skip to Main Content

Install Cumulative Update Exchange 2016

You have to install a Cumulative Update in Exchange 2016. It’s good to keep the Exchange Server up to date. Plan the update before starting, and keep in mind that it can take time before it finishes. If you have only one Exchange Server, mail flow will not work at that time. Now, what is the best procedure to install Cumulative Update in Exchange 2016?

There are two options to upgrade Exchange Server 2016. Update Exchange with Graphic User Interface (GUI) or unattended mode (command line). The organization that I want to install the Cumulative Update for does have two Exchange Servers. I am going to install the Cumulative Update on the Exchange Server EX01-2016. The other Exchange Server is named EX02-2016. In this article, you will learn how to use unattended mode to install Cumulative Update in Exchange 2016.

Good to know before installing Cumulative Update

  • After you upgrade Exchange to a newer CU, you can’t uninstall the new version to revert to the previous version. Uninstalling the new version completely removes Exchange from the server.
  • Any customized Exchange or Internet Information Server (IIS) settings you made in Exchange XML application configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will overwrite when you install an Exchange CU. Be sure to save this information so you can easily re-apply the settings after the install.

Note: The previous /IAcceptExchangeServerLicenseTerms switch will not work starting with the September 2021 CUs. You now must use either /IAcceptExchangeServerLicenseTerms_DiagnosticDataON or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF for unattended and scripted installs.

Install Cumulative Updates best practices

Before the Cumulative Update:

  • Place the server in maintenance mode in the monitoring systems (for example, SCOM)
  • Check for Windows Updates and install the updates
  • Restart the server
  • Put the server in maintenance mode
  • Temporarily disable any anti-virus software
  • Temporarily disable any backup software
  • Use an elevated command prompt to run the Cumulative Update

After the Cumulative Update:

  • Restart the server
  • Check the event logs by filtering for errors and warnings
  • Take the server out of maintenance mode
  • Enable backup software
  • Enable anti-virus
  • Take the server out of maintenance mode in the monitoring systems (for example, SCOM)

Put Exchange Server in maintenance mode

Read more in the article Put Exchange Server in maintenance mode.

Sign in to Exchange Server EX01-2016. Run Exchange Management Shell as administrator. Set the Hub Transport Service to draining. It will stop accepting any more messages.

[PS] C:\>Set-ServerComponentState -Identity "EX01-2016" -Component HubTransport -State Draining -Requester Maintenance

Redirect any queued messages to EX02-2016. The target Server value has to be the target server’s FQDN. The target server shouldn’t be in maintenance mode.

[PS] C:\>Redirect-Message -Server "EX01-2016" -Target "EX02-2016.exoip.local"

Confirm
Are you sure you want to perform this action?
Redirecting messages to "EX02-2016.exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

If the server is a DAG member, run the following commands. If your server is not a DAG member, skip to the command for setting ServerWideOffline.

Pause the cluster node. Suspend Server EX01-2016 from the DAG.

[PS] C:\>Suspend-ClusterNode "EX01-2016"

Name            ID    State
----            --    -----
EX01-2016       1     Paused

Disable database copy automatic activation. This command will also move any active database copies to other DAG members. Assuming there are other healthy DAG members available. This is not instantaneous, it can take several minutes for the moves to occur. We’ll check it in one of the following commands.

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyActivationDisabledAndMoveNow $true

Make a note of the database copy automatic activation policy on the server. You can set it back to this value at the end of maintenance. The default setting is Unrestricted.

[PS] C:\>Get-MailboxServer "EX01-2016" | Select DatabaseCopyAutoActivationPolicy

DatabaseCopyAutoActivationPolicy
--------------------------------
                    Unrestricted

Set it to Blocked to prevent any of the databases from becoming Active.

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyAutoActivationPolicy Blocked

Check for any database copies that are still mounted on the server. It may take a while for the Active databases to move. This command should return no results. If any database copies are still active on the server and other DAG members host copies of the database, perform a manual switchover.

[PS] C:\>Get-MailboxDatabaseCopyStatus -Server "EX01-2016" | Where {$_.Status -eq "Mounted"}

Once the active databases have been moved, we will check the transport queue. Queues should be empty or almost empty, as we will be disabling all server components. Any emails still pending in the queues will have a delay in delivery till the server is taken out from maintenance mode.

