In this article I will demonstrate the step by step process for installing cumulative updates and service packs for Exchange Server 2013.

The steps for installing cumulative updates and service packs on Exchange 2013 are:

  1. Prepare by downloading update files, checking backups, and reviewing known issues
  2. Update mailbox and multi-role servers in the internet-facing sites
  3. Update client access servers in the internet-facing sites (if any)
  4. Update Exchange 2013 servers in any remaining internal sites (if any)
  5. Update Edge Transport servers (if any)
  6. Perform health checks and rebalancing of servers

Preparation Tasks

Before installing any cumulative updates you should:

  • Download the CU or Service Pack setup file from the Microsoft Download Center (do not download from third party sites) and extract it to a folder on each server. You can download the latest cumulative update and upgrade an Exchange 2013 server to the latest version in one update. You do not need to install all of the cumulative updates released between your current version and the latest version.
  • Take a confirmed backup of Active Directory.
  • Take a confirmed backup of your existing Exchange 2013 servers and databases.
  • Have documented any customizations such as OWA, config files on servers, registry changes, Lync integration, or third party add-ons.
  • Review this known issue with receive connectors that can cause upgrades to fail, leaving servers in a non-operational state.
  • Verify that your Exchange SSL certificates have not expired.
  • Check the Exchange Supportability Matrix and verify that you are maintaining the .NET Framework on your servers to remain compatible with Exchange.

Installing Cumulative Updates and Service Packs

Cumulative updates and Service Packs should be installed in the internet-facing site first, before installing in other sites in the organization.

  • The first servers to be updated in a site are the Mailbox servers.
  • The Client Access servers are updated second.
  • Edge Transport servers can be updated last.

If you have multi-role CAS/MBX servers installed then setup updates the roles in the correct order anyway, and you should simply start with the internet-facing servers.

During the deployment of a cumulative update within a site that contains load-balanced Client Access server or Database Availability Group members there will be a period where servers are not at exactly the same version. Although this is expected and supported, it is not supported to stay in that state for a long period of time.

In other words, you should plan to update all DAG members within a short period of time, and not allow them to run at different versions for days, weeks or months.

Updating Mailbox Servers

Mailbox servers in a multi-server environment, whether installed as standalone or as a multi-role server, should be placed into maintenance mode before installing the cumulative update.

Note that the redirect target server must be provided as a fully qualified domain name.

[PS] C:\>Set-ServerComponentState E15MB1 –Component HubTransport –State Draining –Requester Maintenance

[PS] C:\>Redirect-Message -Server E15MB1 -Target E15MB2.exchange2013demo.com

Confirm
Are you sure you want to perform this action?
Redirecting messages to "E15MB2.exchange2013demo.com".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

If the server is a DAG member proceed to the next section which contains additional steps for DAG members, otherwise put the server into maintenance mode with the following command.

[PS] C:\>Set-ServerComponentState E15MB1 –Component ServerWideOffline –State InActive –Requester Maintenance

Exchange MVP Michael Van Horenbeeck has published a script for automating the process of starting and stopping maintenance mode.

Updating Mailbox Servers that are Database Availability Group Members

In addition to placing Mailbox servers in maintenance mode any DAG members also need to have active mailbox databases moved to another DAG member, and be blocked from activation while the cumulative update is being installed.

Suspend the DAG member from the cluster.

[PS] C:\>Suspend-ClusterNode –Name E15MB1

Name                 ID    State
----                 --    -----
E15MB1               1     Paused

Disable database copy activation.

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyActivationDisabledAndMoveNow $true

Review the existing database copy auto activation policy, so that you can return it to the same configuration after you’ve completed the upgrade.

[PS] C:\>Get-MailboxServer E15MB1 | Select DatabaseCopyAutoActivationPolicy

DatabaseCopyAutoActivationPolicy : Unrestricted

Set the auto activation policy to “Blocked”. If the policy is already set to “Blocked” then there is no action required.

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyAutoActivationPolicy Blocked

Put the server into maintenance mode.

[PS] C:\>Set-ServerComponentState E15MB1 –Component ServerWideOffline –State InActive –Requester Maintenance

Taking Servers Out of Maintenance Mode

To take the server out of maintenance mode after the upgrade the process is reversed. Make sure that you return the database auto activation policy to the original setting if it was not “Unrestricted”.

[PS] C:\>Set-ServerComponentState E15MB1 –Component ServerWideOffline –State Active –Requester Maintenance

[PS] C:\>Resume-ClusterNode –Name E15MB1

Name                 ID    State
----                 --    -----
E15MB1               1     Up

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyAutoActivationPolicy Unrestricted

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyActivationDisabledAndMoveNow $false

[PS] C:\>Set-ServerComponentState E15MB1 –Component HubTransport –State Active –Requester Maintenance

Exchange MVP Michael Van Horenbeeck has published a script for automating the process of starting and stopping maintenance mode.

Updating Load-Balanced Client Access Servers

If you are running load-balanced Client Access servers in a site then you should configure the load balancer to remove the server from the pool of hosts, and allow any existing connections to close, before you install the cumulative update.

The exact steps for this will depend on the load balancing solution that you use, and you should refer to your vendor documentation for those.

As each Client Access server is updated join it to the pool again and then repeat the process for the next server.

Active Directory Preparation Tasks

Some cumulative updates will include Active Directory schema changes. In those cases the following steps will be required.

Note: The AD preparation tasks are not required to be run separately to the upgrade of Exchange, unless in circumstances where you need to separate the tasks to different teams with different permissions, or if you have a multi-domain forest and want to control the AD changes.

Before applying the schema update follow the steps provided by Michael B Smith to retrieve the existing Exchange schema version, so that you can compare it before and after the AD preparation steps have been completed to verify that the schema update was applied.

  1. Run setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms (requires Enterprise Admins and Schema Admins permissions, and must be performed in the same AD Site as the Schema Master on a server with the RSAT-ADDS-Tools feature installed – the Schema Master itself would meet these requirements)
  2. Run setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
  3. Run setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms in each domain in your forest that contains Exchange servers or mailboxes

When the Active Directory changes have been applied, on each server run the upgrade.

Upgrading the Servers

Cumulative updates can be applied using either the command line or graphical setup, whichever you prefer. Both options are demonstrated below.

  • Follow the pre-installation processes outlined earlier in this article depending on the server roles installed.
  • Do not run the upgrade from the Exchange Management Shell as this will cause it to fail due to locked files. Run the upgrade from an elevated cmd prompt.
  • If you receive a warning that the Office Filter Pack is not installed this can be ignored, as it is not a required component for Exchange Server 2013.
  • Set the PowerShell execution policy on each server being upgraded to Unrestricted, as this may sometimes cause issues with update. Refer to KB981474.

Caution: a cumulative update is a full reinstall of Exchange Server 2013. If it is interrupted, or fails part way through the installation, you may need to perform a server recovery. There is also no way to uninstall a cumulative update.

Note: Exchange 2013 cumulative updates stop the “Microsoft Exchange FrontEnd Transport” and “Microsoft Exchange Transport” services during the pre-requisites check. If you do not proceed with the installation you will need to manually restart the Microsoft Exchange Transport service.

Upgrading Using the Command Line

In an elevated command prompt run the following command from the location where you extracted the cumulative update files.

Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

The command prompt window will display the progress as the upgrade proceeds. The upgrade itself is a lengthy process so you should allow plenty of time for each server.

After the cumulative update has been install restart the server if prompted to do so.

If you had placed the server into maintenance mode then you can run the commands or the script for stopping maintenance mode after the installation is finished (refer to the notes above).

Upgrading Using the Graphical Setup

From the location that you extracted the cumulative update files run Setup.exe. It is recommend to allow setup to connect to the internet and check for updates.

exchange-2013-installing-cumulative-updates-01

When the update check has completed click Next to continue.

exchange-2013-installing-cumulative-updates-02

Setup will begin copying files. This can take several minutes depending on your server’s performance capacity.

exchange-2013-installing-cumulative-updates-03

Setup will detect that this is an upgrade installation.

exchange-2013-installing-cumulative-updates-04

You will need to accept the license agreement each time you upgrade a server.

exchange-2013-installing-cumulative-updates-05

Setup will perform a pre-requisites check. If any pre-requisites are not met setup will stop and warn you about them, otherwise you will be able to proceed with the upgrade.

exchange-2013-installing-cumulative-updates-06

The upgrade itself is a lengthy process and you may find that some steps appear to have hung with no progress. This may be a bug with the graphical setup, whereas the command line setup will typically show the percentage progress as it goes.

languages

When setup is complete you will be prompted to restart the server if required.

exchange-2013-installing-cumulative-updates-07

After the cumulative update has been install restart the server if prompted to do so.

If you had placed the server into maintenance mode then you can run the commands or the script for stopping maintenance mode after the installation is finished (refer to the notes above).

Post-Installation Tasks

After deploying an Exchange 2013 cumulative update there are a number of post-installation tasks that may be required.

Rebalance the Database Availability Group

After you’ve updated all of your DAG members there is a good chance that the active databases will not be evenly distributed across the DAG, or won’t be on their first activation preference. This process is the same for Exchange 2013 as it is for Exchange 2010.

[PS] C:\>cd $exscripts

[PS] C:Program FilesMicrosoftExchange ServerV15scripts>.RedistributeActiveDatabases.ps1 -DagName E15DAG -BalanceDbsByActivationPreference

Restoring Customizations

After you have completed updating your servers you will need to re-apply any customizations that you had documented during the preparation steps above.

Verifying Server Health

Here are some suggestions for health checking your Exchange 2013 servers after applying updates.

  1. Check the cluster nodes are all up – verify that you have not left any DAG members suspended in the cluster by running the Get-ClusterNode cmdlet on one of the DAG members.
  2. Test service health – use the Test-ServiceHealth cmdlet to verify that all required services are running on each server.
  3. Test MAPI connectivity to every database – use the Test-MAPIConnectivity cmdlet to verify that all databases are mounted and accessible.
  4. Check the database copy status for DAGs – use the Get-MailboxDatabaseCopyStatus cmdlet to verify that all database copies, copy/replay queues, and content indexes are healthy.
  5. Test replication health for DAGs – use the Test-ReplicationHealth cmdlet on each DAG member to verify replication health is good.
  6. Check the database activation policy for each Mailbox server – verify that each Mailbox server that is in a DAG has the correct database activation policy for your environment.
  7. Check server component status – use Get-ServerComponent to verify that you have not left any servers in maintenance mode.
  8. Run Exchange Analyzer to check for best practices compliance.

You can also use Test-ExchangeServerHealth.ps1 to review the health of your environment.

Acknowledgements

Thanks to Exchange MVPs Tony Redmond, Jeff Guillet, Michael B Smith, and Michael Van Horenbeeck for sharing their notes and experiences with the cumulative update process.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Abhishek Gupta

    We are migrating from Exchange 2016 to Exchange 2019. We ran schema update using Exchange 2019 RTM. Now we want to update our 2016 server to latest CU 21 and Security update, but it is not working as it says schema version is higher than setup version

  2. Moaz

    Thank you for your great writing.

    I do have a question; regarding the installation path.

    Will installing the CU update rewrites the installation path? i.e. if I had Exchange files installed on the D drive; will it reinstall them on the C drive?

    Thank you.

  3. Dings delight

    Amazing write up. Your such a gem.
    I am currently upgrading from CU4 to CU23 i have multiple DCs but i get the following error.
    Setup encountered a problem while validating the state of Active Directory: ‘ADC02.xxx.local’ isn’t a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: ‘adc02’.
    The FQDN is correct though

  4. Ding

    Amazing write up. Your such a gem.
    I am currently upgrading from CU4 to CU23 i have multiple DCs but i get the following error.
    Setup encountered a problem while validating the state of Active Directory: ‘ADC02-NEW.xxx.Local’ isn’t a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: ‘adc02-new’.
    The FQDN is correct though

  5. kendall

    I am upgrading RTM to CU23 so i can then migrate to a new server. last time i tried this it broke. are there any tricks or do i need to step the upgrade?

  6. fathiya

    hi

    i have exchange 2013 and the CU14 .i want to upgrade to the CU23 what is the step؟ or do I need to upgrade in sequence ?

    thanks and regards

  7. Saad

    Hi Paul,
    Can you please provide Exchange Server 2013 CU 21? I had lost CU 21 and i didn’t found it from any of the existing websites.

  8. Leonid Kanareykin

    Thank you Paul, just upgraded my first part of DAG, F5 load balanced and consisting of one separate cas and one separate mbx server from cu13 to cu 22, on mbx I had .net.framework upgraded to 4.7.2 and on cas I had support by cu13 4.6.1 and I upgraded it. Only one problem I had with WMSVC service because i need to create cert for WMSVC. On monday 2 december I’m planning to upgrade second part of cluster consisting of one separate cas and one separate mbx server with old cu13. I completed upgrade absolutely seamlessly for my users.

    Thank you so mush for you great posts !!!

  9. Brian

    Thank you for the write up

  10. Kapil K

    Hi Paul,

    I am getting errors when installing Exchange2013-KB4471389-x64-en.msp on my Exchange Server 2013 CU21.

    Below is the error,

    “The upgrade patch cannot be installed by Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch”

    I have tried installing by running in admin elevated cmd, built-in administrator but getting the same error for all the upgrades. Please let me know the fix for the issue.

    Same issue on Exchange2013-KB4340731-x64-en.msp, Exchange2013-KB4459266-x64-en.msp and Exchange2013-KB4471389-x64-en.msp

    Thanks,
    Kapil

  11. Ilker

    Hi Paul
    That michels maintanence script also move all database to the other maibox server automaticaly?

  12. Pawamangi

    Hi Paul,

    Currently i am using Exchange 2013 which has CU18 installed.

    My question is since Exchange 2019 has come out would you think it best to upgrade to Exchange 2016 instead since in the long run Microsoft will do away with support for 2013, will you be doing any articles about 2013 to 2016 upgrade?

    Thanks.
    Samson.

  13. Teiv

    Hi Paul,

    I have Exchange enviroment with intergated Lync. Have you experience to update CU without effect Lync

    Thanks

  14. badbanana

    this article needs an update. do we still use Edge Transport servers alone?

  15. Kamran

    Any guides or steps to decommission co-existing exchange 2010 after migrating all mailboxes to 2013.

