Patching Exchange 2010 · Web viewThe difference between the two is that Stop will immediately stop the server regardless of who is currently connected to it, while Drainstop will

Patching Exchange 2010

Exchange 2010 Patching Guide

1 How to Rebalance Mailbox Databases in a DAG with Exchange Server 2010 | Exchange 2010


Table of ContentsPatching Exchange Server 2010.............................................................................................................3

Introduction...........................................................................................................................................3

Permissions...........................................................................................................................................3

Patching Order......................................................................................................................................3

How to Install Updates on Exchange Server 2010 CAS Arrays...............................................................3

Preparing the NLB Cluster for Updates..................................................................................................4

Stop Conflicting Services........................................................................................................................6

Disabling Monitoring.............................................................................................................................7

Backing up the Server............................................................................................................................7

Updating the Server...............................................................................................................................7

Verifying the Update.............................................................................................................................8

Returning the Server to Production.......................................................................................................9

How to Install Updates on Exchange Server 2010 Hub Transport Server............................................10

How to Install Updates on Exchange Server 2010 Database Availability Groups.................................10

Stopping Conflicting Services...............................................................................................................11

Disabling Server Monitoring................................................................................................................11

Updating the Server.............................................................................................................................11

Verifying the Update...........................................................................................................................12

Returning an Exchange Server 2010 DAG Member to Production......................................................13

How to Rebalance Mailbox Databases in a DAG with Exchange Server 2010......................................13

Post Patching Checks...........................................................................................................................14

Appendix.............................................................................................................................................15



Patching Exchange Server 2010

IntroductionWindows and Exchange Application patching is an important regular requirement for the any Environment and this also requires a proper planning and regularity. If we don’t follow the process and don’t patch our servers then we leave our servers open for security risk and application bugs. Following the article will help in patching windows OS and Exchange application on an exchange server.

PermissionsThe following permissions will be required.

1. Windows Patching: Local Administrator

2. Exchange Patching: The following group membership will be required:

Local Administrator; Domain Admins; Organization management.

Patching OrderUpgrade your servers in the following order:

1. Client Access servers (beginning with the internet-facing site if any)2. Hub Transport and Edge Transport servers3. Mailbox servers4. Unified Messaging servers

You should also plan to update any management tools installations you have on admin workstations or servers, and also check your third party applications that integrate with Exchange in case they also need updated management tools.

How to Install Updates on Exchange Server 2010 CAS ArraysClient Access servers are the first server role to update, and you should begin with the internet-facing site if you have multiple sites in your organization.

For Client Access servers that are in a CAS Array you should remove some of the servers (eg half of them) from the load balancer configuration, upgrade them, re-add them to the load balancer, then repeat the process with the remaining Client Access servers in that load balanced array.

For most organizations the main benefit of deploying an Exchange Server 2010 Client Access Server array is to minimize downtime.

So when it comes time to update the CAS array members with patches, update rollups or service packs, the update process needs to be managed in a way that prevents all of the CAS array members from being offline at the same time.



Typically this means installing the updates to CAS array members one at a time, allowing each one to complete the update and (if necessary) reboot before updating the next member.

If in your ORGANIZATION, you have both CAS & HUB installed on same server, so you will install both the patches for CAS & HUB and then we will proceed with the reboot of the server.

Services Running –

Preparing the NLB Cluster for Updates

The first step is to remove the server that is about to be updated from the Network Load Balancing (NLB) cluster.

There are two ways to take a CAS array member out of the NLB cluster:

Issue a Stop command to the server Issue a Drainstop command to the server

The difference between the two is that Stop will immediately stop the server regardless of who is currently connected to it, while Drainstop will put the server in a state where it will not accept new connections but will continue serving existing connections until they disconnect.

For urgent updates, a Stop command may be necessary, but for planned maintenance a Drainstop has the least potential impact on active client connections to the CAS array.

To issue a Drainstop launch Network Load Balancing Manager, right-click on the desired server, choose Control Host and then Drainstop.

When the server has no more active connections it will be in a stopped state.4 How to Rebalance Mailbox Databases in a DAG with Exchange Server 2010 | Exchange

2010


Right click the server and choose Properties. Set the default state of the server to Stopped. This will prevent it from automatically starting and accepting client connections after any reboots that the updates require, to allow you time to verify the updates were successful first before rejoining the NLB cluster.

Stop Conflicting Services

The Client Access Server role is often installed on the same server as the Hub Transport server role, even when deployed as a CAS array.

Hub Transport servers often run additional applications such as antivirus and anti-spam software that hooks into the Exchange Server services. These can cause conflicts with Exchange Server updates, for example if a third party application tries to automatically restart a service that it depends on that has been stopped by the update process.

Forefront is one example of this, so for servers running Forefront Protection for Exchange those services can be stopped using FSCUtility.

