Windows is not updating
There are several options to consider today: 2008, 2008R2, 2012, or 2012R2 operating systems.
However, no matter which newer OS you move your DC’s to, coming from 2003, the krbtgt account will reset its’ password when you update the Domain Functional Level (DFL), which is the concern that could break Exchange.
To update without taking precautions is simply negligent on the part of the user.
If you are using a new installation of XP, eventually a balloon will appear by the Notification Area asking if you want to enable Automatic Updates.
The first item to consider is which Windows Server Operating System (OS) you will be moving to for your DC’s.
This is where the user has to make a decision whether or not the update is proper for the system.
Just because an update is available doesn't mean it's needed or even necessary in all situations.
Since raising functional levels is an irreversible operation (in many situations, but not always anymore), it should be planned with care and only after having verified that it will not impact any applications that rely heavily on Directory Services.
Mostly any in-house written and/or third party products are the main concern.