  16. Kamran

    Hey ,
    i have 2 questions,
    i have co-existence of 2010 and 2013 , both are working fine .
    2010 have MSME but 2013 has nothing installed for protection.

    Is Mcafee Security for Microsoft Exchange enough for its protection, as have turned off its anti-spam.

    Secondary ,Im using Windows backup Server for backups and logs ,my database is 350gb + 3 gb logs everyday , i have given 500Gb to backup drive but it consumes all of it and now the backups are failing due to low storage and it needs a full backup.
    can i delete the big file inside that backup drive/folder which took up 430 GB itself to restart backps?

    thanks.
    Kamran

    1. Paul Cunningham

      For McAfee, you need to decide for yourself whether it is good enough protection for your organization.

      For the backup, if you delete that backup file then I guess you won’t have any backups left any more, until you run another successful backup. That sounds risky to me.

  17. Jerry

    Hi,
    thanks for nice article.
    Ive problem I just installed CU17 on Exchange Edge Server, but I dont see that new version in ECP, when I use cmdllet on Edge server “Get-ExchangeServer” its ok, but when I use on CAS it showed the old one. How I can Update it?

    Thanks

  18. trkmany

    Hi, Paul,
    We have two Exch 2013 servers with multi roles installed, and updated to CU15
    can I update to CU18 directly?
    Please advice.

  19. Parvez Khan

    Hi Paul,

    While taking out severs from maintenance mode, do I need to remove redirecting also ?Please confirm. Its not mention in above steps.

    Thanks for the great work you are doing…

    1. Paul Cunningham

      The redirection is a one-time action to move queued messages to another server for processing. It’s not a permanent state.

  20. Ryan

    Hi Paul,

    I’m having a weird issue attempting to upgrade Exchange 2013 SP1 to CU15. The install is failing on the prerequisite checks and I just can’t figure it out.

    The local domain needs to be prepared using Setup /PrepareDomain before server roles can be installed.

    I’ve run the setup.exe /PrepareSchema and /PrepareAD switches manually prior to install and have confirmed the Schema version is 15312 per this TechNet blog post https://blogs.technet.microsoft.com/rmilne/2015/03/17/how-to-check-exchange-schema-and-object-values-in-ad/. The organisation version is also 16310. DCDiag tells me replication is working fine and running Setup /PrepareDomain does not stop this check from failing. I’m not sure why this one is failing at all.

    The mailbox server role isn’t installed on this computer.

    This one is somewhat off-putting as the Mailbox role is obviously installed, otherwise I’d be having many more problems. The setup points me to two TechNet articles for specifically UnifiedMessagingRoleNotInstalled and BridgeheadRoleNotInstalled. Neither of these articles have any actual information.

    As far as I know wouldn’t both of these be installed with Exchange regardless? We don’t use Unified Messaging and I’m not sure what the Bridgehead role actually is either.

    An unsupported operating system was detected. Exchange Server 2013 Client Access, Mailbox, and Edge Transport server roles support Windows Server 2008 R2 SP1 or later and Windows Server 2012.

    I’m running Server 2012 R2 Datacentre and Exchange 13 SP1 is already installed so this makes zero sense to me.

    I’ve attempted to run the upgrade installer with AV disabled, backup software disabled, there’s no monitoring software on that server. My AD account is a member of Enterprise Admins and Schema Admins. I’m pretty much out of ideas at this point.

    Any ideas? Cheers,
    Ryan

    1. Paul Cunningham

      It’s a bit hard to tell from your post what’s your comments and what is error messages so I don’t know what is going on with your upgrade there. I’d suggest posting to /r/exchangeserver on Reddit where you can provide more context about the issue and perhaps it will make more sense and I or someone else there will be able to suggest a fix.

      1. Ryan

        Ah, my bad. I couldn’t make the errors appear bold in the text (at least I’m not sure if I could).

        The errors are

        1. The local domain needs to be prepared using Setup /PrepareDomain before server roles can be installed.

        2. The mailbox server role isn’t installed on this computer.

        3. An unsupported operating system was detected. Exchange Server 2013 Client Access, Mailbox, and Edge Transport server roles support Windows Server 2008 R2 SP1 or later and Windows Server 2012.

        And the text underneath each was just my response to each.

        I shall post to the Exchange subreddit anyway.

        1. Paul Cunningham

          You sure you’re running setup on the server? I can’t think of any reason why it would throw those errors otherwise.

          1. Ryan

            I only have a single mail server and its called ex2, it’s definitely the right server.

            I think my only option at this point is to contact Microsoft.

  21. Fabio Martins da Silva

    This is the first article i see that askt to install first on MBX servers.

  22. Charly

    Is the above posted procedure still working for an:

    2x exchange 2013 CU3 -> CU15 upgrade on windows server 2012 ( DAG activated) enviroment ?

    1. Paul Cunningham

      Yes, but that’s a big leap in versions. Double check the .NET framework version support in the Exchange supportability matrix on TechNet to make sure you also end up with the correct .NET framework version installed.

      1. Radouane

        Hi,
        Regarding the .NET Framework version, our 2 DAGS and 2 CAS servers are in Exchange 2013 CU8 with .NET 4.5.2.
        We are planning to upgrade from CU8 to CU16.

        https://blogs.technet.microsoft.com/exchange/2017/03/21/released-march-2017-quarterly-exchange-updates/

        Technet article above states we should install CU15 first, upgrade .NET to 4.6.2 then upgrade to CU16 which is time consuming in a sens as the outage Windows is limited.

        We need to know whether is supported to first upgrade our servers .NET to 4.6.2 and then install CU16 without the hop at CU15 ?

        Concerning the CAS NLB, which is safest Stop-NlbClusterNode or Remove-NlbClusterMode ?

        Many thanks in advance,

        1. Paul Cunningham

          Microsoft publishes the Exchange Server Supportability Matrix which you’ll find via a Google search for those words, and it lists the Exchange and .NET version compatibility. You should plan an upgrade path for Exchange and .NET that keeps you within supported versions of each. Yes it’s more time consuming. That is the downside of leaving it so long to perform updates on your server.

          I don’t know what to do about the NLB cluster because I don’t run any. NLB was not recommended for use with Exchange 2013 for a variety of reasons so I never used it.

          1. Radouane

            Flawless Upgrade from Exchange 2013 CU8 to CU16, followed your article and advises, many thanks again 🙂

  23. Anoop Kumar singh

    Hi Paul,

    Thanks to you for publishing a wonderful article, it’s kind of life-saving for many.

    I have a query before go for CU15 that I have dual exchange environment one is MS Exchange 2007 (08.03.0485.001) and MS Exchange 2013 (847.32), is their anything i have to check before updation for Exchnage 2013.

    Simply i want to know for above environment do i have to go for updation?

    Your help is appreciated.

    Regards
    Anoop

    1. Paul Cunningham

      Update the 2013 server first, then the 2007 server (unless it’s already fully updated).

  24. Chuck

    Paul,

    I am currently on Exchange 2013 CU 12 and have tried to upgrade to both CU 14 or the new CU 15 without success. I have run the setup.exe from both an elevated command prompt as well as right click and run as Administrator. I get a quick setup initializing and then nothing else. I have tried with Exchange in maintenance mode as well as not putting it in maintenance mode. I get the same behavior. It is very strange as I successfully did a few other CU’s in the past.

