This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 39%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEA%3C/text%3E%3C/svg%3E)
I have a question related to the current Exchange vulnerabilities: I run an Exchange server 2016 with CU15. Since the installation of the security patch required a more recent CU, I tried to install CU19 but the system threw a "System.UnauthorizedAccessException” at step 16 of 18 which is “Mailbox role: client access front end service”. I already tried to reinstall CU19 but it does not seem to be possible. Since CU19 was not successfully installed, I still cannot install the security patch.
Since a few days, there is also a security patch for CU15 available. However, the system detects CU19 so I am also unable to install this patch.
Is there any option to repair CU19 or how would you suggest proceeding? The ultima ratio would be to fully reinstall the entire Exchange server but cannot imagine that is the most efficient way.
I suspect your server may already be compromised.
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
Run through this doc and use the Safety Scanner as well:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
If so, a rebuild may be necessary regardless.
You can use the RecoverServer switch
Thank you for the quick reply. I directly disconnected the servers’ internet connection on Wednesday a week ago when the vulnerabilities have first been published. This was not a problem since the server has not been used as a productive system. So it is not compromised.
I would still verify that. That permissions error is one indicator.
Regardless, consider rebuilding it if you can't get the CU update to run:
See this thread for some possible solutions on the permissions issue:
https://learn.microsoft.com/en-us/answers/questions/307762/cu-update-install-failing-with-error-1603.html?childToView=313033#answer-313033
Yesterday I have verified again that the server is not compromised.
Thank you for the link. This link might have helped me when I tried to install CU19 for the first time. Obviously, I should have set the permission as suggested in the link (for whatever reason).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
Hi,
Did you run prepare AD steps before the setup?
Does the DC that your server connects to have FSMO roles?
Is the account you log in a member of schema admins, domain admins and exchange organization management?
Run the following command and check if any components are inactive:
Get-ServerComponentState –Identity <ServerID>
Check the Exchange setup log if the update fails again.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for your answer! I interpret your link in the way that preparing the AD schema is only relevant "if you have a large Active Directory deployment, or if a separate team manages Active Directory". I have a very small AD so I used the Setup wizard that does not require preparing the AD schema if I see it correctly. The same opinion is held in another thread [2]. But please correct me if I'm wrong!
I also think that I should make my user a schema and domain admin. However, I'm afraid this would only help after I have reinstalled the entire Exchange server since I have already unsuccessfully installed the CU. What would you suggest as the next step?
[1] https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019
[2] https://learn.microsoft.com/en-us/answers/questions/307762/cu-update-install-failing-with-error-1603.html?childToView=313033#answer-313033
I have never tested with a user account that does not belong to schema and domain admin so I can't make a conclusion, but I found a saying:
if the account you are using is part of schema admins,domain admins and enterprise admins groups, running setup will automatically does that for you in the backend.. if you don't have those permissions then the person with these permissions has to run /prepareschema and /preparead against setup.exe manually
Normally we use the domain account with all permissions and then run the setup without Prepare AD steps, that's OK. Since you've got an issue now, you might need to try those steps.
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.