Update Rollup 6 for Exchange Server 2007 Service Pack 1 Released


Update Rollup 6 for Exchange Server 2007 Service Pack 1 (announced a few days ago) has been released.

We would like to call out the following fixes included in this rollup:

1) Fix for a security issue which has been assigned a severity rating of critical. More information about the issue can be found in the Microsoft Security Bulletin MS09-003.

2) Fix to allow Internet Explorer 8 to be used for Outlook Web Access (OWA) 2007. This does not include the OWA 2007 S/MIME control. We are still working on some changes in the control to make it work better with Internet Explorer 8. We will be releasing an updated version of the S/MIME control in a future rollup. Users using the S/MIME control should continue to use Internet Explorer 7.

KB 959241 has more details about this release and a complete list of all fixes included in this rollup.

From the installation perspective, a reminder that the rollup installer will overwrite any OWA script files if required to ensure proper operation of OWA. If you have customized the logon.aspx page or other similar OWA pages, you will need to redo any customization after installation of the rollup.

I would also like to address a concern expressed when we announced the release of the rollup last week. Update Rollup 5 for Exchange Server 2007 Service Pack 1 introduced an issue where you receive an error when attempting to enable SCR on a storage group if the environment has a parent domain -> child domain active directory structure. Tim has blogged about this over here. If you are impacted by this issue, the workaround would be to leave the server which has only the Exchange Server 2007 Management tools installed running Update Rollup 4 for Exchange Server 2007 Service Pack 1 to administer your Exchange organization. An Exchange server which only has the Exchange 2007 Management Tools installed is not vulnerable to the security issue fixed in this bulletin. When the fix is released the server can be upgraded directly to that rollup as our rollups are cumulative.

Finally, I would like to highlight a new “Exchange Software Updates” forum at http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/threads/ which deals with Updates we release for Exchange. If you encounter issues, post them in the Exchange Software Updates forum as opposed to comments in response to this blog. We have staffed the forums with engineers monitoring the forum ready to assist you unlike the blog comments which are usually blocked till I or another person on my team can take a look and respond.

Ananth Ramanathan

Comments (41)
  1. alexk3 says:

    Some reason from WSUS, UR6 for ex2k7 sp1 is set as "not applicable" for CCR CMS??? but it is still needed for stand alone mailbox, CAS (NLB), HT, and PF servers.

    so CCR mailbox servers are not affected by the security holes?

  2. alexk3 says:

    Downloaded the UR6 from KB 959241, and applied to CCR mailbox servers.

  3. Dvord Direwood says:

    I’m really concerned about this rollup.  I can understand the importance of the security risk, but I’ve been holding off on rollups for a while due to the problems posed by 4&5.  Have all problems with those rollups been resolved?  

    I don’t want to gimp my production server (no we can’t afford testing licenses and servers).

  4. alexk3 says:

    Dvord Direwood : You can install exchange server evaluation and not apply exchange server keys. If you buy an enterprise edition of server 2008 and use Hyper-V, you can freely install up to 4 standard version of server 2008 on Hyper-V.

    I think importance of testing your exchange server is a lot more important than testing licenses and servers.

    Or get a Technet/MSDN license you will get some test server licenses, HWs not included.

    If you have your own business you can become a Microsoft partner (https://partner.microsoft.com/US/Partner?lc=1033) and buy "Microsoft Action Pack Subscription"

    https://partner.microsoft.com/US/40016455 -> it used to be around $150 and have all sort of products like servers exchanage and all desktops, office and CALS and so on.

    I don’t know the price now a days. Good luck.

  5. Ananth Ramanathan says:

    AlexK,

    Thanks for the suggestions to Dvord. Appreciate it. And glad to know you figured out the solution your issue. For anyone else who may see the same behavior, Microsoft Update does not detect update rollups for Exchange Server 2007 on clustered Exchange servers. The update rollup needs to be downloaded and installed. (Details in KB http://support.microsoft.com/kb/959241).

    Dvord,

    After the problems we had with Update Rollup 4’s premature release on Microsoft Update, we have taken steps to address the quality. We have also kept the number of non-security changes in this rollup to a minimum to reduce the risk.

  6. Kevin says:

    Thanks for the post Ananth.

    However I think the confusion is that you have not clearly addressed our concerns regarding the roll-ups.