    Also, I have no AV running as I know that causes issues. I have only tried GUI install and not silent.

    Any thoughts or suggestions?

    Thanks
    Chuck

  25. Mohammed

    Is it safe to upgrade from CU5 to CU15 or 14?

  26. Elnur

    Hi Paul

    I am using Exchange Server 2013 CU 14. Microsoft has recently issued CU15 for exchange 2013.
    Currently My exchange server fully updated and no updates required. Should i still upgrade to CU15 eventhough my exchange server fully updated.

  27. Adam

    Hi Paul, I have an Exchange 2013 CU11 environment. I planned to update it to CU13 but stopped after the pre check alerted me to the fact there was the AU-ENG language pack installed and it needed to be uninstalled.
    To uninstall the AU-ENG language pack do I use the setup.exe file from the Extracted CU13 code ?
    I have read a few articles about the version mismatch is you use the wrong code.

  28. Phil

    Hi Paul, if you install the Exchange Server 2013 CU14 update on a trial version (Version 15.0 (Build 516.32)) Does it continue to be in it’s trial condition?
    Cheers
    Phil

  29. Ayman

    I have Exchange Server 2013 CU2 is it recommend updating to CU14 and any excepted issues after update to CU14 direct please provide me

    1. Paul Cunningham

      You are running a CU that has been out of support for a long time, so yes you should update.

  30. Magudeeswaran M

    Hi ,

    I’m upgrading Exchange 2013 from CU8 to CU13, installation is stuck at “Mailbox role: Transport Service at 3% since last 4 hours” , not sure this is a known issue, there are no errors so far, no performance issues nor any disk space issue, but the installation is stuck.

  31. Mathew

    I had an issue with 4 node DAG set up where multi role installed. ECP and OWA crashed keep crashing after CU13 updated. I did startdagmaintenacemode.ps1 to put the server DAGs in maintenace mode . I did notice this issue sometime later after the update. All i had to run updatecas.ps1 to make the URL uptated. Can you suggest what would be the issue.

    1. Paul Cunningham

      You shouldn’t be using that script to put Exchange 2013 servers in maintenance mode. Whether that is causing your problem though, it’s hard to say. No software is perfect. But you should start by following the correct update procedures in future and see if problems keep occurring.

  32. Wilf Thorburn

    Great information. I have an installation not yet live. It is Exchange 2013 CU12. I have CU12 in the root of C, and installed from there. Once I have upgraded to CU14, can I delete the CU12 directory? It is abut 5 gigs.

  33. Sridhar K

    Thanks Paul Its Very Help full

  34. Sridhar K

    I can tell this is going to be a great help. I’m going to do the prep work before starting the upgrades

  35. Leo

    I haven’t even done the work yet and I can tell this is going to be a great help. I’m just doing the prep work before starting the upgrades

  36. Amk

    Hi Paul

    Having a major issue after running the update need help i get this error on Step 5 of 9: Mailbox Role: Mailbox Service:

    Error:
    The following error was generated when “$error.Clear();
    if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
    {
    if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
    {
    # upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
    get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
    $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
    $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
    $mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
    if ( $mbxs.length -eq 0)
    {
    $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
    if($dbs.Length -ne 0)
    {
    $mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
    if ($mbxUser.Length -ne 0)
    {
    enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
    }
    }
    }
    }
    else
    {
    write-exchangesetuplog -info “Skipping creating Discovery Search Mailbox because of insufficient permission.”
    }
    }
    ” was run: “Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.”.

    Error:
    The following error was generated when “$error.Clear();
    if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
    {
    if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
    {
    # upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
    get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
    $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
    $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
    $mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
    if ( $mbxs.length -eq 0)
    {
    $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
    if($dbs.Length -ne 0)
    {
    $mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
    if ($mbxUser.Length -ne 0)
    {
    enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
    }
    }
    }
    }
    else
    {
    write-exchangesetuplog -info “Skipping creating Discovery Search Mailbox because of insufficient permission.”
    }
    }
    ” was run: “Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.
    at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
    at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow)
    at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.Validate(TDataObject dataObject)
    at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalValidate()
    at Microsoft.Exchange.Configuration.Tasks.SetRecipientObjectTask`3.InternalValidate()
    at Microsoft.Exchange.Management.Common.SetMailEnabledRecipientObjectTask`3.InternalValidate()
    at Microsoft.Exchange.Management.RecipientTasks.SetUserBase`2.InternalValidate()
    at Microsoft.Exchange.Management.RecipientTasks.SetMailboxBase`2.InternalValidate()
    at Microsoft.Exchange.Management.RecipientTasks.SetMailbox.InternalValidate()
    at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

    1. Amk

      I Finally managed to get it working! I Deleted the DiscoverySearchMailbox.

  37. Simon Berg

    Hi Paul

    In other forums people are saying the update order schould be like this, without specifying the conclusion to this.
    CAS, HUB, UM, MBX.

    In your article you mention to update Mailbox Server roles first, then Client Access Server role and last Edge Transport.
    Could you specify why?

  38. Réda BOUTBICHA

    I have a question about upgrading order of mailbox servers.

    I have an exchange infrastructure spread over two sites , I implemented site resiliency .
    Site1 : Two CAS and two maibox (Internet facing)
    Site2 : one CAS and one Mailbox
    About the order :

    1. I start by moving all DB to the second Mailbox, then upgrade Mailbox Server 1
    2. I Move all DBs to First Mailbox Server, then upgrade Second Mailbox server.
    3. Thereafter, i upgrade the third mailbox server in the DR Site.

    What do you say of this Steps, is that correct.
    Many Thank’s Mr Paul.

  39. Aleem Ijaz Janjua

    Thank you Paul for such a good article.

    I just wanted to share that a restart required after putting the server in maintenance mode, otherwise CU12 doesn’t proceed, and after the successfully update server should be restart again and take out server from Maintenance mode.

  40. Faris Mahsin

    Can we delete extracted Cumulative Update 12 folder from Exchange drive C after the update done ?

      1. Faris Mahsin

        Thank you Paul,
        My upgrade has been done successfully with latest patch 12 released on April.
        I just wanna be sure that during the upgrade process, all required files has been copied and nothing left where I need to bring these Cumulative back .

        Please advice.

  41. Shannon

    I noticed that when you list the items to bring servers out of maintenance mode, you don’t list the redirect message command. My process is to disable the node on our F5 (we have 3 multi-role servers) after I have moved any active databases off of the server. Would I still need to set the redirect message?

    1. Paul Cunningham

      The redirect command moves any queued mail to a different transport server. So it only needs to be done during the prep stage.

      Yes, you still need to do it, or you risk queued mail being lost if the maintenance goes wrong.

