Update Rollup 5 for Exchange Server 2007 (KB941421) has been released


EDIT: This post was edited on 11/28/2007 to mention KB944752.

The update is live at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=41EC35E7-79A0-4ECB-A644-1ECE94178F9D&displaylang=en

It will also be offered via Microsoft Update.

The article covering this update can be found here:

http://support.microsoft.com/?kbid=941421

Note: We have a workaround for those of you that have had issues with some services not starting up automatically after RU5 has been applied (not all systems are affected). For more information, please see KB944752.

Nino Bilic

Comments (57)
  1. Mike Crowley says:

    on new installs, add/remove programs lists the most recent roll-up.  on my older machine, they say 1,2,3,4,5 seperatly.  why doesnt one replace the other, like service packs do?

  2. Alex says:

    I don’t see any entry in add/remove programs list after install…

  3. Dmackdaddy says:

    Worked like a charm – no reboot needed either!  Now I see Uninstall info for Roll Up 2 thru 5.  Hopefully I won’t need to remove any of them!  I’ll sit on this server for a while before I update my other 6.  I’m betting this will be the last update patch before SP1, right?

    -Dmack

  4. JP says:

    Has anyone say how half baked this Exchange 2007 was – seriously?  defend it all you want but its the truth.

  5. Kevin says:

    When SP1 is released, can it be installed on top of Rollup 5? Or will there be some adjustments necessary? Will SP1 include all of the fixes in Rollup 5?

  6. AK says:

    Rollup 4 disabled my CAS server, disabled exchange services and etc, will rollupt 5 cause the same issue?

    Speaking of SP1, when I installed SP1 Beta 2, on CCR. when I ran get-storagegroupcopystatus, summarycopystatus shows servicedown, but when I checked logs they service were working. Do you guys know about this issue?

    And for SP1, can you guys put more functionality on GUI? I think pscript is cool but it is really good for contractors not for a guy like me managing a exchange server with 700 mailboxes.

    Thanks.

  7. GOTWE Richard says:

    Hi,

    I prefer to wait SP1. I hope that the SP1 will contain all the rollup.

    Have you a date for the release of final version of SP1

    Best Regards

  8. Steve G says:

    It’s great these patches can now be deployed via Microsoft Update.

    However the CAS changes always ruin the work done to deploy custom css styles and graphics (following Microsoft guidance on this blog and on technet) requiring testing of the changes once again.

  9. Ian Fretwell says:

    Hmm, three servers here – all running rollup 4. All of them requested a restart – allegedly unrequired for this patch. And worse still upon restarting most of the services on all three servers failed to start automatically – they were quite happy to be started manually however. Not good really in my opinion.

  10. Ian Fretwell says:

    Further to that I now see that the prerequisites now state "• Remove all interim updates for Exchange Server 2007. "

    Wish I’d seen that sooner – but from the posts above it doesn’t look like anybody else did this – is that right ?

  11. Jeff says:

    Great.  Another 36MB download and complete reinstallation.  This update model is killing me.  Do you realize we need to install this 36MB update on servers with ESM/EMC installed, too?  At most of my customers that’s the Domain Controllers and requires scheduling downtime of all DCs.

    This is asinine.

  12. Jeff says:

    Correction to my comment above: The 36MB update must be installed on any machine where EMC (Exchange Management Console) and EMS (Exchange Management Shell) is installed.

  13. JonW says:

    So is it best practice to install these ‘Roll ups’? Or should I wait for SP1?

  14. AK says:

    JonW, I would wait until SP1 comes out.

  15. Vahn Kaiser says:

    I just had a serious issue with the latest exchange rollup (for exchange07)

    Thankfully it was on my personal server and not on a clients.

    Windows Update notified me of the availability of the (fruit)rollup.

    I said, ok, downloaded, installed…and kaput.
    I realized something was wrong when my pocketpc wasnt in sync.
    I “run”to the exchange server, and after about 30 seconds of going through the first troubleshooting procedure, i realize that all my exchange services had been disabled. and iis. DISABLED.

    it took me a good few hours to figure it out.
    what had happened was that the automatic download and istallation of the rollup was bad. the installation procedure was corrupt.
    i manually downloaded and installed rollup 5, and also kept an eye on the services, and indeed, they all get stopped, disabled, enabled, and then started again.  