    You start by saying you will address them, relating we hope to roll-up 6. Then you talk about 4 and 5 and talk in the tense of "when applying 5 leave one of them running 4".

    Can you answer clearly please, will roll-up 6 cause us issues if we have a parent – child domain structure?

  7. Kevin says:

    Just a follow-up to my post … in the linked blog the following lines can be found:

    "The issue is scheduled to be corrected in Exchange 2007 SP1 RU8.

    ***UPDATE:  As of today this has been rescheduled for Exchange 2007 SP1 RU7***"

    Meaning that the issue persists with RU6.

    That is good to know, but it would have been better to include a similar line in the original post.

    Cheers

  8. Ananth Ramanathan says:

    Thanks for your feedback Kevin. And you are correct. The issue seen in a parent – child domain structure is not fixed in this rollup.

    Let me make another attempt at clarifying the workaround. Hope this helps.

    You can workaround the issue by taking the following steps which will keep you secure and enable you to administer SCR in your organization

    1) Apply rollup 6 to all Exchange servers which have any of the following roles installed. Client Access, Edge Transport, Hub Transport, Mailbox or Unified Messaging.

    2) Install only the Exchange Server 2007 Management tools on a system (steps documented in http://technet.microsoft.com/en-us/library/bb232090.aspx). Apply Update Rollup 4 for Exchange 2007 SP1 to this system. (This is just a best practice so that you will get any admin fixes we have made.) Use this system to administer your Exchange organization remotely. Do not apply Update rollup 5 for Exchange 2007 SP1 or Update rollup 6 for Exchange 2007 SP1 on this server. The security issue does not affect a system which has only Exchange Server 2007 Management tools. So your system will still be secure.

  9. Steve says:

    Just installed Update Rollup 6 for my EX2007 SVR.

    OWA is now stuffed (I have made no changes to the factory settings).

    Great work guys – back to Rollup #5 for me!

  10. alexk3 says:

    Ananth : Are you guys going to fix the WSUS issue? some exchange server might set to auto apply patches, in that case WSUS won’t push the UR6 to CCR mailbox servers.

    I applied UR6 to 4 CAS+HT servers, I used windows updates for the first 2, and rest of 2, I used downloaded UR6. First 2 successfully got the UR6, but the last 2 CAS+HT servers, after the update, all exchange related services were set to disabled.

    Am I the only one just having so much trouble?, or you M$ fired too many people? and don’t have enough QA people?

  11. Ananth Ramanathan says:

    Steve/AlexK,

    Can you check the install logs for the systems where your update failed?

    Logs should be in %SYSTEMDRIVE%exchangesetuplogs folder.

    UpdateOWA.log is for OWA and ServiceControl.log is for the services.

    If you need to post the logs, use the forums at http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/threads/.

  12. Dvord Direwood says:

    Steve, how is OWA effected?  

    This is one of a number of things I cannot afford a test environment for.  

    Thank you for the licensing advice, I was aware I’d be able to use the evaluation copy for testing, but that’s only part of the testing equation.  I have no budget for any hardware whatsoever; not even some cheap dual core box or even a VM host.  Not to mention what’s necessary to emulate a client-host connection over the internet to this test box.

    Again thanks, and I’m looking forward to seeing some positive production update experiences.

  13. Dvord Direwood says:

    Entourage:  Does this address any of those problems?  I just went back through all the posts I can find on the previous rollups and this is one critical part of Exchange for us.  I MUST have my Mac users able to use Entourage.

  14. Dvord Direwood says:

    I apologize, these are Entourage 2004 clients.  Thank you.

  15. Kurt Phillips (MSFT) says:

    Dvord – have a look at the KB link in the post above, it describes the fixes in this rollup.  And no –  nothing specific to Entourage.

  16. alexk3 says:

    After CAS got UR6, I found something strange, if you try to login to OWA for the first time after the UR6 applied to CAS, users will get

    "Your session has timed out. To Protect your account from unauthorized access, Outlook Web Access automatically closed its connection to your mailbox after a period of inactivity. Please re-enter your name and password"

    If users re-enter username and password, OWA opens up and let the user in. If you logout and try to log back in it does not show the same behavior, you can close the IE and you can log back in without any problem, however if you reboot your PC and try to login again you will get the "Your session has timed out." notice and you will have to re-enter your user name and password.