[PS] C:\>Get-Queue

Identity             DeliveryType               Status MessageCount Velocity RiskLevel OutboundIPPool NextHopDomain
--------             ------------               ------ ------------ -------- --------- -------------- -------------
EX01-2016\4          SmtpDeliveryToMailbox      Ready  0            0        Normal    0              db2
EX01-2016\8          SmtpDeliveryToMailbox      Ready  0            0        Normal    0              db4
EX01-2016\15         SmartHostConnectorDelivery Ready  0            0        Normal    0              mx1.spambull.com
EX01-2016\20         SmtpDeliveryToMailbox      Ready  0            0        Normal    0              db5
EX01-2016\22         SmartHostConnectorDelivery Ready  0            0        Normal    0              mx2.spambull.com
EX01-2016\Submission Undefined                  Ready  0            0        Normal    0              Submission
EX01-2016\Shadow\3   ShadowRedundancy           Ready  0            0        Normal    0              ex02-2016.exoip.local

Put the Server EX01-2016 into maintenance mode.

[PS] C:\>Set-ServerComponentState "EX01-2016" -Component ServerWideOffline -State Inactive -Requester Maintenance

Check the load balancer

Do you have the Exchange Server configured in a load balancer? Verify that the load balancer health checks have taken the server out of the pool or marked it as offline/inactive. If the load balancer does not automatically do this, manually mark the server as offline/inactive. Sign in to your load balancer and set any virtual services you have to disable any connections to Server EX01-2016. Typically there would be SMTP and HTTPS virtual services. This will force any future connections to Server EX01-2016.

How to verify Exchange Server is in maintenance mode

Verify if the Exchange Server EX01-2016 has been placed into maintenance mode. All components should show Inactive except for Monitoring and RecoveryActionsEnabled.

[PS] C:\>Get-ServerComponentState "EX01-2016" | Select Component, State

Component                     State
---------                     -----
ServerWideOffline          Inactive
HubTransport               Inactive
FrontendTransport          Inactive
Monitoring                   Active
RecoveryActionsEnabled       Active
AutoDiscoverProxy          Inactive
ActiveSyncProxy            Inactive
EcpProxy                   Inactive
EwsProxy                   Inactive
ImapProxy                  Inactive
OabProxy                   Inactive
OwaProxy                   Inactive
PopProxy                   Inactive
PushNotificationsProxy     Inactive
RpsProxy                   Inactive
RwsProxy                   Inactive
RpcProxy                   Inactive
UMCallRouter               Inactive
XropProxy                  Inactive
HttpProxyAvailabilityGroup Inactive
ForwardSyncDaemon          Inactive
ProvisioningRps            Inactive
MapiProxy                  Inactive
EdgeTransport              Inactive
HighAvailability           Inactive
SharedCache                Inactive
MailboxDeliveryProxy       Inactive
RoutingUpdates             Inactive
RestProxy                  Inactive
DefaultProxy               Inactive
Lsass                      Inactive
RoutingService             Inactive
E4EProxy                   Inactive
CafeLAMv2                  Inactive
LogExportProvider          Inactive

Which .NET Framework and Exchange Server Cumulative Update

Read more in the article Update .NET Framework in Exchange Server.

A lot of Exchange admins have seen Exchange Servers breaking and not working after a Cumulative Update. It’s important to know that .NET Framework is a must for Exchange Server. When installing Cumulative Updates on Exchange 2013/2016/2019, we sometimes have to update .NET Framework. That is not always the case. Sometimes you can run the Cumulative Update without updating .NET Framework. Yes, we can download .NET Framework for free.

What Microsoft is saying about .NET Framework:

When upgrading Exchange Server from an unsupported CU to the current CU and no intermediate CUs are available, you should first upgrade to the latest version of .NET that’s supported by your version of Exchange Server and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services.

Keep .NET Framework and Exchange Server 2016 up to date

Keep your Exchange Server 2016 up to date so that you don’t have to carry out a longer update path. I recommend downloading the Exchange CU ISO when it’s available and save it to the hard disk. Microsoft does remove older Exchange CUs when newer versions are released. When saving the Exchange CU ISO, you can always carry out the upgrade path. You can use an unofficial website to download an older Exchange CU.

