The first step is to remove the server that is about to be updated from the Network Load Balancing (NLB) cluster.

There are two ways to take a CAS array member our of the NLB cluster:

  • Issue a Stop command to the server
  • Issue a Drainstop command to the server

The difference between the two is that Stop will immediately stop the server regardless of who is currently connected to it, while Drainstop will put the server in a state where it will not accept new connections but will continue serving existing connections until they disconnect.

For urgent updates a Stop command may be necessary, but for planned maintenance a Drainstop has the least potential impact on active client connections to the CAS array.

To issue a Drainstop launch Network Load Balancing Manager, right-click on the desired server, choose Control Host and then Drainstop.



When the server has no more active connections it will be in a stopped state.



Right click the server and choose Properties. Set the default state of the server to Stopped. This will prevent it from automatically starting and accepting client connections after any reboots that the updates require, to allow you time to verify the updates were successful first before rejoining the NLB cluster


Stop Conflicting Services


The Client Access Server role is often installed on the same server as the Hub Transport server role, even when deployed as a CAS array.


Hub Transport servers often run additional applications such as antivirus and anti-spam software that hooks into the Exchange Server services. These can cause conflicts with Exchange Server updates, for example if a third party application tries to automatically restart a service that it depends on that has been stopped by the update process.


Forefront is one example of this, so for servers running Forefront Protection for Exchange those services can be stopped using FSUtility.


C:\> fsutility /disable


Disabling Monitoring


If the CAS array members are monitored using SCOM or another system this should also be disabled, or placed into maintenance mode before the update is performed. This prevents unnecessary alarms in the monitoring system due to stopped services or server restarts, and also prevents the monitoring agent from trying to perform any automatic remediation such as restarting services.


Backing Up the Server


Some organizations will require an ad-hoc backup be run of at least one CAS array member before updates are applied. Others will be happy to rely on the latest scheduled backup instead. And some will even be satisfied that multiple CAS array members exist and so if a bad update puts one of them out of action there is no outage to end users, and the server can simply be manually reinstalled.


Updating the Server


Install the update following the procedure for that update type.


Update rollups come in the form of a .MSP file (Windows Installer Patch) that is applied to the server. Simply double-click the file or launch it from a command line window.


Service packs are a complete reissue of the Exchange Server setup files and are installed by running setup in upgrade mode, which can be run in either graphical or command line mode.


C:\> setup /m:upgrade


Both update rollups and service packs can take some time to install, so plan a large window of time for these updates.


Verifying the Update


After the update has completed, and if necessary the server rebooted, you should check the server’s health before placing it back into production in the CAS array.


Event Logs – look for error or warning events that have started since the update was applied.


Setup Logs – service packs write a complete setup log file to C:\ExchangeSetupLogs


Services – check the Exchange services are running (or at least those that you expect to be running, some such as IMAP and POP will be stopped if you have not explicitly enabled them)


[PS] C:\>get-service *exchange*




Status   Name               DisplayName


——   —-               ———–


Running  MSExchangeAB       Microsoft Exchange Address Book


Running  MSExchangeADTop… Microsoft Exchange Active Directory…


Running  MSExchangeAntis… Microsoft Exchange Anti-spam Update


Running  MSExchangeEdgeSync Microsoft Exchange EdgeSync


Running  MSExchangeFBA      Microsoft Exchange Forms-Based Auth…


Running  MSExchangeFDS      Microsoft Exchange File Distribution


Stopped  MSExchangeImap4    Microsoft Exchange IMAP4


Running  MSExchangeMailb… Microsoft Exchange Mailbox Replication


Stopped  MSExchangeMonit… Microsoft Exchange Monitoring


Stopped  MSExchangePop3     Microsoft Exchange POP3


Running  MSExchangeProte… Microsoft Exchange Protected Servic…


Running  MSExchangeRPC      Microsoft Exchange RPC Client Access


Running  MSExchangeServi… Microsoft Exchange Service Host


Running  MSExchangeTrans… Microsoft Exchange Transport


Running  MSExchangeTrans… Microsoft Exchange Transport Log Se…


Stopped  msftesql-Exchange  Microsoft Search  (Exchange)


Running  vmickvpexchange    Hyper-V Data Exchange Service


Returning the Server to Production


If the update was successful and the server healthy then it can be placed back into production.


Re-enable services such as Forefront Protection for Exchange.


C:\> fsutility /enable


Start the server in the NLB cluster.