28 June 2016

Exchange 2013 CU12 failed to install error 1619

This has got to be the dumbest thing I've ever come across when dealing with Microsoft products.
When installing CU12 for Exchange 2013 last night, the setup failed and was presented with this error:

Configuring Microsoft Exchange Server

Language Files COMPLETED

Restoring Services COMPLETED

Language Configuration COMPLETED

Mailbox role: Transport service COMPLETED

Client Access role: Front End Transport service COMPLETED

Mailbox role: Client Access service COMPLETED

Mailbox role: Unified Messaging service COMPLETED

Mailbox role: Mailbox service FAILED

The following error was generated when "$error.Clear();

Install-MsiPackage `

-PackagePath ([System.IO.Path]::Combine($RoleLanguagePacksPath, "Setup\ServerRoles\UnifiedMessaging\MSSpeech

_SR_TELE.ca-ES.msi")) `

-PropertyValues ("ARPSYSTEMCOMPONENT=1 ALLUSERS=1") `

-LogFile ([System.IO.Path]::Combine($RoleSetupLoggingPath, "InstallSpeech-ca-ES.msilog"))

" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: Couldn't open package 'C:\Program Files\Microsoft\Exchange Server\V15\bin\Setup\ServerRoles\UnifiedMessaging\MSSpeech_SR_TELE.ca-ES.msi'. This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package. Error code is 1619. ---> System.ComponentModel.Win32Exception: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package

--- End of inner exception stack trace ---

at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target,Boolean reThrow, String helpUrl)at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)at Microsoft.Exchange.Management.Deployment.InstallMsi.InternalBeginProcessing()at Microsoft.Exchange.Configuration.Tasks.Task.<BeginProcessing>b__5()at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the

<SystemDrive>:\ExchangeSetupLogs folder.

PS D:\Install\CU12>

I started the install with extracting the setup files to D:\Install\CU12, then ran the following command:
.\setup /mode:upgrade /iacceptexchangeserverlicenseterms
Looking in the exchangesetuplog file I saw that setup was looking for the missing file in this folder:
C:\Program Files\Microsoft\Exchange Server\V15\bin\Setup\ServerRoles\UnifiedMessaging\

Strange, because thats not where I extracted the setup files.
So copied the setup folder from the extracted folder:D:\Install\CU12 to C:\Program Files\Microsoft\Exchange Server\V15\bin\ to make sure the setup folder with install files where there, then started the install again from the D:\Install\CU12 folder and the everything went fine and without a glitch, I even think that it was a little bit faster. But maybe that's just wishful thinking because it was at 01:30 in the night....

According to this post from Peter de Tender I'm not the first to witness this, and sure as hell won't be the last.

22 June 2016

Installing Cumulative Updates for Exchange 2013 in production environments in combination with TrendMicro ScanMail

Installing Cumulative Updates for Exchange 2013 in production environments in combination with TrendMicro ScanMail:

1. Put the server in maintenance mode with the script on D:\Scripts\Start-ExchangeServerMaintenanceMode v1.8.ps1

- In an elevated PowerShell console : Start-ExchangeServerMaintenanceMode.ps1 -Server Servername -TargetServerFQDN servername.domain.lan
(-Server is the server that will be put in maintenance mode, -TargetServerFQDN is the server where all connections, queues etc. will be move to)

2. Stop the TrendMicro Services in the following order:

- ScanMail for Microsoft Exchange System Watcher
- ScanMail for Microsoft Exchange Remote Configuration Server
- ScanMail for Microsoft Exchange Master Service

3. Change the Startup type for the Trendmicro Services to “Disabled”

4. Check the status for the Exchange components in the Exchange PowerShell console:
- Get-ServerComponentState –Identity Servername

5. Reboot server

6. Stop the TrendMicro Service in the Task Manager under the tab "services" in the following order:
- ScanMail_RemoteConfig
- ScanMail_SystemWatcher
- Scanmail_Master

7. In an elevated PowerShell console;
- Go to the folder where the extracted CU files are, in that folder type:
- .\setup /mode:upgrade /iacceptexchangeserverlicenseterms (Attention -  make sure .\ is in front of setup)

8. After successful installation of the CU reboot the server

9. Change the startup type for the TrendMicro services “Automatic” (Except ScanMail EUQ Monitor)

10. Reboot the server

11. Stop Maintenance mode with the script on D:\Scripts\Stop-ExchangeServerMaintenanceMode v1.8.ps1

- In an elevated PowerShell console : Stop-ExchangeServerMaintenanceMode.ps1 -Server Servername