How to update .NET Framework and Exchange Server Cumulative Update

Don’t immediately update when a .NET Framework version or Exchange Server version is released. Always wait and check if bugs are rising. Don’t forget to always test the Exchange Server CU in a test environment before updating it in production.

I made a flowchart that will show the procedure on how to update .NET Framework and Exchange Server Cumulative Update.

Install Cumulative Update Exchange 2016 flowchart

To keep it simple, keep these two steps in mind when planning the update path:

  1. Update to the last Exchange version that is supported by the .NET Framework (blue arrow)
  2. Update to the last .NET Framework that is supported for the Exchange Server (green arrow)

Keep updating till you’re on the version that you want to be. It will most likely be the last released Exchange version. Use the given flowchart. It’s easy to follow the update path for Exchange Server Cumulative Update and .NET Framework.

Install .NET Framework

We are going to update from Exchange Server 2016 CU14 to Exchange Server 2016 CU16. Go to the download page of .NET Framework and download the appropriate version. In our case, it will be .NET Framework 4.8. If the download is finished, right-click the file and choose run as administrator. Install the .NET Framework on the Exchange Server. Restart when the installation is completed.

Prepare Active Directory and Domains

Read more in the article Prepare Active Directory and domains for Exchange Server.

Download Exchange Cumulative Update

Before we can prepare AD for Exchange 2016, we need to download the Exchange 2016 CU ISO. Go to the following page to get a list of the Exchange Server CU. The page will show you the Exchange Server build numbers and release dates. Scroll down for Exchange Server 2016. Download the Exchange Server 2016 Cumulative Update and place it in the C:\install folder. Create an install folder if you don’t have one.

In File Explorer, right-click on the Exchange Server 2016 CU16 ISO image file and select Mount. It will mount the ISO image to a drive. For example, the E:\ drive. The E:\ drive contains the Exchange installation files. Make sure to mount the Exchange ISO image before proceeding to the next step.

Install Cumulative Update Exchange 2016 mount ISO

Before extending the Active Directory schema, the following needs to be installed on the Exchange Server:

  • The RSAT-ADDS feature must be installed
  • Account needs to be added to the Schema Admins and Enterprise Admins security groups

You can extend the Active Directory Schema from the domain controller or any other server in the organization. The feature RSAT-ADDS is already installed on the domain controller. If you want to prepare the schema on the Domain Controller, you only need to install the .NET framework. Some organizations have different teams because of different administrative responsibilities in the environment.

Install RSAT-ADDS feature

RSAT-ADDS feature is already installed on the domain controller and Exchange Server. Install the RSAT-ADDS feature. Run PowerShell as administrator. Run the Install-WindowsFeature cmdlet including the RSAT-ADDS feature. If you are not sure if it’s installed on the system, run the command and it will tell you if there are no changes needed.

PS C:\>Install-WindowsFeature RSAT-ADDS

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Remote Server Administration Tools, Activ...

Schema Admins and Enterprise Admins security groups

Before you can extend the schema, your account needs to be a member of the Schema Admins and Enterprise Admins security groups. Open Active Directory and add both groups to your account if it’s not set already. These are high privilege groups. I recommend you to remove your account from the groups when you’re done with this task.

Note: If you’ve just added yourself to these groups, you’ll need to log out and back into the server for the new group membership to take effect.

Install Cumulative Update Exchange 2016 security groups

Prepare Active Directory Schema

The first step in getting your organization ready for Exchange 2016 is to extend the Active Directory schema. Exchange stores a lot of information in Active Directory but before it can do that, it needs to add/update classes and attributes.

Run Command Prompt as administrator. Run the following command to extend/prepare the schema for Exchange 2016.

C:\>E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema

Microsoft Exchange Server 2016 Cumulative Update 16 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Extending Active Directory schema                                                                 COMPLETED

The Exchange Server setup operation completed successfully.

You will see the COMPLETED messages in the output. The extend/prepare schema for Exchange 2016 went successfully.

Prepare Active Directory

After the Active Directory schema has been extended, you can prepare other parts of Active Directory for Exchange 2016. During this step, Exchange will create containers, objects, and other items in Active Directory to store information. The collection of the Exchange containers, objects, attributes, and so on, is called the Exchange organization.

Run Command Prompt as administrator. Run the following command to prepare Active Directory for Exchange 2016.

