
Install Exchange Security Update

Another month, another Exchange update. The Microsoft Exchange team releases Cumulative Updates (CUs) on a regular cadence and Exchange Server Security Updates (SUs) when vulnerabilities are discovered.

Keep in mind that the update can take a long time to finish. If you have only one Exchange Server, mail flow will not work while the update is being applied. The following guide shows how to update Exchange in a DAG, but it can be followed for a single server by skipping the DAG-specific steps.

Please Note

After you upgrade Exchange to a newer CU, you can't uninstall the new version to revert to the previous version. Uninstalling the new version completely removes Exchange from the server.
Any customized Exchange or Internet Information Services (IIS) settings you made in Exchange XML application configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an Exchange CU. Be sure to save this information so you can easily re-apply the settings after the install.

Install Exchange Security Update best practice

Before the Security Update

  • Schedule patching so that the passive node is patched first and the normally active node several days later
  • Check the Microsoft Exchange Update Planner for the steps to bring your Exchange Server to the latest available cumulative and security updates, as it may add or remove steps from the guide below
  • Ensure any additional software required for the CU is available; for this example (installing CU22) the IIS URL Rewrite Module must be installed first
  • Verify that you have confirmed, working backups of Active Directory
  • Verify that you have confirmed, working backups of your Exchange servers and databases
  • Verify that you have documented any customizations to your Exchange server that will need to be re-applied, such as custom OWA login pages, web.config changes, registry changes or third-party add-ons
  • Save all customized Exchange and Internet Information Services (IIS) settings, as they may be overwritten by the upgrade; this covers anything you did not change with PowerShell, such as custom registry entries and Outlook on the web (OWA) customizations
  • Verify that the PowerShell execution policy is set to Unrestricted, as per KB981474
  • Place the server in maintenance mode in your monitoring systems, for example SCOM
  • Add yourself to the Organization Management group in AD so you can run setup and the Exchange cmdlets used below
  • Add yourself to the Enterprise Admins and Schema Admins groups in AD if a schema or domain upgrade is required
  • Check for Windows Updates and install them
  • Restart the server
  • Put the Exchange server into maintenance mode (see below)
  • Temporarily disable any anti-virus software (avoid where possible; configured exclusions for the Exchange paths are the safer option, and re-enable it as soon as the update completes)
  • Temporarily disable any backup software (avoid where possible)
  • Use an elevated command prompt to run the Security Update

After the Security Update

  • Restart the server
  • Check the event logs, filtering for errors and warnings
  • Take the Exchange server out of maintenance mode
  • Enable backup software (if disabled above)
  • Enable anti-virus (if disabled above)
  • Take the server out of maintenance mode in your monitoring systems, for example SCOM

Find Exchange Server version

Find the Exchange version currently installed on both servers in the DAG. Browse to Control Panel > Programs and Features and check which Exchange Server version is installed.

  • Check that the build versions match via the shell. Start Exchange Management Shell as administrator and run the command
Get-ExchangeServer | Format-Table Name, Edition, AdminDisplayVersion

Name       Edition     AdminDisplayVersion
----       -------     -------------------
EXCHANGE01 Coexistence Version 15.1 (Build 2242.4)
EXCHANGE02 Coexistence Version 15.1 (Build 2242.4)
  • Place the Exchange update media (CU setup files and/or the SU .msp) in C:\install\exchange on both servers. If you don't have an install folder, create one

Backup Exchange Customizations

Back up the files below manually to a location not affected by the CU, as the CU overwrites all settings made in them. Additional files may be required depending on your customizations.

File use        Files / folder location
ActiveSync      %ExchangeInstallPath%FrontEnd\HttpProxy\Sync\web.config
                %ExchangeInstallPath%ClientAccess\Sync\web.config
EWS             %ExchangeInstallPath%FrontEnd\HttpProxy\ews\web.config
                %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config
OWA             %ExchangeInstallPath%FrontEnd\HttpProxy\owa\web.config
                %ExchangeInstallPath%ClientAccess\Owa\web.config
Other files     %ExchangeInstallPath%Bin\MsExchangeMailboxReplication.exe.config
                %ExchangeInstallPath%Bin\Microsoft.Exchange.Notifications.Broker.exe.config
                %ExchangeInstallPath%Bin\MSExchangeHMRecovery.exe.config
                %ExchangeInstallPath%Bin\MSExchangeMailboxAssistants.exe.config.template
                %ExchangeInstallPath%Bin\MSExchangeHMWorker.exe.config
                %ExchangeInstallPath%Bin\EdgeTransport.exe.config
                %ExchangeInstallPath%Bin\Microsoft.Exchange.AddressBook.Service.dll.config
Backup folders  %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\Current\themes\resources
                %ExchangeInstallPath%ClientAccess\Owa\prem\Current\resources\styles
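The backup step above, as an added example that is not part of the original post: it copies the listed files and folders to a timestamped folder outside the Exchange install path and writes a SHA256 manifest, so that after the CU you can tell exactly which files were replaced. It assumes an elevated PowerShell session on the Exchange server (where the ExchangeInstallPath environment variable is set); D:\ExchangeBackup is a hypothetical destination.

```powershell
# Added example (not from the original post). Back up the customizable Exchange config files
# listed above and record their hashes so overwritten files can be identified after the CU.
$ExchangeInstallPath = $env:ExchangeInstallPath
if (-not $ExchangeInstallPath) { throw "ExchangeInstallPath is not set; run this on an Exchange server." }

# Same list as the table above, relative to the install path
$relativeFiles = @(
    'FrontEnd\HttpProxy\Sync\web.config',
    'ClientAccess\Sync\web.config',
    'FrontEnd\HttpProxy\ews\web.config',
    'ClientAccess\exchweb\ews\web.config',
    'FrontEnd\HttpProxy\owa\web.config',
    'ClientAccess\Owa\web.config',
    'Bin\MsExchangeMailboxReplication.exe.config',
    'Bin\Microsoft.Exchange.Notifications.Broker.exe.config',
    'Bin\MSExchangeHMRecovery.exe.config',
    'Bin\MSExchangeMailboxAssistants.exe.config.template',
    'Bin\MSExchangeHMWorker.exe.config',
    'Bin\EdgeTransport.exe.config',
    'Bin\Microsoft.Exchange.AddressBook.Service.dll.config'
)
$relativeFolders = @(
    'FrontEnd\HttpProxy\owa\auth\Current\themes\resources',
    'ClientAccess\Owa\prem\Current\resources\styles'
)

function Backup-ExchangeCustomizations {
    param([Parameter(Mandatory)][string]$Destination)   # must be outside %ExchangeInstallPath%

    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupRoot = Join-Path $Destination "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

    # Copy each file, preserving its relative path, and record a SHA256 for later comparison
    $manifest = foreach ($rel in $relativeFiles) {
        $source = Join-Path $ExchangeInstallPath $rel
        if (-not (Test-Path $source)) { Write-Warning "Missing (not backed up): $source"; continue }
        $target = Join-Path $backupRoot $rel
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $source -Destination $target -Force
        [pscustomobject]@{
            RelativePath = $rel
            Sha256       = (Get-FileHash -Path $source -Algorithm SHA256).Hash
            LastWriteUtc = (Get-Item $source).LastWriteTimeUtc
        }
    }

    # Theme/style folders are copied whole; they are not hashed
    foreach ($rel in $relativeFolders) {
        $source = Join-Path $ExchangeInstallPath $rel
        if (-not (Test-Path $source)) { Write-Warning "Missing folder: $source"; continue }
        $target = Join-Path $backupRoot $rel
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path (Join-Path $source '*') -Destination $target -Recurse -Force
    }

    $manifestPath = Join-Path $backupRoot 'manifest.csv'
    $manifest | Export-Csv -Path $manifestPath -NoTypeInformation
    Write-Host "Backed up $(@($manifest).Count) files to $backupRoot (manifest: $manifestPath)"
    return $backupRoot
}

# D:\ExchangeBackup is a hypothetical path; use any location the CU will not touch
$backupRoot = Backup-ExchangeCustomizations -Destination 'D:\ExchangeBackup'
```

Keep the returned backup folder name; the manifest in it is what you compare against after the CU has installed.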

Place Exchange 2016 into maintenance mode prior to patching

Run Exchange Management Shell as administrator. Set the Hub Transport component to Draining so the server stops accepting new messages.

Set-ServerComponentState -Identity "EXCHANGE01" -Component HubTransport -State Draining -Requester Maintenance

Redirect any queued messages to EXCHANGE02. The -Target value must be the target server's FQDN, and the target server must not be in maintenance mode.

Redirect-Message -Server "EXCHANGE01" -Target "EXCHANGE02.thetechevolution.com"

Confirm
Are you sure you want to perform this action?
Redirecting messages to "EXCHANGE02.thetechevolution.com".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Pause the cluster node, suspending EXCHANGE01 from the DAG.

Suspend-ClusterNode "EXCHANGE01"

Name       ID State
----       -- -----
EXCHANGE01  1 Paused

Disable database copy automatic activation. This command also moves any active database copies to other DAG members, assuming other healthy DAG members are available. This is not instantaneous; it can take several minutes for the moves to occur.

Set-MailboxServer "EXCHANGE01" -DatabaseCopyActivationDisabledAndMoveNow $true

Make a note of the database copy automatic activation policy on the server. You can set it back to this value at the end of maintenance. The default setting is Unrestricted

Get-MailboxServer "EXCHANGE01" | Select DatabaseCopyAutoActivationPolicy

DatabaseCopyAutoActivationPolicy
--------------------------------
                    Unrestricted

Set it to Blocked to prevent any of the databases from becoming Active

Set-MailboxServer "EXCHANGE01" -DatabaseCopyAutoActivationPolicy Blocked

Check for any database copies that are still mounted on the server; it may take a while for the active databases to move. The command below should return no results. If a database copy is still active on the server and other DAG members host copies of it, move it manually with Move-ActiveMailboxDatabase -Server EXCHANGE01 -ActivateOnServer EXCHANGE02

Get-MailboxDatabaseCopyStatus -Server "EXCHANGE01" | Where {$_.Status -eq "Mounted"}

Once the active databases have been moved, check the transport queues with Get-Queue -Server "EXCHANGE01". The queues should be empty or almost empty, as all server components are about to be disabled; any messages still in the queues will be delayed until the server is taken out of maintenance mode.

Identity              DeliveryType Status MessageCount Velocity RiskLevel OutboundIPPool NextHopDomain
EXCHANGE01\Submission Undefined    Ready  0            0        Normal    0              Submission

Put EXCHANGE01 into maintenance mode.

Set-ServerComponentState "EXCHANGE01" -Component ServerWideOffline -State Inactive -Requester Maintenance

How to verify Exchange Server is in maintenance mode

Verify if the Exchange Server EXCHANGE01 has been placed into maintenance mode. All components should show Inactive except for Monitoring and RecoveryActionsEnabled.

Get-ServerComponentState "EXCHANGE01" | Select Component, State
Component                     State
---------                     -----
ServerWideOffline          Inactive
HubTransport               Inactive
FrontendTransport          Inactive
Monitoring                   Active
RecoveryActionsEnabled       Active
AutoDiscoverProxy          Inactive
ActiveSyncProxy            Inactive
EcpProxy                   Inactive
EwsProxy                   Inactive
ImapProxy                  Inactive
OabProxy                   Inactive
OwaProxy                   Inactive
PopProxy                   Inactive
PushNotificationsProxy     Inactive
RpsProxy                   Inactive
RwsProxy                   Inactive
RpcProxy                   Inactive
UMCallRouter               Inactive
XropProxy                  Inactive
HttpProxyAvailabilityGroup Inactive
ForwardSyncDaemon          Inactive
ProvisioningRps            Inactive
MapiProxy                  Inactive
EdgeTransport              Inactive
HighAvailability           Inactive
SharedCache                Inactive
MailboxDeliveryProxy       Inactive
RoutingUpdates             Inactive
RestProxy                  Inactive
DefaultProxy               Inactive
Lsass                      Inactive
RoutingService             Inactive
E4EProxy                   Inactive
CafeLAMv2                  Inactive
LogExportProvider          Inactive

Before starting the updates, it is recommended to reboot the Exchange Server first. This frees resources and clears any pending reboot state. After the reboot, you can start installing the updates.
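The whole maintenance-mode procedure above, as an added example that is not part of the original post: one function that runs the steps in order, waits until nothing is mounted and the queues are empty instead of asking you to re-run the checks by hand, and refuses to continue if any component other than Monitoring and RecoveryActionsEnabled is still Active. It assumes the Exchange Management Shell on a DAG member; EXCHANGE01 and EXCHANGE02.thetechevolution.com are the page's hypothetical names. The transport service restart after setting Draining comes from Microsoft's DAG maintenance procedure and is not shown on this page.

```powershell
# Added example (not from the original post): enter maintenance mode with wait loops and a final check.
function Enter-ExchangeMaintenanceMode {
    param(
        [Parameter(Mandatory)][string]$Server,       # server to take down
        [Parameter(Mandatory)][string]$TargetFqdn,   # healthy DAG member that receives queued mail
        [int]$TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    # 1. Stop accepting new mail, then hand over what is already queued
    Set-ServerComponentState -Identity $Server -Component HubTransport -State Draining -Requester Maintenance
    # Microsoft's DAG maintenance procedure restarts transport so the Draining state takes effect (not on this page)
    Restart-Service MSExchangeTransport
    Redirect-Message -Server $Server -Target $TargetFqdn -Confirm:$false

    # 2. Pause the cluster node, move active copies away and block re-activation
    Suspend-ClusterNode -Name $Server | Out-Null
    Set-MailboxServer -Identity $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    $previousPolicy = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
    Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy Blocked

    # 3. Wait until no database is mounted here and the transport queues are empty
    while ($true) {
        $mounted = @(Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object Status -eq 'Mounted')
        $queued  = [int](Get-Queue -Server $Server | Measure-Object -Property MessageCount -Sum).Sum
        if ($mounted.Count -eq 0 -and $queued -eq 0) { break }
        if ((Get-Date) -gt $deadline) {
            throw "Timed out on ${Server}: $($mounted.Count) mounted copies, $queued queued messages. Use Move-ActiveMailboxDatabase and retry."
        }
        Write-Host "Waiting on ${Server}: $($mounted.Count) mounted, $queued queued"
        Start-Sleep -Seconds 30
    }

    # 4. Take every remaining component offline
    Set-ServerComponentState -Identity $Server -Component ServerWideOffline -State Inactive -Requester Maintenance

    # 5. Verify: only Monitoring and RecoveryActionsEnabled are expected to stay Active
    $stillActive = @(Get-ServerComponentState -Identity $Server |
        Where-Object { $_.State -eq 'Active' -and $_.Component -notin @('Monitoring', 'RecoveryActionsEnabled') })
    if ($stillActive.Count -gt 0) {
        throw "Components still active on ${Server}: $($stillActive.Component -join ', ')"
    }
    Write-Host "$Server is in maintenance mode; activation policy to restore afterwards: $previousPolicy"
    return $previousPolicy
}

# Keep the returned policy: it is the value to put back when leaving maintenance mode
$policyToRestore = Enter-ExchangeMaintenanceMode -Server 'EXCHANGE01' -TargetFqdn 'EXCHANGE02.thetechevolution.com'
```

The function returns the activation policy that was in place before it set Blocked, which removes the need to remember it separately for the exit steps later in this guide.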

.NET Framework and Exchange Server Cumulative Update

When upgrading Exchange Server from an unsupported CU to the current CU and no intermediate CUs are available, you should first upgrade to the latest version of .NET that’s supported by your version of Exchange Server and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services.
Check the Exchange Server supportability matrix to confirm that the installed .NET Framework version is supported by the cumulative update you are installing: .Net Exchange 2016 Matrix

Prepare Schema and Domain Updates

Confirm that the Exchange Active Directory versions match those required by the cumulative update you are installing. This step can be run in advance or at the time of the upgrade; either way, the account running the install or upgrade must be a member of Enterprise Admins and Schema Admins.
Run the commands below and note the version numbers.

RangeUpper

Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)" -Property Rangeupper

Rangeupper        : 15333

ObjectVersion (Default)

Get-ADObject "CN=Microsoft Exchange System Objects,$((Get-ADRootDSE).defaultNamingContext)" -Property objectVersion

objectVersion     : 13240

ObjectVersion (Configuration)

Get-ADObject (dir "AD:\CN=Microsoft Exchange,CN=Services,$((Get-ADRootDSE).configurationNamingContext)").DistinguishedName -Property objectVersion

objectVersion     : 16220

Check the values required by the target CU in its release notes and in Microsoft's Exchange Schema Updates Matrix to confirm whether schema updates are required.

Exchange                Forest (rangeUpper)   Domain (objectVersion)   Forest (objectVersion)
2016 CU22               15334                 13242                    16222
2016 current values     15333                 13240                    16220

Install Schema and Domain Updates

Run Command Prompt as administrator (not PowerShell) from the folder containing the extracted CU, or from the drive letter of the mounted ISO (the setup paths will differ from those shown here). The commands require Enterprise Admins and Schema Admins membership and must be run in the same AD site and domain as the Schema Master, on a server with the RSAT-ADDS-Tools feature installed (the Schema Master itself meets these requirements).

setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

Run the PrepareDomain command in each domain in your forest that contains Exchange servers or mailboxes. If you have a single domain, PrepareAD has already done this for you.

Post Schema and Domain Checks

After the upgrade, re-run the commands below and check that the new values match the values for the cumulative update media being used.

RangeUpper

Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)" -Property Rangeupper

Rangeupper        : 15334

ObjectVersion (Default)

Get-ADObject "CN=Microsoft Exchange System Objects,$((Get-ADRootDSE).defaultNamingContext)" -Property objectVersion

objectVersion     : 13242

ObjectVersion (Configuration)

Get-ADObject (dir "AD:\CN=Microsoft Exchange,CN=Services,$((Get-ADRootDSE).configurationNamingContext)").DistinguishedName -Property objectVersion

objectVersion     : 16222

Exchange                Forest (rangeUpper)   Domain (objectVersion)   Forest (objectVersion)
2016 CU22               15334                 13242                    16222
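The pre-upgrade check and this post-upgrade check are the same three lookups, so here is one added example (not part of the original post) that serves both: it reads the three version markers, compares them with the values you take from the target CU's release notes, and reports which of PrepareSchema, PrepareAD and PrepareDomain are still outstanding. Run it before the upgrade to decide what is needed and again afterwards to confirm the expected values are in place. It assumes the ActiveDirectory RSAT module; the expected numbers passed at the bottom are the Exchange 2016 CU22 values from the table above and must be replaced for any other CU.

```powershell
# Added example (not from the original post): compare the Exchange AD version markers with the target CU.
Import-Module ActiveDirectory

function Get-ExchangeADVersion {
    $rootDse = Get-ADRootDSE
    $schema = Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" -Properties rangeUpper
    $domain = Get-ADObject "CN=Microsoft Exchange System Objects,$($rootDse.defaultNamingContext)" -Properties objectVersion
    # The organization container is the child of CN=Microsoft Exchange that carries an objectVersion
    $org = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
                        -SearchScope OneLevel -Filter 'objectVersion -like "*"' -Properties objectVersion |
           Select-Object -First 1
    [pscustomobject]@{
        RangeUpper          = [int]$schema.rangeUpper        # forest schema version
        DomainObjectVersion = [int]$domain.objectVersion     # per-domain version (run in each domain)
        ConfigObjectVersion = [int]$org.objectVersion        # forest configuration version
    }
}

function Test-ExchangeADPrepared {
    param(
        [Parameter(Mandatory)][int]$ExpectedRangeUpper,
        [Parameter(Mandatory)][int]$ExpectedDomainObjectVersion,
        [Parameter(Mandatory)][int]$ExpectedConfigObjectVersion
    )
    $current = Get-ExchangeADVersion
    [pscustomobject]@{
        Current            = $current
        NeedsPrepareSchema = $current.RangeUpper -lt $ExpectedRangeUpper
        NeedsPrepareAD     = $current.ConfigObjectVersion -lt $ExpectedConfigObjectVersion
        NeedsPrepareDomain = $current.DomainObjectVersion -lt $ExpectedDomainObjectVersion
        # Higher than expected means a newer Exchange version already prepared this forest; check the
        # release notes before running setup, as the numbers are not comparable across major versions
        AheadOfTarget      = ($current.RangeUpper -gt $ExpectedRangeUpper) -or
                             ($current.ConfigObjectVersion -gt $ExpectedConfigObjectVersion)
    }
}

# Expected values for Exchange 2016 CU22 as listed on this page; replace for your CU
$result = Test-ExchangeADPrepared -ExpectedRangeUpper 15334 -ExpectedDomainObjectVersion 13242 -ExpectedConfigObjectVersion 16222
$result.Current | Format-List
$result | Select-Object NeedsPrepareSchema, NeedsPrepareAD, NeedsPrepareDomain, AheadOfTarget | Format-List
```

After /PrepareSchema, /PrepareAD and /PrepareDomain have run, all three Needs* values should be False; a True for NeedsPrepareDomain in a multi-domain forest means the domain you are querying from has not been prepared yet.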

Install Exchange Update

  • Restart the server to clear any pending reboot status, which would otherwise stop Exchange setup from running.
  • After the restart, do not open the Exchange Management Shell (an open EMS session causes the setup prerequisite checks to fail). Open an elevated CMD prompt and run the following command from the folder containing the Exchange setup files
setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

After the cumulative update has installed, restart the server. When the server has been restarted, perform a basic health check of the server:

  • Review event logs for new or excessive errors and warnings
  • Check that auto-start services on the server have started

Install the latest applicable security update (SU)

  • If applicable, install the latest Security Update for the cumulative update. The steps are below; the build numbers and release dates are listed at Exchange Server build numbers and release dates
  • Select Start, and then enter cmd.
  • In the results, right-click Command prompt, and then select Run as administrator.
  • If the User Account Control box appears, verify that the default action is the action that you want, and then select Continue
  • Enter the full path of the .msp file, and then press Enter. IMPORTANT: When installing the security update manually you must run it from an elevated command prompt. If you don’t, the install might complete, but the server won’t be protected.
  • Reboot the server, even if you aren’t prompted to do so.
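The SU install steps above, as an added example that is not part of the original post. It enforces the IMPORTANT note: it refuses to run unless the session is elevated, checks that the .msp carries a valid Microsoft Authenticode signature before executing it, installs with a verbose msiexec log, and then compares the ExSetup.exe build before and after, which is the concrete test for the "install completed but the server is not protected" failure. C:\install\exchange\ExchangeSU.msp and the log folder are hypothetical paths.

```powershell
# Added example (not from the original post): install an Exchange SU with elevation, signature and build checks.
function Install-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)][string]$MspPath,
        [string]$LogDir = 'C:\install\exchange\logs'
    )
    # 1. A non-elevated install can appear to succeed while leaving the binaries unpatched, so refuse early
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Run as administrator) session."
    }

    # 2. Only execute a package with a valid Microsoft signature; a tampered or corrupt download stops here
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for ${MspPath}: $($sig.Status) / $($sig.SignerCertificate.Subject)"
    }

    # 3. Record the build before, install with a verbose log, compare the build after
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'   # file version reflects the SU build
    $before  = (Get-Item $exSetup).VersionInfo.ProductVersion
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log  = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f (Split-Path $MspPath -Leaf), (Get-Date))
    $args = @('/update', "`"$MspPath`"", '/passive', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru

    $after = (Get-Item $exSetup).VersionInfo.ProductVersion
    [pscustomobject]@{
        ExitCode     = $proc.ExitCode    # 0 = success, 3010 = success but reboot required
        BuildBefore  = $before
        BuildAfter   = $after
        BuildChanged = ($before -ne $after)
        Log          = $log
    }
}

$result = Install-ExchangeSecurityUpdate -MspPath 'C:\install\exchange\ExchangeSU.msp'
$result | Format-List
if (($result.ExitCode -notin @(0, 3010)) -or -not $result.BuildChanged) {
    Write-Warning "SU did not apply cleanly; review $($result.Log) before rebooting."
}
```

An exit code of 0 or 3010 together with BuildChanged = True is the evidence that the files were replaced; reboot afterwards regardless, as the page says.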

Restore Customizations

After you have completed updating your servers, re-apply any customizations documented during the preparation steps above, for example changes to web.config, sharedweb.config or EdgeTransport.exe.config, where those files were replaced. Re-apply the individual settings to the new files rather than copying the old files back over them, because the CU may have changed the default contents of those files.
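Added example, not part of the original post, for deciding what actually needs restoring: it reads the manifest.csv written by a backup step (columns RelativePath and Sha256), recomputes the hash of each live file, and prints a line-level diff for every file the CU overwrote, so you can merge your settings into the new file instead of replacing it wholesale. The backup folder name is hypothetical and the ExchangeInstallPath environment variable is assumed.

```powershell
# Added example (not from the original post): find which backed-up config files the CU replaced.
function Compare-ExchangeCustomizations {
    param([Parameter(Mandatory)][string]$BackupRoot)   # folder containing manifest.csv and the copied files

    $manifest = Import-Csv -Path (Join-Path $BackupRoot 'manifest.csv')
    foreach ($entry in $manifest) {
        $live  = Join-Path $env:ExchangeInstallPath $entry.RelativePath
        $state = if (-not (Test-Path $live)) { 'Missing' }
                 elseif ((Get-FileHash -Path $live -Algorithm SHA256).Hash -eq $entry.Sha256) { 'Unchanged' }
                 else { 'Overwritten' }
        [pscustomobject]@{
            RelativePath = $entry.RelativePath
            State        = $state
            BackupCopy   = Join-Path $BackupRoot $entry.RelativePath
            LiveFile     = $live
        }
    }
}

# Hypothetical backup folder produced before the CU
$results = Compare-ExchangeCustomizations -BackupRoot 'D:\ExchangeBackup\EXCHANGE01-20220623-140000'
$results | Format-Table RelativePath, State -AutoSize

# For each overwritten file, show old-vs-new lines ("<=" only in the backup, "=>" only in the new file)
foreach ($r in $results | Where-Object State -eq 'Overwritten') {
    $diff = Compare-Object -ReferenceObject (Get-Content $r.BackupCopy) -DifferenceObject (Get-Content $r.LiveFile)
    Write-Host "---- $($r.RelativePath): $(@($diff).Count) differing lines"
    $diff | Format-Table InputObject, SideIndicator -AutoSize
}
```

Lines marked "<=" are candidates to re-apply by hand; lines marked "=>" are what the CU added or changed and should normally be kept.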

Take Exchange Server out of maintenance mode

After the update, bring EXCHANGE01 back into service. Run Exchange Management Shell as administrator.

You can now remove the server from maintenance mode. Note: if the server is not a DAG member, only the first and last commands are necessary. If the server is a DAG member, run all of the commands. Use the database copy auto-activation policy value you noted before maintenance (the default is Unrestricted).

Set-ServerComponentState "EXCHANGE01" -Component ServerWideOffline -State Active -Requester Maintenance

Resume-ClusterNode -Name "EXCHANGE01"

Name       ID State
----       -- -----
EXCHANGE01  1 Up

Set-MailboxServer "EXCHANGE01" -DatabaseCopyAutoActivationPolicy Unrestricted

Set-MailboxServer "EXCHANGE01" -DatabaseCopyActivationDisabledAndMoveNow $false

Set-ServerComponentState "EXCHANGE01" -Component HubTransport -State Active -Requester Maintenance
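The exit steps above as one function, added here as an example that is not part of the original post. Beyond running the commands in order, it checks the cluster node really came back Up and then lists any component that is still Inactive together with the requester that holds it: Set-ServerComponentState with -Requester Maintenance only clears the Maintenance requester, so a component left Inactive by HealthAPI, Functional or Deployment stays down and would otherwise go unnoticed. The transport service restarts come from Microsoft's DAG maintenance procedure and are not shown on this page; EXCHANGE01 is the page's hypothetical name.

```powershell
# Added example (not from the original post): leave maintenance mode and verify nothing is left Inactive.
function Exit-ExchangeMaintenanceMode {
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('Unrestricted', 'IntrasiteOnly', 'Blocked')][string]$ActivationPolicy = 'Unrestricted',
        [switch]$NotDagMember   # skip the cluster and activation steps on a standalone server
    )
    Set-ServerComponentState -Identity $Server -Component ServerWideOffline -State Active -Requester Maintenance

    if (-not $NotDagMember) {
        $node = Resume-ClusterNode -Name $Server
        if ($node.State -ne 'Up') { throw "Cluster node $Server is $($node.State), expected Up" }
        Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy $ActivationPolicy
        Set-MailboxServer -Identity $Server -DatabaseCopyActivationDisabledAndMoveNow $false
    }

    Set-ServerComponentState -Identity $Server -Component HubTransport -State Active -Requester Maintenance
    # Microsoft's DAG maintenance procedure restarts both transport services at this point (not on this page)
    Restart-Service MSExchangeTransport, MSExchangeFrontEndTransport

    # Anything still Inactive was not taken down by the Maintenance requester; report who owns it
    $inactive = @(Get-ServerComponentState -Identity $Server | Where-Object State -eq 'Inactive')
    foreach ($c in $inactive) {
        $owners = ($c.LocalStates | ForEach-Object { "$($_.Requester)=$($_.State)" }) -join '; '
        Write-Warning "$($c.Component) still Inactive on $Server (local states: $owners)"
    }
    return ($inactive.Count -eq 0)
}

# Use the policy value recorded before maintenance; Unrestricted is the default
if (Exit-ExchangeMaintenanceMode -Server 'EXCHANGE01' -ActivationPolicy 'Unrestricted') {
    Write-Host 'EXCHANGE01 is out of maintenance mode with all components Active'
}
```

If a component is reported with a requester other than Maintenance, set it Active with that same -Requester value after confirming why it was disabled.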

Rebalance Database Availability Groups

Throughout the update process, the database copies will move between DAG members. Return your active database copies to their most preferred DAG member. Use the PowerShell script supplied by Microsoft.

cd $exscripts
.\RedistributeActiveDatabases.ps1 -DagName "DAG-01" -BalanceDbsByActivationPreference -SkipMoveSuppressionChecks

Verify out of maintenance mode

Verify that EXCHANGE01 is back up and running with the following commands.

The cluster node must show State Up.

Get-ClusterNode "EXCHANGE01"

Name       ID State
----       -- -----
EXCHANGE01  1 Up

Get-ClusterNode

Name       ID State
----       -- -----
EXCHANGE01  1 Up
EXCHANGE02  2 Up

Check that all the required services are running

Test-ServiceHealth "EXCHANGE01"

Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
                          MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
                          MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
                          MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
                          MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Check that the required services are running on all the Exchange Servers.

Get-ExchangeServer | Test-ServiceHealth


Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
                          MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
                          MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
                          MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
                          MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
                          MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
                          MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
                          MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
                          MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Test the MAPI Connectivity

Test-MAPIConnectivity -Server "EXCHANGE01"

MailboxServer Database Result  Error
------------- -------- ------  -----
EXCHANGE01    MDB-01   Success

Get the DAG copy status on all the Exchange Servers. One copy of each database should be Mounted and every other copy Healthy; a copy showing Failed, Suspended or FailedAndSuspended needs attention before moving on.

Get-MailboxDatabaseCopyStatus * | Sort Name | Select Name, Status, Contentindexstate

Name              Status  ContentIndexState
----              ------  -----------------
MDB-01\EXCHANGE01 Mounted Healthy
MDB-01\EXCHANGE02 Healthy Healthy

Check the Replication Health

Test-ReplicationHealth -Server "EXCHANGE01"

Server     Check                Result Error
------     -----                ------ -----
EXCHANGE01 ClusterService       Passed
EXCHANGE01 ReplayService        Passed
EXCHANGE01 ActiveManager        Passed
EXCHANGE01 TasksRpcListener     Passed
EXCHANGE01 TcpListener          Passed
EXCHANGE01 ServerLocatorService Passed
EXCHANGE01 DagMembersUp         Passed
EXCHANGE01 MonitoringService    Passed
EXCHANGE01 ClusterNetwork       Passed
EXCHANGE01 QuorumGroup          Passed
EXCHANGE01 DatabaseRedundancy   Passed
EXCHANGE01 DatabaseAvailability Passed

Check the Replication Health on all the Exchange Servers.

Get-DatabaseAvailabilityGroup | Select -ExpandProperty:Servers | Test-ReplicationHealth | Sort Name

Server          Check                      Result     Error
EXCHANGE01 ReplayService              Passed
EXCHANGE01 ActiveManager              Passed
EXCHANGE01 TasksRpcListener           Passed
EXCHANGE01 ClusterService             Passed
EXCHANGE02 DBDisconnected             Passed
EXCHANGE02 DBLogCopyKeepingUp         Passed
EXCHANGE02 DBLogReplayKeepingUp       Passed
EXCHANGE01 TcpListener                Passed
EXCHANGE01 QuorumGroup                Passed
EXCHANGE01 DatabaseRedundancy         Passed
EXCHANGE01 DatabaseAvailability       Passed
EXCHANGE01 ClusterNetwork             Passed
EXCHANGE01 ServerLocatorService       Passed
EXCHANGE01 DagMembersUp               Passed
EXCHANGE01 MonitoringService          Passed
EXCHANGE02 TcpListener                Passed
EXCHANGE02 ServerLocatorService       Passed
EXCHANGE02 DagMembersUp               Passed
EXCHANGE02 TasksRpcListener           Passed
EXCHANGE02 ClusterService             Passed
EXCHANGE02 ReplayService              Passed
EXCHANGE02 ActiveManager              Passed
EXCHANGE02 MonitoringService          Passed
EXCHANGE02 DBCopySuspended            Passed
EXCHANGE02 DBCopyFailed               Passed
EXCHANGE02 DBInitializing             Passed
EXCHANGE02 DatabaseAvailability       Passed
EXCHANGE02 ClusterNetwork             Passed
EXCHANGE02 QuorumGroup                Passed
EXCHANGE02 DatabaseRedundancy         Passed

Verify that the database copy auto-activation policy is back to Unrestricted (or to the value you noted before maintenance).

Get-MailboxServer "EXCHANGE01" | Select Name, DatabaseCopyAutoActivationPolicy

Name       DatabaseCopyAutoActivationPolicy
----       --------------------------------
EXCHANGE01 Unrestricted

Verify the policy on all the Exchange Servers.

Get-MailboxServer | Select Name, DatabaseCopyAutoActivationPolicy

Name       DatabaseCopyAutoActivationPolicy
----       --------------------------------
EXCHANGE01 Unrestricted
EXCHANGE02 Unrestricted
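All of the post-update checks in this section rolled into one function, added here as an example that is not part of the original post: cluster node state, required services, MAPI connectivity, database copy status, replication health, the activation policy and whether every server in the organization reports the same build. Each check returns a pass/fail row with the detail that failed, so the result can be kept with the change record. It assumes the Exchange Management Shell on a DAG member and the page's hypothetical server name.

```powershell
# Added example (not from the original post): consolidated post-patch health check for one server.
function Test-ExchangePostPatchHealth {
    param([Parameter(Mandatory)][string]$Server)
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Passed, $Detail)
             $checks.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }) }

    # Cluster membership: the node must be Up, not Paused
    $node = Get-ClusterNode -Name $Server
    & $add 'ClusterNodeUp' ($node.State -eq 'Up') $node.State

    # Every role must report RequiredServicesRunning = True
    $svc = @(Test-ServiceHealth -Server $Server)
    $notRunning = @($svc | ForEach-Object { $_.ServicesNotRunning })
    & $add 'RequiredServices' ($notRunning.Count -eq 0) ($notRunning -join ',')

    # MAPI logon to every active database on this server
    $mapi = @(Test-MAPIConnectivity -Server $Server)
    $mapiFailed = @($mapi | Where-Object Result -ne 'Success')
    & $add 'MAPIConnectivity' ($mapiFailed.Count -eq 0) (($mapiFailed | ForEach-Object { "$($_.Database)=$($_.Result)" }) -join ',')

    # Copies must be Mounted or Healthy with a Healthy content index (Exchange 2016; 2019 reports NotApplicable)
    $copies = @(Get-MailboxDatabaseCopyStatus -Server $Server)
    $badCopies = @($copies | Where-Object { $_.Status -notin @('Mounted', 'Healthy') -or $_.ContentIndexState -ne 'Healthy' })
    & $add 'DatabaseCopies' ($badCopies.Count -eq 0) (($badCopies | ForEach-Object { "$($_.Name)=$($_.Status)/$($_.ContentIndexState)" }) -join ',')

    # Replication checks: anything other than Passed is reported
    $repl = @(Test-ReplicationHealth -Server $Server)
    $replFailed = @($repl | Where-Object Result -ne 'Passed')
    & $add 'ReplicationHealth' ($replFailed.Count -eq 0) (($replFailed | ForEach-Object { "$($_.Check)=$($_.Result)" }) -join ',')

    # Activation policy restored
    $policy = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
    & $add 'ActivationPolicy' ($policy -eq 'Unrestricted') $policy

    # Once every member is patched, all servers should show the same CU build
    # (AdminDisplayVersion reflects the CU, not the SU; compare ExSetup.exe versions for the SU level)
    $builds = @(Get-ExchangeServer | Select-Object Name, AdminDisplayVersion)
    $distinct = @($builds | ForEach-Object { "$($_.AdminDisplayVersion)" } | Select-Object -Unique)
    & $add 'ConsistentCUBuild' ($distinct.Count -eq 1) (($builds | ForEach-Object { "$($_.Name)=$($_.AdminDisplayVersion)" }) -join ',')

    return $checks
}

$report = Test-ExchangePostPatchHealth -Server 'EXCHANGE01'
$report | Format-Table Check, Passed, Detail -AutoSize
if (@($report | Where-Object { -not $_.Passed }).Count -gt 0) { Write-Warning 'One or more post-patch checks failed' }
```

Run it on each DAG member after it leaves maintenance mode; ConsistentCUBuild is expected to fail until the last member has been updated.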

Checks to complete after update

  • Test the mail flow via the SMTP service is working
  • Test access to Exchange Management Shell from the updated Exchange server
  • Test that Exchange Admin Centre is working

Install Cumulative Update on all Exchange Servers

If more than one Exchange Server is running in the organization, perform the same steps on all of them. The servers can hold any of the following roles (Edge Transport servers are not DAG members, so the DAG-specific steps do not apply to them):

Exchange Mailbox server
Exchange Edge server
Exchange Hybrid server

Check that Exchange Server is up to date

Run the Exchange HealthChecker script (make sure you download the latest version from GitHub).

Download HealthChecker.ps1 and place it in the C:\scripts folder on the Exchange Server. Make sure the file is unblocked (Unblock-File) so it runs without errors.

Create Exchange Servers report

Run Exchange Management Shell as administrator. Change the path to the scripts folder.

cd C:\scripts

#Verify the signature before running the script with the Get-AuthenticodeSignature cmdlet.
Get-AuthenticodeSignature -FilePath ".\HealthChecker.ps1" | ft -AutoSize


    Directory: C:\scripts


SignerCertificate                        Status Path
ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B Valid  HealthChecker.ps1

Run the cmdlet to create a report for all Exchange Servers. It will run the HTML report and open it automatically.

Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

If the report does not open automatically, you can find the report in the C:\scripts folder.

Check Exchange Servers report for vulnerabilities

The HTML report will look like the screen below. Everything should be green, as the environment has been patched with the latest CU and SU on the Exchange Servers with the mailbox role.

Exchange Server Health Report

If you are not up to date or not patched, the report will show the vulnerabilities. Investigate any red or yellow warnings in the report and fix them where applicable. The findings are not necessarily related to missing patches; the script also reports configuration weaknesses.

Fault Finding

No guide would be complete without some fault-finding steps, so below are the most common issues seen when patching Microsoft Exchange Server.

Check ECP Access

As a final check, confirm that ECP is accessible and that you can log in:

https://webmail.thetechevolution.com/ecp (check from a local device and from both EXCHANGE01 and EXCHANGE02)

https://127.0.0.1/ecp/ (check from both EXCHANGE01 and EXCHANGE02)

If this returns an error, check Event Viewer for the event below before applying the fix.

Event code: 3008
Event message: A configuration error has occurred.
Event time: 06/23/2022 3:18:28 PM
Event time (UTC): 06/23/2022 3:18:28 PM
Event ID: 7e35d47a79aa443fa8dc63d407ac27fa
Event sequence: 1
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/2/ROOT/ecp-1239-132890597087176142
Trust level: Full
Application Virtual Path: /ecp
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\
Machine name: EXCHANGE01

Process information:
Process ID: 13460
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM

Exception information:
Exception type: ConfigurationErrorsException
Exception message: Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, Boolean checkAptcaBit)
at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.
at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMarkHandle stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName, ObjectHandleOnStack type)
at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName)
at System.Type.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
at System.Web.Compilation.BuildManager.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)

Request information:
Request URL: https://localhost:444/ecp/exhealth.check
Request path: /ecp/exhealth.check
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM

Thread information:
Thread ID: 42
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, Boolean checkAptcaBit)
at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

If the above event is present, open PowerShell as administrator and run the two scripts below. They rebuild the Client Access virtual directories and regenerate the Exchange configuration files that setup failed to redeploy.

cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"

.\UpdateCas.ps1

.\UpdateConfigFiles.ps1

Once both have completed, restart IIS (with iisreset, not by forcibly stopping the service) and retest. This resolves the issue, which is caused by the customized client access files not being redeployed as required.
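The ECP check and the event-log lookup above as one function, added here as an example that is not part of the original post. It requests the ECP URL and treats 200 or 401 as "the application started" and 500 as the ASP.NET start-up failure, then searches the Application log for the ASP.NET configuration-error event (event code 3008, which Windows records as event ID 1310) whose message contains the "Could not load file or assembly 'Microsoft.Exchange..." text shown above, so you know whether the UpdateCas.ps1 / UpdateConfigFiles.ps1 fix applies. The FQDN is the page's hypothetical one; the certificate on the name must be trusted by the machine running the check.

```powershell
# Added example (not from the original post): test ECP and look for the assembly-load event above.
function Test-EcpHealth {
    param(
        [string]$Fqdn  = 'webmail.thetechevolution.com',
        [int]$Hours    = 24                              # how far back to search the Application log
    )
    $url = "https://$Fqdn/ecp/"
    try {
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode                  # 200: login page rendered
    } catch {
        # HTTP errors (401 auth challenge, 500 app failure) surface here with the response attached
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }

    # ASP.NET "A configuration error has occurred" (event code 3008) is logged as event ID 1310
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1310; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Could not load file or assembly 'Microsoft\.Exchange\." -and
                       $_.Message -match 'Application Virtual Path: /ecp' })

    [pscustomobject]@{
        Url                 = $url
        HttpStatus          = $status
        EcpAppStarted       = ($status -in @(200, 401))  # either means the ECP application initialised
        AssemblyLoadErrors  = $events.Count
        LikelyUpdateCasFix  = ($events.Count -gt 0)      # True: run UpdateCas.ps1 / UpdateConfigFiles.ps1, then iisreset
        LastErrorTime       = if ($events.Count -gt 0) { ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated } else { $null }
    }
}

Test-EcpHealth | Format-List
```

Run it once to confirm the diagnosis, apply the fix above, restart IIS and run it again: HttpStatus should move from 500 to 200 or 401 and no new 1310 events should appear after LastErrorTime.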

Remove Permissions

  • Remove the additional group memberships (Organization Management, Enterprise Admins, Schema Admins) added to your admin account for the patching in the steps above, so the account returns to its normal level of privilege.

If the above has helped you carry out an Exchange Cumulative Update, please let us know by leaving a comment, or share the article. If you hit any errors or need more detail on anything covered, please comment, and check our other Exchange posts.
