Thursday, July 26, 2018

Exchange 2010 SP3 Rollup 22 - Windows 2016 domain controllers

It's summer, very hot, and I'm taking a break from some of my more challenging blog adventures, like trying to configure BIND DNS in CentOS Linux. If I ever have the time to take another look at it, I may compose a blog post or two on the subject. For the time being, I'm going to settle for a subject with which I'm much more comfortable: Exchange 2010 SP3 and Rollup 22 that makes Exchange 2010 compatible with Windows 2016 domain controllers. I also take this opportunity to observe in more detail what happens when we install an Exchange rollup.


For some time, Windows 2016 domain controllers were not part of the Exchange 2010 supportability matrix:

Exchange 2010 - Supportability matrix

That changed with the release of Rollup 22 for Exchange 2010 SP3, released on June 19, 2018:

Release of Rollup 22 for Exchange 2010 SP3

Besides including previous updates (Exchange rollups are cumulative) and the latest DST (Daylight Saving Time) changes, Rollup 22 makes Exchange 2010 compatible with Windows 2016 domain controllers.

This is good news. I wanted to test Exchange 2010 with a Windows 2016 domain controller before retiring Exchange 2010 altogether (despite many fond memories of working with this product). Exchange 2010 is used less and less and will be at "EOL" (End of life) in January 2020.

For others about to follow the same path, the best start would be to read Rhoderick Milne's blog post in the link above and take note of the excellent recommendations. One thing that may be forgotten when installing updates or rollups (from a trustworthy source, of course) is to temporarily disable antivirus file scanning. This is especially true for Exchange rollups since the Exchange services are all stopped (disabled, in fact) and usually a certain number of Exchange system files are replaced. If the antivirus software quarantines a file or locks it, that can cause the upgrade to fail.

We download the rollup here:


Now I'll review some (but not all) of the best practices for the installation of a rollup. It was already mentioned that we should temporarily disable antivirus file scanning. The exact procedure will be different for each antivirus product. It was also recommended to set the PowerShell execution policy to "Unrestricted". In my case, it is at "RemoteSigned":

We change the settings this way:

Set-ExecutionPolicy Unrestricted

After the install is complete, we should return to a more secure option (like RemoteSigned).

We can also accelerate the installation by disabling publisher's certificate revocation checks in IE:

Remember: after the installation is complete we should reset the PowerShell execution policy and the IE certificate revocation parameter to a more secure value (and re-enable the antivirus).

If the Exchange server is part of a Database Availability Group (DAG), we should place it in DAG maintenance mode so any active copy of a mailbox database is transferred to another node and no attempt is made during the installation process to move the active copy of the mailbox database back to the server being upgraded:

After the installation, we will take the Exchange server out of maintenance mode.

Note: the installation of a rollup does not necessarily require a reboot, but one is recommended afterwards (and even a reboot of the server before the rollup installation).


Now we are ready to begin the installation of the rollup.

When UAC is enabled, it is advisable to right-click the command prompt icon, choose "Run as administrator", navigate to the location of the downloaded rollup and launch it from the command line:

In the GUI, we do not have that option (only "Apply"):

I'll launch the installation in a moment but first, I want to observe the status of the Exchange services before and after.
Under normal conditions, the following services should be set to "Automatic" and "Started":

Remark: we can also verify with the PowerShell cmdlet Test-ServiceHealth.

After I launch the rollup (skipping the introductory screens here)...

Native images for .NET assemblies are generated...

And when we proceed with the installation, Exchange services are stopped:

We can observe this in the Services console as well. Here, the services are stopping (but "Startup Type" is still Automatic):

And here services are completely stopped and the startup type is set to "Disabled" to ensure they are not restarted during the replacement of Exchange binaries:

The update is installed. This screenshot shows the progress at a given point in time:

At the end of the installation, Exchange services are restarted:

And after a restart (preferred), Exchange 2010 is now ready to interact with Windows 2016 domain controllers.

Remember to take Exchange out of DAG maintenance mode and readjust any PowerShell, IE and antivirus parameters as described earlier in this blog post. We can also search for errors in the Event Viewer. It is also a very good idea to execute the PowerShell cmdlets that verify Exchange system health, for example:

- Test-ServiceHealth
- Test-ReplicationHealth
- Get-MailboxServer
- Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus
- Get-DatabaseAvailabilityGroup -Status | fl
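
The settings relaxed for the install are easy to forget afterwards, and a failed rollup can leave services in the "Disabled" state shown earlier. The following is an added example, not part of the original post: it records the execution policy, the certificate revocation setting and the Exchange service states before the install, then restores the first two and reports any service that did not come back. The function names and the state file path are assumptions, and it assumes the IE checkbox is backed by the per-user WinTrust `State` registry value; antivirus is left out because the procedure is product-specific.

```powershell
# Added example. $StateFile and the function names are assumptions.
# Run elevated, as the same user who changed the IE setting (it lives in HKCU).
$StateFile   = Join-Path $env:TEMP 'exchange-rollup-prestate.xml'
$WinTrustKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Get-ExchangeServiceState {
    # WMI is used because Get-Service has no startup-type property on PowerShell 2.0.
    Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%'" |
        Select-Object Name, StartMode, State
}

function Save-PreInstallState {
    # Call BEFORE Set-ExecutionPolicy Unrestricted and before changing the IE option.
    $trust = Get-ItemProperty -Path $WinTrustKey -Name State -ErrorAction SilentlyContinue
    $state = New-Object PSObject -Property @{
        ExecutionPolicy = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
        WinTrustState   = $(if ($trust) { $trust.State } else { $null })
        Services        = @(Get-ExchangeServiceState)
    }
    $state | Export-Clixml -Path $StateFile -Depth 4
}

function Restore-PostInstallState {
    # Call AFTER the rollup (and the reboot, if any) has finished.
    $before = Import-Clixml -Path $StateFile
    Set-ExecutionPolicy $before.ExecutionPolicy -Scope LocalMachine -Force
    if ($before.WinTrustState -ne $null) {
        Set-ItemProperty -Path $WinTrustKey -Name State -Value $before.WinTrustState
    }
    # Emit one row per service left stopped, disabled or otherwise changed.
    $now = @{}
    Get-ExchangeServiceState | ForEach-Object { $now[$_.Name] = $_ }
    foreach ($svc in $before.Services) {
        $cur = $now[$svc.Name]
        if (-not $cur -or $cur.StartMode -ne $svc.StartMode -or $cur.State -ne $svc.State) {
            New-Object PSObject -Property @{
                Name   = $svc.Name
                Before = "$($svc.StartMode)/$($svc.State)"
                After  = $(if ($cur) { "$($cur.StartMode)/$($cur.State)" } else { 'missing' })
            }
        }
    }
}

# Usage: Save-PreInstallState              (before relaxing anything)
#        Restore-PostInstallState | Format-Table Name, Before, After
```

An empty result from `Restore-PostInstallState` means every Exchange service has the same startup mode and state as before the rollup.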