Install Exchange Cumulative Update

You have to install a Cumulative Update (CU) in Exchange Server 2013/2016/2019. It’s good to keep the Exchange Server up to date. Plan the update before starting, and keep in mind that it can take a while to finish. Also, if you have only one Exchange Server, mail flow will not work during that time. Now, what is the best procedure to install a Cumulative Update in Exchange Server?

There are two options to upgrade Exchange Server to the latest Cumulative Update: update Exchange with the Graphical User Interface (GUI) or in unattended mode (command line). The organization that we want to install the Cumulative Update for has two Exchange Servers. We will install the Cumulative Update on the Exchange Server EX01-2019. The other Exchange Server is named EX02-2019. In this article, you will learn how to use unattended mode to install a Cumulative Update in Exchange Server.

Good to know before installing Cumulative Update

  • After you upgrade Exchange to a newer CU, you can’t uninstall the new version to revert to the previous version. Uninstalling the new version completely removes Exchange from the server.
  • Any customized Exchange or Internet Information Server (IIS) settings you made in Exchange XML application configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an Exchange CU. Be sure to save this information so you can easily re-apply the settings after the installation.
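
One way to save those files before the upgrade and see afterwards which ones the CU replaced, as an added example that is not part of the original article. The function names and the C:\install\ConfigBackup folder are assumptions; $env:ExchangeInstallPath is the variable Exchange setup defines on the server.

```powershell
# Added example: snapshot Exchange *.config files before a CU and diff them afterwards.
# Function names and the default backup folder are hypothetical.

function Backup-ExchangeConfigFile {
    [CmdletBinding()]
    param(
        # Root to scan; Exchange setup defines ExchangeInstallPath on the server.
        [string]$SourceRoot = $env:ExchangeInstallPath,
        [string]$BackupRoot = 'C:\install\ConfigBackup'
    )

    if (-not $SourceRoot -or -not (Test-Path -LiteralPath $SourceRoot)) {
        throw "Source root '$SourceRoot' not found. Pass -SourceRoot explicitly."
    }
    $root   = (Resolve-Path -LiteralPath $SourceRoot).Path.TrimEnd('\')
    $target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $files = Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.config' -ErrorAction SilentlyContinue
    $manifest = foreach ($file in $files) {
        # Keep the relative path so the copy mirrors the original tree.
        $relative = $file.FullName.Substring($root.Length).TrimStart('\')
        $copyPath = Join-Path $target $relative
        New-Item -ItemType Directory -Path (Split-Path $copyPath -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $copyPath
        [pscustomobject]@{
            RelativePath = $relative
            SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    return $target
}

function Compare-ExchangeConfigFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BackupFolder,
        [string]$SourceRoot = $env:ExchangeInstallPath
    )

    $root = (Resolve-Path -LiteralPath $SourceRoot).Path.TrimEnd('\')
    foreach ($entry in Import-Csv -Path (Join-Path $BackupFolder 'manifest.csv')) {
        $live = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $live)) {
            $state = 'Removed'
        }
        elseif ((Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash -ne $entry.SHA256) {
            $state = 'Changed'
        }
        else {
            continue   # unchanged files are not reported
        }
        [pscustomobject]@{
            State        = $state
            RelativePath = $entry.RelativePath
            BackupCopy   = (Join-Path $BackupFolder $entry.RelativePath)
        }
    }
}

# Before the CU:
#   $backup = Backup-ExchangeConfigFile
# After the CU and the restart, list the files whose customizations need re-applying:
#   Compare-ExchangeConfigFile -BackupFolder $backup | Format-Table -AutoSize
```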

Note: The previous /IAcceptExchangeServerLicenseTerms switch will not work starting with Exchange Server 2016 CU22 and Exchange Server 2019 CU11. You now must use either /IAcceptExchangeServerLicenseTerms_DiagnosticDataON or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF for unattended and scripted installs.

Install Cumulative Updates best practices

Before the Cumulative Update:

  • Place the server in maintenance mode in the monitoring systems (for example, SCOM)
  • Check for Windows Updates and install the updates
  • Restart the server
  • Put the server in maintenance mode
  • Temporarily disable any anti-virus software
  • Temporarily disable any backup software
  • Use an elevated command prompt to run the Cumulative Update

After the Cumulative Update:

  • Restart the server
  • Check the event logs by filtering for errors and warnings
  • Take the server out of maintenance mode
  • Enable backup software
  • Enable anti-virus
  • Take the server out of maintenance mode in the monitoring systems (for example, SCOM)

Find Exchange Server version

Read more in the article Find Exchange version with PowerShell.

Before you start to install the Exchange Cumulative Update, check which Exchange Server versions are running in the organization. Copy and paste the script below into Exchange Management Shell. The output will show the build number of each Exchange Server.

$ExchangeServers = Get-ExchangeServer | Sort-Object Name
ForEach ($Server in $ExchangeServers) {
    Invoke-Command -ComputerName $Server.Name -ScriptBlock { Get-Command Exsetup.exe | ForEach-Object { $_.FileversionInfo } }
}

In our example, both the Exchange Servers EX01-2019 and EX02-2019 are running Exchange Server 2019 CU10 (build number 15.02.0922.007).

ProductVersion   FileVersion      FileName                                                         PSComputerName
--------------   -----------      --------                                                         --------------
15.02.0922.007   15.02.0922.007   C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe   EX01-2019
15.02.0922.007   15.02.0922.007   C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe   EX02-2019

Put Exchange Server in maintenance mode

Read more in the article Put Exchange Server in maintenance mode.

Sign in to Exchange Server EX01-2019. Run Exchange Management Shell as administrator. Set the Hub Transport Service to draining. It will stop accepting any more messages.

[PS] C:\>Set-ServerComponentState -Identity "EX01-2019" -Component HubTransport -State Draining -Requester Maintenance

Redirect any queued messages to EX02-2019. The target Server value has to be the target server’s FQDN. The target server shouldn’t be in maintenance mode.

[PS] C:\>Redirect-Message -Server "EX01-2019" -Target "EX02-2019.exoip.local"

Confirm
Are you sure you want to perform this action?
Redirecting messages to "EX02-2019.exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

If the server is a DAG member, run the following commands. If your server is not a DAG member, skip to the command for setting ServerWideOffline.

Pause the cluster node. Suspend Server EX01-2019 from the DAG.

[PS] C:\>Suspend-ClusterNode "EX01-2019"

Name      State  Type
----      -----  ----
EX01-2019 Paused Node

Disable database copy automatic activation. This command will also move any active database copies to other DAG members, assuming there are other healthy DAG members available. This is not instantaneous, and it can take several minutes for the moves to occur. We’ll check it in one of the following commands.

[PS] C:\>Set-MailboxServer "EX01-2019" -DatabaseCopyActivationDisabledAndMoveNow $true

Make a note of the database copy automatic activation policy on the server. You can set it back to this value at the end of maintenance. The default setting is Unrestricted.

[PS] C:\>Get-MailboxServer "EX01-2019" | Select DatabaseCopyAutoActivationPolicy

DatabaseCopyAutoActivationPolicy
--------------------------------
                    Unrestricted

Set it to Blocked to prevent any of the databases from becoming Active.

[PS] C:\>Set-MailboxServer "EX01-2019" -DatabaseCopyAutoActivationPolicy Blocked

Check for any database copies that are still mounted on the server. It may take a while for the Active databases to move. This command should return no results. If any database copies are still active on the server and other DAG members host copies of the database, perform a manual switchover.

[PS] C:\>Get-MailboxDatabaseCopyStatus -Server "EX01-2019" | Where {$_.Status -eq "Mounted"} | ft -AutoSize

Once the active databases have been moved, we will check the transport queue. Queues should be empty or almost empty, as we will be disabling all server components. Any emails still pending in the queues will have a delay in delivery till the server is taken out from maintenance mode.

[PS] C:\>Get-Queue

Identity             DeliveryType     Status MessageCount Velocity RiskLevel OutboundIPPool NextHopDomain
--------             ------------     ------ ------------ -------- --------- -------------- -------------
EX01-2019\Submission Undefined        Ready  0            0        Normal    0              Submission
EX01-2019\Shadow\3   ShadowRedundancy Ready  0            0        Normal    0              ex02-2019.exoip.local

Put the Server EX01-2019 into maintenance mode.

[PS] C:\>Set-ServerComponentState "EX01-2019" -Component ServerWideOffline -State Inactive -Requester Maintenance

Check the load balancer

Do you have the Exchange Server configured in a load balancer? Verify that the load balancer health checks have taken the server out of the pool or marked it as offline/inactive. If the load balancer does not automatically do this, manually mark the server as offline/inactive. Sign in to your load balancer and set any virtual services you have to disable any connections to Server EX01-2019. Typically there would be SMTP and HTTPS virtual services. This will force any future connections away from Server EX01-2019.

How to verify Exchange Server is in maintenance mode

Verify if the Exchange Server EX01-2019 has been placed into maintenance mode. All components should show Inactive except for Monitoring and RecoveryActionsEnabled.

[PS] C:\>Get-ServerComponentState "EX01-2019" | Select Component, State

Component                     State
---------                     -----
ServerWideOffline          Inactive
HubTransport               Inactive
FrontendTransport          Inactive
Monitoring                   Active
RecoveryActionsEnabled       Active
AutoDiscoverProxy          Inactive
ActiveSyncProxy            Inactive
EcpProxy                   Inactive
EwsProxy                   Inactive
ImapProxy                  Inactive
OabProxy                   Inactive
OwaProxy                   Inactive
PopProxy                   Inactive
PushNotificationsProxy     Inactive
RpsProxy                   Inactive
RwsProxy                   Inactive
RpcProxy                   Inactive
XropProxy                  Inactive
HttpProxyAvailabilityGroup Inactive
ForwardSyncDaemon          Inactive
ProvisioningRps            Inactive
MapiProxy                  Inactive
EdgeTransport              Inactive
HighAvailability           Inactive
SharedCache                Inactive
MailboxDeliveryProxy       Inactive
RoutingUpdates             Inactive
RestProxy                  Inactive
DefaultProxy               Inactive
Lsass                      Inactive
RoutingService             Inactive
E4EProxy                   Inactive
CafeLAMv2                  Inactive
LogExportProvider          Inactive
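
The checks from the maintenance mode steps above can be combined into one gate that runs before Setup.exe. This is an added example, not part of the original article; the function name and the output shape are hypothetical, and it is meant to run in the Exchange Management Shell.

```powershell
# Added example: confirm a server is fully in maintenance mode before the CU starts.
# Run in the Exchange Management Shell. Function name and output shape are hypothetical.

function Test-ExchangeMaintenanceMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [switch]$DagMember   # also run the DAG checks from the steps above
    )

    $failures = New-Object 'System.Collections.Generic.List[string]'
    $warnings = New-Object 'System.Collections.Generic.List[string]'

    # Every component except these two must be Inactive.
    $staysActive = 'Monitoring', 'RecoveryActionsEnabled'
    foreach ($c in Get-ServerComponentState -Identity $Server) {
        if ($staysActive -notcontains "$($c.Component)" -and "$($c.State)" -ne 'Inactive') {
            $failures.Add("Component $($c.Component) is $($c.State), expected Inactive")
        }
    }

    # Messages left in the queues are delayed until maintenance ends, so report them.
    foreach ($q in Get-Queue -Server $Server) {
        if ($q.MessageCount -gt 0) {
            $warnings.Add("Queue $($q.Identity) still holds $($q.MessageCount) message(s)")
        }
    }

    if ($DagMember) {
        $node = Get-ClusterNode -Name $Server
        if ("$($node.State)" -ne 'Paused') {
            $failures.Add("Cluster node state is $($node.State), expected Paused")
        }

        $policy = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
        if ("$policy" -ne 'Blocked') {
            $failures.Add("DatabaseCopyAutoActivationPolicy is $policy, expected Blocked")
        }

        foreach ($copy in Get-MailboxDatabaseCopyStatus -Server $Server) {
            if ("$($copy.Status)" -eq 'Mounted') {
                $failures.Add("Database copy $($copy.Name) is still mounted")
            }
        }
    }

    [pscustomobject]@{
        Server   = $Server
        Ready    = ($failures.Count -eq 0)
        Failures = $failures.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Usage with the server from this article; omit -DagMember for a standalone server.
$check = Test-ExchangeMaintenanceMode -Server 'EX01-2019' -DagMember
$check | Format-List
if (-not $check.Ready) {
    throw 'EX01-2019 is not fully in maintenance mode. Resolve the failures before running Setup.exe.'
}
```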

Which .NET Framework and Exchange Server Cumulative Update

Read more in the article Update .NET Framework in Exchange Server.

A lot of Exchange admins have seen Exchange Servers breaking and not working after a Cumulative Update. It’s important to know that .NET Framework is a must for Exchange Server. When installing Cumulative Updates on Exchange 2013/2016/2019, we sometimes have to update .NET Framework. That is not always the case. Sometimes you can run the Cumulative Update without updating .NET Framework. Yes, we can download .NET Framework for free.

What Microsoft is saying about .NET Framework:

When upgrading Exchange Server from an unsupported CU to the current CU and no intermediate CUs are available, you should first upgrade to the latest version of .NET that’s supported by your version of Exchange Server and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services.

Keep .NET Framework and Exchange Server up to date

Keep your Exchange Server up to date so that you don’t have to carry out a longer update path. I recommend downloading the Exchange CU ISO when it’s available and saving it to the hard disk. Microsoft does remove older Exchange CUs when newer versions are released. When you have saved the Exchange CU ISO, you can always carry out the upgrade path. You can use an unofficial website to download an older Exchange CU.

How to update .NET Framework and Exchange Server Cumulative Update

Don’t immediately update when a .NET Framework version or Exchange Server version is released. Always wait and check whether bugs are being reported. Don’t forget to always test the Exchange Server CU in a test environment before updating it in production.

I made a flowchart that will show the procedure on how to update .NET Framework and Exchange Server Cumulative Update.

[Figure: Install Exchange Cumulative Update flowchart]

To keep it simple, keep these two steps in mind when planning the update path:

  1. Update to the last Exchange version that is supported by the .NET Framework (blue arrow)
  2. Update to the last .NET Framework that is supported for the Exchange Server (green arrow)

Keep updating till you’re on the version that you want to be. It will most likely be the last released Exchange version. Use the given flowchart. It’s easy to follow the update path for Exchange Server Cumulative Update and .NET Framework.

Install .NET Framework

Read more in the article Check which .NET Framework versions are installed.

We will update from Exchange Server 2019 CU10 to Exchange Server 2019 CU11. In this case, we don’t need to update .NET Framework because it’s already on .NET Framework 4.8.

If the correct .NET Framework version isn’t installed on the Exchange Server, you should go to the .NET Framework download page and download the appropriate version. After the download finishes, right-click the file and choose run as administrator. Install the .NET Framework on the Exchange Server. Restart when the installation is completed.

Prepare Active Directory and Domains

Read more in the article Prepare Active Directory and domains for Exchange Server.

Download Exchange Cumulative Update

Before we can prepare AD for Exchange 2019 CU, we need to download the Exchange 2019 CU ISO. Go to the following page to get a list of the Exchange Server CU. The page will show you the Exchange Server build numbers and release dates. Scroll down for Exchange Server 2019. Download the Exchange Server 2019 Cumulative Update and place it in the C:\install folder. Create an install folder if you don’t have one.

In File Explorer, right-click on the Exchange Server 2019 CU ISO image file and select Mount. It will mount the ISO image to a drive. For example, the I:\ drive. The I:\ drive contains the Exchange installation files. Make sure to mount the Exchange ISO image before proceeding to the next step.
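
Because the ISO may have been stored for a long time or obtained from somewhere other than Microsoft, it is worth checking the Authenticode signature of Setup.exe on the mounted drive before running it. This is an added example, not part of the original article. The function name is hypothetical, and the I:\ path and the expected signer name are assumptions to adjust for your media.

```powershell
# Added example: check the Authenticode signature of Setup.exe on the mounted CU ISO.
# Function name, default path and expected signer name are assumptions.

function Test-ExchangeSetupSignature {
    [CmdletBinding()]
    param(
        [string[]]$Path = @('I:\Setup.exe'),
        # Assumed common name of the signing certificate.
        [string]$ExpectedSigner = 'Microsoft Corporation'
    )

    foreach ($item in $Path) {
        if (-not (Test-Path -LiteralPath $item -PathType Leaf)) {
            [pscustomobject]@{
                Path = $item; Status = 'Missing'; Signer = $null; SHA256 = $null; Trusted = $false
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $item
        $signer = $null
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        }

        [pscustomobject]@{
            Path    = $item
            Status  = "$($sig.Status)"
            Signer  = $signer
            # Recorded so the exact media used can be noted in the change record.
            SHA256  = (Get-FileHash -LiteralPath $item -Algorithm SHA256).Hash
            # Valid means the file hash matches the signature and the chain is trusted.
            Trusted = ($sig.Status -eq 'Valid' -and $signer -eq $ExpectedSigner)
        }
    }
}

$result = Test-ExchangeSetupSignature -Path 'I:\Setup.exe'
$result | Format-List
if ($result | Where-Object { -not $_.Trusted }) {
    throw 'Setup.exe failed the signature check. Do not run Setup.exe from this media.'
}
```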

Before extending the Active Directory schema, the following prerequisites must be in place on the Exchange Server:

  • The RSAT-ADDS feature must be installed
  • Account needs to be added to the Schema Admins and Enterprise Admins security groups

Note: You can extend the Active Directory schema from the domain controller or any other server in the organization. The feature RSAT-ADDS is already installed on the domain controller. If you want to prepare the schema on the domain controller, you only need to install the .NET Framework. Some organizations have different teams because of different administrative responsibilities in the environment.

Install RSAT-ADDS feature

The RSAT-ADDS feature is already installed on the domain controller and Exchange Server. If you didn’t install the RSAT-ADDS feature, run PowerShell as administrator and run the Install-WindowsFeature cmdlet with the RSAT-ADDS feature. If you are not sure whether it’s installed on the system, run the command anyway, and it will tell you if no changes are needed.

PS C:\>Install-WindowsFeature RSAT-ADDS

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Remote Server Administration Tools, Activ...

Schema Admins and Enterprise Admins security groups

Before you can extend the schema, your account needs to be a member of the Schema Admins and Enterprise Admins security groups. Open Active Directory and add your account to both groups if it’s not a member already. These are high-privilege groups. We recommend removing your account from the groups when you’re done with this task.

Note: If you’ve just added yourself to these groups, you’ll need to log out and back into the server for the new group membership to take effect.
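
The removal recommended above can be scripted and verified once the Active Directory preparation is finished. This is an added example, not part of the original article; the function name is hypothetical, and it assumes the ActiveDirectory module from RSAT-ADDS and a session in the domain that holds both groups.

```powershell
# Added example: remove an account from Schema Admins and Enterprise Admins after the
# schema work, then report who is still a member. The function name is hypothetical.
Import-Module ActiveDirectory

function Remove-TemporaryForestAdminRight {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Group = @('Schema Admins', 'Enterprise Admins')
    )

    $user = Get-ADUser -Identity $SamAccountName

    foreach ($name in $Group) {
        # Direct membership only: nested membership has to be fixed on the parent group.
        $isDirect = Get-ADGroupMember -Identity $name |
            Where-Object { $_.distinguishedName -eq $user.DistinguishedName }

        $removed = $false
        if ($isDirect -and $PSCmdlet.ShouldProcess($name, "Remove $SamAccountName")) {
            Remove-ADGroupMember -Identity $name -Members $user -Confirm:$false
            $removed = $true
        }

        # Re-read the group, including nested members, to confirm the result.
        $members = @(Get-ADGroupMember -Identity $name -Recursive)
        $still   = $members | Where-Object { $_.distinguishedName -eq $user.DistinguishedName }

        [pscustomobject]@{
            Group            = $name
            Removed          = $removed
            StillMember      = [bool]$still
            RemainingMembers = ($members | ForEach-Object { $_.SamAccountName } | Sort-Object) -join ', '
        }
    }
}

# Preview first, then apply (replace the placeholder with your own account name):
#   Remove-TemporaryForestAdminRight -SamAccountName '<your-account>' -WhatIf
#   Remove-TemporaryForestAdminRight -SamAccountName '<your-account>' | Format-List
```

As with adding the membership, the removal only applies to new logon sessions, so sign out of any session that was opened while the account was still in the groups.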

Prepare Active Directory Schema

The first step in getting your organization ready for Exchange Server CU is to extend the Active Directory schema. Exchange stores a lot of information in Active Directory, but before it can do that, it needs to add/update classes and attributes.

Run Command Prompt as administrator. Run the following command to extend/prepare the schema for Exchange Server CU.

C:\>I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema

Microsoft Exchange Server 2019 Cumulative Update 11 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Extending Active Directory schema                                                                 COMPLETED

The Exchange Server setup operation completed successfully.

You will see the COMPLETED messages in the output. The schema was extended/prepared successfully for the Exchange Server CU.

Prepare Active Directory

After the Active Directory schema has been extended, you can prepare other parts of Active Directory for Exchange Server CU. During this step, Exchange will update containers, objects, and other items in Active Directory to store information. The collection of the Exchange containers, objects, attributes, and so on is called the Exchange organization.

Run Command Prompt as administrator. Run the following command to prepare Active Directory for Exchange Server CU.

C:\>I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD

Microsoft Exchange Server 2019 Cumulative Update 11 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

    Organization Preparation                                                                          COMPLETED

The Exchange Server setup operation completed successfully.

Prepare Active Directory domains

The final step to get Active Directory ready for Exchange Server CU is to prepare each of the Active Directory domains where Exchange will be installed. This step creates additional containers, security groups, and sets permissions so that Exchange can access them.

If you have more than one domain, you can run the following command to prepare all the domains for Exchange Server CU.

Note: If you have only one domain, you can skip this step because the /PrepareAD command in the previous step has already prepared the domain for you.

C:\>I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

Microsoft Exchange Server 2019 Cumulative Update 11 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.


Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                                                                           COMPLETED

Configuring Microsoft Exchange Server

    Prepare Domain Progress                                                                                         COMPLETED

The Exchange Server setup operation completed successfully.

Check Exchange Active Directory versions

After you have prepared AD for the Exchange Server CU, check whether Active Directory is updated. Run PowerShell as administrator. Make sure that you set the Execution Policy to Unrestricted. Press Y and Enter. If you don’t, the script will not run.

PS C:\> Set-ExecutionPolicy Unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the
security risks described in the about_Execution_Policies help topic at http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to
change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y

Download the script Get-ADversions.ps1 and run it. For more information, read the article check Exchange Schema version with PowerShell. You can also run the following commands one by one.

PS C:\> # Exchange Schema Version
PS C:\> $sc = (Get-ADRootDSE).SchemaNamingContext
PS C:\> $ob = "CN=ms-Exch-Schema-Version-Pt," + $sc
PS C:\> Write-Output "RangeUpper: $((Get-ADObject $ob -pr rangeUpper).rangeUpper)"
RangeUpper: 17003
 
PS C:\> # Exchange Object Version (domain)
PS C:\> $dc = (Get-ADRootDSE).DefaultNamingContext
PS C:\> $ob = "CN=Microsoft Exchange System Objects," + $dc
PS C:\> Write-Output "ObjectVersion (Default): $((Get-ADObject $ob -pr objectVersion).objectVersion)"
ObjectVersion (Default): 13242
 
PS C:\> # Exchange Object Version (forest)
PS C:\> $cc = (Get-ADRootDSE).ConfigurationNamingContext
PS C:\> $fl = "(objectClass=msExchOrganizationContainer)"
PS C:\> Write-Output "ObjectVersion (Configuration): $((Get-ADObject -LDAPFilter $fl -SearchBase $cc -pr objectVersion).objectVersion)"
ObjectVersion (Configuration): 16759

How to confirm the Exchange Active Directory versions? Visit the page Exchange schema versions to get a list of the object versions.

Check Exchange Server before running Exchange Cumulative Update

Read more in the article Check Exchange Server before running Exchange Cumulative Update.

The Exchange Server Setup Assist script helps detect common configuration issues that cause Exchange Server Cumulative Update installation issues and other issues caused by a simple configuration change within an Exchange Environment.

Download SetupAssist.ps1 PowerShell script from GitHub and place it on the Exchange Server C:\scripts folder. If you don’t have a scripts folder, create one. Ensure that the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Run Setup Assist PowerShell script

Run PowerShell as administrator. Change the directory path to C:\scripts and run the script.

Note: Run the SetupAssist.ps1 PowerShell script from the Exchange Server where you want to install the Cumulative Update.

PS C:\> cd C:\scripts
PS C:\scripts> .\SetupAssist.ps1
Setup Assist Version 22.01.14.0319

TestName                             Result  Details
--------                             ------  -------
Exchange AD Latest Level             Passed  At Exchange 2019 CU11
User Administrator                   Passed  exoip\administrator S-1-5-21-288954866-3807497283-1560389301-500
Organization Management              Passed  EXOIP\Organization Management
                                             S-1-5-21-288954866-3807497283-1560389301-1104
Execution Policy                     Passed  Unrestricted
Exchange Services                    Passed
Services Cache Files                 Passed
Computers Container Exists           Passed  DC=exoip,DC=local
DC DNS Host Name                     Passed  DC01-2019.exoip.local
Multiple Active Sync Vdirs Detected  Passed
Msi Cache File                       Passed
IIS URL Rewrite                      Passed  Installed Version 7.2.1993
Microsoft Visual C++ 2012            Passed  Visual C++ 2012 Redistributable
Microsoft Visual C++ 2013            Passed  Visual C++ 2013 Redistributable
Other Well Known Objects             Passed
Pending Reboot                       Passed
Valid Home MDB                       Passed


-----Results That Didn't Pass-----


Setup Log Reviewer Results
--------------------------

Setup.exe Run Date: 02/06/2022 21:51:28
Setup.exe Build Number: 15.2.986.5
Current Exchange Build: 15.2.922.7
The most recent setup attempt completed successfully based off this line:
[02/06/2022 21:51:55.0149] [0] The Exchange Server setup operation completed successfully.

No Action is required.

Install Cumulative Update Exchange Server unattended mode

Run Command Prompt as administrator. Run the command to start the Cumulative Update for Exchange Server.

Note: Temporarily disable any anti-virus software and backup software. Close all other Windows sessions.

C:\>I:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /Mode:Upgrade

Microsoft Exchange Server 2019 Cumulative Update 11 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.

Languages
Management tools
Mailbox role: Transport service
Mailbox role: Client Access service
Mailbox role: Mailbox service
Mailbox role: Front End Transport service
Mailbox role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check

    Configuring Prerequisites                                                                                       COMPLETED
    Prerequisite Analysis                                                                                           COMPLETED

Configuring Microsoft Exchange Server

    Preparing Setup                                                                                                 COMPLETED
    Stopping Services                                                                                               COMPLETED
    Language Files                                                                                                  COMPLETED
    Removing Exchange Files                                                                                         COMPLETED
    Preparing Files                                                                                                 COMPLETED
    Copying Exchange Files                                                                                          COMPLETED
    Language Files                                                                                                  COMPLETED
    Restoring Services                                                                                              COMPLETED
    Language Configuration                                                                                          COMPLETED
    Exchange Management Tools                                                                                       COMPLETED
    Mailbox role: Transport service                                                                                 COMPLETED
    Mailbox role: Client Access service                                                                             COMPLETED
    Mailbox role: Mailbox service                                                                                   COMPLETED
    Mailbox role: Front End Transport service                                                                       COMPLETED
    Mailbox role: Client Access Front End service                                                                   COMPLETED
    Finalizing Setup                                                                                                COMPLETED

The Exchange Server setup operation completed successfully.

The update completed successfully. Restart the Exchange Server.

Testing

Check the event logs by filtering for errors and warnings. If there are errors, make sure to troubleshoot and fix them.

Take Exchange Server out of maintenance mode

Read more in the article Take Exchange Server out of maintenance mode.

After the update, we would like to get the Exchange Server EX01-2019 active again. So, let’s remove the server from maintenance mode.

Run Exchange Management Shell as administrator and run the commands.

Note: Only the first and last commands are necessary if the server is not a DAG member. If the server is a DAG member, you need to run all the commands.

For the database copy auto-activation policy, use the value that was set on the server before maintenance. The default is Unrestricted.

[PS] C:\>Set-ServerComponentState "EX01-2019" -Component ServerWideOffline -State Active -Requester Maintenance

[PS] C:\>Resume-ClusterNode -Name "EX01-2019"

[PS] C:\>Set-MailboxServer "EX01-2019" -DatabaseCopyAutoActivationPolicy Unrestricted

[PS] C:\>Set-MailboxServer "EX01-2019" -DatabaseCopyActivationDisabledAndMoveNow $false

[PS] C:\>Set-ServerComponentState "EX01-2019" -Component HubTransport -State Active -Requester Maintenance

Rebalance Database Availability Groups

Read more in the article Balance mailbox databases in Exchange DAG.

Throughout the update process, the database copies will move between DAG members. Return your active database copies to their most preferred DAG member. Use the PowerShell script supplied by Microsoft.

[PS] C:\>cd $exscripts
 
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts\>.\RedistributeActiveDatabases.ps1 -DagName "DAG01-2019" -BalanceDbsByActivationPreference -SkipMoveSuppressionChecks

Verify out of maintenance mode

Verify if the Exchange Server EX01-2019 is back up and running. Run the following commands.

The cluster node needs to have the state up.

[PS] C:\>Get-ClusterNode "EX01-2019"

Name      State Type
----      ----- ----
EX01-2019 Up    Node

Check that the cluster node has the state up on all the Exchange Servers.

[PS] C:\>Get-ClusterNode

Check that all the required services are running.

[PS] C:\>Test-ServiceHealth "EX01-2019"


Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
                          MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
                          MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
                          MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
                          MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Check that the required services are running on all the Exchange Servers.

[PS] C:\>Get-ExchangeServer | Test-ServiceHealth

Test the MAPI Connectivity.

[PS] C:\>Test-MAPIConnectivity -Server "EX01-2019"

MailboxServer           Database            Result    Error
-------------           --------            ------    -----
EX01-2019               DB01                Success
EX01-2019               DB03                Success

Test the MAPI Connectivity on all the Exchange Servers.

[PS] C:\>Get-ExchangeServer | Test-MAPIConnectivity

Get the result of the DAG Copy Status Health.

[PS] C:\>Get-MailboxDatabaseCopyStatus -Server "EX01-2019" | Sort Name | Select Name, Status, Contentindexstate

Name           Status  ContentIndexState
----           ------  -----------------
DB01\EX01-2019 Mounted      NotApplicable
DB02\EX01-2019 Healthy      NotApplicable
DB03\EX01-2019 Mounted      NotApplicable
DB04\EX01-2019 Healthy      NotApplicable

Get the result of the DAG Copy Status Health on all the Exchange Servers.

[PS] C:\>Get-MailboxDatabaseCopyStatus * | Sort Name | Select Name, Status, Contentindexstate

Check the Replication Health.

[PS] C:\>Test-ReplicationHealth -Server "EX01-2019"

Server          Check                      Result     Error
------          -----                      ------     -----
EX01-2019       ClusterService             Passed
EX01-2019       ReplayService              Passed
EX01-2019       ActiveManager              Passed
EX01-2019       TasksRpcListener           Passed
EX01-2019       TcpListener                Passed
EX01-2019       ServerLocatorService       Passed
EX01-2019       DagMembersUp               Passed
EX01-2019       MonitoringService          Passed
EX01-2019       ClusterNetwork             Passed
EX01-2019       QuorumGroup                Passed
EX01-2019       FileShareQuorum            Passed
EX01-2019       DatabaseRedundancy         Passed
EX01-2019       DatabaseAvailability       Passed
EX01-2019       DBCopySuspended            Passed
EX01-2019       DBCopyFailed               Passed
EX01-2019       DBInitializing             Passed
EX01-2019       DBDisconnected             Passed
EX01-2019       DBLogCopyKeepingUp         Passed
EX01-2019       DBLogReplayKeepingUp       Passed

Check the Replication Health on all the Exchange Servers.

[PS] C:\>Get-DatabaseAvailabilityGroup | Select -ExpandProperty:Servers | Test-ReplicationHealth | Sort Name

Verify the Database Activation Policy is set to Unrestricted.

[PS] C:\>Get-MailboxServer "EX01-2019" | Select Name, DatabaseCopyAutoActivationPolicy

Name              DatabaseCopyAutoActivationPolicy
----              --------------------------------
EX01-2019                             Unrestricted

Verify the Database Activation Policy is set to Unrestricted on all the Exchange Servers.

[PS] C:\>Get-MailboxServer | Select Name, DatabaseCopyAutoActivationPolicy
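
The checks in this section can be combined into one pass that returns only what failed. The script below is an added example, not part of the original article: the function names Get-PostCuFinding and New-Finding are hypothetical, and it assumes every Mailbox server is a DAG member, as in the article's environment.

```powershell
# Added example. Run in the Exchange Management Shell after the update.
# Emits one object per failed check; no output objects means everything passed.
function New-Finding($Server, $Check, $Item, $Value) {
    [pscustomobject]@{ Server = $Server; Check = $Check; Item = "$Item"; Value = "$Value" }
}

function Get-PostCuFinding {
    param(
        # Defaults to every Mailbox server in the organization.
        [string[]]$Server = @(Get-MailboxServer | ForEach-Object { $_.Name })
    )

    foreach ($name in $Server) {
        # MAPI logon must succeed for every database on the server.
        Test-MAPIConnectivity -Server $name |
            Where-Object { "$($_.Result)" -ne 'Success' } |
            ForEach-Object { New-Finding $name 'MapiConnectivity' $_.Database $_.Result }

        # A copy is fine when it is Mounted (active) or Healthy (passive).
        Get-MailboxDatabaseCopyStatus -Server $name |
            Where-Object { "$($_.Status)" -notin 'Mounted', 'Healthy' } |
            ForEach-Object { New-Finding $name 'CopyStatus' $_.Name $_.Status }

        # Every replication check has to report Passed.
        # -Identity is the parameter name in Microsoft's cmdlet reference.
        Test-ReplicationHealth -Identity $name |
            Where-Object { "$($_.Result)" -ne 'Passed' } |
            ForEach-Object { New-Finding $name 'ReplicationHealth' $_.Check $_.Error }

        # The article expects Unrestricted once the server is out of maintenance mode.
        $policy = "$((Get-MailboxServer -Identity $name).DatabaseCopyAutoActivationPolicy)"
        if ($policy -ne 'Unrestricted') {
            New-Finding $name 'ActivationPolicy' 'DatabaseCopyAutoActivationPolicy' $policy
        }
    }
}

$findings = @(Get-PostCuFinding)
if ($findings.Count -eq 0) { 'All post-update checks passed.' }
else { $findings | Format-Table -AutoSize }
```

The results are compared as strings so the filter behaves the same whether the shell returns live or deserialized objects.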

Load balancer

Do you have the Exchange Server configured in a load balancer? Verify that the load balancer health checks have put the server back in the pool or marked it as online/active. If the load balancer does not do this automatically, manually mark the server as online/active: sign in to your load balancer and enable the virtual services that accept connections to server EX01-2019. Typically, these are the SMTP and HTTPS virtual services.

Install Cumulative Update on all Exchange Servers

Do you have more than one Exchange Server running in the organization? Do the same steps on all the Exchange Servers. It can be the:

  • Exchange Mailbox server
  • Exchange Edge server
  • Exchange Hybrid server

Install Exchange Management tools

The Exchange Server CU will automatically update the management tools on the Exchange Server. However, some organizations administer Exchange from management servers or workstations. Don’t forget to run the Exchange Server CU setup there and update the management tools to the same version as the Exchange Server.

Check that Exchange Server is up to date

Read more in the article Microsoft Exchange Server vulnerability check.

How do you verify that all the Exchange Servers in the organization are up to date? Run the Exchange Health Checker script (make sure you download the latest version from GitHub).

Download the HealthChecker.ps1 PowerShell script and place it in the C:\scripts folder on the Exchange Server. If you don’t have a scripts folder, create one. Ensure that the file is unblocked to prevent any errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Create Exchange Servers report

Run Exchange Management Shell as administrator. Change the path to the scripts folder.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>

Verify the signature before running the script with the Get-AuthenticodeSignature cmdlet.

[PS] C:\scripts>Get-AuthenticodeSignature -FilePath ".\HealthChecker.ps1" | ft -AutoSize


    Directory: C:\scripts


SignerCertificate                        Status Path
-----------------                        ------ ----
8740DF4ACB749640AD318E4BE842F72EC651AD80 Valid  HealthChecker.ps1
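
A Valid status means the file hash matches the signature and the certificate chains to a trusted root; it does not say who signed the file. The gate below is an added example, not part of the original article or of the HealthChecker project: the function name Test-ScriptSignature is hypothetical, and the expected thumbprint is a placeholder that you fill in from a copy you have verified and update when the publisher renews its signing certificate.

```powershell
# Added example. Refuses to continue unless the script is validly signed
# by the signer you expect. Get-AuthenticodeSignature does not execute the file.
function Test-ScriptSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $reasons = @()

    # Only Valid passes; NotSigned, HashMismatch, NotTrusted and UnknownError all fail.
    if ("$($sig.Status)" -ne 'Valid') {
        $reasons += "Status is $($sig.Status): $($sig.StatusMessage)"
    }

    # Pin the signer so that a different trusted publisher is not accepted.
    if (-not $sig.SignerCertificate) {
        $reasons += 'No signer certificate present'
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '')) {
        $reasons += "Unexpected signer $($sig.SignerCertificate.Thumbprint) ($($sig.SignerCertificate.Subject))"
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($reasons.Count -eq 0)
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        Reasons  = $reasons
    }
}

# Placeholder value: replace it with the thumbprint from your own trusted record.
$expected = '<THUMBPRINT-FROM-YOUR-TRUSTED-RECORD>'
$check = Test-ScriptSignature -Path 'C:\scripts\HealthChecker.ps1' -ExpectedThumbprint $expected
if (-not $check.Trusted) {
    throw "Refusing to run $($check.Path): $($check.Reasons -join '; ')"
}
$check | Format-List Path, Signer, NotAfter
```

Run the gate again each time you download a newer HealthChecker.ps1, before the script is executed.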

Run the cmdlet to create a report for all Exchange Servers. It builds the HTML report and opens it automatically.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

If the report does not open automatically, you can find the report in the C:\scripts folder.

Check Exchange Servers report for vulnerabilities

The HTML report shows the result for each server. The Cumulative Update for EX01-2019 was successful, and the server is on Exchange 2019 CU11. EX02-2019 is still on Exchange 2019 CU10 because we haven’t run the Cumulative Update on it yet. We will do the same steps for that Exchange Server.

The column Security Vulnerabilities shows that there is a vulnerability detected. That’s because there are Exchange Server Security Updates available.

If you’re not up to date or not patched, it will show you that you’re vulnerable. Do you see red or yellow warnings in the Exchange Server report? Look into it and fix it!

Conclusion

You learned how to install Exchange Cumulative Update. It’s important to plan it accordingly using the flowchart. Download the appropriate Exchange Server CU and .NET Framework setup files. Place the server in maintenance mode and install the update following a system restart. In this article, we used the unattended mode to install the Cumulative Update. Finally, take the Exchange Server out of maintenance mode.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 39 Comments

  1. Hello
    Dear Ali
    I have problem at step prepare active directory…
    after run “H:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD” on organization preparation 29% not go more… and get this error Error:

    The following error was generated when “$error.Clear();
    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

    ” was run: “System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateOrMoveEWPGroup(ADGroup ewp, ADOrganizationalUnit usgContainer)
    at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
    at System.Management.Automation.CommandProcessor.ProcessRecord()”.

    Please Help me to solve that… Thanks a lot.

    1. My problem is solved.
      The default Exchange groups were moved in Active Directory.
      After putting it in its previous place, the problem was solved.
      Thanks a lot.

  2. Don’t we have to use the StartDagServerMaintenance.ps1 script when putting a DAG server in maintenance mode?

  3. Hi, thx a lot for the article!!
    I have just updated my Exchange 2016 server to CU22 from CU19, all working, but when I do the “Test-ServiceHealth” my result is all true except
    Role : Mailbox Server Role
    RequiredServicesRunning : False

    Email flow is OK. What does that mean?

    1. When you run the command “Test-ServiceHealth”, it will show which services are running and not running. Start these “not running services” on the Exchange Server and test again with the “Test-ServiceHealth ” command.

      1. THX soooo much, I had the throttling service down, I have restarted it and now it’s all true. THX again for your work!

  4. Hi, this is a very helpful article. How would it differ for a hybrid environment? I have an Exchange 2016 on prem that does not have any mailboxes on it as all are in O365. I first tried to run the schema update and it failed. Logs seem to be pointing to a hybrid config setup. I later found that you need to run Setup.exe /PrepareAD /TenantOrganizationConfig MyTenantOrganizationConfig.xml /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF. That appeared to have worked as it stated it completed successfully, but I don’t see any change to the AD version numbers and the setupassist is still telling me to run PrepareAD from the computer. Any idea why?

  5. Dear Ali,
    Hope you are doing well.

    I started to upgrade the Exchange Server 2019 CU9 to CU11 but I faced:

    Performance counter names and help text failed to unload. Unlodctr exited with error code ‘1224’.

    so I had to restore the backup.

    Would you please guide me on how I can resolve this issue?

    regards,
    Hamila

  6. Hello

    Is there something to pay attention to if we are using Exchange with AD split permissions?
    Some people told me I must deactivate split permissions before applying the CU, I’m not convinced.

  7. Hello, Ali, tell me more about how to update the edge server.
    Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON / mode:Upgrade / role:EdgeTransport ?
    Exchange 2019CU4 ->CU11, updated the server with the mailbox role (DAG) updated according to your article you are a great fellow.

    thanks.

  8. Dear Mr Tajran
    First of all, I want to thank you for sharing, but I have a question: how can I upgrade CU on Edge server?
    Is it necessary or not? Are mailbox servers enough?

    1. Update both Exchange mailbox server and Exchange Transport server. Start first with the Exchange mailbox server.

      On the Exchange Edge Transport server:
      – Update .NET Framework to 4.8 (which is the latest at the moment)
      – Mount the Exchange CU ISO file and run setup.exe
      – Reboot
      – Test

  9. Hi Ali

    when attempting to do a CU update on exchange 2016 to CU 19 it fails with this error: I have an exchange hybrid deployment with office 365

    [03/20/2021 07:23:36.0871] [1] Evaluated [Setting:IsHybridObjectFoundOnPremises] [HasException:True] [Value:
    Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetectionException: The On-Premises test failed with the message: Object reference not set to an instance of an object.. —> System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
    at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
    — End of inner exception stack trace —
    at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
    at Microsoft.Exchange.Management.Analysis.PrereqAnalysis.b__2_40(Result`1 x)
    at Microsoft.Exchange.Management.Analysis.Builders.SettingBuilder`2.c__DisplayClass2_0.b__0(Result x)
    System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
    at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()

  10. Salaam Ali,
    if I have one exchange server with all role installed. though I have to put server in maintenance mode?

    thanks

    1. That depends on your configuration. In this article, it’s run from Exchange Server itself because there is one domain.

      To prepare Active Directory schema and domains, run the commands in a command prompt on a computer that’s a member of the same Active Directory domain and site as the schema master.

      Run the command in a command prompt to find the schema master: netdom query fsmo

      More information: Exchange Server setup operation didn’t complete

      1. thanks.
        one the setup where you Redirect-Message -Server “EX01-2019” -Target “EX02-2019.exoip.local”. Do you have to redirect message back to EX01-2019 server when you take the EX01-2019 server out of maintenance mode? I don’t see you mention on the article. thanks for the help.

  11. In a rush to upgrade all our servers to CU19 as the base requirement to install the out-of-band security patches MS just published.

    Updated our Edge server first (only internet facing server) to CU19 which was successful, but it broke incoming email from the Internet. Logged a ticket with MS support 3 days ago and have yet to hear back.

  12. Hello ALI TAJRAN,
    Nice article and its very useful. Waiting for more to see like this articles on Exchange.
    I have one query does Exchange 2016CU15 Hybrid server retain the HYBRID CONFIGURATIONS as it is intact post upgrade to CU18 or 19.

    Regards
    Anand Sunka

    1. Hi Anand,

      Great that you find it useful.

      You already have a hybrid deployment, and it’s in place. You can upgrade Exchange to the latest Cumulative Update, and it will retain the hybrid configuration.

      I recommend testing the mail flow/connection between both organizations after you finish the CU.

  13. Hi,
    My exchange upgrade process gets stuck on removing exchange file 90% for more than 30 minutes!
    what to do right now?

  14. Hi Ali,

    I have Symantec Mail Security installed on my Exchange server – what is the best practice regarding that? Uninstall first? disable services/protection agents?
    Any advice is greatly appreciated!

    1. It would be best to keep the differences between CUs as short as possible to prevent unexpected issues. That’s why I recommend doing it on the same day. If you want to install the CU on one Exchange Server first and wait it out for a week, this is supported. But don’t wait too long. Update the remaining Exchange Servers within a couple of days or a week and not after months.

  15. If Exchange 2016 is in a DAG environment, do you have to repeat the CU install again on the passive server?

    1. Correct, you have to keep the Exchange Servers builds on the same version. Finish the first Exchange Server with the Cumulative Update. Do the health check and move the mailbox databases to it. Start the process again, this time for the second Exchange Server. If you have more than two Exchange Servers, keep on going, as you have to do all of them.

      Remember to keep this order:
      – Update mailbox servers in the internet-facing sites
      – Update mailbox servers in remaining internal sites (if any)
      – Update Edge Transport servers (if any)

      1. Thank you very much for confirming – much appreciated.

        Excellent article very comprehensive with outstanding attention to detail.

  16. Thank you for taking the time to compile this information! It is very informative and will assist me a great deal.
