Exchange Server 2016 CU3 and later supports installation on Windows Server 2016 for the Mailbox server role. The Edge Transport server role is not supported. The installation process for Exchange on Windows Server 2016 is much the same as installing previous builds of Exchange 2016 on Windows Server:

  1. Install the Exchange 2016 pre-requisites (note that .NET Framework does not need to be separately installed)
  2. Run Exchange 2016 setup

After setup is complete the Windows Defender service on the server should be configured with antivirus exclusions for Exchange 2016. The guidance remains the same for now, but Windows Defender has PowerShell cmdlets available that make it easier to configure the exclusions when compared with third party antivirus products.

On a newly installed Windows 2016 server there’s no exclusions configured by default.

PS C:\> Get-MpPreference | Select Exclusion*

ExclusionExtension :
ExclusionPath      :
ExclusionProcess   :

I’ve updated my Get-Exchange2016AVExclusions.ps1 script with an additional -ConfigureWindowsDefender switch that will add the exclusions to Windows Defender on the local server.

[PS] C:\Scripts\>.\Get-Exchange2016AVExclusions.ps1 -ConfigureWindowsDefender

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Scott

    Is you script still available to download from somewhere?

  2. Adrian

    Hi Paul.

    Do you know if it’s ok to have an Exchange 2016 DAG with mixed OS versions?
    Example: Have one DAG across sites, where you have 2 servers in one site with Windows Server 2016 Standard and have 2 servers on the other site with Windows Server 2016 Datacenter.

    Thank you.

      1. Adrian

        Hi Paul.

        Because we’re planning on having physical servers on the primary site (and therefore, no need to buy Windows server Datacenter version)
        But on the other site the Exchange servers will live on a virtual environment where Windows Server Datacenter already exists.
        Note: It will be an Active/Passive DAG.

        Thank you Paul.

  3. Marc

    I’m a Junior college teacher looking for teaching material you could point me too for teaching exchange 2016 to my students, they already take a full class on windows 2016.

  4. Tyler Do

    Are there any benefits to running Exchange 2016 on Server 2016 as opposed to Server 2012 R2?

    1. Space_Pirate

      Yes, the same question from me. We are testing Exchange 2016 CU4 on Window Server 2016. The combination of Server 2012R2/ Exchange 2016 has been OK until now. How about Exchange 2016 CU4 on Server 2012R2 ? Is it OK?

  5. Mark Levendowski

    This is a great script! Is there a way to get the output into CSV instead of TXT so I can then use the CSV to create the exclusions in Windows Defender via PS?
    I do a lot with PS but I’m still a bit of a novice. I tried to modify the script to Export-Csv but the CSV data was not what I expected.
    Or maybe there is a way to use the TXT files that I am not aware of.
    Thanks,
    Mark

    1. Mark Levendowski

      Oop, I see your script does enable the exclusions. I was not seeing the exclusions:
      Get-MpPreference | FL Exclusion*
      ExclusionExtension :
      ExclusionPath :
      ExclusionProcess :
      I got these errors when running the script:
      Add-MpPreference : Operation failed with the following error: 0x%1!x!
      I am thinking it is because the client disabled realtime scanning:
      Get-MpPreference | FL DisableRealtimeMonitoring
      DisableRealtimeMonitoring : True
      At this point I have not yet been able to confirm it is the disabled Realtime Scanning that is causing the script errors when trying to add the exclusions.
      Maybe someone does know?

  6. Tung Nguyen

    Hi Paul,
    I installed EX 2016 with 2 Mailbox srv and 1 Edge transport srv, with WS 2012R2
    My system run for 1 month, we use MS outlook IMAP with port 143 and 25.
    This week, we can’t use port 25, Outlook asked for password. I changed to 465 ssl that ok. Today, I restart 2 MB Srv then user port 25 it works about 3 hours and I can use port 25 in Outlook.
    Antivirus software was disable, telnet to 25 still work.
    Help me, please!
    Thank you very much!

      1. Tung Nguyen

        Tks Paul!
        I tested, same problem with 587.

          1. Tung Nguyen

            Use OWA stil normal.
            Logon method domain\user
            Event log has a lot of warning “Inbound authentication failed with error LogonDenied for Receive connector Default Frontend EX-MB-01. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [190.248.131.102].”
            Do you think, problem with frontend?

