I have now received several emails with questions about the Exchange 2016 update process. There are also always various questions in the comments to articles that refer to updates. So here is a short how-to on how to install Exchange updates.
What is a Cumulative Update for Exchange?
Updates for Exchange are published as Cumulative Updates (CU), i.e. all updates up to the time of publication of the CU are included in the update package. This is always the complete ISO for Exchange. Existing Exchange installations can be updated with the CU, as can new installations. Exceptions to this rule are security updates which are published as required. The next regular CU will then contain the previously published security updates, if there have been any.
As a CU always includes the complete installation files, it is not necessary to install CUs sequentially. For example, if the Exchange organization runs with CU2, it is not necessary to install CU3, CU4 and then CU5. The servers can be updated directly from CU2 to CU5.
Sequence
For a larger Exchange organization, the Exchange 2016 servers are updated in the following order:
- Exchange Server providing services on the Internet (Internet-facing), internal and external URLs are configured
- if available: Exchange Server providing services in the local network (non-Internet-facing), only internal URLs are configured
- if available: Exchange Transport Server
Plan update
Depending on the Exchange environment, a few things need to be planned or taken into account.
- Active Directory schema update required?
- Maintenance window / Exit strategy
- Known problems
- Reports from other users
Many of the Exchange CUs require an update of the AD schema. In larger environments, the schema update of the Active Directory should be carried out independently of the installation of the CU. The actual CU should only be installed once the schema change has replicated to all domain controllers, which can take some time in environments with multiple domains and multiple sites.
In environments with only one Exchange server, a corresponding maintenance window must be scheduled. During the time in which the CU is installed, no connection to the respective Exchange server is possible (SMTP, as well as Outlook and ActiveSync). You should also think about an exit strategy, how long you can search for a solution in the event of a problem and what to do if no solution is found (how do I get back to the last functional status?).
In a highly available environment, running different CU versions on the Exchange servers is supported, but the aim should be to have all Exchange servers at the same patch level.
As a rule, known problems are also published for the CUs. Knowing these problems in advance can save a lot of trouble, and you should also check the reports of other users to see whether any problems have occurred.
Preparations
Before installing updates for Exchange, the following preparations should be completed:
- Download the CU
- If the schema update was carried out in advance: Check replication of DCs and schema version
- Check backups (Exchange and Active Directory)
- Backup of special settings (changes in the registry for Exchange services, login templates, etc.)
- Verification of the certificates
As the CUs contain all Exchange installation files, CUs are relatively large and take time to download depending on the bandwidth. If you only have a limited maintenance window, download the CU in advance so that no time is wasted on the download.
Since Exchange CUs can also contain updates for the Active Directory schema, but do not necessarily have to, it is important that backups are available for Exchange and also for the Active Directory. If something should go wrong, you don't just want to have an 8-week-old backup to hand.
Special settings for Exchange, i.e. changes in the IIS web.config, changes to the OWA login mask or settings in the registry may be overwritten by the update process. If such changes are made, they should therefore be documented and saved beforehand.
Expired certificates can cause the update process to stop. The certificates should therefore be checked beforehand.
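The checks from the preparation list can be scripted. The following is an added example, not part of the original article: a read-only pre-flight script for the Exchange Management Shell. It assumes the ActiveDirectory PowerShell module is installed on the server, and the 30-day certificate warning threshold is an assumption.

```powershell
# Added example: read-only pre-flight checks before installing a CU.
# Run in the Exchange Management Shell on the server that will be updated.
Import-Module ActiveDirectory
$warnDays = 30   # assumption: warn when a certificate expires within 30 days

# 1. Exchange schema version as seen by every domain controller in the forest.
#    Once /PrepareSchema has replicated, all DCs report the same rangeUpper.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schema = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $obj = Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Server $dc.HostName -Properties rangeUpper
        [pscustomobject]@{ DC = $dc.HostName; RangeUpper = $obj.rangeUpper }
    }
}
$schema | Format-Table -AutoSize
if (($schema.RangeUpper | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Domain controllers report different Exchange schema versions.'
}

# 2. Replication failures anywhere in the forest.
$failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
if ($failures) {
    Write-Warning 'Active Directory replication failures found:'
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
}

# 3. Exchange certificates that are expired or close to expiry.
$limit = (Get-Date).AddDays($warnDays)
Get-ExchangeCertificate -Server $env:COMPUTERNAME |
    Where-Object { $_.NotAfter -lt $limit } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, Services, NotAfter -AutoSize

# 4. Age of the last backup of each mailbox database on this server.
Get-MailboxDatabase -Server $env:COMPUTERNAME -Status |
    Format-Table Name, LastFullBackup, LastIncrementalBackup -AutoSize
```

An empty certificate table and no warnings mean these four points are clear; the Active Directory backup still has to be checked in the backup software itself.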
Before installation
If the CU requires a schema update, the schema update should be carried out separately from the CU installation in environments with multiple domains or domain controllers. Although the Exchange Setup also updates the schema during the installation, this can lead to problems in larger environments. The schema can be updated as follows:
setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms
The last command only needs to be executed if there are several Active Directory domains; if there is only one domain in which Exchange is installed, it is sufficient to execute the first and second command. If there are several AD domains, the last command must be executed in all domains that contain mailboxes or Exchange servers.
After the schema has been updated, you must wait for Active Directory replication to complete or trigger it manually.
Before starting the installation, all third-party software services (backup tools, spam filters installed on Exchange servers, virus scanners) should be stopped. In many cases, virus scanners cause problems during the update or sometimes significantly prolong the update process, so be sure to disable them for the duration of the update and do not forget Windows Defender. Windows Defender can be deactivated with the following command:
Set-MpPreference -DisableRealtimeMonitoring $true
If a server restart is still pending, the restart must be carried out before the update, otherwise the setup will not start the update process.
As various PowerShell scripts are executed during the update, the PowerShell Execution Policy must be set to "Unrestricted":
Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted
The first command displays the current execution policy, the second command changes the execution policy to "Unrestricted". After successful installation, the original value can be set again.
Furthermore, the UM language packages must be uninstalled before installing a CU if UM language packages have been installed. After installation, the appropriate UM language packages for the CU can be reinstalled.
Installation
If there is only one Exchange Server, then in my opinion the update can now be started simply by double-clicking on setup.exe from the ISO.
In high-availability environments, it is a little more complex. First, the server that is to be updated is removed from the load balancing pool or deactivated so that the load balancer no longer sends connections to the Exchange server. Then the transport service is put into maintenance mode and mails from the queue are redirected to a remaining server:
Set-ServerComponentState FWEX1 -Component HubTransport -State Draining -Requester Maintenance
Redirect-Message -Server FWEX1 -Target FWEX2.frankysweb.local
If the server is a member of a DAG, maintenance mode can now also be activated and active databases can be moved to another server:
Suspend-ClusterNode -Name FWEX1
Set-MailboxServer FWEX1 -DatabaseCopyActivationDisabledAndMoveNow $true
Set-MailboxServer FWEX1 -DatabaseCopyAutoActivationPolicy Blocked
Now you can check whether any active databases remain on the Exchange Server:
Get-MailboxDatabaseCopyStatus -Server FWEX1 | Where {$_.Status -eq "Mounted"}
If no more databases are displayed, the server can be switched offline:
Set-ServerComponentState FWEX1 -Component ServerWideOffline -State InActive -Requester Maintenance
As the server is now in maintenance mode, the update can now be started either by double-clicking on setup.exe or directly via the shell:
setup /m:upgrade /IAcceptExchangeServerLicenseTerms
Once the update is running, it's time for coffee. CU5 for Exchange 2016 took 90 minutes on my rather weak test Exchange with 12 GB RAM and 2 CPUs. However, you can always plan for half an hour.
After installation
Once the CU has been installed, virus scanners and other services can be restarted. The PowerShell Execution Policy can also be set to the default value "Restricted" (Windows Server 2016) or "RemoteSigned" (Windows Server 2012 R2) again. Windows Defender can also be switched on again:
Set-MpPreference -DisableRealtimeMonitoring $false
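The temporary changes from "Before installation" are easy to forget once the update has finished. The following is an added example, not part of the original article: it records the execution policy and the Defender setting before changing them and restores and verifies exactly those values afterwards. The function names and the state file path are assumptions, and it presumes a server with the Defender cmdlets (Windows Server 2016).

```powershell
# Added example; the state file path and function names are assumptions.
$stateFile = 'C:\ExchangeUpdate\pre-update-state.json'

function Save-PreUpdateState {
    # Record the current values, then apply the temporary settings from the article.
    $null = New-Item -ItemType Directory -Path (Split-Path $stateFile) -Force
    [pscustomobject]@{
        ExecutionPolicy           = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
        DisableRealtimeMonitoring = [bool](Get-MpPreference).DisableRealtimeMonitoring
        SavedAt                   = (Get-Date).ToString('s')
    } | ConvertTo-Json | Set-Content -Path $stateFile -Encoding UTF8

    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force
}

function Restore-PreUpdateState {
    # Put back exactly what was recorded, then verify the effective state.
    $state = Get-Content -Path $stateFile -Raw | ConvertFrom-Json
    Set-ExecutionPolicy $state.ExecutionPolicy -Scope LocalMachine -Force
    Set-MpPreference -DisableRealtimeMonitoring $state.DisableRealtimeMonitoring

    $policy   = Get-ExecutionPolicy -Scope LocalMachine
    $realtime = (Get-MpComputerStatus).RealTimeProtectionEnabled
    if ("$policy" -ne $state.ExecutionPolicy) {
        Write-Warning "Execution policy is still $policy"
    }
    if (-not $state.DisableRealtimeMonitoring -and -not $realtime) {
        Write-Warning 'Defender real-time protection is still switched off'
    }
    [pscustomobject]@{ ExecutionPolicy = $policy; RealTimeProtection = $realtime }
}
```

Call Save-PreUpdateState before starting setup and Restore-PreUpdateState once the CU is installed; a warning means a setting did not return to its recorded value, for example because a Group Policy controls it.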
In high-availability environments, maintenance mode must of course be switched off again:
Set-ServerComponentState FWEX1 -Component ServerWideOffline -State Active -Requester Maintenance
Resume-ClusterNode -Name FWEX1
Set-MailboxServer FWEX1 -DatabaseCopyAutoActivationPolicy Unrestricted
Set-MailboxServer FWEX1 -DatabaseCopyActivationDisabledAndMoveNow $false
Set-ServerComponentState FWEX1 -Component HubTransport -State Active -Requester Maintenance
Special settings such as registry values, web.config or adjustments to the OWA login template must be checked after installation. The functional tests are now also due, which essentially involve the following checks / tests:
- Check the Event Viewer for errors / problems
- Check whether all Exchange services are started
- Check the status of the databases and the index
- Test Outlook / ActiveSync / OWA connection
- E-mail transmission (send / receive)
- if required: Reinstall UM language packs for the installed CU
In larger environments:
- Check the status of the DAG
- Distribute mailbox databases according to the activation preference (happens automatically with Exchange 2016 from CU2)
- Add server to the load balancing pool again
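Most of these checks can be run from the Exchange Management Shell. The following is an added example, not part of the original article; the two-hour look-back window for the event log is an assumption. Client tests (Outlook, ActiveSync, OWA) and a send/receive test still have to be done by hand.

```powershell
# Added example: post-update checks, run in the Exchange Management Shell
# on the server that was just updated.
$server = $env:COMPUTERNAME
$since  = (Get-Date).AddHours(-2)   # assumption: covers the update window

# Build number after the update
Get-ExchangeServer $server | Format-List Name, AdminDisplayVersion

# Roles whose required services are not all running
Test-ServiceHealth -Server $server |
    Where-Object { -not $_.RequiredServicesRunning } |
    Format-Table Role, ServicesNotRunning -AutoSize

# Components still in maintenance state. ForwardSyncDaemon and ProvisioningRps
# are normally Inactive on on-premises servers and can be ignored.
Get-ServerComponentState $server |
    Where-Object { $_.State -ne 'Active' } |
    Format-Table Component, State -AutoSize

# Database copies and content index
Get-MailboxDatabaseCopyStatus -Server $server |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize

# Transport queues that still hold messages
Get-Queue -Server $server |
    Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize

# DAG members only: replication checks that did not pass
Test-ReplicationHealth -Identity $server |
    Where-Object { "$($_.Result)" -notmatch 'Passed' } |
    Format-Table Server, Check, Result, Error -AutoSize

# Critical and error events from Exchange sources since the update started
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'MSExchange*' } |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Apart from the build number and the database copy table, every section prints only problems, so empty output there means the check passed.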
Tip
Create an update cookbook. At the next CU, you can document all the necessary commands that are executed before and after the installation. All services and programs that were stopped can also be documented in the cookbook, as well as any problems that occurred. For example, if there are programs that need to be restarted after the Exchange services were unavailable, these should also be documented. For future updates, the documentation can then simply be consulted and all the necessary steps can be carried out quickly and according to standard. This also results in significantly fewer problems.
Update 3/27/2017: Added information on disabling Windows Defender and checking databases.
Update 28.03.2017: Note on uninstalling the UM language packs added