Exchange Server 2019 mid 2018 and Skype for Business 2019 late 2018
Category: Microsoft
Exchange Server 2016 Cumulative Update 7 (KB4018115) and Exchange Server 2013 Cumulative Update 18 (KB4022631)
The latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013 are now available on the download center. These releases include fixes to customer reported issues, all previously reported security/quality issues and updated functionality.
Minimum supported Forest Functional Level is now 2008R2
In our blog post, Active Directory Forest Functional Levels for Exchange Server 2016, we informed customers that Exchange Server 2016 would enforce a minimum 2008R2 Forest Functional Level requirement for Active Directory. Cumulative Update 7 for Exchange Server 2016 will now enforce this requirement. This change will require all domain controllers in a forest where Exchange is installed to be running Windows Server 2008R2 or higher. Active Directory support for Exchange Server 2013 remains unchanged at this time.
Support for latest .NET Framework
The .NET team is preparing to release a new update to the framework, .NET Framework 4.7.1. The Exchange Team will include support for .NET Framework 4.7.1 in our December Quarterly updates for Exchange Server 2013 and 2016, at which point it will be optional. .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases. Customers should plan to upgrade to .NET Framework 4.7.1 between the December 2017 and June 2018 quarterly releases.
The Exchange team has decided to skip supporting .NET 4.7.0 with Exchange Server. We have done this not because of problems with the 4.7.0 version of the Framework, rather as an optimization to encourage adoption of the latest version.
Known unresolved issues in these releases
The following known issues exist in these releases and will be resolved in a future update:
- Online Archive Folders created in O365 will not appear in the Outlook on the Web UI
- Information protected e-Mails may show hyperlinks which are not fully translated to a supported, local language
Release Details
KB articles that describe the fixes in each release are available as follows:
- Exchange Server 2016 Cumulative Update 7 (KB4018115), Download, UM Lang Packs
- Exchange Server 2013 Cumulative Update 18 (KB4022631), Download, UM Lang Packs
Exchange Server 2016 Cumulative Update 7 does not include new updates to Active Directory Schema. If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current.
Exchange Server 2013 Cumulative Update 18 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 18. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.
Additional Information
Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.
Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.
Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU18, 2016 CU7) or the prior (e.g., 2013 CU17, 2016 CU6) Cumulative Update release.
For the latest information on Exchange Server and product announcements please see What’s New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.
Note: Documentation may not be fully available at the time this post is published.
Exchange 2010-2016 Security Fixes
Microsoft released security updates to fix a remote code execution vulnerability in
Exchange Server. The related knowledge base article is KB4018588.
More information is contained in the following Common Vulnerabilities and Exposures articles:
- CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
- CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
- CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability
Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:
- Exchange 2010 SP3
Rollup 18 For Exchange 2010 SP3 (KB4018588), v14.3.361.1 - Exchange 2013 SP1
Security Update For Exchange Server 2013 SP1 (KB4018588), v15.0.847.55 - Exchange 2013 CU16
Security Update For Exchange Server 2013 CU16 (KB4018588), v15.0.1293.4 - Exchange 2016 CU5
Security Update For Exchange Server 2016 CU5 (KB4018588), v15.1.845.36
As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.
The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.
Exchange Server 2016 online training courses now available
Microsoft announced the release of four new edX online training courses for Microsoft Exchange Server 2016. If you plan to implement Exchange Server 2016 or Exchange Online, or if you want to make sure that your implementation was done right, the Exchange Server 2016 online training courses are for you.
Course offerings include:
- CLD208.1x: Microsoft Exchange Server 2016 Infrastructure—Learn how to plan, configure and manage Active Directory infrastructure requirements for Microsoft Exchange Server 2016.
- CLD208.2x: Microsoft Exchange Server 2016 Client Access Services—Find out how to plan and implement mobile messaging, Outlook and secure Internet access to improve client access services.
- CLD208.3x: Microsoft Exchange Server 2016 Mailbox Databases—Get the details on planning and configuring mailbox databases, including backup, recovery and restoration.
- CLD208.4x: Microsoft Exchange Server 2016 Transport Services—Explore planning and configuring message transport services, including antivirus, malware detection and spam-filtering solutions.
