Exchange 2016 CU7 Released


Exchange 2016 CU7 has been released to the Microsoft download centre!  Exchange 2016 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.    CUs are a complete installation of Exchange 2016 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 has the same servicing methodology.

Exchange 2016 CU7 Download

This is build 15.01.1261.035 of Exchange 2016 and the update is helpfully named ExchangeServer2016-x64-CU7.iso which allows us to easily identify the update.  Details for the release are contained in KB 4018115.

No Exchange 2010 updates were released today since Exchange 2010 is in extended support.  Updates will be released as per the extended support lifecycle policy.

Exchange 2007 is no longer supported, updates are not provided once a product has exited out of extended support.

Update 12-9-2017: Corrected line regarding schema changes

Updates Of Particular Note

.NET Framework 4.7 is not supported at the time of writing.  Note that the focus will be placed upon supporting .NET Framework 4.7.1 with the next Exchange CU released for Exchange 2013 and Exchange 2016.

CU7 contains AD DS schema changes - please plan accordingly.

Advanced notification is provided so that administrators can proactively plan to update .NET between the release next Exchange CU and the subsequent CU.  This is similar to the approach with .NET 4.6.2 - Please see Exchange 2013 CU16 and Exchange 2016 CU5 .NET Framework Requirement for more details.

As per Active Directory Forest Functional Levels for Exchange Server 2016, it was announced that Exchange Server 2016 would enforce a minimum 2008R2 Forest Functional Level requirement for Active Directory.  Cumulative Update 7 for Exchange Server 2016 will now enforce this AD DS requirement.

Issues Resolved

KB 4040754 "Update UseDatabaseQuotaDefaults to false" error occurs when you change settings of user mailbox in Exchange Server 2016

KB 4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode

Some Items For Consideration

Exchange 2016 follows the same servicing paradigm for Exchange 2013 which was previously discussed on the blog.  The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2016 installation to this CU.  Cumulative Updates are well, cumulative.  What else can I say…

For customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).

  • Test the CU in a lab which is representative of your environment
  • Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server
  • Follow your organisation’s change management process, and factor the approval time into your change request
  • Provide appropriate notifications as per your process.  This may be to IT teams, or to end users.
  • After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange 2016. If you uninstall this cumulative update package, Exchange 2016 is removed from the server.

  • Place the server into SCOM maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

  • Place the server into Exchange maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

  • I personally like to restart prior to installing CU.  This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations.  3rd party AV products are often guilty of this

  • Restart the server after installing the CU

  • Ensure that all the relevant services are running

  • Ensure that event logs are clean, with no errors

  • Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment.  This includes archive, backup, mobility and management services.

  • Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application.  FIM and 3rd party user provisioning solutions are examples of the latter.

  • Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  See KB981474.

  • Disable file system antivirus prior to installing. Do this through the appropriate console.  Typically this will be a central admin console, not the local machine.

  • Verify file system antivirus is actually disabled

  • Once server has been restarted, re-enable file system antivirus.

  • Note that customised configuration files are overwritten on installation.  Make sure you have any changes fully documented!

  • CU7 does contain new AD Schema updates for your organisation.

Please enjoy the update responsibly!

What do I mean by that?  Well, you need to ensure that you are fully informed about the caveats with the CU  and are aware of all of the changes that it will make within your environment.  Additionally you will need to test the CU your lab which is representative of your production environment.

Cheers,

Rhoderick

Comments (31)

  1. Turbomcp says:

    The FFL isn’t a requirement if upgrading right?
    thats the way it should be in previous articles
    Thanks

    1. Post coming out on that later this week. Exchange 2016 CU7 will check for Windows Server 2008 R2 FFL.

      Cheers,
      Rhoderick

  2. Thanks for the update !!

  3. Ben says:

    Has this been fully tested to avoid the issues being faced by people installing CU6??

    https://social.technet.microsoft.com/Forums/en-US/5e6badad-6f5b-4f98-bd80-aa38eebfe0dd/kb4036108-patch-fails-the-term-stopsetupservice-is-not-recognized?forum=Exch2016SD

    I have no desire to brick by server!

  4. Fred Proos says:

    Hi

    After Exchange 2016 CU6 install users couldnt Access OWA. (ASP.NET Event ID 1309 event code 3005)
    More details in your previous blog post comments: https://blogs.technet.microsoft.com/rmilne/2017/06/27/exchange-2016-cu6-released/

    Has this issue been fixed in CU7

    Tthanks

    1. Andrey Polyakov says:

      I have established, everything is good! owa works

    2. MSchueler says:

      Hi Fred,

      since CU6 and I also think CU7, Exchange Services checks for the existence of the “Microsoft Exchange Server Auth Certificate”.