12. Check the status for the Exchange components in the Exchange PowerShell console:
- Get-ServerComponentState –Identity Servername

13. Now the server is active and will be accepting connections and the database copies will be updated

21 June 2016

Exchange 2013 Default IIS Settings

These are the default IIS settings for the Front End Website and the Exchange Back End Website, taken from a fresh installed Exchange 2013 CU12 server:

Default Web Site (Front End)
Virtual directory
Default IIS Authentication methods
SSL settings
Default authentication methods
Exchange Admin Center (EAC)
AuthenticationMethods
Exchange Management Shell (EMS)
Sites \ Default Web Site
As shown in Internet Information Services (IIS) Manager
 Available through EAC
 Internal
 External
Autodiscover
• Anonymous authentication
• Basic authentication
• Windows authentication
 • SSL required
• Integrated Windows authentication
• Basic authentication
Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth
Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth
ECP (Exchange Control Panel)
• Anonymous authentication
• Basic authentication
 • SSL required
• Use-forms-based authentication
 Basic, Fba
 Fba
EWS (Exchange Web Services)
• Anonymous authentication
• Basic authentication
 • SSL required
• Integrated Windows authentication
Ntlm, WindowsIntegrated, WSSecurity, OAuth
Ntlm, WindowsIntegrated, WSSecurity, OAuth
Mapi
 • Windows authentication
 • SSL required
 Not available in EAC
Ntlm, OAuth, Negotiate
Not configured
Microsoft-Server-Active-Sync
• Basic authentication
 • SSL required
• Basic authentication
• Ignore client certificate
Not set *
All methods can be used.
Not set *
All methods can be used.
OAB (Offline Address Book)
• Windows authentication
None available
WindowsIntegrated, OAuth
WindowsIntegrated, OAuth
OWA (Outlook Web App)
• Basic authentication
• SSL required
 • Use-forms-based authentication
• Domain\user name
 Basic, Fba
 Basic, Fba
OWA\Calendar
• Anonymous authentication
• Ignore client certificates
None available
OWA\Integrated
• Windows authentication
• SSL required
• Ignore client certificates
None available
OWA\oma (Outlook Mobile Access)
• Basic authentication
• Ignore client certificates
None available
PowerShell
• Windows authentication
• Not Required
 None set
 {}
 {}
* The InternalAuthenticationMethods/ExternalAuthenticationMethods  parameter specifies the authentication methods supported by the server that contains the virtual directory when access is requested from inside the network firewall. If this parameter isn’t set, all authentication methods can be used.
Aside from the above listed Virtual Directories, which you can find in the EAC, you also have the following directories to manage through IIS or EMS:
Virtual directory
Authentication method
SSL settings
Management method
Default Website
• Anonymous authentication
• SSL required
IIS Management Console*
This virtual directory can’t be configured by the user*
aspnet_client
• Anonymous authentication
• SSL required
IIS management console
Rpc
• Basic authentication
• Windows authentication
• SSL required
Exchange Management Shell (EMS)
* Indicates difference between multirole and Mailbox role server. You can’t configure this if the server only has the Mailbox role

Exchange Back End Website
Virtual directory
IIS Default Authentication methods
IIS SSL settings
Exchange Back End
• Anonymous authentication
• SSL required
• Ignore client certificates
Autodiscover
• Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
 ecp
• Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
 EWS
• Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
 Exchange
• SSL required
• Ignore client certificates
 Exchweb
• SSL required
• Ignore client certificates
 mapi
• Anonymous authentication
• SSL required
• Ignore client certificates
 Microsoft-Server-ActiveSync
• Basic authentication
• SSL required
• Ignore client certificates
 OAB
• Windows authentication
• SSL required
• Ignore client certificates
owa
• Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
owa\Calender
• Anonymous authentication
• Ignore client certificates
PopImap
• Anonymous authentication
• SSL required
• Ignore client certificates
 PowerShell
• Windows authentication
 • SSL required
• Accept client certificates
PowerShell-Proxy

• SSL required
• Ignore client certificates
Public
• SSL required
• Ignore client certificates
 PushNotifications
• Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
Quarantine
• Anonymous authentication
• SSL required
• Ignore client certificates
ReportingWebService
• Anonymous authentication
• SSL required
• Ignore client certificates
Reports
• Anonymous authentication
• SSL required
• Ignore client certificates
 Rpc
• Windows authentication
• Ignore client certificates
RpcProxy
• Anonymous authentication
• SSL required
• Ignore client certificates
 RpcWithCert
• Windows authentication
• Ignore client certificates
Sync

• SSL required
• Ignore client certificates
Ucc
• Anonymous authentication
• SSL required
• Ignore client certificates