one has us concerned. 2003 is hands down the vast majority of our install base, and we've never had an install base this big before.
We did some awareness around Windows 2000 (going EOL), but the install base was very small and we had a relationship with a lot of those customers, so we feel really good about where the install base is and that (EOL) is not going to be a problem for customers. We just want to make sure that we get in a last little bit of awareness.
We want to make sure that five years from now, when Windows 2003 does go End-Of-Life, people have already migrated off it. That means they have to have a plan in place in three years. You will see us start to talk about it a lot more.
eWEEK: What have you learned from the way you handled the Windows 2000 EOL that can help your outreach for Windows 2003’s EOL?
Ralston: In hindsight, i would have loved to address the Windows 2000 End-Of-Life two years ago, and to make it a more integral part of our launch. We started last summer, and if you are talking lessons learned, that was too late. I also would have liked to have a more rich application compatibility toolkit in place.
We've done worldwide surveys - one of the things we use to track our install base and how customers are implementing it is something called our Server Tracker, a survey we do every quarter. We followed up with all our Windows 2000 customers from the last server tracker survey and asked how many had a plan in place, how many are moving, etc. It was a very small percentage of customers who feel they were still going to be on 2000 when it com end of life. But it’s really interesting in emerging markets - the awareness wasn't as high (in places) like in China or India - and we are hoping the MAP toolkit and (outreach to) press and blogs will raise awareness.
But you are right, we are taking all the lessons learned from Windows 2000, and we are going to be applying them to the 2003 issue. There’s lots of work to be done in the next few years.
eWEEK: One of the my favorite statistics thrown around this week was that the need for around 70 percent of patches goes away when using Server Core versus a standard Windows Server installation - a beautiful mark for reliability and server uptime. When customers upgrade, are a lot of them utilizing Server Core?
Ralston: It goes to the way Windows 2008 and R2 are laid out. You have Server Core, which is bare bones with just a few different roles, or you have a full install with 30 different roles that can be installed. The more roles there are, the more patches that are needed. With Core, there’s no Internet Explorer, no stuff that warrants more patches. You can probably take that same rationale that with a Windows Server, if all i have is web server role versus one with every role installed, there would probably by 70 percent less patches too.
We started with just 4 roles in Core, file and print, Active Directory, and DNS. We said these are the most critical infrastructure workloads, and we ripped out everything wasn’t needed to support those. Customers loved it even from beta, and from beta to RC, we added another 5 roles - things like web server and Hyper-V. We're taking that customer feedback into the next version as well.
I’d like to think customers would go to Server Core. It’s hard for us to tell what they did once they migrated. That’s not a bad question for another survey coming up.
eWEEK: How feasible will it be to bring additional applications to Server Core, like Exchange or SharePoint?
Ralston: I can’t wait to talk to you about the next version of Windows Server, where it all ends up. It’s way too early right now, though.