    With my experience, i would recommend manually downloading it, and installing it.

    Then again, i wouldnt expect an update to create so much confusion.

    I would manually start the services, set them to auto, everything as it should be, and it wouldnt work, something wouldnt start.  IIS gets shut down too, did i mention that??

    Anyway, i hope i helped …

  16. Mike Crowley says:

    Ian – thats crazy!  I have to uninstall previous updates before I install this one?  I’ve always let windows update do all the work.  this implies it doesnt know what its doing.

  17. Ian Fretwell says:

    Mike, I agree totally. Having checked back on the other rollup’s – they also now state the same thing. Still can’t solve the services not starting automatically – any ideas anybody ?

  18. Jeff says:

    Ian, I would reinstall Update 5.  Sounds like you may have had a pending restart that was interferring with the update.

  19. Ian Fretwell says:

    Thanks for the suggestion Jeff. Unfortunately it’s made no difference. The only thing I can see that is different since the install of R5 is that upon bootup the servers all sit showing "Applying computer settings" for nearly five minutes before continuing – event logs show nothing helpful as usual.

  20. Michael says:

    I have finished installing RU5 for using 5 hours. And found that all Exchange Services (except SA & IS) cannot be started even by manual.

    I am now waiting for another 2 hours to uninstall it but still in process.

    Anyone can help?

  21. rcon says:

    Hello

    I’m having problems trying to install Exchange 2007 Update Rollup 5. I tried two ways for this: My local WSUS 3 and standalone installer. Both produce same results:

    – update is installed successfully

    – all services is set to start automatically

    – after rebooting the system only MSEchangeADTopology service starting

    – trying to manually any start other exchange services fails with “Service failed to respond in a timely fashion”

    – uninstalling update solved the problem

    My setup:

    MS Windows Server 2003 SP2 R2 Enterprise x64 with last updates

    .Net Framework 2.0 + KB926766, KB928365, KB942084

    MS Exchange Server 2007 Enterprise x64

    Roles installed: Mailbox, Client Access, Hub Transport, Unified Messaging

    Updates installed: Update rollups 1, 2, 3, 4

    ~160 mailboxes

    Server is hosting Active Directory Global Catalog

    Any ideas?

    I disabled this Update Rollup in my WSUS, but what about upcoming SP1?

    I have another server with only Client Access role installed which is not DCGC – update working just fine.

  22. Scott Roberts (Exchange) says:

    The issue regarding services not starting after installing Rollup 5 is being looked at. PSS has made progress with identifying the actual issue. We are still searching for the root cause and why not everyone is seeing this. The post will be updated once we know more.

    On a side note, you will not need to uninstall any of the RTM Rollups when installing Exchange 2007 SP1.

  23. Scott Roberts (Exchange) says:

    Alex said:

    I don’t see any entry in add/remove programs list after install..

    Alex, do you have the ‘show updates’ checked and hit refresh (F5) in ARP to show the updates that are installed. If you did, then this is something worth investigating.

  24. Scott Roberts (Exchange) says:

    Steve G said:

    "However the CAS changes always ruin the work done to deploy custom css styles and graphics (following Microsoft guidance on this blog and on technet) requiring testing of the changes once again."

    Steve, I also find that a pain but Exchange does not support customization of OWA when the OWA files need to be updated. The MSI/MSP technology and how it was implemented is limited.

  25. Scott Roberts (Exchange) says:

     Ian Fretwell said:

    Further to that I now see that the prerequisites now state "• Remove all interim updates for Exchange Server 2007. "  

    An interim update is quick fix from Microsoft Support for a specific issue. Not many customers will have one of these. When they get the interim, the customer will be reminded that they need to remove it when they install the newer official update rollup that has that particular fix.

