Am upgrading my Exchange server from CU9 to CU15 with Security Patch a Critical Exchange Control Panel ECP Vulnerability. If you run Cumulative 15 on Exchange 2016 . Download the appropriate patch for your running version. Run as administrator is quite important .as it may cause issues if you don’t run the patch with elevated prompt.
CVE-2020-0688 is a static key vulnerability in Microsoft Exchange Control Panel (ECP), a component of Microsoft Exchange Server. The use of static keys could allow an authenticated attacker with any privilege level to send a specially crafted request to a vulnerable ECP and gain SYSTEM level arbitrary code execution.
Microsoft rates this flaw as important, but notes that exploitation is more likely, according to its exploitability index.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
- CVE-2020-0692 | Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability
Performing Maintenance on an Exchange Servers , Usually i kill Client Access Connections to the Node from Load Balancer for 443 (Client Connectivity) and Port 25 (SMTP Connections)
To Drain the Existing Mail Queue
Set-ServerComponentState EXCH1 -Component HubTransport -State Draining -Requester Maintenance
Restart-Service MSExchangeTransport
if you have UM – To Drain Calls
Set-ServerComponentState EXCH1 -Component UMCallRouter -State Draining -Requester Maintenance
.\StartDagServerMaintenance.ps1 .\StopDagServerMaintenance.ps1 .\RedistributeActiveDatabases.ps1
.\StartDagServerMaintenance.ps1 will set the Exchange server into maintenance mode, which will prevent that other servers in the DAG, attempt a database failover onto the maschine where you are currently performing maintenance work. Also all active databases will be moved to the other nodes. And after the maintenance work is done, you will be able to automatically redistribute database with the RedistributeActiveDatabases.ps1 script based on the configured activation preference.
Those scripts are located in the Exchange scripts folder. In Exchange PowerShell the path to this folder is preloaded in the variable $exscripts.
cd $exscripts .\StartDagServerMaintenance.ps1 -ServerName EXCH1 –OverrideMinimumTwoCopies
To redirect messages pending delivery in the local queues to the Exchange server specified by the Target
Redirect-Message -Server EXCH1 -Target EXCH2
To place the server into maintenance mode
Set-ServerComponentState EXCH1 -Component ServerWideOffline -State Inactive -Requester Maintenance
Verify the server has been placed into maintenance mode
Get-ServerComponentState EXCH1 | Format-Table Component,State -Autosize
verify the server is not hosting any active database copies
Get-MailboxDatabaseCopyStatus -Server EXCH1
Verify DatabaseActivationPolicy is Blocked
Get-MailboxServer EXCH1 | Format-List DatabaseCopyAutoActivationPolicy
verify that the cluster node is paused
Get-ClusterNode EXCH1 | Format-List
Verify Queue is 0
Get-Queue
Now run the Upgrade Steps
Error:
A reboot from a previous installation is pending. Please restart the system and then rerun Setup.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.RebootPending.aspx
Error:
This computer requires .NET Framework 4.8 (https://support.microsoft.com/kb/4503548).
For more information, visit: https://docs.microsoft.com/Exchange/plan-and-deploy/system-requirements?view=exchserver-2016
Downloaded .NET 4.8 https://support.microsoft.com/en-us/help/4503548/microsoft-net-framework-4-8-offline-installer-for-windows
Error:
Setup can’t continue with the upgrade because the mscorsvw (14848) has open files. Close the process, and then restart Setup.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ProcessNeedsToBeClosedOnUpgrade.aspx
Close and Reopen Setup
Open cmd Prompt
Run as Administrator
Browse for the .msp file and Click Enter.
To Exit the server from maintenance mode
Set-ServerComponentState EXCH1 -Component ServerWideOffline -State Active -Requester Maintenance
if you use UM – Set Server Component to Active
Set-ServerComponentState EXCH1 -Component UMCallRouter -State Active -Requester Maintenance
To Set HUB Component to Active
Set-ServerComponentState EXCH1 -Component HubTransport -State Active -Requester Maintenance
To Resume Transport Activty
Restart-Service MSExchangeTransport
Remove the restriction using below script
Resumes the node in the cluster.
Sets the value of the DatabaseCopyAutoActivationPolicy to Unrestricted.
Runs the Resume-MailboxDatabaseCopy cmdlet for each database copy on the node.
.\StopDagServerMaintenance.ps1 -ServerName EXCH1
We have to do the same process for all DAG members once is done,all database copies are active on EXCH1 for example and we need to redestribute them back to servers . For that purpose you can execute the following script. Otherwise Exchange 2016 Servers redistribute automatically in 60 minutes with native configuration.
.\RedistributeActiveDatabases.ps1 -DagName DAGNAME -BalanceDbsByActivationPreference
-OverrideMinimumTwoCopies – By default Script makes sure that there are at least 2 available copies of data available, before it attempts to move a database. if you have only one copy you have to use this switch
.\RedistributeActiveDatabases.ps1 script you will be asked to confirm every database move. If you are working in a large production evironment were you can have 50+ databases per server, this can be a bit annoying. There is however a posibility to change that within the script:
[switch] $Confirm = $true
Prompts on every move
[switch] $Confirm = $false
Moves without prompts (Don’t do this unless you are confident on the environment)
Verify all ok
Verify the server has been exited maintenance mode
Get-ServerComponentState EXCH1 | Format-Table Component,State -Autosize
Verify DatabaseActivationPolicy is Unrestricted
Get-MailboxServer EXCH1 | Format-List DatabaseCopyAutoActivationPolicy
verify that the cluster node is Resumed
Get-ClusterNode EXCH1 | Format-List
Get-MailboxDatabaseCopyStatus -Server Exch1
Get-MailboxDatabaseCopyStatus -Server Exch2
Test-ReplicationHealth
Reference _ Manual Steps Without Scripts _ Without HUB Maintenance _ Test Environments
If Servers on DAG – Move all your Active Databases
Move-ActiveMailboxDatabase Database0 -ActivateOnServer EXCH2
Set your Database Activation to Blocked
Set-MailboxServer -Identity EXCH1 -DatabaseCopyAutoActivationPolicy Blocked
Run the upgrade steps. Remove the restriction
Set-MailboxServer -Identity EXCH1 -DatabaseCopyAutoActivationPolicy Unrestricted
