How to upgrade the CU level of an On-Premises Exchange server?

Posted on October 5, 2022 by m365guy One comment

This will be a straight forwarded blog post where I’m going to explain on how we can upgrade On-Premises Exchange servers CU level. Upgrading the CU level in general has been a challenging task since it’s not the same as traditional Windows updates. If you are looking for guidance on how to upgrade Exchange servers that don’t have the latest CU level installed. I will be sharing my methodology on how we can do this. This requires careful planning and a solid change management process before we can upgrade the CU level of an Exchange server. During this example, we will be using Exchange 2016.

Quick way to verify the installed Cumulative Update is by running the following command in PowerShell:

function Get-ExchangeCU() {
    Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | ? DisplayName -Match "Microsoft Exchange Server \d{4}" | Select -ExpandProperty DisplayName
}
Get-ExchangeCU

Another preferred way would be to use the Exchange Server Health Checker script. The Exchange Server Health Checker script helps detecting common configuration issues that are known to cause performance issues on an Exchange server and will also verify the latest CU. This script can be found here: https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

Microsoft’s official documentation keeps track of all the latest CU level that are available and were released for Exchange servers. This can be found here: https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019.

We can see that this Exchange server is an Exchange 2016 CU12. This means that this Exchange server has not been upgraded for at least upgraded 3 years.

Best Practices

Microsoft has a set of best practices that they are recommending before upgrading to the latest CU level. This can be found here as well: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/install-cumulative-updates?view=exchserver-2019

Always keep your servers as up to date as possible. This especially applies to the installation of a new server.
Always install the latest Cumulative Update when creating a new server.
There is no need to install the RTM build or previous builds and then upgrade to the latest Cumulative Update. This is because each Cumulative Update is a full build of the product.
Reboot the server beforehand.
Test the new update in a non-production environment first to avoid any problems in the new update affecting the running production environment.
Have a tested and working backup of both the Active Directory and your Exchange Server.
Backup any and all customizations. They will not survive the update.
Use an elevated command prompt to run the Cumulative Update.
Temporarily disable any anti-virus software during the update process.
Reboot your server upon completion of the update.
Test your Active Directory Replication Health status and make sure that every DC in the domain is replicating fine.

Verify Exchange Server Schema Version

Log in to an Exchange server or Domain Controller that contains the RSAT PowerShell module. Run the following script to gather information of what Exchange Schema version is currently in use. This script can be found here: https://www.alitajran.com/wp-content/uploads/scripts/Get-ADversions.ps1

# Exchange Schema Version
$sc = (Get-ADRootDSE).SchemaNamingContext
$ob = "CN=ms-Exch-Schema-Version-Pt," + $sc
Write-Output "RangeUpper: $((Get-ADObject $ob -pr rangeUpper).rangeUpper)"

# Exchange Object Version (domain)
$dc = (Get-ADRootDSE).DefaultNamingContext
$ob = "CN=Microsoft Exchange System Objects," + $dc
Write-Output "ObjectVersion (Default): $((Get-ADObject $ob -pr objectVersion).objectVersion)"

# Exchange Object Version (forest)
$cc = (Get-ADRootDSE).ConfigurationNamingContext
$fl = "(objectClass=msExchOrganizationContainer)"
Write-Output "ObjectVersion (Configuration): $((Get-ADObject -LDAPFilter $fl -SearchBase $cc -pr objectVersion).objectVersion)"

Another example would be to use dsquery.exe to query the RangeUpper and ObjectVersion. You can compare the object versions you see with the values to verify that Exchange successfully updated Active Directory during the installation.

dsquery * "CN=ms-Exch-Schema-Version-Pt,CN=schema,CN=configuration,DC=Contoso,DC=com" -scope base -at
tr rangeUpper

dsquery * "CN=Microsoft Exchange System Objects,DC=Contoso,DC=com" -scope base -attr objectVersion

Since we are talking about Exchange 2016. I’ve found a great blog post that currently tracks all the Schema Update versions for Exchange. This can be found here: https://www.alitajran.com/exchange-schema-versions/#h-exchange-server-2016-schema-versions. Since I’m using Exchange 2016 CU12, we can see that the objectVersion (Default) has been set to 13236. Our goal is to upgrade to the latest Exchange CU level, which means that if everything goes according to plan. The objectVersion attribute should be updated to 13243.

Verify Exchange Server Health

Great PowerShell script of @practical365 that will perform different Exchange Health Checks to see if everything is running fine. Let’s check this first, before we are going to upgrade to the latest CU level. Save this PowerShell script as Test-ExchangeServerHealth.ps1 and then run it on an Exchange server. It’s good to verify that your Exchange servers are in a healthy state before upgrading. This script can be downloaded here: https://github.com/cunninghamp/Test-ExchangeServerHealth.ps1

At the result, we can see that there are two Exchange servers in the environment. Both of them have passed all the checks, which is a good sign to proceed further.

Run Microsoft Exchange Health Checker script

Run the Microsoft CSS Exchange Health Script, which can be found here: https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

The Exchange Server Health Checker script helps detect common configuration issues that are known to cause performance issues and other long running issues that are caused by a simple configuration change within an Exchange Environment. It also helps collect useful information of your server to help speed up the process of common information gathering of your server. It’s similar to the previous script, but it looks at a few different things.

The required permission(s) to run this script are Local Admin on an Exchange server and a member of the Organization Management group. Start reviewing the following checks:

Verify if the SSL certificate has been expired or not

Verify whether .NET Framework 4.8 is installed or not

Upgrading to the latest Exchange 2016 CU23 level requires to have .NET Framework 4.8 installed. It is good to do this prior to upgrading the CU level.

Verify if all Exchange Web App Pools are starting

Install IIS Rewrite Module on Exchange servers

IIS URL Rewrite 2.1 enables Web administrators to create powerful rules to implement URLs that are easier for users to remember and easier for search engines to find. This feature is required when installing the latest Exchange 2016 CU, which happens to be by the time of writing this. CU23. If we don’t do this, it will throw the following an error.

IIS Rewrite Module can be installed here: https://www.iis.net/downloads/microsoft/url-rewrite

Ensure Exchange Servers have installed the latest Windows updates

Make sure that Exchange servers that we’re going to upgrade to the latest CU level have all the latest Windows updates installed. Once the Windows updates have been installed, make sure that the server has been rebooted beforehand.

Upgrading Exchange servers to the latest CU level

By the time of writing this. Exchange 2016 CU23 was the latest version for Exchange 2016. First, let’s download this ISO from the official Microsoft website. See: https://www.microsoft.com/en-us/download/details.aspx?id=104132

Now login to your Exchange server and make sure that the account has Enterprise Admins, Schema Admins, and Local Admin on all the Exchange servers.

Put the HubTransport in draining state

Hub Transport is a role that handles all the mail flow, and we are going to put it in draining state, so it will stop accepting messages.