      For me, the (ASP.NET Event ID 1309 event code 3005) OWA Problem could be solved, if you check for the “OAuth Certificate” with friendly name “Microsoft Exchange Server Auth Certificate” and creates them again if is not present

      See my comment CU5
      https://blogs.technet.microsoft.com/rmilne/2017/06/27/exchange-2016-cu6-released/#comment-105985

  5. mushfiqul says:

    I have installed CU7 into my production environment and working smoothly.

  6. David Sheetz says:

    CU7 broke ECP/OWA/MAPI authentication again!, same problem when I installed CU6! I am going to have to script repairing authentication if it happens again

    1. David – I assume you are referring to the Exchange Auth Certificate not being present?

      Cheers,
      Rhoderick

  7. MSchueler says:

    Only for information.

    Schema Update at CU7 are:

    classSchema: ms-Exch-Http-Delivery-Connector
    attributeSchema: ms-Exch-Immutable-Sid

    1. Hi Manfred,

      Yes – since there are now changes in CU7 (aside from updating rangeUpper) the docs were updated to reflect this:

      https://technet.microsoft.com/en-us/library/bb738144(v=exchg.160).aspx

      Cheers,
      Rhoderick

  8. MSchueler says:

    Hi Rhoderick,

    I don’t know if there is only a CU7 problem, but users are amazed about an additional folder “archive” (“Archiv”) in there outlook folder structure, which constantly being restored, if mailbox user move or delete this folder.

    This behavior occurs only after update CU7.

    A problem or an update or new feature?

    Found information about known unresolved issues “Online Archive Folders created in O365 will not appear in the Outlook on the Web UI” … Perhaps there is a connection here?

    1. Hi Manfred,

      I suspect I know where this is coming from. Not so much the Online Archive issue from above but something else. I’m heading out now for the long weekend.

      Will take a peek when I’m back midweek.

      Cheers,
      Rhoderick

      1. MSchueler says:

        Hi Rhoderick,

        for me it loooks like, this folder is definitely created by Exchange service >> “FolderType=Archive”

        Get-MailboxFolderStatistics -Identity ExAlias | select FolderPath, FolderType | Sort-Object FolderPath | Group-Object FolderType

        Count Name Group
        —– —- —–
        1 Archive {@{FolderPath=/Archiv; FolderType=Archive}}
        1 Audits {@{FolderPath=/Audits; FolderType=Audits}}
        1 Tasks {@{FolderPath=/Aufgaben; FolderType=Tasks}}
        1 CommunicatorHistory {@{FolderPath=/Aufgezeichnete Unterhaltungen; FolderType=CommunicatorHistory}}
        1 CalendarLogging {@{FolderPath=/Calendar Logging; FolderType=CalendarLogging}}
        1 ConversationActions {@{FolderPath=/Conversation Action Settings; FolderType=ConversationActions}}
        15 User Created {@{FolderPath=/Conversation History; FolderType=User Created}, @{FolderPath=/DiscoverySearchMailbox; FolderType=User Created}, @{FolderPath=/Ei…
        1 RecoverableItemsDeletions {@{FolderPath=/Deletions; FolderType=RecoverableItemsDeletions}}
        1 Drafts {@{FolderPath=/Entwürfe; FolderType=Drafts}}
        1 ExternalContacts {@{FolderPath=/ExternalContacts; FolderType=ExternalContacts}}
        1 Files {@{FolderPath=/Files; FolderType=Files}}
        1 DeletedItems {@{FolderPath=/Gelöschte Elemente; FolderType=DeletedItems}}
        1 SentItems {@{FolderPath=/Gesendete Elemente; FolderType=SentItems}}
        1 Journal {@{FolderPath=/Journal; FolderType=Journal}}
        1 JunkEmail {@{FolderPath=/Junk-E-Mail; FolderType=JunkEmail}}
        1 Calendar {@{FolderPath=/Kalender; FolderType=Calendar}}

        1. Hi Manfred – thanks for reminding me!

          I’m thinking this is related to the same folder that is now automatically created in Exchange Online. That was a previous change in the service.

          Cheers,
          Rhoderick

  9. MSchueler says:

    I can also notice, after CU7 installation …

    The “Microsoft Exchange Diagnostics service” is set with startup type “Automatic” and after Exchange Server complete restart, the service dont starts directly?!

