Installing Exchange 2010 SP2


By now you’ll have read the news that Microsoft has released Service Pack 2 (SP2) for Exchange 2010. If not, you can read my article on WindowsITPro.com and then go and fetch the necessary bits from the Microsoft Download Center.

Installing SP2 is a relatively straightforward affair and Exchange 2010 SP1 and SP2 servers can co-exist peacefully alongside each other for as long as it takes to roll out SP2. However, it is best practice to run a consistent software level across an entire Exchange organization so it’s best to schedule the updates to occur as quickly as possible. Of course, don’t do this until after you’re happy that SP2 meets your needs and requirements and has been tested in your own environment.

The biggest hindrance in the update process for most people is likely to be the requirement to schedule the prerequisite Active Directory schema update, which is required to support new features such as Address Book Policies (ABPs). Once the schema has been updated and replicated throughout the Active Directory forest, you should be able to upgrade Exchange 2010 SP1 servers following the normal order of CAS-Hub Transport-Mailbox servers (Edge servers can be updated first or last, UM servers should be updated before mailbox servers). CAS servers in Internet-facing sites are usually the first candidates for upgrade and this is especially so in Exchange 2010 SP2 if you plan to run a hybrid on-premises/Office 365 configuration. Those who run multi-role Exchange 2010 servers can simply start to upgrade servers…

Updates are performed from the command line with the SETUP program or by running the normal Exchange 2010 installation program. If you run SETUP, you’ll probably run the command SETUP /m:upgrade /InstallWindowsComponents to apply the upgrade and to install any Windows components that might be missing on a server.

SP2 update fails because IIS6 WMI Compatibility component is required

If you use the GUI version of the installation program to install SP2, you might encounter the error shown above when you attempt to upgrade Exchange 2010 SP1 CAS servers. This is because SP2 introduces a new requirement for CAS servers to have the IIS6 WMI Compatibility role. The Exchange installation program is able to detect the lack of prerequisite software on a server and offer to install the missing pieces for you but it can only do this for new installations as the code doesn’t cover the situation where a service pack or other upgrade introduces the need for a new component. As you’ll already have noted from the command-line example described above, the same limitation doesn’t exist for SETUP.

For those who like to script server updates, you can use PowerShell to run these commands to ensure that the correct prerequisite software is installed for Exchange 2010 SP2 (the change from previous versions is the addition of the Web-WMI component):

Import-Module ServerManager

Add-WindowsFeature NET-Framework, RSAT-ADDS, Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-Metabase, Web-Net-Ext, Web-Lgcy-Mgmt-Console, WAS-Process-Model, RSAT-Web-Server, Web-ISAPI-Ext, Web-Digest-Auth, Web-Dyn-Compression, NET-HTTP-Activation, RPC-Over-HTTP-Proxy, Web-WMI -Restart

For mailbox servers that are members of a Database Availability Group, remember that Exchange includes a script called StartDagServerMaintenance.ps1 that is designed to prepare a DAG server member for maintenance, such as installing a service pack. This script:

  1. Runs the Suspend-MailboxDatabaseCopy cmdlet for each database copy hosted on the DAG member to block replication and replay activity.
  2. Pauses the node in the cluster. This prevents the server taking on the role of the Primary Active Manager (PAM) for the DAG.
  3. Sets the value of the DatabaseCopyAutoActivationPolicy parameter on the DAG member to “Blocked”. This step prevents the PAM attempting to automatically activate any of the database copies that are present on the server.
  4. Moves all the active databases that are currently hosted on the DAG member to other DAG members. Assuming that there are DAG members available to accept the workload, clients should be automatically transferred to the new locations by the RPC Client Access Layer.

Like all the other scripts included in the Exchange kit, you can find this one in the location \Program Files\Microsoft\Exchange Server\V14\Scripts. You’ll also find its companion script that’s designed to bring a DAG member back online after maintenance is complete, StopDagServerMaintenance.ps1, in the same location. This script does the following:

  1. Runs the Resume-MailboxDatabaseCopy cmdlet for each database copy hosted on the DAG member to allow the server to fully participate in database replication and replay.
  2. Resumes the node in the cluster to enable full cluster functionality for the DAG member.
  3. Sets the value of the DatabaseCopyAutoActivationPolicy parameter on the DAG member to be “Unrestricted”. The PAM is then able to automatically activate database copies on the DAG member.

Note that workload is not automatically transferred back to the newly reenabled DAG member. You will have to either perform a manual switchover of databases to make them active on the DAG member or rely on the update of another DAG member to transfer databases and balance workload across the DAG. Inevitably, you will end up switching some databases around once all the servers have been upgraded to SP2.

As an example, here’s how we would run the scripts to work with a server called ExServer1 during maintenance.

1. Navigate to the scripts directory (or do one of the tricks to get the scripts directory in your search order for PowerShell).

2. Run the script to prepare a DAG server member for maintenance.

.\StartDagServerMaintenance -ServerName "EXSERVER1"

3. When maintenance is done, run the other script to bring the server back online within the DAG.

.\StopDagServerMaintenance -ServerName "EXSERVER1"
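
Neither script reports much when it finishes, so it is worth confirming the state each one is meant to leave behind. The following is an added example, not part of the original post or of the scripts that ship with Exchange: the helper name Test-DagMaintenanceState and the sample data are constructed for illustration, and reading the cluster node state assumes the FailoverClusters module (Get-ClusterNode) is available on the machine where you run it.

```powershell
# Added example. Test-DagMaintenanceState is a hypothetical helper name,
# not an Exchange cmdlet and not one of the scripts in V14\Scripts.
function Test-DagMaintenanceState {
    param(
        [Parameter(Mandatory = $true)] [string] $ServerName,
        # Output of Get-MailboxDatabaseCopyStatus -Server <name>; may be empty.
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $CopyStatus,
        # (Get-MailboxServer -Identity <name>).DatabaseCopyAutoActivationPolicy
        [Parameter(Mandatory = $true)] [string] $AutoActivationPolicy,
        # (Get-ClusterNode -Name <name>).State
        [Parameter(Mandatory = $true)] [string] $ClusterNodeState,
        # InMaintenance = after the Start script, InService = after the Stop script.
        [ValidateSet('InMaintenance', 'InService')] [string] $Expect = 'InMaintenance'
    )

    $inMaintenance = ($Expect -eq 'InMaintenance')
    if ($inMaintenance) { $wantPolicy = 'Blocked';      $wantNode = 'Paused' }
    else                { $wantPolicy = 'Unrestricted'; $wantNode = 'Up' }
    $findings = @()

    foreach ($copy in $CopyStatus) {
        # The Start script suspends copies with -ActivationOnly, so the flag
        # to inspect is ActivationSuspended rather than a Suspended status.
        if ([bool]$copy.ActivationSuspended -ne $inMaintenance) {
            $findings += "Copy '$($copy.Name)': ActivationSuspended=$($copy.ActivationSuspended), expected $inMaintenance"
        }
        # A copy that is still Mounted means an active database was not moved off.
        if ($inMaintenance -and "$($copy.Status)" -eq 'Mounted') {
            $findings += "Copy '$($copy.Name)' is still active (Mounted) on $ServerName"
        }
    }
    if ($ClusterNodeState -ne $wantNode) {
        $findings += "Cluster node state is '$ClusterNodeState', expected '$wantNode'"
    }
    if ($AutoActivationPolicy -ne $wantPolicy) {
        $findings += "DatabaseCopyAutoActivationPolicy is '$AutoActivationPolicy', expected '$wantPolicy'"
    }

    # New-Object PSObject keeps this usable from the PowerShell 2.0 shell.
    New-Object PSObject -Property @{
        Server   = $ServerName
        Expect   = $Expect
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample data standing in for live cmdlet output: the script
# returned to the prompt, but nothing on the server actually changed.
$sampleCopies = @(
    New-Object PSObject -Property @{ Name = 'DB1\EXSERVER1'; Status = 'Healthy'; ActivationSuspended = $true }
    New-Object PSObject -Property @{ Name = 'DB2\EXSERVER1'; Status = 'Mounted'; ActivationSuspended = $false }
)
$result = Test-DagMaintenanceState -ServerName 'EXSERVER1' -CopyStatus $sampleCopies `
    -AutoActivationPolicy 'Unrestricted' -ClusterNodeState 'Up'
$result.Passed
$result.Findings

# Against a live server, from the Exchange Management Shell:
#   Import-Module FailoverClusters
#   Test-DagMaintenanceState -ServerName 'EXSERVER1' `
#       -CopyStatus (Get-MailboxDatabaseCopyStatus -Server 'EXSERVER1') `
#       -AutoActivationPolicy (Get-MailboxServer -Identity 'EXSERVER1').DatabaseCopyAutoActivationPolicy `
#       -ClusterNodeState (Get-ClusterNode -Name 'EXSERVER1').State
# After StopDagServerMaintenance, repeat with -Expect InService.
```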

All in all, your upgrade to SP2 should proceed reasonably smoothly and with a minimum of fuss. Microsoft has invested lots of time into making it all flow nicely and you’ll appreciate their work after the upgrade is complete.

– Tony

About Tony Redmond

Lead author for the Office 365 for IT Pros eBook and writer about all aspects of the Office 365 ecosystem.

62 Responses to Installing Exchange 2010 SP2

  1. Hi Tony,

    I’d recommend to add the Telnet-Client feature too while you’re installing the required Windows components with PowerShell. Telnet is not required to install Exchange but it’s the first troubleshooting tool people need when something’s not working.

    Cheers,

    Jetze

  2. Mike Koch says:

    I’ve downloaded and unpacked SP2, and I’m looking for that schema update. Is that a separate process, or is it integrated into the SP2 installation? I’d like to run that first, let it propagate out to the other domain controllers, and then install SP2.

  3. Pingback: Exchange Server 2010 Service Pack (SP2) is released! - Neil Johnson - a rock 'n roll nerd.... - Site Home - TechNet Blogs

  4. info-overload says:

    Any advice on installing SP2 on SBS2011?

  5. Peter Vogl says:

    Any comment on Forefront Protection for Exchange in relation to SP2 installation? I presume that it needs to be disabled before setup starts (which stops all Exchange services).

  6. Dave Lewis says:

    Hosting mode in SP2 is still very unclear. MS is suggesting to not use the hosting switch anymore instead “creation of logical organizations is something the admins has to do by combining things like ABP’s, together with OU separation, changing ACL’s on the OAB folders, maybe creating transport rules and changing default calendar permissions etc. The guidance document outlines the things you need to consider when configuring a product that is single tenant by design, to behave in a multi-tenant way.” Are they trying to push towards development of 3rd party control panels or just another way to dominate the hosted world with 365?

  7. Billy Bruemmer says:

    Tony, do you have to run the SETUP /m:upgrade /InstallWindowsComponents command and active directory schema update if you ran them both before installing service pack one??

    • You do have to apply an additional schema update before you can install SP2. The schema has been updated between SP1 and SP2 to accommodate new features such as Address Book Policies. You might have all the necessary Windows components installed on mailbox and HT servers but the CAS servers need an additional component. I would run Setup to update the schema and then run Setup /m:Upgrade on individual servers.
      TR

  8. Pingback: Check list before installing Exchange 2010 SP2 | Exchangepro.dk

  9. Hi Tony, I found your post very informative. One thing though, I’ve not been able to find anywhere on the web on how long should the update take. In particular, the mailbox servers. Is it independent of the database sizes and are updates only for the binaries.

  10. Jeff says:

    Is Service Pack 2 for Server 2008 a prerequisite before you install SP2 for Exchange 2010? All roles are contained on 1 server but we have not upgraded that to SP2 for 2008 as of yet. I tried to install SP2 for Exchange 2010 this morning but it bailed at the Client Access Role portion 41 minutes into the upgrade

  11. Terence says:

    On a server running multiple roles e.g. CAS, Mailbox and Hub transport role on one server…. i just run setup once and the service pack updates all roles correct?

  12. Ravi says:

    I applied SP2 and now none of the clients are able to connect to the exchange server. The message says Cannot open the outlook window. The set of folders cannot be opened. Microsoft exchange is not available.

    But the service is running. What gives?

  13. Ravi says:

    I think I have many issues going on at the same time. Perhaps there is a single reason, I don’t know. One issue is Outlook is not connecting to the server. Another is that as administrator I am unable to add a new mailbox. It complains that I do not have sufficient permissions in DC. In EMC, right-click and specify the DC. Then go to tools-> best practices analyzer. Connect to AD. Now there is new screen which is for specifying the scope and I see it says the scope is for two servers. One is Exchange Administrative Group ->ServerA.(ServerA is where the exchange is installed)
    The second is First Administrative Group->ServerB. Problem is Server B was in service as DC when the Exchange was installed in ServerA but has been decommissioned. It doesn’t exist. I am beginning to think all of my problems are here. The question is what to do now? Why is ServerB coming into picture even when I told it to use current DC?
    -Ravi

    • Ravi,

      This really sounds like your installation is screwed up. The fact that Exchange reports that you don’t have sufficient permission to add a mailbox indicates that EMC and RBAC have concluded that you don’t have membership of the Organization Management or Recipient Management role group. Are you running EMC (or EMS) with the same account as you used to install Exchange?

      If Server B shows up in the organization after it was removed, it may just be that it’s listed in Exchange’s configuration because you removed it from service without running Setup to deinstall Exchange. If necessary, you can remove the server with ADSIEdit.

      TR

      • Ravi says:

        Hi Tony,
        I have used only one account, domain admin account while installing Exchange2010 and also while running EMC or EMS. At this point should I even consider re-installing exchange2010 after making a backup of everyone’s mailbox?
        On a separate note, I am able to connect to my mail via OWA but not Outlook. Would you be able to help me to straighten this out? It’s the same issue with rest of the users in my group.

        -Ravi

      • Sorry, I don’t do online consulting, mostly because I think there’s too much potential to make mistakes. I suggest that you log a support call with Microsoft and have them get you out of the mess that you’re in.

        TR

  14. Kevin Yeung says:

    Tony,

    Our CAS and mailbox servers have interim update for RU4 installed and our most updated RU level is RU4. Should the interim update for RU4 be uninstalled first before the SP2 is installed?

    Thanks,
    Kevin

  15. Chris James says:

    We haven’t yet upgraded from our relative ‘base’ install to SP1 prior to this. Are there any known issues in going directly from the base to SP2?

  16. Rashid says:

    We are trying to send email within the same domain but through some application when we send email through that program it rejects the email based on scl…. if I remove the check from scl… in exchange then We can receive the email from specific email account which is configured in that application..

    Any idea to sort out this problem……..

    Regards,

    Rashid

  17. Rashid says:

    while sending email to another domain that domain rejects the email with below error:

    *****@tawuniya.com.sa
    SMTP error from remote mail server after MAIL FROM: SIZE=22579:
    host mail4.tawuniya.com.sa [86.51.7.156]: 554 Message is Rejected by RBL

    why it shows riqbal@eigbox.net………………. ?
    and one time it accepts the email now that domain not accepting email from our domain…..

    Kindly advise.
    Regards,

    Rashid Iqbal

  18. Rashid says:

    Currently we have one main database for all the mail boxes, I am thinking that why not I make three databases,
    one for managements.
    second for managers
    third for users.

    is it possible that I import and export from existing database to new database…….. without any loss of emails………

    regards,

    rashid

  19. Tin says:

    Hi All,

    I’ve tried to upgrade my Exchange server 2010 to my Exchange server 2010 SP2. Actually I forgot to prepare Active Directory and domains. Then upgrading halt at Hub Transport Role 45% and recovery also halting at the same place. Now Exchange Management Console is giving “The attempt to connect to http://exchange.domain.com/PowerShell using “Kerberos” authentication failed.” and Exchange Management Shell also unable to connect exchange server. I would be much appreciated if you all can help my issue.

    • I think this is a situation where you need to contact Microsoft support and have them help you through the recovery process. There is a way to remove the “watermark” from the system registry to force Exchange to begin an installation from scratch but I think that it’s best to involve support and get their help as you fix the server.

      TR

  20. Shabbir says:

    Hi TR,

    We have Exchange 2010 (without any SP) installed on Win Server 2008 R2 Entp (SP1).

    Exchange 2010 is configured as DAG (two databases on two different servers).

    What should be the best practice or steps to install Exchange SP2?

    Thanks
    Shabbir

  21. Garrett says:

    I run the StartDAG scripts and after a few minutes, I am returned to another prompt. I assume the script worked, but how can I be certain. There wasn’t any logging that I can tell. I’ve got to service pack 6 servers, testing with our disaster recovery servers first. Thanks.

    • Is the DAG active? Are databases (active and passive) mounted?

      TR

      • Garrett says:

        Yes, the DAG is active and databases are mounted. If I attempt to run the script from a remote server using -WhatIF, I get:

        [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\StartDagServerMaintenance.ps1 -ServerName DR-EXDATA1 -whatif
        whatif: Set-MailboxServer -Identity BLOCKEDOUT -DatabaseCopyAutoActivationPolicy:Blocked
        Whatif: Suspend-MailboxDatabaseCopy `”BLOCKEDOUT`” -ActivationOnly -Confirm:False -SuspendComment `”Suspen
        ded ActivationOnly by StartDagServerMaintenance.ps1 at 2012-04-24T10:45:05`”
        [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>

        I don’t see where the database move would be. When I run the script without the whatif, it runs for a few seconds and then returns to the prompt. I know the database copy isn’t suspended as it doesn’t list it that way in EMC.

        If you can think of anything else that might be an issue, thanks. If not, I’ll open an incident with Microsoft so that I can get things moving.

        Thanks Tony.

      • It doesn’t matter that you’re running the script from a remote server. Everything is executed via Remote PowerShell anyway.

        Look at what the commands are doing. You’re running with -WhatIf so Exchange is showing you what will happen.

        First, it sets the policy for the server DR-EXDATA1 to prevent any databases being activated automatically by Active Manager.
        Next, it suspends activation of the database copies to make sure that an administrator doesn’t activate them.

        These steps prepare the database copies on the DAG member DR-EXDATA1 to allow you to then take the server offline. You check the effects by running the Get-MailboxDatabaseCopy cmdlet to view the properties of the database copies.

        There doesn’t seem to be any active database copies on this server. As per http://technet.microsoft.com/en-us/library/ff625233.aspx, if there were active copies, I’d expect to see them being moved. See http://www.mikepfeiffer.net/2010/08/performing-maintenance-on-dag-members-in-exchange-2010-sp1/ for a write-up on the script. Or just refer to http://technet.microsoft.com/en-us/library/dd298065.aspx, which says:

        Specifically, the StartDagServerMaintenance.ps1 script performs the following tasks:

        Runs Suspend-MailboxDatabaseCopy with the ActivationOnly parameter to suspend each database copy hosted on the DAG member for activation.
        Pauses the node in the cluster, which prevents the node from being and becoming the PAM.
        Sets the value of the DatabaseCopyAutoActivationPolicy parameter on the DAG member to Blocked.
        Moves all active databases currently hosted on the DAG member to other DAG members.
        If the DAG member currently owns the default cluster group, the script moves the default cluster group (and therefore the PAM role) to another DAG member.

  22. Rudi Delport says:

    Hi, I am installing Exchange 2010 SP2 on a server that has management tools installed. It has already been installed on all other roles in the Exchange 2010 organization. The setup fails with the last 2 steps saying it was unable to reconnect to a specified DC, however that DC is online. Any ideas?

    • Have a look in the setup log to see the exact error. It might give you some clues… look in the \ExchangeSetupLogs directory.

      • Rudi Delport says:

        Hi Tony,

        The setup log gives the same info as the error I see in the GUI. See extract from setup log that includes the error:

        [06/25/2012 11:46:39.0126] [1] 0. ErrorRecord: Provisioning layer initialization failed: ‘Failed to reconnect to Active Directory server .com. Make sure the server is available, and that you have used the correct credentials.’

        [06/25/2012 11:46:39.0142] [1] Setup is stopping now because of one or more critical errors.
        [06/25/2012 11:46:39.0142] [1] Finished executing component tasks.
        [06/25/2012 11:46:39.0282] [1] Ending processing Install-AdminToolsRole
        [06/25/2012 11:47:30.0172] [0] End of Setup
        [06/25/2012 11:47:30.0172] [0] **********************************************

      • Are you installing Exchange with an administrator account – something that can add an object to Active Directory? If the DC is online, it’s probably a permissions issue. I’d run the install using “Run As Administrator” with a suitably permissioned account.

        “Make sure the server is available, and that you have used the correct credentials.”

        TR

      • Rudi Delport says:

        The account I am using, is the same account that was used to upgrade the rest of the Exchange org, which worked fine. I tried running it by using Run as Administrator and that seemed to have worked. Thanks for the help.

        On a side note, could you please remove my previous comment in regards to the extract from the log file?

        Thanks again.

      • No worries. I’m glad things worked out in the end. I have amended the previous entry to remove the vast bulk of the setup log and the server names, which is what I think you might be worried about…

      • Rudi Delport says:

        Thanks Tony, appreciate it 🙂

  23. Mike Roeser says:

    Thanks Tony for this write up, and making yourself available for us admins of the world that are floundering around doing this update and many, many others. I enjoy, and use the information I find in your blogs daily!

  24. tony says:

    Can service pack 2 be applied to exchange 2010 version 14.00.0726.00 (Base Rollup 5, no service packs)? If so, can you point me to a document that identifies the process, and problem saving tips? Also, preparing the AD for the update..

    • You can install SP2 on top of an existing installation. Afterwards you’ll want to install the latest roll-up update to make sure that you’re running the newest software.

      There are tons of documents available on the Internet that discuss Exchange installation. I didn’t encounter any problems with SP2. There is an AD update to extend the schema for address book policies and the normal care and attention required for any AD update needs to be given to this process.

      TR

  25. Carol Ostos says:

    Hi Tony, we had to apply some Windows patches to our Exchange Server and so I decided to set the Exchange Mailbox Servers in Maintenance Mode, while running StartDagServerMaintenance I got the following messages

    Log Error- Failed at command ‘Move-DagActiveManager’ with ‘could not move the cluster group’
    Log Error -Move-CriticalMailboxResources: An error ocurred while moving critical resources off server ‘mailboxserver1′

    Note:
    a) We have a 2 node DAG, mailboxserver1 was hosting the active copies and mailboxserver2 was hosting the passive copies.
    b) MailboxServer1 was the PAM

    After realizing the script might have not done all the required steps, I performed the steps manually, installed the OS patches, reboot server and then used the StopDagServerMaintenance script which returned a warning

    Call-Cluster.exe did not succeed, but 5058 was not a retry-able error code, Not attempting any other servers, This may be an expected error by the caller.

    Checked the CopyAutoActivationPolicy and it got changed back to Unrestricted.

    Bottom line, I was able to perform all the operations manually, just thought share this with you guys in case there was something I should be aware of or be worried about.

    Thanks in advance.
    Carol

  26. Les. says:

    Hi Tony,

    I have a large estate (68 Exchange 2010 servers) in a total of 4 regions across multiple WAN links included several DAG’s each with over 64 db’s on them. I wanted to know if I could safely upgrade region by region or do I for instance have to upgrade all CAS server EMEA & AU then move onto HUB etc. only it gets very difficult to plan due to time zones.

  27. david says:

    Hi Tony,

    we have 3 sites and each site has 4 exchange servers . 2 sites have exchange 2010 SP1 and one have exchange 2k7. If we update the 2 sites exchange servers from SP1 to Sp2 (2010), IT WONT create any co existence issues with exchange 2007 servers. Please clarify it

    Thanks in Advance
    David