C:\>E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD

Microsoft Exchange Server 2016 Cumulative Update 16 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Organization Preparation                                                                          COMPLETED

The Exchange Server setup operation completed successfully.

Prepare Active Directory domains

The final step to get Active Directory ready for Exchange is to prepare each of the Active Directory domains where Exchange will be installed. This step creates additional containers, security groups, and sets permissions so that Exchange can access them.

If you have more than one domain, you can run the following command to prepare all the domains for Exchange 2016.

If you have only one domain, you can skip this step because the /PrepareAD command in the previous step has already prepared the domain for you.

C:\>E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

Microsoft Exchange Server 2016 Cumulative Update 16 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Prepare Domain Progress                                                                           COMPLETED

The Exchange Server setup operation completed successfully.

Check Exchange Active Directory versions

After you did prepare the AD for Exchange 2016, you like to check if the Active Directory is updated. Run PowerShell as administrator. Make sure that you set the Execution Policy to Unrestricted. Press Y and Enter. If you don’t, the script will not run.

PS C:\> Set-ExecutionPolicy Unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the
security risks described in the about_Execution_Policies help topic at http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to
change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y

Download the script Get-ADversions.ps1 and run it. For more information, read the article check Exchange Schema version with PowerShell. You can also run the following commands one by one.

PS C:\> # Exchange Schema Version
PS C:\> $sc = (Get-ADRootDSE).SchemaNamingContext
PS C:\> $ob = "CN=ms-Exch-Schema-Version-Pt," + $sc
PS C:\> Write-Output "RangeUpper: $((Get-ADObject $ob -pr rangeUpper).rangeUpper)"
RangeUpper: 15332
 
PS C:\> # Exchange Object Version (domain)
PS C:\> $dc = (Get-ADRootDSE).DefaultNamingContext
PS C:\> $ob = "CN=Microsoft Exchange System Objects," + $dc
PS C:\> Write-Output "ObjectVersion (Default): $((Get-ADObject $ob -pr objectVersion).objectVersion)"
ObjectVersion (Default): 13237
 
PS C:\> # Exchange Object Version (forest)
PS C:\> $cc = (Get-ADRootDSE).ConfigurationNamingContext
PS C:\> $fl = "(objectClass=msExchOrganizationContainer)"
PS C:\> Write-Output "ObjectVersion (Configuration): $((Get-ADObject -LDAPFilter $fl -SearchBase $cc -pr objectVersion).objectVersion)"
ObjectVersion (Configuration): 16217

How to confirm the Exchange Active Directory versions? Visit the page Exchange schema versions to get a list of the object versions.

Install Cumulative Update Exchange 2016 schema versions

Install Cumulative Update Exchange 2016 unattended mode

Run Command Prompt as administrator. Run the command to start the Cumulative Update for Exchange 2016.

C:\>E:\Setup.exe /IAcceptExchangeServerLicenseTerms /Mode:Upgrade

Microsoft Exchange Server 2016 Cumulative Update 16 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.

Languages
Management tools
Mailbox role: Transport service
Mailbox role: Client Access service
Mailbox role: Unified Messaging service
Mailbox role: Mailbox service
Mailbox role: Front End Transport service
Mailbox role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check

    Configuring Prerequisites                                                                         COMPLETED
    Prerequisite Analysis                                                                             100%

Configuring Microsoft Exchange Server

    Preparing Setup                                                                                   COMPLETED
    Stopping Services                                                                                 COMPLETED
    Language Files                                                                                    COMPLETED
    Removing Exchange Files                                                                           COMPLETED
    Preparing Files                                                                                   COMPLETED
    Copying Exchange Files                                                                            COMPLETED
    Language Files                                                                                    COMPLETED
    Restoring Services                                                                                COMPLETED
    Language Configuration                                                                            COMPLETED
    Exchange Management Tools                                                                         COMPLETED
    Mailbox role: Transport service                                                                   COMPLETED
    Mailbox role: Client Access service                                                               COMPLETED
    Mailbox role: Unified Messaging service                                                           COMPLETED
    Mailbox role: Mailbox service                                                                     COMPLETED
    Mailbox role: Front End Transport service                                                         COMPLETED
    Mailbox role: Client Access Front End service                                                     COMPLETED
    Finalizing Setup                                                                                  COMPLETED

The Exchange Server setup operation completed successfully.