  17. Henryk2 says:

    After applying the rollup 6, getting this error every 15minutes

    It is on the transport, client access server. Any ideal?

    Log Name:      Application

    Source:        MSExchange ADAccess

    Date:          2/11/2009 1:59:30 PM

    Event ID:      2601

    Task Category: General

    Level:         Warning

    Keywords:      Classic

    User:          N/A

    Computer:      mta.ad.mydomain.com

    Description:

    Process MSEXCHANGEADTOPOLOGY (PID=1976). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=DC1301662F547445B9C490A52961F8FC,CN=Microsoft Exchange,CN=Services,CN=Configuration,…> – Error code=8007077f.

    The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"&gt;

     <System>

       <Provider Name="MSExchange ADAccess" />

       <EventID Qualifiers="32772">2601</EventID>

       <Level>3</Level>

       <Task>1</Task>

       <Keywords>0x80000000000000</Keywords>

       <TimeCreated SystemTime="2009-02-11T21:59:30.000Z" />

       <EventRecordID>95401</EventRecordID>

       <Channel>Application</Channel>

       <Computer>mta.ad.mydomain.com</Computer>

       <Security />

     </System>

     <EventData>

       <Data>MSEXCHANGEADTOPOLOGY</Data>

       <Data>1976</Data>

       <Data>&lt;WKGUID=DC1301662F547445B9C490A52961F8FC,CN=Microsoft Exchange,CN=Services,CN=Configuration,…&gt;</Data>

       <Data>8007077f</Data>

     </EventData>

    </Event>

  18. Magnus says:

    Just want you guys to get feedback that it works too…

    I have updated 2 CAS/HUB (detected by WU) and 2 CCR-nodes today and it worked fine, I also updated a server with MBX/CAS/HUB and the only thing I saw was that the transport-service didn’t autostart after update, but after a rebbot it did.

  19. Yanuar says:

    Today I am update to RU6 but OWA get error. Then we must rollback tu RU5. Thank you Microsoft :)

    This captured from EV:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 2/12/2009 7:48:11 AM
    Event time (UTC): 2/12/2009 12:48:11 AM
    Event ID: dc35bfc28ed84592a607e39ae2c15f3c
    Event sequence: 2
    Event occurrence: 1
    Event detail code: 0

    Application information:
       Application domain: /LM/W3SVC/1/ROOT/owa-6-128788732904857490
       Trust level: Full
       Application Virtual Path: /owa
       Application Path: C:Program FilesMicrosoftExchange ServerClientAccessowa
       Machine name: xxxxxx

    Process information:
       Process ID: 1892
       Process name: w3wp.exe
       Account name: NT AUTHORITYSYSTEM

    Exception information:
       Exception type: FileNotFoundException
       Exception message: Could not load file or assembly ‘Microsoft.Exchange.UM.ClientAccess, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.

    Request information:
       Request URL:
    https://webmail.thexxxxxxx.com:443/owa/auth/logon.aspx?url=https://webmail.thexxxxxxx.com/owa/logon.css&reason=0

       Request path: /owa/auth/logon.aspx
       User host address: 172.xxx.xxx.xxxx
       User:  
       Is authenticated: False
       Authentication Type:  
       Thread account name: NT AUTHORITYSYSTEM

    Thread information:
       Thread ID: 7
       Thread account name: NT AUTHORITYSYSTEM
       Is impersonating: False
       Stack trace:    at Microsoft.Exchange.Clients.Owa.Core.Globals.InitializeApplication()

      at Microsoft.Exchange.Clients.Owa.Core.Global.ExecuteApplicationStart(Object sender, EventArgs e)

  20. Pete Jones says:

    Why don’t clustered mailboxes pick up that they need the rollups?

  21. Butsch says:

    SCR Update OK with Rollup6

    I just did the Rollup 6 on following three Server without any Problems. Please make sure the account you INSTALL the Update is member of the Group "Exchange Organization Administrators" otehrwise CAS Udpate may fail. (Because he dopes not see the CAS role installed).

    English OS/English Exchange 2007

    – Server 2008, with SCR (Standby Master), Hub, Mailbox

    – Server 2008, with SCR (Standy Target), Hub, Mailbox

    – Server 2003, R02, CAS Server

    On all 3 Servers the Update was sucessfull and there was no reboot required.