  26. Dimitri says:

    Hi All,

    I also had problems with the services on 2 Edge servers not starting after installing Rollup update 5. I was forced to remove it and reinstall Rollup update 4. Now everything is back to normal. I just got off the phone with MS and they are saying that they are busy working on a fix but for now have advised to not install Rollup update 5.

  27. Zachary says:

    Well after reading all these posts, i think i’ll pass on rhe 5th update rollup.

    i also want to second the above quote:

    " JP said:

    Has anyone say how half baked this Exchange 2007 was – seriously?  defend it all you want but its the truth. "

    more true words have never been spoken. all the features that are supposed to be added in SP1 should have been in the origional RTM build.

    i’ll have to research SP1 after it;s release as well, to see if people have the same or other issues as are discussed here.

    Some of the stuff in exchange 07 really is nice, but there was a great deal that exchange 2003 did better.

    1. GUI support for public folder administration/permissions

    2. ADUC intergration and GUI support for mailbox permissions

    3. Public folder access/support in OWA

    just to name a few, but hey, whos counting?

  28. Zachary says:

    Just to add as well…. Microsoft should immediately pull this update off the market. If it is causing so many problems with production servers, they clearly need to go back to the drawing board.

    Don’t continue to let people install a flawed update that causes downtime, aggravation and loss of revenue in the form of lost productivity.

    Put it back out when it is actually ready…

    Come on guys, get you’re beta testing in order. This is nothing short of egg on the face of every developer on the exchange team. I would be ashamed of myself if that were the quality of MY work.

    Add that to the list of existing complaints about exchange 2007 and you guys don’t exactly have the best rep at this point in time.

  29. K says:

    Does anyone have this problem while run update rollup 5? The last process "CA_NGEN_UPDATE_ALL" , it said it take extended period of time…

    I took me over an hour!!!! It is so troublesome!!!

  30. K says:

    After the update on CCR cluster, why all the services go disable?? And I don’t know which one should be Automatic or Manual!!! Can anyone help me?

  31. David says:

    I installed the update and had no problems with services however,  If I hit the /exchange Vir Dir on 2007 and proxy to 2003 the images for owa fail to load.  I’ve seen this in 2003 anyone have a fix for this?

    Thank You,

    David

  32. B says:

    Similar problems to rcon, Alex, K, and David here…

    Environment Details:

    OS is Windows Server 2003 R2 Enterprise x64 Edition with SP2 for all Exchange Servers and AD

    Problems caused by UR5 so far (in order of importance):-

    1 (David’s issue?) – Entourage clients see ‘not connected’ after the update was applied to the CAS machines.  It appears to be a problem with the /exchange virtual directory used by the Entourage DAV service.  When I use Internet Explorer to explore to the exchangecas.fqdn/exchange URL, I am prompted for my username and password and then get ‘HTTP/1.1 503 Service Unavailable’.  OWA, AutoDiscover, and Outlook Anywhere work fine.

    2 (K’s issue) – I ran the update separately on each node of my CCR cluster.  Each time after setup completed, it noted that it was restarting services and then finished setup.  When I look in the Services MMC I see all Exchange Services disabled.  I know most should be automatic and some should be manual, but I don’t know exactly what the config should be for a CCR cluster member machine.  Like K, this update took well over an hour.  On the CCR machines I think it was closer to 2.5h, but I wasn’t closely watching the clock.  Can someone give me a list of which services should be automatic vs. manual on a CCR machine?

    3 (rcon’s issue) – Various machines in my environment are affected by the service start-up issue.  My CAS machines are having this problem as well but I manually started each of the services that the Service Control Manager reported as having failed to start.

    4 (Alex’s Issue) – Many machines show no updates to Exchange in the Add/Remove Control Panel after UR5 is installed (even though UR4 was installed before I started).  Installing UR5 again will cause all of the applied updates to display (UR2, UR4, etc.).

    If PSS has already identified these issues, why can’t I find KB articles about these issues?

    I’m not going to complain about the quality of the update because I know how unique my environment may be and I also know the kind of limited resources the testing teams work with.