  7. Walter

    Hello Paul

    Build number 15.01.0225.037

    1. Avatar photo

      That exact build number is not listed here as far as I can tell:

      https://technet.microsoft.com/en-us/library/hh135098(v=exchg.150).aspx

      Assuming there’s a typo and what you’re actually trying to install is 15.01.0225.042, you’ll see on that page that build number is Exchange 2016 RTM. That version of Exchange is not supported to run on Windows Server 2016. You must use at least CU3. CU3 has some bugs though, so you should look at installing CU4 which was released this week.

  8. Walter Gabauer

    Hello Paul,
    I have the same problem as jason
    Exchange build is the latest from eopen

  9. Roël Ramjiawan

    Dear Paul,

    Something worth mentioning;

    When I tried to install Exchange 2013 CU3 (full install) it keep gave me the ” A reboot from a previous installation is pending ” error.

    I am familiar with the UpdateExeVolatile registry key and the PendingFileRenameOperations registry key in the HKEY Local Machine System CurrentControlSet Control Session Manager.

    But there was nothing present there not even the empty keys. So upon further research I stumbled upon PendMoves and MoveFile (Windows Sysinternals from Mark Russinovich).
    PendMoves told me I had files Pending FIle Rename Operations in the
    C:Windowssystem32spoolV4Dirs with all kinds of dirs with GUIDS in it.

    But this was a fresh install of Windows Server 2016 with only AD/DNS installed on it.

    Still I couldn’t find those in the PendingFileRenameOperations so then I checked the whole registry on that key and I found it.

    HKEY Local Machine System ControlSet001 Control Session Manager was the location.

    So instead of CurrentControlSet it was ControlSet001 in Windows Server 2016.

    Maybe you can add this to the article? I don’t know if this differs from the previous Windows Servers Edition because I do not have much Experience with the final version of Windows Server 2016.

    And I did not want to install Exchange 2016 on a Technical Preview which I already been testing for almost a year right now. Besides it took some time to for CU3 to show up.

    I thought sharing this would be good to help others and I was racking my brain for a few days.

    1. Roël Ramjiawan

      O and I restarted like ten times so that was not the problem

  10. Hayden Kirk

    I disable defender on 2016 servers. seems very intensive. Any downsides to this?

  11. Fred

    What about doing an in-place upgrade of Exchange 2016 running on Server 2012 R2 to Server 2016? It didn’t work for me. Exchange services wouldn’t start.

      1. ndfan77

        So what/where are the migration steps to move Exchange 2016 from Windows Server 2012 to Windows Server 2016?

        Something like(?):
        – Deploy new Windows 2016 server
        – Install second instance of Exchange 2016 (any potential interference with existing Exchange 2016 installation?)
        – Apply same settings as existing Exchange server
        – Move mailboxes to new Exchange server (how?)
        – Change firewall to map inbound ports to new Exchange server
        – Shutdown old Exchange server
        – Move licensing from old Exchange server to new Exchange server?

          1. ndfan77

            Thanks. Read through the like-for-like, and the autodiscovery/certificate article it referenced. The one part I don’t feel like I understand well enough before “diving in” is the bit about setting the SCP back to the original value immediately after the 2nd Exchange installation.

            When I issue “Get-ClientAccessService | fl” there are something like 25 lines returned. Is the gist of setting the SCP back to the “original value” just a matter of setting the AutoDiscoverServiceInternalUri back to what it was?

          2. Avatar photo

            AutoDiscoverServiceInternalUri is the only thing you need to touch.

            “….you need to be aware of the Autodiscover SCP that the new server will be registering in Active Directory, and be prepared to change that immediately to match the Autodiscover URL for the existing server”

          3. ndfan77

            Ah, very good. Thanks for the clarification! (And for the site and content. It is appreciated.)

  12. SILVIO TAVARES

    PS1 dont working for me.

    Dont run in my windows 2016 powershell

    Error the signature

    1. SILVIO TAVARES

      I disabled WIndows Defender on Windows 2016…

  13. IsmatSahar

    thanks sir,really awesome

  14. IsmatSahar

    thanks sir,really awesome

  15. Diego

    Now Exchange 2016 is compatibility on Windows Server 2016, because that from back months this not supported. Thanks

  16. Joel Rennie

    Thanks!

Leave a Reply