Exchange 2010 SP1 installation notes
Released date of Exchange 2010 SP1 is on September 2010
The
starting point for SP1 setup/upgrade should be the What’s New in SP1, SP1 Release Notes, and Prerequisites docs. As with any new release, there are some frequently
asked deployment questions, and known issues, or issues reported by some
customers. You may not face these in your environment, but we’re posting these
here along with some workarounds so you’re aware of them as you test and deploy
SP1
Caution: |
After you upgrade to Exchange 2010 SP1, you can’t uninstall the service pack to revert to Exchange 2010 RTM. If you uninstall Exchange 2010 SP1, you remove Exchange from the server. |
- 1. Exchange 2010 SP1
Prerequisites
Exchange 2010 SP1 requires the installation
of 4-5 hotfixes, depending on the operating system – Windows Server 2008, or
Windows Server 2008 R2. To install the Exchange 2010 SP1 administration tools
on Windows 7 and Windows Vista, you requires 2 hotfixes.
Update 2/11/2011: Windows 2008 R2
SP1 includes all the required hotfixes listed in this
table — 979744, 983440, 979099, 982867 and 977020. If you’re installing
Exchange 2010 SP1 on a server running Windows 2008 R2 SP1, you don’t need to
install these hotfixes separately. For a complete list of all updates included
in Windows 2008 R2 SP1, see Updates in Win7 and WS08R2 SP1.xls.
- 1. Upgrade order
The order of upgrade from
Exchange 2010 RTM to SP1 hasn’t changed from what was done in Exchange 2007.
Upgrade server roles in the following order:
- Client Access server
- Hub Transport server
- Unified Messaging server
- Mailbox server
The Edge Transport server
role can be upgraded at any time; however, we recommend upgrading Edge
Transport either before all other server roles have been upgraded or after all
other server roles have been upgraded. For more details, see Upgrade from Exchange 2010 RTM to
Exchange 2010 SP1 in the documenation.
Permissions
To perform the following procedures, the account you use must be a
member of the Delegated Setup management role group or the Organization
Management management role group.
To upgrade an Exchange 2010 RTM server that has the Edge Transport
server role installed to Exchange 2010 SP1, the account you use must be a
member of the local Administrators group on that computer.
To upgrade a computer that has only the Exchange management tools
installed, you must log on using an account that’s a member of the local
Administrators group on that computer.
Prepare Active Directory
and Domains
Applies to: Exchange Server 2010 SP1
Topic Last Modified: 2011-01-25
Before you install Microsoft Exchange Server 2010 on any servers
in your organization, you must prepare Active Directory and domains.
For information about preparing your domains with legacy Exchange
permissions, see Prepare
Legacy Exchange 2003 Permissions.
Prerequisites
- The computers on which you plan to
install Exchange 2010 must meet the system requirements. For details, see Exchange 2010 System Requirements. - Your domains and the domain
controllers must meet the system requirements in “Network and
Directory Servers” in Exchange 2010 System Requirements. - In each domain in which you
install Exchange 2010, you must have at least one domain controller
running any of the following:
-
Windows Server 2003
Standard Edition with Service Pack 1 (SP1) or later (32-bit or 64-bit) -
Windows Server 2003 Enterprise
Edition with SP1 or later (32-bit or 64-bit) -
Windows Server 2008
Standard or Enterprise (32-bit or 64-bit) -
Windows Server 2008 R2
Standard or Enterprise -
Run the /Prepare* commands
from an Active Directory site with an Active Directory server from every
domain. -
Run the first server role
installation or Exchange 2010 service pack upgrade from an Active Directory
site with a writeable global catalog server from every domain. -
Verify that replication of
objects from the preceding actions is completed on the global catalog server in
the Active Directory site before installing the first Exchange 2010 server (or
SP1 upgrade) to that site. -
Windows Server 2003
Standard Edition with SP1 or later (32-bit or 64-bit) -
Windows Server 2003
Enterprise Edition with SP1 or later (32-bit or 64-bit) -
Windows Server 2008
Standard or Enterprise (32-bit or 64-bit) -
Windows Server 2008 R2
Standard or Enterprise
- For multiple domain organizations
running the following /Prepare* commands, we recommend the following:
- If you’re running the release to
manufacturing (RTM) version of Exchange 2010 Setup.com, in each domain
(including child domains) where you have the Exchange Enterprise Servers
and Exchange Domains Servers security groups (and therefore must run Setup
/PrepareLegacyExchangePermissions), you must have at least one domain
controller running any of the following:
- If you run the Exchange 2010 Setup
wizard with an account that has the permissions required (Schema Admins,
Domain Admins, and Enterprise Admins) to prepare Active Directory and the
domain, the wizard will automatically prepare Active Directory and the
domain. For more information, see Install Exchange Server 2010.