    The only think I’m going to push on here is the PSS to KB follow through.  I don’t know what happened.  Back in the Windows 9x days the MS KB was the ultimate resource for finding up-to-date and timely articles from PSS on all kinds of issues, even if just to say ‘hey, we’ve seen this problem but have no idea what’s going on yet…’.  These were the ‘stay tuned’ sorta things.  These were great cause they were a clear signal that I don’t have to call PSS and open a support case on these issues cause someone’s already working on it.  Today the KB has become less relevant and less helpful to us in getting access to real troubleshooting information.

    I liked those good old KB days when I could make some more informed decisions about applying updates based on the types of issues that MS is addressing.  Now I need to rely on these blogs for someone to say ‘yes, actually, we know of this, this, and this, but we don’t have the answers yet…’, which is fine, but it just doesn’t feel as formal as before.

    Anyway, help on these issues is all I’m really excited about at the moment.  It’s Sunday night at 1:40AM and most of my users are on MACs and Entourage and are likely tucked into bed right now, but in about 4h they’ll be calling and I’ll be directing them to OWA until I can get this problem (issue 1) solved.

  33. B says:

    I still can’t get my Entourage users connected.  The error is still ‘HTTP/1.1 503 Service Unavailable’, and this is after uninstalling UR5.  I went ahead and built a new CAS machine and installed only UR4.  Strangest thing…  It has the problem too…  I think the problem now exists at the mailbox store.  Originally the /Exchange URL didn’t respond at all, but now I get the Forms Based Authentication page and only get the Service Unavailable message after entering my credentials.  I rebuilt the OWA virtual directories on the original CAS machine after uninstalling the update and it’s healthier now as well, but still seems to be related to the mailbox store.  I’m currently trying to uninstall SU5 from my CCR mailbox store, but it has been over an hour and it’s just sitting at Add/Remove programs with a dialogue box that says Microsoft Exchange Server.  It didn’t bring up the SU5 setup to do the uninstall like the CAS machine did.  A bit strange.

  34. Stefan says:

    tried to update our CAS Server, after reboot the services didn’t start, manuell start was also not possible. luckily uninstall of update 5 did work and everything is fine again. I would recommend not to install this update.

  35. rcon says:

    ADD:

    With UR4 service "Microsoft Exchange Anti-spam Update" was "Disabled", after UR5 it changed to "Automatic" (WHY!?)

    I convert my prodution server to VM for testing, – trying anything with no success.

  36. B says:

    I still can’t get the /exchange URL to work.  Have any of you seen this?

    As I indicated before, I have successfully removed UR5 from the CAS machine and also built a new one.  I managed to remove UR5 from the CCR cluster but then noticed that it showed no updates, so I reinstalled UR4.

    Still I cannot make the /exchange virtual directory come alive to allow the Entourage clients to connect.

    I did discover a few interesting things along the way.  When we first installed our environment we did not manually allow the WebDav Web Service Extension but Entourage still worked.  Maybe it was enabled by default, though several articles I have found suggest that you will need to manually change it from ‘Prohibited’ to ‘Allowed’ in IIS.  I have noticed that my CAS machine, that used to work to service the Entourage clients, now has this set to ‘Prohibited’ after installing and later removing UR5.  I have set it back to ‘Allowed’ and restarted the machine, but the Entourage clients still can’t connect to Exchange.

  37. Stuart Presley says:

    I’ve seen a few of the service startup issues resolved by increasing the service timeout parameters:

    1. In Registry Editor, locate, and then right-click the following registry subkey:

    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl

    2. Point to New, and then click DWORD Value. In the right pane of Registry Editor, notice that New Value #1 (the name of a new registry entry) is selected for editing.

    3. Type ServicesPipeTimeout to replace New Value #1, and then press ENTER.

    4. Right-click the ServicesPipeTimeout registry entry that you created in step c, and then click Modify. The Edit DWORD Value dialog box appears.

    5. In the Value data text box, enter the desired timeout value in milliseconds and click OK. For example, if the new service timeout should be 60 seconds (60000 milliseconds), then enter 60000. (I suggest setting this to 120000).