C:\> fscutility /disable

Disabling Monitoring

If the CAS array members are monitored using SCOM, this should also be disabled, or placed into maintenance mode before the update is performed. This prevents unnecessary alarms in the monitoring system due to stopped services or server restarts, and also prevents the monitoring agent from trying to perform any automatic remediation such as restarting services.

Backing up the Server

Some organizations will require an ad-hoc backup be run of at least one CAS array member before updates are applied. Others will be happy to rely on the latest scheduled backup instead. And some will even be satisfied that multiple CAS array members exist and so if a bad update puts one of them out of action there is no outage to end users, and the server can simply be manually reinstalled.

Updating the Server

Install the update following the procedure for that update type.



Update rollups come in the form of a .MSP file (Windows Installer Patch) that is applied to the server. Simply double-click the file or launch it from a command line window.

Service packs are a complete reissue of the Exchange Server setup files and are installed by running setup in upgrade mode, which can be run in either graphical or command line mode.

C:\> setup /m:upgrade

Both update rollups and service packs can take some time to install, so plan a large window of time for these updates.

Verifying the Update

After the update has completed, and if necessary the server rebooted, you should check the server’s health before placing it back into production in the CAS array.

Event Logs – look for error or warning events that have started since the update was applied.

Setup Logs – service packs write a complete setup log file to C:\ExchangeSetupLogs

Services – check the Exchange services are running (or at least those that you expect to be running, some such as IMAP and POP will be stopped if you have not explicitly enabled them)



[PS] C:\>get-service *exchange*

Status Name DisplayName------ ---- -----------Running MSExchangeAB Microsoft Exchange Address BookRunning MSExchangeADTop... Microsoft Exchange Active Directory...Running MSExchangeAntis... Microsoft Exchange Anti-spam UpdateRunning MSExchangeEdgeSync Microsoft Exchange EdgeSyncRunning MSExchangeFBA Microsoft Exchange Forms-Based Auth...Running MSExchangeFDS Microsoft Exchange File DistributionStopped MSExchangeImap4 Microsoft Exchange IMAP4Running MSExchangeMailb... Microsoft Exchange Mailbox ReplicationStopped MSExchangeMonit... Microsoft Exchange MonitoringStopped MSExchangePop3 Microsoft Exchange POP3Running MSExchangeProte... Microsoft Exchange Protected Servic...Running MSExchangeRPC Microsoft Exchange RPC Client AccessRunning MSExchangeServi... Microsoft Exchange Service HostRunning MSExchangeTrans... Microsoft Exchange TransportRunning MSExchangeTrans... Microsoft Exchange Transport Log Se...Stopped msftesql-Exchange Microsoft Search (Exchange)Running vmickvpexchange Hyper-V Data Exchange Service

Returning the Server to Production

If the update was successful and the server healthy then it can be placed back into production.

Re-enable services such as Forefront Protection for Exchange.

C:\> fscutility /enable

Start the server in the NLB cluster.

Set the NLB initial host state to Started.



And re-enable monitoring agents and alarms for the server.

After the first CAS array member has been successfully updated you can move on to the next one.

How to Install Updates on Exchange Server 2010 Hub Transport Server

In ORGANIZATION, since CAS role/HUB Role are installed in the same server, hence we will install both the patches for CAS and HUB simultaneously and then proceed with the reboot of the server.

How to Install Updates on Exchange Server 2010 Database Availability GroupsThere is no order in a DAG because there is no “active server” or “passive server”. There are only servers that host either active or passive database copies. So when updating a DAG member you should make sure it is only hosting passive database copies at the time.

To update the DAG members with new patches, update rollups or service packs, the update process should be managed to prevent all of the DAG members from being offline at the same time.

To do this you can move the active mailbox databases off a particular server so that it can be patched, and if necessary rebooted, without causing any downtime for mailbox users on that database.

Open the Exchange Management Shell and navigate to the scripts folder on the Exchange server.

cd $exscripts

Next run the StartDagServerMaintenance.ps1 PowerShell script.

.\StartDagServerMaintenance.ps1 -serverName DAGP01

The script will automatically do the following tasks for you:

Calls Suspend-MailboxDatabaseCopy on the database copies. Pauses the node in Failover Clustering so that it cannot become the Primary

Active Manager. Suspends database activation on each mailbox database.



Sets the DatabaseCopyAutoActivationPolicy to Blocked on the server. Moves databases and cluster group off of the designated server.

Stopping Conflicting Services

If the mailbox server is running any Exchange-integrated services, such as antivirus software, these should be disabled prior to the update.

For example to disable Forefront use the FSCUtility command.

C:\> fscutility /disable

Another example is Data Protection Manager 2010, which may be configured to perform Copy backups from passive database copies at frequent intervals through the day. Make sure these jobs are paused to prevent errors or conflicts from occurring.

Disabling Server Monitoring

If the DAG members are monitored using SCOM or a similar system then this should also be disabled or placed into maintenance mode.

This will prevent alarms from being raised as well as prevent any automatic remediation actions from being run by the monitoring agent that may cause the server updates to fail.