However, if you’re deploying a new Exchange organization, and you’re
preparing your Active Directory schema and domains using a computer
running Windows Server 2008, you must first install the Active Directory
management tools on the Windows Server 2008 computer prior to preparing
the schema or domains. To do this, run the following command.
ServerManagerCmd -i RSAT-ADDS
Prepare
Active Directory and domains
To track the progress of Active Directory replication, you can use
the Active Directory Replication Monitor tool (replmon.exe), which is installed
as part of the Windows Server 2003 Support Tools Setup. By default, it’s
located at %programfiles%\support tools\. Add your domain controllers as
monitored servers so that you can track the progress of replication throughout
the domain.
-
If you have any computers
in your organization running Microsoft Exchange Server 2003, open a Command
Prompt window, and then run one of the following commands:
-
To prepare legacy Exchange
permissions in every domain in the forest that contains the Exchange Enterprise
Servers and Exchange Domain Servers groups, run the following command.setup /PrepareLegacyExchangePermissions or setup /pl
-
To prepare legacy Exchange
permissions in a specific domain, run the following command.setup /PrepareLegacyExchangePermissions:<FQDN of domain you want
to prepare> or setup /pl:<FQDN of domain you want to
prepare>
Note: |
You can skip this step and prepare the legacy Exchange permissions as part of Step 2 or Step 3. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step. |
- Note the following:
-
To run this command to
prepare every domain in the forest, you must be a member of the Enterprise
Admins group. To run this command to prepare a specific domain, or if the
forest has only one domain, you must be delegated the Exchange Organization
Management role, and you must be a member of the Domain Admins group in the
domain that you will prepare. -
If you don’t specify a
domain, the domain in which you run this command must be able to contact all
domains in the forest. If the server can’t contact a domain that must have
legacy Exchange permissions prepared, it prepares the domains that it can
contact, and then returns an error message that it was unable to contact some
domains. -
You can run this command
from any Windows Server 2008 server in the forest. -
You must run this command
on a computer in the same domain and in the same Active Directory site as the
schema master. Setup will make all configuration changes to the schema master
to avoid conflicts because of replication latency. For more information, see Identify the schema master. -
After you run this command,
you must wait for the permissions to replicate across your Exchange
organization before continuing to the next step. If the permissions haven’t
replicated, the Recipient Update Service on your Exchange 2003 computers could
fail. The amount of time that replication takes depends on your Active
Directory site topology. -
For detailed information
about the permissions set by this command, see Prepare Legacy Exchange 2003 Permissions.
-
From a Command Prompt
window, run the following command.setup /PrepareSchema or setup /ps
Note: |
You can skip this step and prepare the schema as part of Step 3. |
Important: |
Don’t run this command in a forest in which you don’t plan to run setup /PrepareAD. If you do, the forest will be configured incorrectly, and you won’t be able to read some attributes on user objects. |
Note: |
It isn’t supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange 2010 schema changes. You must use Setup to update the schema. |
-
This command performs the
following tasks:
-
Connects to the schema
master and imports LDAP Data Interchange Format (LDIF) files to update the
schema with Exchange 2010 specific attributes. The LDIF files are copied to the
Temp directory, and then deleted after they are imported into the schema.
Note the following:
-
To run this command, you
must be a member of the Schema Admins group and the Enterprise Admins group. -
You must run this command
on a 64-bit computer in the same domain and in the same Active Directory site
as the schema master. -
If you haven’t completed
Step 1, setup /PrepareSchema will automatically perform the PrepareLegacyExchangePermissions
step. To complete the PrepareLegacyExchangePermissions step, the domain
in which you run this command must be able to contact all domains in the
forest. The advantages of running each step separately are that you can run
each step with an account that has the minimum permissions required for that
step, and you can verify completion, success, and replication before continuing
to the next step. -
If you use the /DomainController
parameter with this command, you must specify the domain controller that is the
schema master. -
After you run this command,
you should wait for the changes to replicate across your Exchange organization
before continuing to the next step. The amount of time this takes is dependent
upon your Active Directory site topology. - For more information, see Exchange Server Changes to the Active Directory Schema.