The update did go successfully. Restart the Exchange Server.

Testing

Check the event logs by filtering for errors and warnings. If there are errors, make sure to troubleshoot and fix them.

Take Exchange Server out of maintenance mode

Read more in the article Take Exchange Server out of maintenance mode.

After the update, we like to get the Exchange Server EX01-2016 to be active again. Run Exchange Management Shell as administrator.

You can now remove the server from maintenance mode. Note: If the server is not a DAG member, only the first and last commands are necessary. If the server is a DAG member, you need to run all the commands. Use the database copy auto-activation policy value that was set on the server. The default is Unrestricted.

[PS] C:\>Set-ServerComponentState "EX01-2016" -Component ServerWideOffline -State Active -Requester Maintenance

[PS] C:\>Resume-ClusterNode -Name "EX01-2016"

Name             ID    State
----             --    -----
EX01-2016        1     Up

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyAutoActivationPolicy Unrestricted

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyActivationDisabledAndMoveNow $false

[PS] C:\>Set-ServerComponentState "EX01-2016" -Component HubTransport -State Active -Requester Maintenance

Rebalance Database Availability Groups

Read more in the article Balance mailbox databases in Exchange DAG.

Throughout the update process, the database copies will move between DAG members. Return your active database copies to their most preferred DAG member. Use the PowerShell script supplied by Microsoft.

[PS] C:\>cd $exscripts
 
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts\>.\RedistributeActiveDatabases.ps1 -DagName "DAG1" -BalanceDbsByActivationPreference -SkipMoveSuppressionChecks

Verify out of maintenance mode

Verify if the Exchange Server EX01-2016 is back up and running. Run the following commands.

The cluster node needs to have the state up.

[PS] C:\>Get-ClusterNode "EX01-2016"

Name              ID    State
----              --    -----
EX01-2016         1     Up

Check that the cluster node has the state up on all the Exchange Servers.

[PS] C:\>Get-ClusterNode

Check that all the required services are running.

[PS] C:\>Test-ServiceHealth "EX01-2016"


Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
                          MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC, MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Check that the required services are running on all the Exchange Servers.

[PS] C:\>Get-ExchangeServer | Test-ServiceHealth

Test the MAPI Connectivity.

[PS] C:\>Test-MAPIConnectivity -Server "EX01-2016"

MailboxServer           Database           Result    Error
-------------           --------           ------    -----
EX01-2016               DB1                Success
EX01-2016               DB2                Success
EX01-2016               DB3                Success
EX01-2016               DB4                Success
EX01-2016               DB5                Success

Test the MAPI Connectivity on all the Exchange Servers.

[PS] C:\>Get-ExchangeServer | Test-MAPIConnectivity

Get the result of the DAG Copy Status Health.

[PS] C:\>Get-MailboxDatabaseCopyStatus -Server "EX01-2016" | Sort Name | Select Name, Status, Contentindexstate

Name           Status  ContentIndexState
----           ------  -----------------
DB1\EX01-2016 Mounted            Healthy
DB2\EX02-2016 Mounted            Healthy
DB3\EX01-2016 Mounted            Healthy
DB4\EX02-2016 Mounted            Healthy
DB5\EX01-2016 Mounted            Healthy

Get the result of the DAG Copy Status Health on all the Exchange Servers.

[PS] C:\>Get-MailboxDatabaseCopyStatus * | Sort Name | Select Name, Status, Contentindexstate

Check the Replication Health.

[PS] C:\>Test-ReplicationHealth -Server "EX01-2016"

Server          Check                      Result     Error
------          -----                      ------     -----
EX01-2016       ClusterService             Passed
EX01-2016       ReplayService              Passed
EX01-2016       ActiveManager              Passed
EX01-2016       TasksRpcListener           Passed
EX01-2016       TcpListener                Passed
EX01-2016       ServerLocatorService       Passed
EX01-2016       DagMembersUp               Passed
EX01-2016       MonitoringService          Passed
EX01-2016       ClusterNetwork             Passed
EX01-2016       QuorumGroup                Passed
EX01-2016       FileShareQuorum            Passed
EX01-2016       DatabaseRedundancy         Passed
EX01-2016       DatabaseAvailability       Passed
EX01-2016       DBCopySuspended            Passed
EX01-2016       DBCopyFailed               Passed
EX01-2016       DBInitializing             Passed
EX01-2016       DBDisconnected             Passed
EX01-2016       DBLogCopyKeepingUp         Passed
EX01-2016       DBLogReplayKeepingUp       Passed

Check the Replication Health on all the Exchange Servers.