Updating the Server

Install the update following the deployment notes for that update type.

Update rollups come in the form of a .MSP file (Windows Installer Patch) that is applied to the server. Simply double-click the file or launch it from a command line window.

Service packs are a complete reissue of the Exchange Server setup files and are installed by running setup in upgrade mode, which can be run in either graphical or command line mode.

C:\> setup /m:upgrade

Both update rollups and service packs can take some time to install, so plan a large window of time for these updates.



Verifying the Update

After the update has completed, and if necessary the server rebooted, you should check the server’s health before placing it back into production in the CAS array.

Event Logs – look for error or warning events that have started since the update was applied.

Setup Logs – service packs write a complete setup log file to C:\ExchangeSetupLogs

Services – check the Exchange services are running (or at least those that you expect to be running, some such as IMAP and POP will be stopped if you have not explicitly enabled them)

[PS] C:\>Get-Service *exchange*

Status Name DisplayName------ ---- -----------Running MSExchangeADTop... Microsoft Exchange Active Directory...Running MSExchangeIS Microsoft Exchange Information StoreRunning MSExchangeMailb... Microsoft Exchange Mailbox AssistantsRunning MSExchangeMailS... Microsoft Exchange Mail SubmissionStopped MSExchangeMonit... Microsoft Exchange MonitoringRunning MSExchangeRepl Microsoft Exchange ReplicationRunning MSExchangeRPC Microsoft Exchange RPC Client AccessRunning MSExchangeSA Microsoft Exchange System AttendantRunning MSExchangeSearch Microsoft Exchange Search Indexer



Running MSExchangeServi... Microsoft Exchange Service HostRunning MSExchangeThrot... Microsoft Exchange ThrottlingRunning MSExchangeTrans... Microsoft Exchange Transport Log Se...Running msftesql-Exchange Microsoft Search (Exchange)Running vmickvpexchange Hyper-V Data Exchange ServiceStopped wsbexchange Microsoft Exchange Server Extension...

Returning an Exchange Server 2010 DAG Member to Production

Once again Exchange 2010 with Service Pack 1 makes this task easier thanks to a script provided by Microsoft. Open the Exchange Management Shell and navigate to the scripts folder on the Exchange server.

cd $exscripts

Next run the StopDagServerMaintenance.ps1 PowerShell script.

.\StopDagServerMaintenance.ps1 –serverName DAGP01

The script will automatically reverse each of the actions made by StartDagServerMaintenance.ps1 except that it will not move active mailbox databases back to the server.

To move the active mailbox databases you can continue to go to each mailbox server in the DAG and run StartDagServerMaintenance.ps1 and perform your updates. When all of the servers have been updated you can rebalance the DAG automatically using a script from Microsoft which is .\RedistributeActiveDatabases.ps1.

How to Rebalance Mailbox Databases in a DAG with Exchange Server 2010 After an outage or maintenance to the Exchange 2010 Mailbox servers in a Database Availability Group you may find that the mailbox databases are no longer balanced across all of the DAG members.

For example after applying updates to DAG members you may see that all of the mailbox databases are active on a single DAG member.

To check the same-



For e.g.; The output may show that all of the mailbox databases are active on server DAGP01, even though some of them have DAGP02 as a preferred server.

Exchange Server 2010 Service Pack 1 shipped with a script that allows you to automatically redistribute mailbox databases to their first activation preference. The script can be found in the \Scripts folder of the Exchange Server 2010 installation path, which by default would be C:\Program Files\Microsoft\Exchange\V14\Scripts. The script is RedistributeActiveDatabases.ps1

To rebalance the mailbox databases based on activation preference, execute the script.

Output of the script Each mailbox database in the DAG is now active on its preferred server.

Post Patching ChecksRun the following tests on all Exchange servers

1. Get-queue | ? {$_.MessageCount –gt 5}

Queue should be less than 10 mails

2. Test-ServiceHealth

No service should show in ServiceNotRunning

3. Test-ReplactionHealth

Replication should show Passed for all

4. Test-OutlookWebServices

No Error should come except the Id 1104

5. Test-Mapiconnectivity

This should be success

6. Get-mailboxdatabasecopystatus *\*

Databases should show healthy and mounted.

7. Configure a test account and test send and receive of the email.8. If you have an ActiveSync enabled account, test the mail from

ActiveSync device as well.

Pre-Patching Exchange running Services should resemble with post patching running services.



Appendix

Windows Patching—

Login to the server

For Windows Patching

Go to start All Programs Windows Update

Click on the blue where it says numbers of updates are available.



Ensure that there is no Exchange rollup/hotfix/ServicePack, if there is a rollup checked then UNCHECK the Exchange rollup/hotfix/ServicePack

Then Click ok and then click on Install Updates

Once completed click finished and restart the server.


Documents

Patching Exchange 2010 · Web viewThe difference between the two is that Stop will immediately stop the server regardless of who is currently connected to it, while Drainstop will