-
From a Command Prompt
window, run the following command.setup /PrepareAD [/OrganizationName:<organization name>]
or setup /p [/on:<organization name>]This command performs the following tasks:
-
If the Microsoft Exchange container
doesn’t exist, this command creates it under
CN=Services,CN=Configuration,DC=<root domain>. -
If no Exchange organization
container exists under CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain >, you must
specify an organization name using the /OrganizationName parameter. The
organization container will be created with the name that you specify.The Exchange organization name can contain only the following characters:
A through Z
a through z
0 through 9
Space (not leading or trailing)
Hyphen or dash
The organization name can’t contain more than 64 characters. The organization
name can’t be blank. If the organization name contains spaces, you must enclose
the name in quotation marks (“). -
Verifies that the schema
has been updated and that the organization is up to date by checking the objectVersion
property in Active Directory. The objectVersion property is in the
CN=<your organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain> container. The objectVersion
value for Exchange 2010 RTM is 12640. The objectVersion value for
Exchange 2010 SP1 is 13214. -
If the containers don’t
exist, creates the following containers and objects under CN=<Organization
Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root
domain>, which are required for Exchange 2010:CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Addressing,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Client Access,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Connections,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=ELC Folders,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root
domain>CN=Global Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=System Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=Transport Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=UM AutoAttendant,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=UM DialPlan,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=UM IPGateway,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain> -
If it doesn’t exist,
creates the default Accepted Domains entry, based on the forest root namespace,
under CN=Transport Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain>. -
Assigns specific
permissions throughout the configuration partition. -
Imports the Rights.ldf
file. This adds the extended rights required for Exchange to install into
Active Directory. -
Creates the Microsoft
Exchange Security Groups organizational unit (OU) in the root domain of the
forest and assigns specific permissions on this OU. -
Creates the following
management role groups within the Microsoft Exchange Security Groups OU:Exchange Organization Management
Exchange Recipient Management
Exchange Server Management
Exchange View-Only Organization Management
Exchange Public Folder Management
Exchange UM Management
Exchange Hygiene Management
Exchange Records Management
Exchange Discovery Management
Exchange Delegated Setup
-
Adds the new universal
security groups (USGs) that are within the Microsoft Exchange Security Groups
OU to the otherWellKnownObjects attribute stored on the CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<root domain> container. -
Creates the Unified
Messaging Voice Originator contact in the Microsoft Exchange System Objects
container of the root domain. -
Prepares the local domain
for Exchange 2010. For information about what tasks are completed to prepare a
domain, see Step 4.
Note the following:
-
To run this command, you
must be a member of the Enterprise Admins group. -
The computer where you run
this command must be able to contact all domains in the forest on port 389. -
You must run this command
on a computer in the same domain and in the same Active Directory site as the
schema master. Setup will make all configuration changes to the schema master
to avoid conflicts because of replication latency. -
If you haven’t completed
Step 1, setup /PrepareAD will automatically perform the PrepareLegacyExchangePermissions
step. To complete the PrepareLegacyExchangePermissions step, the domain
in which you run this command must be able to contact all domains in the
forest. If you’re also a member of the Schema Admins group, and if you haven’t
completed Step 2, setup /PrepareAD will automatically perform the
PrepareSchema step. The advantages of running each step separately are that you
can run each step with an account that has the minimum permissions required for
that step, and you can verify completion, success, and replication before
continuing to the next step. -
After you run this command,
you should wait for the changes to replicate across your Exchange organization
before continuing to the next step. The amount of time this takes is dependent
upon your Active Directory site topology. -
To verify that this step
completed successfully, make sure that there is a new OU in the root domain
called Microsoft Exchange Security Groups. This OU should contain the
following new Exchange USGs:Exchange Security Groups OU:
Exchange Organization Management
Exchange Recipient Management
Exchange Server Management
Exchange View-Only Organization Management
Exchange Public Folder Management
Exchange UM Management
Exchange Hygiene Management
Exchange Records Management
Exchange Discovery Management
Exchange Delegated Setup
ExchangeLegacyInterop
-
From a Command Prompt
window, run one of the following commands:
-
Run setup /PrepareDomain
or setup /pd to prepare the local domain. You don’t need to run this in
the domain where you ran Step 3. Running setup /PrepareAD prepares the
local domain. -
Run setup
/PrepareDomain:<FQDN of domain you want to prepare> to prepare
a specific domain. -
Run setup
/PrepareAllDomains or setup /pad to prepare all domains in your
organization.