[PS] C:\>Get-DatabaseAvailabilityGroup | Select -ExpandProperty:Servers | Test-ReplicationHealth | Sort Name

Verify the Database Activation Policy is set to Unrestricted.

[PS] C:\>Get-MailboxServer "EX01-2016" | Select Name, DatabaseCopyAutoActivationPolicy

Name              DatabaseCopyAutoActivationPolicy
----              --------------------------------
EX01-2016                             Unrestricted

Verify the Database Activation Policy is set to Unrestricted on all the Exchange Servers.

[PS] C:\>Get-MailboxServer | Select Name, DatabaseCopyAutoActivationPolicy

Load balancer

Do you have the Exchange Server configured in a load balancer? Verify that the load balancer health checks have taken the server in the pool or marked it as online/active. If the load balancer does not automatically do this, manually mark the server as online/active. Sign in to your load balancer and set any virtual services you have to enable any connections to Server EX01-2016. Typically there would be SMTP and HTTPS virtual services. This will enable connections to Server EX01-2016.

Install Cumulative Update on all Exchange Servers

Do you have more than one Exchange Server running in the organization? Do the same steps on all the Exchange Servers. It can be the:

  • Exchange Mailbox server
  • Exchange Edge server
  • Exchange Hybrid server

Check that Exchange Server is up to date

Read more in the article Microsoft Exchange Server vulnerability check.

How to verify that all the Exchange Servers in the organization are up to date? Run the Exchange Health Checker script (make sure you download the latest version from GitHub).

Download and place the HealthChecker.ps1 PowerShell script on the Exchange Server C:\scripts folder. If you don’t have a scripts folder, create one. Make sure to check if the file is unblocked to prevent any errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Install Cumulative Update Exchange 2016 healthchecker script

Create Exchange Servers report

Run Exchange Management Shell as administrator. Change the path to the scripts folder.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>

Verify the signature before running the script with the Get-AuthenticodeSignature cmdlet.

[PS] C:\scripts>Get-AuthenticodeSignature -FilePath ".\HealthChecker.ps1" | ft -AutoSize


    Directory: C:\scripts


SignerCertificate                        Status Path
-----------------                        ------ ----
ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B Valid  HealthChecker.ps1

Run the cmdlet to create a report for all Exchange Servers. It will run the HTML report and open it automatically.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

If the report does not open automatically, you can find the report in the C:\scripts folder.

Install Cumulative Update Exchange 2016 healthchecker script report

Check Exchange Servers report for vulnerabilities

The HTML Report will show as below screen. All looks great because the environment got two Exchange Servers with the mailbox role. Both of them are on Exchange 2016 CU19 and patched. The column Security Vulnerabilities shows both Exchange Servers as None.

Install Cumulative Update Exchange 2016 check report

If you’re not up to date or not patched, it will show you that you’re vulnerable. Do you see red or yellow warnings in the Exchange Server report? Look into it and fix it!

Conclusion

In this article, you learned how to install Cumulative Update Exchange in 2016. It’s important to know that you plan it accordingly by using the flowchart. Download the appropriate CU and .NET Framework setup files. Place the server in maintenance mode and install the update following with a system restart. In this article, we did use the unattended mode to install the Cumulative Update. As last, take the Exchange Server out of maintenance mode.

Did you enjoy this article? If so, you may like the article Create bulk mailboxes in Exchange Server with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 31 Comments

  1. Hello, Ali, tell me more about how to update the edge server.
    Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON / mode:Upgrade / role:EdgeTransport ?
    Exchange 2019CU4 ->CU11, updated the server with the mailbox role (DAG) updated according to your article you are a great fellow.

    thanks.

  2. Dear Mr Tajran
    First in first I want to thank you for sharing ,but I have question :how can I upgrade CU on Edge server?
    Is it necessary or not ? for mailbox servers are enough ?