    6. Restart the computer. You must restart the computer for Service Control Manager to apply this change.

    The short of it: It looks like we changed the signing process for the new rollup and we are having to perform validation against the binaries. Those machine accounts that don’t have Internet access (say no access behind a DMZ, or proxy requires authorization) will experience this issue.

  38. rcon says:

    So I need wait 15+ times while every Exchange service trying to reach online access will timed out? It’s not good solution!

  39. rcon says:

    So I need wait 15+ times while every Exchange service trying to reach online access will timed out? It’s not good solution!

  40. B says:

    My issue #1 (above) was caused by issue #2.  The UR5 installer had disabled the IIS Admin, HTTP SSL, and World Wide Web Publishing Services on the CCR mailbox stores.  It seems the CAS proxies the request directly to the web service running on the user’s mailbox store.  While the CAS services were running fine, CAS needs to connect directly to the same service on the mailbox store and that was the service that was unavailable.

    Once these three (3) services were enabled and started on the mailbox store the service resumed normally.

    Thanks for listening!  ;)

  41. Ted says:

    FYI   Make sure your server can get to the internet becasue for some reason rollup5 is calling to the internet. Before I did that it would take hours for rollup5 to complete and it still wouldn’t start the services. After I enabled the server to get to the internet it took only minutes to install and everything worked fine.

  42. Stuart Presley says:

    rcon: No, in the workaround you are simply increasing the service timeout to 2 minutes instead of 1 minute.

    An alternate solution, rather than changing the service timeout which requires a restart and changes the timeout for all services, is the following:

    Install fix from http://support.microsoft.com/kb/942027/ (or have a higher CLR build e.g. 2.0.50727.926). This contains the fix outlined in http://support.microsoft.com/default.aspx/kb/936707.

    Create configuration files for all managed code Exchange 2007 services to resolve this issue.

    To create an application configuration file that contains this configuration setting, follow these steps:

    1. Create a file, and then name the file the <ApplicationName>.exe.config file.

    2. In a text editor, open the file that you created in step 1.

    3. Add the following code to the file.

    <configuration>

    <runtime>

              <generatePublisherEvidence enabled="false"/>

    </runtime>

    </configuration>

    4. Save the changes to the file.

    If the configuration file already exists for a service add the “<generatePublisherEvidence enabled="false"/>” line to the runtime options section in the file.

    Services/Apps which you may want to update the .config file:

    EdgeTransport.exe

    ExBPA.exe

    ExBPACmd.exe

    ExTRA.exe

    Microsoft.Exchange.Cluster.ReplayService.exe

    Microsoft.Exchange.EdgeSyncSvc.exe

    Microsoft.Exchange.Monitoring.exe

    Microsoft.Exchange.Search.ExSearch.exe

    Microsoft.Exchange.ServiceHost.exe

    MSExchangeMailboxAssistants.exe

    MSExchangeMailSubmission.exe

    MSExchangeTransportLogSearch.exe

    Services which you need to create a .config file for:

    Microsoft.Exchange.AntispamUpdateSvc.exe

    MsExchangeFDS.exe

    MSExchangeTransport.exe

  43. David says:

    Please tell me there is a fix for this it’s holding up my Exchange 2007 migration.

    I installed SR5 and had no problems with services however,  if I hit the /exchange Vir Dir on 2007 for a user located on 2003 the images for owa fail to load.

  44. Mark says:

    What is changed that causes "Publisher verification" to trigger the timeout? The assemblies were always signed right (even in previous rollups)?

  45. Mark Priem says:

    Another workarround:

    set a proxy server using the proxycfg.exe cmd. (ex: proxycfg.exe  -p "proxy.fqdn.com:8080" "<local>;*.internaldomain.com". You don’t even have to allow access. The proxy will deny access, hence preventing the TTL (which is 121)on the SYN packet sent to clr.microsoft.com to timeout.

  46. Dimitri says:

    We have decided to pull the plug on the Edge servers as SMTP relays in our Exchange 2003 environment. We are going back to the good old SMTP connectors and virtual SMTP servers to deliver mail inbound and outbound. The two edge boxes have been performing badly causing messages to queue on the Exchange 2003 SMTP connector. Even when mail got to the Edge it used to take over 30 minutes for outbound mail to be delivered… The two boxes we even over spec for what we needed them but they are history! I will wait until at lease SP1 has been out with a few fixes until we even think about testing Ex 2007…

  47. Vinkie says:

    I installed RU5 on a CAS and it broke my server. None of the essential services wanted to start (some 6 of them). Restart server – no go.

