question

ExchangeAdmin-1818 avatar image
0 Votes"
ExchangeAdmin-1818 asked EricYin-MSFT commented

Installation of Exchange 2016 CU19 for the current Exchange security patch


I have a question related to the current Exchange vulnerabilities: I run an Exchange server 2016 with CU15. Since the installation of the security patch required a more recent CU, I tried to install CU19 but the system threw a "System.UnauthorizedAccessException” at step 16 of 18 which is “Mailbox role: client access front end service”. I already tried to reinstall CU19 but it does not seem to be possible. Since CU19 was not successfully installed, I still cannot install the security patch.

Since a few days, there is also a security patch for CU15 available. However, the system detects CU19 so I am also unable to install this patch.

Is there any option to repair CU19 or how would you suggest proceeding? The ultima ratio would be to fully reinstall the entire Exchange server but cannot imagine that is the most efficient way.

office-exchange-server-administration
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndyDavid avatar image
0 Votes"
AndyDavid answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ExchangeAdmin-1818 avatar image
0 Votes"
ExchangeAdmin-1818 answered ExchangeAdmin-1818 commented

Thank you for the quick reply. I directly disconnected the servers’ internet connection on Wednesday a week ago when the vulnerabilities have first been published. This was not a problem since the server has not been used as a productive system. So it is not compromised.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I would still verify that. That permissions error is one indicator.
Regardless, consider rebuilding it if you can't get the CU update to run:

See this thread for some possible solutions on the permissions issue:
https://docs.microsoft.com/en-us/answers/questions/307762/cu-update-install-failing-with-error-1603.html?childToView=313033#answer-313033

0 Votes 0 ·

Yesterday I have verified again that the server is not compromised.

Thank you for the link. This link might have helped me when I tried to install CU19 for the first time. Obviously, I should have set the permission as suggested in the link (for whatever reason).

0 Votes 0 ·
EricYin-MSFT avatar image
0 Votes"
EricYin-MSFT answered EricYin-MSFT commented

Hi,
Did you run [prepare AD][1] steps before the setup?
Does the DC that your server connects to have FSMO roles?
Is the account you log in a member of schema admins, domain admins and exchange organization management?
Run the following command and check if any components are inactive:

 Get-ServerComponentState –Identity <ServerID>

Check the Exchange setup log if the update fails again.
[1]: https://docs.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for your answer! I interpret your link in the way that preparing the AD schema is only relevant "if you have a large Active Directory deployment, or if a separate team manages Active Directory". I have a very small AD so I used the Setup wizard that does not require preparing the AD schema if I see it correctly. The same opinion is held in another thread [2]. But please correct me if I'm wrong!

I also think that I should make my user a schema and domain admin. However, I'm afraid this would only help after I have reinstalled the entire Exchange server since I have already unsuccessfully installed the CU. What would you suggest as the next step?

[1] https://docs.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019
[2] https://docs.microsoft.com/en-us/answers/questions/307762/cu-update-install-failing-with-error-1603.html?childToView=313033#answer-313033

0 Votes 0 ·
EricYin-MSFT avatar image EricYin-MSFT ExchangeAdmin-1818 ·

I have never tested with a user account that does not belong to schema and domain admin so I can't make a conclusion, but I found a saying:

if the account you are using is part of schema admins,domain admins and enterprise admins groups, running setup will automatically does that for you in the backend.. if you don't have those permissions then the person with these permissions has to run /prepareschema and /preparead against setup.exe manually

Normally we use the domain account with all permissions and then run the setup without Prepare AD steps, that's OK. Since you've got an issue now, you might need to try those steps.

0 Votes 0 ·

I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·