Step-by-Step guide for Exchange server updates
Maintaining the security and functionality of Exchange Server environments is critical for uninterrupted mail flow and protection against vulnerabilities. Whenever a vulnerability is identified in an existing Exchange version, the Microsoft Exchange team releases security updates that patch it and protect against unauthorized access to mailbox data.
When you install the security updates, your Exchange server is protected against the known vulnerabilities. Additionally, if you are using Exchange server 2016 and 2019, you need to upgrade to the latest Cumulative Update (CU). The CU is a complete installation package containing all previous updates and changes.
Let us learn the process of updating your Exchange server and protecting it against any vulnerabilities and unauthorized data access.
How to prepare your Exchange server for updates?
Before installing the Security Updates or the CU, you need to prepare your Exchange server by following the steps below:
1. Check for Windows Updates and install the updates
2. Restart the Exchange Server
3. Set the server on maintenance mode
4. Install the following:
a. .NET framework 4.8+
b. Visual C++ Redistributable for Visual Studio 2012
5. Temporarily disable any anti-virus software
6. Temporarily disable any backup software
Additionally, you need to ensure the following points:
1. The account that you will use to install the CU requires membership in the Exchange Organization Management role group.
2. If you are running a standalone Exchange Server, the mail flow will stop while the Cumulative updates are being installed.
3. Always test the Cumulative update in a test environment before deploying it to the production server.
4. If the CU requires Active Directory schema updates or domain preparation, the account will likely require more permissions.
5. Check Microsoft's release notes for the latest information before you install the updates.
6. Verify the target server meets the potentially new system requirements and prerequisites for the Updates.
How to Update the Exchange server
Here are the steps to download the latest CU and update the Microsoft Exchange server:
Step 1- Check the current version of the Exchange server and download the latest updates
Before you install the latest CU, you need to check the version of your existing Exchange server. For this, enter the following cmdlet in the EMS:
Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion
Then visit the "Exchange Server build numbers and release dates" page to check and download the latest Cumulative Update for your Exchange Server version.
Step 2- Put the server on maintenance mode
As a best practice, you can put the Exchange Server in maintenance mode before you install the CU. To put your Exchange Server 2013, 2016, or 2019 into maintenance mode, you can use the following PowerShell commands in EMS:
1. Set HubTransport to draining state using the following cmdlet:
Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance
2. Then disable database copy auto-activation and move the active copy of the database to another DAG member. Use the following cmdlet:
Set-MailboxServer "ServerName-01" -DatabaseCopyActivationDisabledAndMoveNow $true
3. Block the DatabaseCopyAutoActivationPolicy. Use the following cmdlet:
Set-MailboxServer "ServerName-01" -DatabaseCopyAutoActivationPolicy Blocked
4. Then put the Exchange Server into maintenance mode using the following command:
Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Inactive -Requester Maintenance
Step 3- Prepare the Active Directory
To prepare the Schema, Active Directory, and Domains, run Command Prompt as administrator and set the directory to CU ISO location using the CD command.
Then run the following commands to prepare the Schema, AD, and all Domains:
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains
(Use /PrepareDomain in place of /PrepareAllDomains to prepare a single domain.)
Restart the server in between to clear any pending reboots.
Step 4- Install the latest CU on your computer
Restart your Exchange server and follow the steps below to install the latest Cumulative Updates that you downloaded in Step 1.
1. In File Explorer, right-click the downloaded Exchange CU ISO image file, and then select Mount. In the virtual DVD drive that appears, double-click setup.exe to start Exchange Setup.
2. The Exchange Server Setup wizard opens. On the Check for Updates? page, choose one of the following options:
a. Connect to the Internet and check for updates (recommended)
b. Don’t check for updates right now
3. Then click Next to continue
4. On the Copying Files page, you will see the progress of copying files to the local hard drive.
5. The Upgrade page shows that Setup detected the existing installation of Exchange. Click Next to continue.
6. On the License Agreement page, review the license terms and conditions, select I accept the terms in the license agreement, and then click Next to continue.
7. The Readiness Checks page verifies that the prerequisites (mentioned at the beginning) have been completed successfully. If not, the Setup Wizard will display errors. You need to resolve the errors and click Retry.
8. The Setup Wizard will check the prerequisites again and if no errors are detected, click on Install.
9. On the Setup Progress page, a progress bar indicates how the installation is proceeding.
10. On the Setup Completed page, click Finish, and then restart the computer.
11. Once the installation is finished, restart the server and then check the current version using the following command in EMS:
Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion
12. Remove the server from maintenance mode using the following commands:
Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Active -Requester Maintenance
Set-ServerComponentState ServerName -Component HubTransport -State Active -Requester Maintenance
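The two commands above reactivate the components, but the Set-MailboxServer settings applied in Step 2 stay in place until they are reverted. The following is an added example, not part of the original guide or of Microsoft's tooling, that reverts them and reports anything still out of service; "ServerName-01" is a placeholder and the script assumes the activation policy was Unrestricted before maintenance.

```powershell
# Added example (not from the original guide): leave maintenance mode and verify it.
# Run in the Exchange Management Shell. "ServerName-01" is a placeholder.
$Server = "ServerName-01"

# 1. Reactivate the components that Step 2 took offline.
Set-ServerComponentState -Identity $Server -Component ServerWideOffline -State Active -Requester Maintenance
Set-ServerComponentState -Identity $Server -Component HubTransport -State Active -Requester Maintenance

# 2. Undo the database-copy settings from Step 2 (relevant on DAG members).
#    Assumption: the policy was Unrestricted before maintenance started.
Set-MailboxServer -Identity $Server -DatabaseCopyActivationDisabledAndMoveNow $false
Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy Unrestricted

# 3. Collect anything that is still not back in service.
$problems = @()

foreach ($component in 'ServerWideOffline', 'HubTransport') {
    $state = (Get-ServerComponentState -Identity $Server -Component $component).State
    if ($state -ne 'Active') { $problems += "Component $component is $state" }
}

$mbx = Get-MailboxServer -Identity $Server
if ($mbx.DatabaseCopyAutoActivationPolicy -ne 'Unrestricted') {
    $problems += "DatabaseCopyAutoActivationPolicy is $($mbx.DatabaseCopyAutoActivationPolicy)"
}
if ($mbx.DatabaseCopyActivationDisabledAndMoveNow) {
    $problems += "DatabaseCopyActivationDisabledAndMoveNow is still true"
}

# Test-ServiceHealth reports, per role, which required services are not running.
foreach ($role in Test-ServiceHealth -Server $Server) {
    if (-not $role.RequiredServicesRunning) {
        $problems += "$($role.Role): not running: $($role.ServicesNotRunning -join ', ')"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "$Server is out of maintenance mode and its required services are running."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```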
Step 5- Install Security Updates
Once you have upgraded your Exchange Server with the Cumulative Updates, check for any pending security updates or patches. You can run the HealthChecker.ps1 script on your server to find the vulnerabilities and then apply the SUs to patch them.
To install security updates, navigate to the folder where the security updates (.msp files) are downloaded and run the following command in the elevated Command Prompt window:
.\Updatename.msp
Follow the wizard to complete the installation and then reboot.
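Before running the .msp, it is worth confirming that the package carries a valid Microsoft signature and that the session really is elevated. The following is an added example, not from the original guide; ".\Updatename.msp" is the guide's stand-in file name and Test-SuPackage is a hypothetical helper name.

```powershell
# Added example (not from the original guide): vet an SU package before running it.
# ".\Updatename.msp" is the guide's stand-in file name, not a real update.
function Test-SuPackage {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # The guide requires an elevated prompt; check that instead of assuming it.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        File      = (Resolve-Path -Path $Path).Path
        SHA256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # keep for the change record
        Signature = $sig.Status
        Signer    = $signer
        Elevated  = $elevated
        # Valid signature chain, Microsoft as signing organisation, elevated session.
        OkToRun   = ($sig.Status -eq 'Valid') -and
                    ($signer -match 'O=Microsoft Corporation') -and $elevated
    }
}

$check = Test-SuPackage -Path ".\Updatename.msp"
$check | Format-List
if (-not $check.OkToRun) {
    Write-Warning "Do not install: the signature is not a valid Microsoft signature or the session is not elevated."
}

# After the reboot, in EMS: AdminDisplayVersion does not change when an SU is
# installed, so read the build from the ExSetup.exe file version instead.
Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo.FileVersion }
```

Compare the reported file version with the build number listed for the SU on Microsoft's build numbers page.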
Conclusion
Microsoft advises Exchange Server users to install the latest security updates to protect their organization from threats and malicious attacks. Exchange Servers that do not have the latest security patches are vulnerable to attacks. To avoid these risks, it is important to install updates as soon as they become available.
In the event of server corruption or database damage due to a virus attack or server failure, it is recommended to create a new server and restore mailboxes from the backup, rather than attempting to fix and reuse the compromised server. If a backup is unavailable, Exchange server recovery software, such as Stellar Repair for Exchange, can be used to recover mailboxes from the compromised server and save them in PST format. The extracted mailboxes can be directly exported to a new live Exchange Server or Office 365 tenant with ease.