Each Exchange course is targeted to the IT professional audience, with hands-on labs that reinforce student learning. Students are graded on completing each module, as well as on module assessment exams and a final course exam. A Certificate can be earned by completing each course with a passing grade. Courses are self-paced, allowing IT professionals to build Exchange skills at their own pace as their schedules permit.
The first course, CLD208.1x: Microsoft Exchange Server 2016 Infrastructure, is free. The remaining three courses are for-fee courses at $49 USD per course.
edX is a massive open online course (MOOC) provider that was developed by MIT and Harvard University. The Microsoft Learning Experiences team has created a wide range of online training courses for edX, and these four Exchange courses are the team’s latest Office releases. They are the first of seven courses that cover the core skills an Exchange administrator needs to proficiently design, implement and manage an Exchange 2016 and Exchange Online implementation.
CPU usage is high when you use RPC over HTTP protocol in Windows 8.1 or Windows Server 2012 R2
Consider the following scenario that takes Microsoft Exchange Server 2013 as an example:
- The Mailbox server role is enabled in Exchange Server 2013.
- Exchange mailboxes use extended MAPI to communicate with the Exchange Server.
- The extended MAPI uses Microsoft RPC over HTTP (remote procedure call over HTTP) protocol.
- Many clients (such as mobile devices) are dropping connections to the Exchange Server.
In this scenario, the CPU usage on the Exchange server may reach 100 percent.\
Hotfix: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3041832&kbln=en-US
Important update for Azure Active Directory Connect – Version 1.1.553.0
Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.
The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.
- If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
- If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
- It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.
EXCHANGE 2013 CU17 AND EXCHANGE 2016 CU6
On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.
A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26)
Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).
The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.
Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).
When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.
.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.
Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.
The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.
KB articles that describe the fixes, features and information in each release are available as follows:
|
Version |
Build |
KB Article |
Download |
UMLP |
Schema Changes |
|
Exchange 2016 CU6 |
15.1.1034.26 |
Yes |
|||
|
Exchange 2013 CU17 |
15.0.1320.4 |
No |
Source: jaapwesselius
New MVA learning paths for IT pros
Learn about the new paths for IT pros:
- PowerShell: Beginner. Step up your IT pro game with foundational knowledge of PowerShell. Learn to use the command line to solve an issue, automate your infrastructure, and more.
- PowerShell: Advanced. Go beyond the basics with scripting, reusable tools, and cmdlets—all taught by the architect and inventor of PowerShell, Jeffrey Snover.
- Security for IT Pros. Beef up your security know-how with practical tips and tricks from the Microsoft security team.
- DevOps for IT Pros. Your devs need you! Learn more about application performance and support monitoring with Microsoft Azure.
- Introduction to Windows Server 2012 R2. Command this leading-edge server with tutorials on installation, roles, Microsoft Active Directory, storage, performance management, and maintenance.
- Windows Server 2012 R2 Security and Identity. Build upon your security knowledge with Windows Server 2016 fundamentals, like Active Directory, basic PKI, and BYOD concepts.
- Windows Server 2012 R2 Compute. Discover everything you need to know about virtualization and storage with courses on IP address management, server networking, Microsoft Hyper-V, and more.
CleanUp Old Active Sync Devices
Overview older than 30 Days:
Get-MobileDevice | Get-MobileDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} | out-gridview
Delete active sync devices older then 30 days
Get-MobileDevice | Get-MobileDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} | Remove-MobileDevice -Confirm:$false
Some handy URL for SQL Maintenance
2 Handy SQL Scripts
ForceDatabaseOffline:
USE master
GO
ALTER DATABASE YourDatabaseName
SET OFFLINE WITH ROLLBACK IMMEDIATE
GO
ShowOpenConnections:
SELECT
DB_NAME(dbid) as DBName,
COUNT(dbid) as NumberOfConnections,
loginame as LoginName
FROM
sys.sysprocesses
WHERE
dbid > 0
GROUP BY
dbid, loginame
;
The Tool that is love is SP_Blitz
httpv://www.youtube.com/watch?v=5QAL9itupMA
Do need to do some SQL Maintenance, i have for you some handy URLs:
https://ola.hallengren.com/
https://www.brentozar.com/