  42. Rune Goksør

    We got problem with CU12. We have 2 MBX-servers and 1 CAS in front. Setup went fine on MBX-servers. Unfortunately setup stoppet on step 3 of 5 with an unhandled exception and only a close-button and a text containing

    Problem signature:
    Problem Event Name: CLR20r3
    Problem Signature 01: DependentAssemblyGenerator.exe
    Problem Signature 02: 15.0.1178.0
    Problem Signature 03: 568db3b7
    Problem Signature 04: mscorlib
    Problem Signature 05: 4.0.30319.34209
    Problem Signature 06: 53489fcf
    Problem Signature 07: 4524
    Problem Signature 08: 13c
    Problem Signature 09: System.UnauthorizedAccess
    OS Version: 6.2.9200.2.0.0.272.7
    Locale ID: 1044
    Additional Information 1: b330
    Additional Information 2: b33007b9c9016bfb24d0229578114157
    Additional Information 3: c561
    Additional Information 4: c561f660eddeaff463c95a13fe957cb3

    After that setup tried to continue to step 4 of 5 (Finalizing Setup) but exited out and gave me a flood of similiar errors about DependentAssemblyGenerator and lack of access.

    We rebooted CAS-server, but it was clear that it was currently in an inconsistent state. The Powershell execution policy was set to signed, so I set it to “Unrestricted” as recommended in this point over here:

    Set the PowerShell execution policy on each server being upgraded to Unrestricted, as this may sometimes cause issues with update. Refer to KB981474.

    I reran setup and the setup fortunately continued and seemingly came to 100% right before it suddenly exited with no message. Rebooted the server, and all worked fine. You should probably not underestimate the importance of that Powershell execution policy.

  43. Lenny Li

    Now CU12 installed successfully, but users can only access owa. All of their desktop outlook cannot connect to the exchange server.

  44. Lenny Li

    Which/where is the certificate file? Any chance we can manually do something to it to renew it on the server without having to go through GUI?

    1. Paul Cunningham

      EAC is just presenting a way to manage certificates for Exchange. A certificate is a certificate. You can manage it through IIS if you need to (should be able to do the renewal that way) or using the Certificates snap-in in MMC.

      If you’re still stuck and your server is still non-operational I recommend you open a Microsoft support case to get them to help you recover the server.

      In future, it’s a good idea to keep an eye on your Exchange certificates and renew them before they expire.

      1. Lenny Li

        the best practise analyser said the registry value maxuserport on registry key systemcurrentcontrolsetservicestcpipparameters isnt set to 60000.

        well, do i launch regedit and find hkey_current_configsystemcurrentcontrolsetservices and create a tree for tcpip if it does not exist?

  45. Lenny Li

    I’ll give it one more shot by adjusting the date to 19/4/2012. Would exchange 2013 work if i just ignore the rest of the steps in the CU setup and run? how do we fix the Something went wrong screen that show no specific details? Is a complete reinstall of exchange 2013 feasible? Can’t rescue any database/data? How do we bloody renew the certificate if the EAC on IIS cannot be browsed?

  46. Lenny Li

    Install still failed at 100% about certificate expired. I have already set the date to 19/4/2013. What can i do?

  47. Lenny Li

    I tried to goto EAC to try regenerate a new certificate but the intranet website cannot be accessed. At this moment I’m trying to change system clock to 4 years ago to see if it can succeed.

  48. Lenny Li

    Our CU12 update setup failed when the “Mailbox role: Transport service” finished at 100% with the following. What can we do?:

    Error:
    The following error was generated when “$error.Clear();
    Install-ExchangeCertificate -services IIS -DOmainController $RoleDomainController
    if ($RolesDatacenter -ne $true -And $RolePartnerHosted -ne $true)
    {
    Install-AuthCertificate -DomainController $RoleDomainController
    }
    ” was run: “System.Security.Cryptography.CryptographicException: The certificate is expired.
    at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
    at Microsoft.Exchange.Management.SystemCOnfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
    at Microsoft.Exchange.COnfiguration.Tasks.Task,b_b()
    at Microsoft.Exchange.COnfiguration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineFailed)”.

    1. Paul Cunningham

      “The certificate is expired.”

      Your certificate has expired. It will need to be renewed or replaced.

      1. Lenny Li

        If I try to launch EAC, the browser goes to https://localhost/ecp/?ExchClientVer=15 with a server error/ configuration error: Could not load file or assembly Microsoft Exchange Clients Strings, Version=15.0.0… The system cannot find the file specified.

      2. Lenny Li

        Looking at IIS, the full collection of certificates did not expire except the SSL one for the mail.mydomain.com cert which expired in 2015. Winding back the clock does not help prevent the error. So is the solution to add a simple mail server role, temporarily disable exchange, and get the new cert?

  49. Lenny Li

    We have never updated exchange 2013 running win2012. Recently we noticed the “Something went wrong” screen when accessing owa. this screen has no details of the actual error, so we are trying luck with installing CU12. do you think it will solve the problem, or are there other things we can do?

  50. Joel Rennie

    Hi Paul,

    I skipped CU 10 & 11 can I just go straight to CU 12 for exchange 2013?

    Kind Regards

    1. Paul Cunningham

      Each CU is a complete build of Exchange encompassing all previous fixes and updates, so you can always install or upgrade with the very latest CU.

  51. Carlo

    Hello,

    Just wanted to ask like how long will it take to do a massive jump update from CU2 to CU11.

  52. kyle

    Hi Pual

    This atricle (removed) recommend upgrading the CAS servers first, followed by the mailbox servers in the 2CAS+2Mailbox DAG Exchange 2013 environment .
    But in your guide give me this steps:The first servers to be updated in a site are the Mailbox servers.The Client Access servers are updated second.Edge Transport servers can be updated last.
    I’m confused…..

    1. Paul Cunningham

      Mailbox first, then CAS. If you follow Microsoft’s best practices and deploy multi-role servers then it becomes irrelevant.

      1. kyle

        Thanks for your quickly reply,i’ll be follow this guide to upgrade the server from CU7 to CU11 and wish everything goes well.

        Many thanks.

  53. Luis César Vielman

    Hi Paul.
    It’s safe to delete all the extracted files, after the installation finished.

  54. Lee

    Hi Paul,

    Just letting you know that Michael B Smith’s site link doesn’t work:
    http://theessentialexchange.com/blogs/michael/archive/2013/03/14/powershell-quick-script-finding-the-exchange-schema-version.aspx

    http://rickardnobel.se/verify-schema-versions-on-all-domain-controllers/ – might be a good link

    Also Michael’s maintenance script link has been moved. It’s listed in the Exchange Gallery though:

    https://gallery.technet.microsoft.com/office/Exchange-Server-2013-ff6c942f

    That should be permanent link.

    Cheers,

  55. Scott

    Hi Paul. I hope that you see this comment as I am sure you dont go back and read everything. got a quick question for you. Do I need to run Setup.exe /PrepareAD /IAcceptExchangeServerLicenceTerms on every server or just the first mailbox server to be updated?

    1. Paul Cunningham

      AD only needs to be prepped once. That said, if you forgot to do it, the first server you run setup /m:upgrade on will automatically run the AD prep.

  56. Deepak

    Hi Paul,

    First of a big thanks for the article 🙂 , i have a small query i have gone through the article again and again and have a small confusion on which server should i start first the CU updates.

    Below is a high level infra details

    3 nos of Multi role server in DAG in PROD AD site
    2 nos of dedicated CAS server in CAS AD site (for External Connection)
    1 Journaling in PROD AD site.

    Now my confusion is should i start updating the multirole servers which are in DAG first or should i target the CAS server which are dedicated CAS site for external connection.