    Uninstall RU5 and revert back to RU4 and voila…. It works.

    Bummer

  48. Vinkie says:

    AK,

    Seems yours and mine are swopped around. I had RU4 installed and no hassles (no RU1-3). Installing RU5 caused my CAS to stop. Is there a connection? I.e. do I have to uninstall previous RUps before applying latest? If so, it sucks.

  49. rcon says:

    Stuart Presley:

    I think Microsoft should release "An alternate solution" as separate fix. Because no one will leave any of production boxes directly connected to Internet. Such configuration is wrong and insecure by default! And it’s hard to implement "An alternate solution" on every server by hand.

    Changing timeout for *ALL* services is not right way too.

    Anyway thank you for your work!

  50. Stuart Presley says:

    rcon:

    We’re looking into better alternatives and agreed that changing timeout for all services is not the right way, but it did provide temporary relief as we were learning more.

    All of the binaries are signed with authenticode and for strong names. There are a few other "workarounds" but the gist of the issue is that the binaries have been signed with different certificates because one of the certificates in the signing process had expired.

    We are also working on a public KB article and will be updating the blogs soon.

    An alternative to modifying/creating individual application exe .config files is to modify the machine.config instead. That will work but does disable it across the board.

  51. MSHoltz says:

    Hello Vinkie,

    Read the comments above, you need connection to internet to start a couple of services after installation of UR5.

    Type in "proxycfg -d proxyserver:port" on the server, then you can start the services.

    I wonder what MS think about, you can’t start the mailserver because the internet connection is down…

  52. rcon says:

    ADD:

    If you trying to implement creating/changing *.config files solution, do not forget non-default-services enabled in your configuration (e.g. IMAP4 service files located not in bin folder).

    I think it must be done for all *.exe files in exchange subfolders (I have 40+ :) for 100 % working configuration.

  53. Bostjan says:

    you need access to the net on the server after installing UR5

    start/run:

    proxycfg -p proxyserver:port (if u have proxy)

    proxycfg -d (connected directly to the internet)

    this helped me.. i hope that it works for you too.

    Cheers

  54. Maurice says:

    Tried to install Update Rollup 5 on an Exchange 2007 RTM  server without internet access. The proxycfg trick works, but…

    The server also has Forefront Security installed and after installing UR5, the Transport service no longer wants to start.

    I tried installing Update Rollup 1 for Forefront (KB 936831), but that didn’t work.

    Rolling back to UR4 allows the Transport service to start again…

  55. AK says:

    Vinkie, RU5 suppose to have all the element of RU 1,2,3 and 4.

    I installed RU5 and it disabled all exchange services,,,grrrrrrrr

    I installed sp1 beta and it did not but I can’t uninstall sp1 beta.

    It seems M$ wants to released half baked product first and try to fix issue with service packs!

    Now I don’t belived in RollUps…what is it? bunch of hot fixes?

    arrrrrrrrrrrr

  56. Andrew Ehrensing says:

    You can also added the following to the <servicename>.Config this way it does not affect all the services

    We had to do to get the Exchange Services to work after RU5 was to add this to existing .Config files and created New Config files for each service that did not start.

    Example: for the MSExchangeTransport.exe  we had to create this file “MSExchangeTransport.exe.config” this is a Text file and add :

    <configuration>

       <runtime>

           <generatePublisherEvidence enabled="false"/>

       </runtime>

    </configuration>

    For services with existing file just add :

           <generatePublisherEvidence enabled="false" />

    In-between the <runtime> and </runtime>

    Note: Just an addition… It didn’t work for me until I added a space after the “false” value:

           <generatePublisherEvidence enabled="false"_/>

  57. Stuart Presley says:

    Please refer to
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;944752 for further details on this issue.

Comments are closed.