    1. Update both Exchange mailbox server and Exchange Transport server. Start first with the Exchange mailbox server.

      On the Exchange Edge Transport server:
      – Update .NET Framework to 4.8 (which is the latest at the moment)
      – Mount the Exchange CU ISO file and run setup.exe
      – Reboot
      – Test

  3. Salaam Ali,
    if I have one exchange server with all role installed. though I have to put server in maintenance mode?

    thanks

    1. That depends on your configuration. In this article, it’s run from Exchange Server itself because there is one domain.

      To prepare Active Directory schema and domains, run the commands in a command prompt on a computer that’s a member of the same Active Directory domain and site as the schema master.

      Run the command in a command prompt to find the schema master: netdom query fsmo

      More information: Exchange Server setup operation didn’t complete

      1. thanks.
        one the setup where you Redirect-Message -Server “EX01-2016” -Target “EX02-2016.exoip.local”. Do you have to redirect message back to EX01-2016 server when you take the EX01-2016 server out of maintenance mode? I don’t see you mention on the article. thanks for the help.

  4. In a rush to upgrade all our servers to CU19 as the base requirement to install the out-of-band security patches MS just published.

    Updated our Edge server first (only internet facing server) to CU19 which was successful, but it broke incoming email from the Internet. Logged a ticket with MS support 3 days ago and have yet to hear back.

  5. A bit lost in the schema section, your description sounds as if Exchange is being installed for the first time, rather than simple being updated.

    “The first step in getting your organization ready for Exchange 2016 is to extend the Active Directory schema.”

    My organization is already ready, as the Exchange 2016 Server already exists…

  6. Hello ALI TAJRAN,
    Nice article and its very useful. Waiting for more to see like this articles on Exchange.
    I have one query does Exchange 2016CU15 Hybrid server retain the HYBRID CONFIGURATIONS as it is intact post upgrade to CU18 or 19.

    Regards
    Anand Sunka

    1. Hi Anand,

      Great that you find it useful.

      You already have a hybrid deployment, and it’s in place. You can upgrade Exchange to the latest Cumulative Update, and it will retain the hybrid configuration.

      I recommend testing the mail flow/connection between both organizations after you finish the CU.

      1. Hi Ali

        when attempting to do a CU update on exchange 2016 to CU 19 it fails with this error: I have an exchange hybrid deployment with office 365

        [03/20/2021 07:23:36.0871] [1] Evaluated [Setting:IsHybridObjectFoundOnPremises] [HasException:True] [Value:
        Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetectionException: The On-Premises test failed with the message: Object reference not set to an instance of an object.. —> System.NullReferenceException: Object reference not set to an instance of an object.
        at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
        at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
        — End of inner exception stack trace —
        at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
        at Microsoft.Exchange.Management.Analysis.PrereqAnalysis.b__2_40(Result`1 x)
        at Microsoft.Exchange.Management.Analysis.Builders.SettingBuilder`2.c__DisplayClass2_0.b__0(Result x)
        System.NullReferenceException: Object reference not set to an instance of an object.
        at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
        at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()

  7. Hi,
    My exchange upgrade process gets stuck on removing exchange file 90% for more than 30 minutes!
    what to do right now?

  8. Hi Ali,

    I have Symantec Mail Security installed on my Exchange server – what is the best practice regarding that? Uninstall first? disable services/protection agents?
    Any advice is greatly appreciated!

    1. It would be best to keep the differences between CUs as short as possible to prevent unexpected issues. That’s why I recommend doing it on the same day. If you want to install the CU on one Exchange Server first and wait it out for a week, this is supported. But don’t wait too long. Update the remaining Exchange Servers within a couple of days or a week and not after months.

  9. Thank you very much for confirming – much appreciated.

    Excellent article very comprehensive with outstanding attention to detail.

  10. If Exchange 2016 is in DAG environment, do you to repeat the CU install again on the Passive server.

    1. Correct, you have to keep the Exchange Servers builds on the same version. Finish the first Exchange Server with the Cumulative Update. Do the health check and move the mailbox databases to it. Start the process again, this time for the second Exchange Server. If you have more than two Exchange Servers, keep on going, as you have to do all of them.

      Remember to keep this order:
      – Update mailbox servers in the internet-facing sites
      – Update mailbox servers in remaining internal sites (if any)
      – Update Edge Transport servers (if any)

  11. Thank you for taking the time to compile this information! It is very informative and will assist me a great deal.

Leave a Reply

Your email address will not be published. Required fields are marked *