    Also can i target the journaling server for upgrade simultaneously with other server as it is a standalone box.

    P.S my 3 multirole server and CAS server sit behind the F5 HLB in diffrent pools.

    1. Deepak

      Hi Paul,

      were you able to check my query, it would be great to see you feed back on the same.

  57. A.Mitterlehner

    Top Guide 🙂
    Update 2 DAG Server and 2 CAS.

    The only thing i had to install was the Windows Feature RSAT-ADDS and the IIS 6.0 Resource Kit.

    Perfect Guide.

    Big Thx for that Great work

  58. Jino KJ

    Hi Paul,

    I am getting error when upgrading exchange 2013 cu3 to CU7 getting the error below. we have created additional active sync and Owa virtual directory ,

    C:\>cd TempCU7

    C:TempCU7>setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms

    Welcome to Microsoft Exchange Server 2013 Cumulative Update 7 Unattended Setup
    Copying Files…
    File copy complete. Setup will now collect additional information needed for
    installation.
    Languages

    Client Access role: Client Access Front End service FAILED
    The following error was generated when “$error.Clear();
    $fe = get-ActiveSyncVirtualDirectory -server $RoleFqdnOrName -DomainCo
    ntroller $RoleDomainController -ErrorAction SilentlyContinue;

    if ($fe -eq $null)
    {
    new-ActiveSyncVirtualDirectory -DomainController $RoleDomainControll
    er -Role ClientAccess;
    }
    else
    {
    update-ActiveSyncVirtualDirectory $fe -DomainController $RoleDomainC
    ontroller -InstallIsapiFilter $true
    }
    ” was run: “System.Management.Automation.ParameterBindingException: Cann
    ot convert ‘System.Object[]’ to the type ‘Microsoft.Exchange.Configuration.Tasks
    .VirtualDirectoryIdParameter’ required by parameter ‘Identity’. Specified method
    is not supported. —> System.NotSupportedException: Specified method is not su
    pported.
    at System.Management.Automation.ParameterBinderBase.CoerceTypeAsNeeded(Comman
    dParameterInternal argument, String parameterName, Type toType, ParameterCollect
    ionTypeInformation collectionTypeInfo, Object currentValue)
    — End of inner exception stack trace —
    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecute
    Enumerate(Object input, Hashtable errorResults, Boolean enumerate)
    at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Bool
    ean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pip
    eElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcCo
    ntext)
    at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(Inter
    pretedFrame frame)
    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.R
    un(InterpretedFrame frame)”.

    The Exchange Server setup operation didn’t complete. More details can be found
    in ExchangeSetup.log located in the :ExchangeSetupLogs folder.

    1. Paul Cunningham

      Why CU7? It’s already unsupported, CU10 and CU11 are the current support builds.

      Keep in mind there’s only one supported way to add OWA/ECP virtual directories to Exchange 2013, documented here:
      http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

      Not sure whether adding ActiveSync vdirs is supported at all.

      Either way, if that is the most obvious way your server deviates from a normal server, then removing those vdirs would be a good idea.

      1. Jino KJ

        Thank you Paul…. I have removed Additional created Activesync virualdirectory , now able to rollout CU7,

  59. CrustyB

    I’m have a multi-role DAG, half are active servers, half are passive. Could I bypass maintenance mode and simply switchover the active databases on a server and proceed with the CU?

    1. Paul Cunningham

      You can skip any steps you like since you are the person who will be dealing with the consequences.

      Or you can just follow the recommended procedures, which exist for good reason.

  60. Dmitry Monakhov

    Hi Paul!
    Can I directly upgrade Exchange 2013 SP1 to CU10? It’s supported?

  61. Asif

    Hi Paul,

    I have Single Server Exchange 2013 (all roles on same server) with CU5. Can I directly upgrade it to CU10 ? or shall I have to go through one by one installing all the CU’s ?

    Thanks.

    1. Paul Cunningham

      It is possible, and supported, to always update directly to the latest build. But only the N-2 scenarios are tested. So it’s possible you’ll run into a previously unknown issue going CU5 -> CU10. I’ve done various upgrades that were more than N-2 in the past with no issues, and only occasionally run into issues with N-3 or more that are covered in the cautionary notes in the blog post above.

  62. tony Holdgate

    Hi Paul- just reviewing a RAP done by MS on an organisation I am contracting for now with a Hybrid 2010/13 exchange over two nodes. They have quoted
    “You should upgrade your client access servers with service packs and hotfixes before upgrading the mailbox servers, unless directed otherwise in the release notes. ”

    I thought it was the other way round- mailbox first? And if they are multi role servers (which all of these are) then I ignore this correct?

    1. Paul Cunningham

      The customer is entitled to seek clarification of advice given in a RAP, so that would be the best course of action.

      I thought 2013 was Mailbox first, but then I always deploy multi-role so it’s not something I ever have to think about.

  63. IT

    Would maybe be good to add a little note about Exchange UM language packs. My experience is that you have to uninstall them and then re-install the updated versions. Otherwise…great post.

  64. Davey H

    I have one Exchange Server 2013, but 2 domains in the forest. Both domains have users with mailboxes. I would like to upgrade from SP1 to CU10.
    Do I have to run the
    “setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms” in both domains?

    Many thanks
    Dave

  65. FrankP

    I will add my 2 cents off lessons learnt after upgrading a 6-servers/2DAGs environment from CU4(SP1) to CU8:

    1. Follow exactly all the steps given in this article and additionally:
    2. Uncheck “Check for publisher’s certificate revocation” in IE options – advanced – security. It will save you hours of nail-biting in front of your screen.
    3. Disable your antivirus client

  66. SAWANTPN

    can we install fresh exchange 2013 sp1 CU1 on server where schema update is already CU7 as there are already exchange servers 2013 who have CU7 update.
    is there any possibility of issue while installing exchange 2013 CU1?

  67. Flip

    Paul,

    Before I get started I have 2 CAS and 2 MBX servers with 1 DAG. Server A and Server B have their primary own databases. MBX Server A and has a copy on MBX Server B. Server B has a copy on Server A. How would I start this if both servers active servers?

    For example: If I started with MBX Server B. Would I failover MBX Server B to A, follow your guide, and then apply the updates? Then failover to B and then continue with A? Or is this not possible?

    1. Paul Cunningham

      I’m confused by your description but I’m going to assume what you’re saying is that each of your databases has a copy on each of the DAG members.

      Yes, follow the update procedure demonstrated above.

      1. Flip

        We have an active active setup. But based on your answer we should be fine…

        Thanks!

  68. Dave

    Good thing there is a script available. 🙂

    Final question on this topic, would you recommend updating one DAG member first and then waiting until the following weekend to update the rest of the DAG members to make sure there were no issues with the updates (if a lab environment is not available for testing)

  69. Dave

    Do we need to follow the same procedures (excluding AD preparation) for your monthly Windows security updates?

  70. jc

    Hi Sir Paul,

    We have Exchange 2013 SP1 and are looking to install CU7. I have downloaded and extracted the set-up files, however when try to run the update I receive a number of concerning errors regarding Active Directory.

    I am aware that the update will require Schema updates, however I thought the GUI installed handled these for me.