    I had problems with the Rollup5 on CAS/IIS last time (User permission OK) on a german Server 2003 R02 and CAS Role WHICH had RSA security plugin installed. Icons/Pics on Logon screen where not there all other pics there. After a reinstall of the Rollup5 everything was fine.

  22. Leo Siepel says:

    Have some troubles with this RU6 as some others. Alle services regarding exchange and IIS where disabled. Nothing worked.

    After i manually put them on auto start. It worked again, except for OWA.

    OWA Showed a blank page. The html source states and error that the client had to enable scripting in the browser.

    Just rolled back. (other RU never caused troubles, but this is a pain)

  23. jeremy says:

    We had the same issue with Rollup6 as Leo.  OWA showed a blank page.  We had to roll back to 5.

    What is the fix for this?

  24. alexk3 says:

    Failed to install UR6 on CAS server using downloaded UR6

    [01:10:16] ***********************************************

    [01:10:16] * UpdateOwa.ps1: 2/11/2009 1:10:16 AM

    [01:11:07] Updating OWA on server server1

    [01:11:07] Finding OWA install path on the filesystem

    [01:11:08] Updating OWA to version 8.1.340.0

    [01:11:08] Copying files from ‘C:Program FilesMicrosoftExchange ServerClientAccessowaCurrent’ to ‘C:Program FilesMicrosoftExchange ServerClientAccessowa8.1.340.0’

    [01:11:27] Getting all Exchange 2007 OWA virtual directories

    [01:11:31] There are no Exchange 2007 OWA virtual directories.  Aborting.

    Try to reinstall UR6

    [18:23:03] ***********************************************

    [18:23:04] * UpdateOwa.ps1: 2/11/2009 6:23:04 PM

    [18:23:46] Updating OWA on server server1

    [18:23:46] Finding OWA install path on the filesystem

    [18:23:46] Updating OWA to version 8.1.340.0

    [18:23:46] Copying files from ‘C:Program FilesMicrosoftExchange ServerClientAccessowaCurrent’ to ‘C:Program FilesMicrosoftExchange ServerClientAccessowa8.1.340.0’

    [18:23:55] Getting all Exchange 2007 OWA virtual directories

    [18:23:57] There are no Exchange 2007 OWA virtual directories.  Aborting.

    Uninstalled UR6 and reinstalled it.

    [01:21:16] ***********************************************

    [01:21:16] * UpdateOwa.ps1: 2/12/2009 1:21:16 AM

    [01:21:50] Updating OWA on server server1

    [01:21:50] Finding OWA install path on the filesystem

    [01:21:50] Updating OWA to version 8.1.340.0

    [01:21:50] Copying files from ‘C:Program FilesMicrosoftExchange ServerClientAccessowaCurrent’ to ‘C:Program FilesMicrosoftExchange ServerClientAccessowa8.1.340.0’

    [01:21:53] Getting all Exchange 2007 OWA virtual directories

    [01:21:53] There are no Exchange 2007 OWA virtual directories.  Aborting.

  25. Ananth Ramanathan says:

    If you had OWA issues, please check the account you used to install the rollup.

    You must an account which is a member of "Exchange Organization Administrators" group (http://technet.microsoft.com/en-us/library/aa996881.aspx) to install/uninstall rollups. The powershell scripts which run as part of the rollup installation/uninstallation make calls which require higher privileges than a local administrator on the system.

  26. Sean says:

    I just applied RU6 hoping to solve the IE8 woes we have encountered.

    Still no dice. IE8 running on multiple cores still fails anytime a new window must be instantiated.

    And, as a bonus, the code we have in place to post our credentials directly to the owaauth.dll is now broken in IE7 (but now works in IE8).

  27. Joey - MSFT says:

    All – please direct any specific technical errors and issues you are seeing to the UR forum located here:

    http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/threads/

    This forum is set up with engineers monitoring the issues you are seeing and people are ready to assist and troubleshoot with you there!

    Thanks all

  28. KCotreau says:

    I doubt there is anything you can do other than uninstall the rollup, but Exchange 2007 SP1 Rollup 6 causes an e00002fe error when backing up using Backup Exec.

  29. xbyt says:

    Just another "almost perfect" here.