    1. jayuw says:

      I’ve noticed this as well. The Diagnostics Service doesn’t start, with Service Manager citing a service timeout (after as little as 1 second). I’m also getting EventID 4999 from MSExchangeCommon, with this error:
      Watson report about to be sent for process id: 7324, with parameters: E12IIS, c-RTL-AMD64, 15.01.1261.035, M.E.Diagnostics.Service, M.E.Diagnostics.Service, M.E.D.S.DiagnosticsService.SetPhysicalMemorySizeInRegistry, System.NullReferenceException, 4d30-dumptidset, 15.01.1261.035.
      ErrorReportingEnabled: False

  10. Simon says:

    I just had the worst CU upgrade experience by far.

    The initial upgrade to CU7 in our test environment goes smoothly, without any issues. As result I scheduled the production upgrade for this weekend, and all goes to hell.

    The upgrade itself completed fine, but after the server rebooted, the Mailbox Transport Delivery service was stuck in a reboot loop and EdgeTransport.exe was also starting/stopping throwing errors like the below into the event log.

    “Watson report about to be sent for process id: 18460, with parameters: E12IIS, c-RTL-AMD64, 15.01.1261.035, edgetransport, mscorlib, M.W.RegistryKey.CreateSubKeyInternal, System.UnauthorizedAccessException, ae99-dumptidset, 04.07.2110.000.
    ErrorReportingEnabled: False”

    The culprit (tracked down with the lifesaver that is Procmon) was a permissions issue on: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\WorkerTaskFramework\IdStore\ProbeDefinitionIDConflicts

    Once a new permission entry was created on the above key, all transport services stayed up and mail flow was restored.

    I don’t understand how this issue didn’t get picked up in the test environment, which is essentially an offline clone of our production system. Has anyone else had similar issues when applying this update?

    1. Great troubleshooting Simon, not so good you had to do that.

      I have done dozens of CU7 fresh installs and updates in the last week and not experienced that issue.

      What were the permissions set onto the reg key?

      Cheers,
      Rhoderick

      1. Simon says:

        The only permissions were the Inherited permissions, full control to only CREATOR OWNER, SYSTEM and Managed Availability Servers. Adding NETWORK SERVICE resolved the issue for us.

  11. Jacob says:

    The command “Set-FederatedOrganizationIdentifier” is broken in CU7. After deploying a fresh install of Exchange 2016 CU7 to setup a Hybrid deployment to Office 365, I could not federate to Office 365 using the HCW. After much trial and error, I learned HCW is trying to use the cmdlet Set-FederatedOrganizationIdentifier”. Opening a ticket with MS support they too try the command in their lab environment and confirmed that with the install of CU7 this command does not work. Because of this, I’m having to deploying another Exchange 2016 server this time running CU6 just so I can federate to O365. Lesson learned, do not deploy CU7 if you plan on setting up a Hybrid deployment.

    1. Jacob says:

      Also, Microsoft support confirmed that this cmdlet breaks in their lab when doing an upgrade to CU7. So for those that are currently federating to O365, I would wait until a hotfix comes out or until CU8 comes out as this could paint you into a corner if you had to recreate the trust to O365 and couldn’t after an upgrade.

      1. Hi Jacob, can you send me the case # for that using the contact author form on the side of the blog please

        Cheers,
        Rhoderick

        1. Alexx says:

          Same problem here with CU7 and not being able to enable federation through the HCW. Make you wonder what kind of testing is undergone before a CU is released. Why require people to upgrade to the latest or N-1 if the basic requirements for hybrid are not tested properly!

        2. Jacob says:

          Hello Rhoderick, the MS case # is: 117101216486966. Thanks.

    2. Rob says:

      Same issue here, Jacob. I just came across this today trying to setup the same scenario as you.

  12. Juan Martinez says:

    Hi, Please note the distribution comes with an error in one on it’s scripts. The script Install-AntispamAgents.ps1 has an error in its line 50
    install-TransportAgent -Name:$name -TransportAgentFactory:$factory -AssemblyPath:$agentAssembly -TransportService $transportService -EscalationTeam “AntiSpam”; > $null
    The ; at the end of the command would need to be removed

    1. Jeremy Oger says:

      Hi,

      it seems, the parameter -EscalationTeam is not recognized too. I’m unable to install antispam agents at all.
      Set-EngineUpdateCommonSettings command seems broken too

      1. Alexx says:

        I still had a server with CU6 and used it scripts to install the anti spam agents and it worked fine. The one from CU7 gave me the same error!

Skip to main content