    Exchange is deployed at a AD site that is not in the same site as the Schema Master. Could this be the issue? Do I have to update the schema manually?

    My account is already member of Enterprise Admin, Schema admin

    Errors are below

    Error:

    The Mailbox server role isn’t installed on this computer.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.UnifiedMessagingRoleNotInstalled.aspx

    Error:

    The Mailbox server role isn’t installed on this computer.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.BridgeheadRoleNotInstalled.aspx

    Error:

    Setup can’t continue with the upgrade because the perfmon (2112) has open files. Close the process, and then restart Setup.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ProcessNeedsToBeClosedOnUpgrade.aspx

    Error:

    The Active Directory schema isn’t up-to-date, and this user account isn’t a member of the ‘Schema Admins’ and/or ‘Enterprise Admins’ groups.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.SchemaUpdateRequired.aspx

    Error:

    Global updates need to be made to Active Directory, and this user account isn’t a member of the ‘Enterprise Admins’ group.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalUpdateRequired.aspx

    Error:

    You must be a member of the ‘Organization Management’ role group or a member of the ‘Enterprise Admins’ group to continue.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspx

    Error:

    You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedBridgeheadFirstInstall.aspx

    Error:

    You must use an account that’s a member of the Organization Management role group to install the first Client Access server role in the topology.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedCafeFirstInstall.aspx

    Error:

    You must use an account that’s a member of the Organization Management role group to install the first Client Access server role in the topology.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedFrontendTransportFirstInstall.aspx

    Error:

    You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedMailboxFirstInstall.aspx

    Error:

    You must use an account that’s a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedClientAccessFirstInstall.aspx

    Error:

    You must use an account that’s a member of the Organization Management role group to install the first Mailbox server role in the topology.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedUnifiedMessagingFirstInstall.aspx

    Error:

    Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter on a computer in the domain powerplay and site Default-First-Site-Name, and wait for replication to complete. See the Exchange setup log for more information on this error.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx

    Error:

    The forest functional level of the current Active Directory forest is not Windows Server 2003 native or later. To install Exchange Server 2013, the forest functional level must be at least Windows Server 2003 native.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ForestLevelNotWin2003Native.aspx

    Error:

    The Mailbox server role isn’t installed on this computer.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.MailboxRoleNotInstalled.aspx

    Error:

    Either Active Directory doesn’t exist, or it can’t be contacted.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.CannotAccessAD.aspx

    Warning:

    Setup will prepare the organization for Exchange 2013 by using ‘Setup /PrepareAD’. No Exchange 2007 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2007 servers.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE12ServerWarning.aspx

    Warning:

    Setup will prepare the organization for Exchange 2013 by using ‘Setup /PrepareAD’. No Exchange 2010 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers.

    For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE14ServerWarning.aspx

    -Nick

  71. Marty_V

    As always, your contributions to the Exchange Admin world are very much appreciated.

    I am making every effort to apply CU7 to E2K13 SP1 and it’s been riddled with problems just about every step of the way. My stumbling block at the moment is “setup cannot continue with the upgrade because the setupui has open files.” I have restarted the VMs, run Sysinternals Process analyzer and confirmed nobody else has a session on the box.

    Do you have any suggestions on where I might look?

    Thank you!

    Marty

      1. Marty

        I tried running the setup via both GUI and command line and had the same result. Got it all worked out though. This particular VM had a problem with a cert and Windows Manager. The WMSVC service would not start. Generating a self-signed cert and assigning it to WMSVC got me through the update.

  72. Brice Cunningham

    Just wanted to say thank you for all you do. I refer to your articles whenever I work on my E2K13 server! BC

  73. Jeff Brown

    Paul, you mention upgrading the Mailbox before the CAS. This is different from earlier versions of Exchange where you start at the CAS, then Hub, etc and mailbox last. Is there any official documentation on the server role order to install Exchange 2013 CUs? I’m having trouble finding any. Thanks!

    1. Paul Cunningham

      Yes it is different. No I can’t find any “official” source for that online.

      1. Gareth Gudger

        If you run the upgrade on a multi-role server, you will see that Setup always upgrades the Mailbox role before the CAS role.

  74. Hassan

    hi paul

    please clearly say to me updating exchange 2013 RTM to CU7 needs the AD preparation in Graphical mode? my exchange roles are in single server plaese show me all of the steps in graphical mode upgrading

  75. Chimwemwe Mtonga

    Please help I am having this error below on step 8 of 15 mailbox role:transport service

    Error:
    The following error was generated when “$error.Clear();
    $vdirName = “PowerShell”;
    $InternalPowerShellUrl=”http://” + $RoleFqdnOrName + “/powershell”;
    new-PowerShellVirtualDirectory $vdirName -Role Mailbox -InternalUrl $InternalPowerShellUrl -DomainController $RoleDomainController -BasicAuthentication:$false -WindowsAuthentication:$false -RequireSSL:$false -WebSiteName “Default Web Site” -AppPoolId “MSExchangePowerShellFrontEndAppPool”;
    new-PowerShellVirtualDirectory $vdirName -Role Mailbox -DomainController $RoleDomainController -BasicAuthentication:$false -WindowsAuthentication:$true -RequireSSL:$true -WebSiteName “Exchange Back End” -Path ($RoleInstallPath + “ClientAccessPowerShell-Proxy”);
    ” was run: “The virtual directory ‘PowerShell’ already exists under ‘MIMMAIL.mm.co.mw/Default Web Site’.
    Parameter name: VirtualDirectoryName”.

  76. Wahid Iqbal

    HI Paul;

    it was great reading this article, i want to discuss my Problem of outlook users being prompted for passwords .

    following is the configuration

    AD site 1 : 2 malbox servers & 2 CAS servers running Exchange 2013 CU3
    AD site 2 : 1 malbox server & 1 CAS server running Exchange 2013 CU3
    Edge Transport Server: Exchange 2010 SP-3
    users : Windows 7 / outlook 2010 & 13 Compliant with (http://technet.microsoft.com/library/ee681792%28v=office.15%29)

    while outlook running perfectly suddenly a password pop up ofccures, even after providing credentials for 5 / 10 times are not authenticated.i googled it around & realized that this is a common issue after CU3 deployment. i ran Get-OutlookAnywhere and found my authentication setting are set as Basic, Negotiate and NTLM as described in http://edsitonline.com/2013/11/29/outlook-usernamepassword-popups-after-exchange-2013-cu3-upgrade/ (i though i did not change my current setting as recommended in the page).

    modified users outlook profile by unchecking “download shared folder” and set the authentication from negotiate to kerbros as mentioned in https://social.technet.microsoft.com/Forums/office/en-US/11370f4d-b931-4338-8ab7-acc9e1a231e0/outlook-2013-asks-for-credentials-connecting-to-exchange-2010-multiple-times?forum=officeitpro
    although it worked for some days but again the same problem.

    now i am thinking to upgrade my CAS servers only from CU3 to CU6 released in august earlier this year.

    in my opinion any schema extention / prepareAD / PrepareDomain is not required in our case because i had CU3(please confirm).

    please also suggest if i can modify the authentication settings as mentioned in http://edsitonline.com/2013/11/29/outlook-usernamepassword-popups-after-exchange-2013-cu3-upgrade/ because my only pain is to stop password prompts.