    Updated 2 Edge, 2 CAS/HUB and 2 SCR-nodes this weekend and it worked fine, the only thing is that Forefront stoped working on one of the CAS/HUB.

  30. Ram Karthik says:

    After applying RU6 on the Edge servers the Credential service failed to start. Set the logging level to expert doesnt fetch any results. App log didnt show anything. After changing the service to start with admin permissions it started fine. App log showed interesting information that the

    Event Type:        Information

    Event Source:    MSExchange Message Security

    Event Category:                EdgeCredentialService

    Event ID:              1008

    Date:                     2/16/2009

    Time:                     11:04:48 AM

    User:                     N/A

    Computer:          XXXXXXXXX

    Description:

    The Edge Credential service successfully updated the password for the ADAM account cn=XXXXXXX,CN=Services,CN=Configuration,CN = XXXXXX. The new password has a hash of XXXXXXXXXXX. The new password will start being used on 2/8/2009 7:29:18 AM.

    Any idea what is happening and why is credential service trying to change the ADAM password?

  31. Willy Ceppi says:

    Should the Build number on the servers version be updated by the RU6?

    In my organization I have some servers that show Build 240.6 and some others that show 263.1

    What is the correct build number? Shouldn´t it be updated by the Rollup?

    Thank you

  32. Ananth Ramanathan says:

    Willy Ceppi,

    Update Rollups do not update the version number of the server. Checking in Add/Remove programs is the correct way to validate successful installation of a rollup (similar to the validation of successful installation of any other Hotfix/Update for other Microsoft products).

  33. Seth Wanlass says:

    There is a major flaw with relying on add/remove programs (or the patches registry key).  When Exchange is installed, it goes out and grabs the lastest updates.  So, if a machine was built between Rollup 5 and Rollup 6 then no rollups are displayed in add/remove.  And, if it is a clustered mailbox server (I currently have 24 for which I’m trying to identify rollup levels) then Microsoft update doesn’t show available rollups either so I can’t see if rollup 6 is currently installed or not.

  34. Seth Wanlass says:

    I stand corrected.  I inaccurately assumed that the Exchange 2007 installation slipstreamed the rollups.  We reached this conclusion because the installation process ends with a recommendation to check for updates.  The corresponding action opened Microsoft Update, which, for SCC nodes, reported no necessary updates. With our first dozen mailbox server builds, we didn’t know that SCC nodes are now treated differently (they weren’t in Exchange 2003) and concluded that our newly installed servers were in a fully patched state.  For future reference, nobody that we’ve contacted through PSS seems to know what the "check for updates" option that is checked by default as part of the installation process actually does, but it does not slipstream.

  35. KCotreau says:

    Hey Exchange Team guys, any news or updates on fixes? It really seems like this rollup should not have been released.

  36. Yasir Kuttiady says:

    Hi ExTeam,

    After applying the Rollup 6, my OWA shows the following info. Can you please shed some light on it?

    Outlook Web Access version: 8.1.340.0

    Microsoft Exchange Client Access server version: 8.1.240.0

    Mailbox server Microsoft Exchange version: 8.1.240.0

  37. Erik Dierks says:

    We applied this to our environment and I loved the CCR failover. Total actual downtime was 0 for application of the RU.

    Carrying over whatever broke the ability to configure SCR on new storage groups from RU5 is a big disappointment though and is really messing up our rollout. I just spent 3 hours with support only to be told that my options are to wait for RU7 to fix this or to peel off RU6, pray that nothing breaks, configure SCR for the new DBs, reapply RU6 and repeat my prayer.

  38. m3Rlin says:

    OWA broken, once again! It becomes a big problem when you really rely on it!

  39. jtwbnx says:

    Does this rollup address the lack of public folders problem in OWA Light? If not, when will that get fixed?

  40. suriya says:

    Yes, after this update appled. The owa unaccessible.

    Error: Done, problem with some error

    No OWA log on menu shown.

  41. FragglePete says:

    Just installed RU6 on a freshly installed machine (Server 2008) and just about to start configuring Exchange 2007, and it suceeded in stopping all my exchange services.

    Uninstalled the update, and tried it again.  But now it just seems stuck on the install.  Will remove and will not allow it to install.

    Wasted half a day of my time this has.  Not happy.

Comments are closed.

Skip to main content