These commands perform the following tasks:
-
If this is a new
organization, creates the Microsoft Exchange System Objects container in the
root domain partition in Active Directory and sets permissions on this
container for the Exchange Servers, Exchange Organization Administrators, and
Authenticated Users groups. This container is used to store public folder proxy
objects and Exchange-related system objects, such as the mailbox database’s
mailbox. -
Sets the objectVersion
property in the Microsoft Exchange System Objects container under DC=<root
domain>. This objectVersion property contains the version of
domain preparation. The version for Exchange 2010 RTM is 12640. The version for
Exchange 2010 RTM is 13040. -
Creates a domain global
group in the current domain called Exchange Install Domain Servers. The command
places this group in the Microsoft Exchange System Objects container. It also
adds the Exchange Install Domain Servers group to the Exchange Servers USG in
the root domain.
Note: |
The Exchange Install Domain Servers group is used if you install Exchange 2010 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships haven’t replicated to the child domain. |
-
Assigns permissions at the
domain level for the Exchange Servers USG and the Exchange Recipient
Administrators USG.
Note the following:
-
To run setup
/PrepareAllDomains, you must be a member of the Enterprise Admins group. -
To run setup
/PrepareDomain, if the domain that you’re preparing existed before you ran setup
/PrepareAD, you must be a member of the Domain Admins group in the domain.
If the domain that you’re preparing was created after you ran setup
/PrepareAD, you must be a member of the Exchange Organization
Administrators group, and you must be a member of the Domain Admins group in
the domain. -
For domains in an Active
Directory site other than the root domain, /PrepareDomain might fail
with the following messages:“PrepareDomain for domain <YourDomain> has partially
completed. Because of the Active Directory site configuration, you must wait at
least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain>
again.”“Active Directory operation failed on <YourServer>. This
error is not retriable. Additional information: The specified group type is
invalid.Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003
(WILL_NOT_PERFORM), data 0The server cannot handle directory requests.”
If you see these messages, wait for or force Active Directory replication between
this domain and the root domain, and then run /PrepareDomain again. -
You must run this command
in every domain in which you will install Exchange 2010. You must also run this
command in every domain that will contain mail-enabled users, even if the domain
doesn’t have Exchange 2010 installed.
To verify that this step completed successfully, confirm the
following:
-
You have a new global group
in the Microsoft Exchange System Objects container called Exchange Install
Domain Servers.
Note: |
To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features. |
-
The Exchange Install Domain
Servers group is a member of the Exchange Servers USG in the root domain. -
On each domain controller
in a domain in which you will install Exchange 2010, the Exchange Servers USG
has permissions on the Domain Controller Security Policy\Local Policies\User
Rights Assignment\Manage Auditing and Security Log policy.
Upgrade database availability group members
When upgrading a database availability group (DAG) member to
Exchange 2010 SP1, you need to consider and plan for some specific issues.
Before upgrading any DAG members to Exchange 2010 SP1, consider the following:
- Upgrade only passive servers
Before applying Exchange 2010 SP1 to a DAG member, move all active mailbox
database copies off the server to be upgraded and configure the server to
be blocked from activation. If the server to be upgraded currently holds
the primary Active Manager role, move the role to another DAG member prior
to performing the upgrade. You can determine which DAG member holds the
primary Active Manager role by running Get-DatabaseAvailabilityGroup
-Status | Format-List PrimaryActiveManager. - Place server in maintenance mode
Before applying Exchange 2010 SP1 to any DAG member, you may want to
adjust monitoring applications that are in use so that the server doesn’t
generate alerts or alarms during the upgrade. For example, if you’re using
Microsoft System Center Operations Manager 2007 to monitor your DAG
members, you should put the DAG member to be upgraded in maintenance mode
prior to performing the upgrade. - Stop any processes that might
interfere with the upgrade Stop any
scheduled tasks or other processes running on the DAG member or within
that DAG that could adversely affect the DAG member being upgraded or the
upgrade process. - Verify the DAG is healthy
Before applying Exchange 2010 SP1 to any DAG member, we recommend that you
verify the health of the DAG and its mailbox database copies. A healthy
DAG will pass MAPI connectivity tests to all active databases in the DAG,
will have mailbox database copies with a copy queue length and replay
queue length that’s very low, if not 0, as well as a copy status and
content index state of Healthy. - Be aware of other implications of
the upgrade A DAG member running the RTM
version of Exchange 2010 can move its active databases to a DAG member
running Exchange 2010 SP1, but not the reverse. After a DAG member has
been upgraded to Exchange 2010 SP1, its active database copies can’t be
moved to another DAG member running the RTM version.