  77. Matt Hall

    Are there any set-servercompnentstate or other maintenance mode commands we should run on a CAS only server or can we just apply the updates?

    1. Paul Cunningham

      Basically just take them out of your load balancing (whether that is a HLB or DNS RR or anything else).

      1. Matt Hall

        Thanks Paul! It is only DNS RR at the moment. We are trying to get a load balancer purchased. 🙂

  78. Abolfazl Babamohammadi

    Hello
    I am update exchange sp1 to cu5 but for some problem i want to downgrade to sp1
    i install new Mailbox and CAS SP1
    now i problem with active directory schema , i want to restore AD schema to exchange sp1
    can you help me ?
    thank

  79. Anatoly

    I have Exchange 2013 SP1 servers with role: Mailbox, CAS and Edge.
    I want to install cu6 (http://www.microsoft.com/en-us/download/details.aspx?id=44022)
    what is the procedure for updating the Exchange Server 2013?

    I think that at first it is necessary to update the Mailbox-server, at second CAS-server, at third Edge-servers.
    Am I right?

    1. Paul Cunningham

      A good place to start would be this very article that you’re commenting on.

      1. Anatoly

        Thanks for the answer, but please reply to the order in which it is necessary to update the server?

  80. phemmy

    Hello Paul
    i am having issues with installation of Exchange 2013 SP1.
    i have 3 Exchange servers across two AD sites. Each server holds both Mailbox and CA role.
    The Exchange Servers are not fully operational yet but we already created all the mailboxes on them. I attempted to install the 2013 SP1, starting with setup /prepareschema command. The command was executed successfully but got the error below when i ram setup /preparead commands

    =================================================================================
    Welcome to Microsoft Exchange Server 2013 Service Pack 1 Unattended Setup
    Copying Files…
    File copy complete. Setup will now collect additional information needed for
    installation.

    Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis COMPLETED

    Configuring Microsoft Exchange Server

    Organization Preparation FAILED
    The following error was generated when “$error.Clear();
    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

    ” was run: “Active Directory operation failed on apl.com. One or more attribute entries of the object ‘CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=apl,DC=com’ already exists.”.

    The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the :ExchangeSetupLogs folder.
    =====================================================================================

    The three exchange servers were just installed and configured last week. we want to make sure we have the latest update on the exchange servers before we go live.

    Do you have any idea what i can do to resolve this issue.

  81. Ajith

    I’m sure you don’t find a better article for installing CU!

    Btw, I’m just doing CU3 in my lab with the help of your article. Thank you Paul 🙂

  82. Michael

    Hi Paul,

    Can we update to CU3 directly from RTM (build 516.32)? Is the procedure same to this posting?

    Thanks,

    Michael

    1. Paul Cunningham

      Yes. CUs and Service Packs are full builds of the product. You can always go straight to the latest CU or Service Pack.

  83. Rob Derbyshire

    Hi Paul
    No mention of the steps for

    Get-ExecutionPolicy cmdlet from PowerShell

    Can you clarify which execution policies need to be set to unrestricted?
    MachinePolicy
    UserPolicy
    Process
    CurrentUser
    LocalMachine

    We believe it should only be MP and LM.

    Thanks

  84. suren

    Hi,

    Great Article …. Thanks.

    I have 4 Servers for exchange 2 Mailbox and 2 CAS Servers …. just installed exchange on all the servers and not yet created DAG or configured the mail-flow ( i mean post installation tasks) . Can i update to CU3 now ?

    What steps do i need to follow ?

    Thanks .

  85. Brandon Nolan

    below is the script I put together to help me with migrations and update procedures. I use this all the time to gather CAS information.

    start-transcript -path c:tempCASConfig.txt -append

    get-clientaccessserver | fl Name,fqdn,Out*,*uri,*site*,*version,orig*

    get-autodiscovervirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*version,orig*

    get-webservicesvirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*mrs,*version,orig*

    get-oabvirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*version,orig*

    get-owavirtualdirectory -adpropertiesonly | fl server,identity,name,*url,logon*,*version,orig*

    get-ecpvirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*version,orig*

    get-ActiveSyncvirtualdirectory -adpropertiesonly | fl server,identity,name,activesyncserver,*url,*version,orig*

    Get-OutlookAnywhere -ADPropertiesOnly | fl server,name,External*,*auth*

    stop-transcript

    1. Scott

      That is a great script. Thanks a lot. did you manage to get anything together for the IIS Authentication?

  86. Brandon Nolan

    As a value add:

    I followed this guide and installed CU3 onto a CU2 DAG environment and the only thing I wanted to note is I noticed only the External URL of the ActiveSync virtual directory was set to $null post install. This happened on each of the nodes of the cluster. I changed the setting back to what I needed it to be before bringing the node out of maintenance mode and had great success with all Exchange functions. Thanks again for your insight Paul!

    If I could add anything the settings we typically see change with SP’s and CU’s are Virtual directory settings and the Authentication and SSL settings in IIS. I have created scripts to grab the CAS virtual directory settings before running updates so I can verify the settings after updates easier. I would like to get a similar script for gathering the IIS Authentication and SSL settings if anyone is interested in helping. I can upload the CAS script if anyone is interested.

    1. Radou

      Hi Brandon,
      Don’t know if you still have these scripts around because I am interessed in 🙂
      Many Thanks in advance,

  87. Stephane

    Hello,

    I have something very strange with my CU3.
    I download the “Exchange2013-x64-cu3.exe” and when I launch the setup in GUI I see correctly “Welcome … Exchange Server 2013 CU3 …”

    When I launch in powershell for update the schema I have :
    Welcome to the unattended Setup of Microsoft Exchange Server 2013 with Cumulative Update 2

    After the update of schema the version of schema is always the same : “15281 (CU2)” and not 15283 (CU3)

    Is it normal ?

    Thank’s.

  88. Mohamad

    hi ,
    After update cu2 send messages Stuck in Drafts too.

  89. Mohamad

    After update cu1 send messages Stuck in Drafts 🙁 why???

    1. Nankumba Joanna

      AM ALSO FACING SAMEPROBLEM,BUT I REALISED THIS STARTS AFTER PUTTING SERVER INTO MAINTANANCE MODE

      1. Nankumba Joanna

        This is what I did, i prepared schema, AD and domain before I could install the cumulative update. After that i did not put my server in maintenance mode as Paul advised.I went ahead and installed the cumulative update and it was succefull.

  90. Rajkumar

    Hi Paul,

    In my case, Exchange installed on a different directory other than the default one C:

    Do I need to specify the directory name while running the below command?

    Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

    or the upgrade switch will automatically get the directory in which exchange is installed.

    Please advice…

    1. Paul Cunningham

      No, you don’t need to specify the install directory for an upgrade.

  91. Preston Cole

    Hi Paul

    I have an issue with my environment after installing CU2. I’ve been on to MS support and they reckon CAS servers should be upgraded before MB servers.
    What are your thoughts?

    Preston

  92. Arun

    Hi,

    Is that CU1 requires RTM preinstalled or it can be freshly build.

    1. Didar Ali

      Kindly provide SP1 as it is not available in Microsoft or google world.

  93. Matt Tunny

    Awesome write up. Big help thanks mate.

Leave a Reply