Update Servers/Microsoft Exchange/Upgrading Considerations.md
@ -1,22 +1,92 @@
**Purpose**:
This document is meant to be an abstract guide on what to do before upgrading Microsoft Exchange Server (2013/2016/2019). There are a few considerations that need to be made ahead of time. You have to be logged in with a domain user that possesses the following domain group memberships:
This document is meant to be an abstract guide on what to do before upgrading Microsoft Exchange Server (2013/2016/2019). There are a few considerations that need to be made ahead of time.

!!! abstract "Overview"
We are looking to add an administrative user to several domain security groups, adjust local security policy to put them into the "Manage Auditing and Security Logs" security policy, and run the setup.exe included on the Cumulative Update ISO images within a `SeSecurityPrivilege` operational context.

## Domain Group Membership
You have to be logged in with a domain user that possesses the following domain group memberships, if these group memberships are missing, the upgrade process will fail.

- `Enterprise Admins`
- `Schema Admins`
- `Organization Management`

Secondly, you have to run the installer in a specific way:
## User Rights Management
You have to be part of the "**Local Policies > User Rights Assignment > "Manage Auditing and Security Logs**" security policy. You can set this via group policy management or locally on the Exchange server via `secpol.msc`. This is required for the "Monitoring Tools" portion of the upgrade.

!!! warning "Invoke `Setup.exe` via Administrative Command Prompt"
There are known issues with running the upgrade process that can only be resolved by launching setup.exe from an admin command prompt. Firstly, log in as the above user with the security group memberships mentioned, then run setup.exe. An example is below:
It's recommended to reboot the server after making this change to be triple-sure that everything was applied correctly.

## Example Command Invocation
``` sh
whoami # (1)
D: # (2)
setup.exe # (3)
!!! note "Security Policy Only Required on Exchange Server"
While the `Enterprise Admins`, `Schema Admins`, and `Organization Management` security group memberships are required on a domain-wide level, the security policy membership for "Manage Auditing and Security Logs" mentioned above is only required on the Exchange Server itself. You can create a group policy that only targets the Exchange Server to add this, or you can make your user a domain-wide member of "Manage Auditing and Security Logs" (Optional). If no existing policies are in-place affecting the Exchange server, you can just use `secpol.msc` to manually add your user to this security policy for the duration of the upgrade/update (or leave it there for future updates).

## `SeSecurityPrivilege` Operational Context
At this point, you would technically be ready to invoke `setup.exe` on the Cumulative Update ISO image to launch the upgrade process, but we are going to go the extra mile to manually "Enable" the `SeSecurityPrivilege` within a Powershell session, then use that same session to invoke the `setup.exe` so the updater runs within that context. This is not really necessary, but something I added as a "hail mary" to make the upgrade successful.

### Open Powershell ISE (As Administrator)
The first thing we are going to do, is open the Powershell ISE so we can copy/paste the following powershell script, this script will explicitely enable `SeSecurityPrivilege` for anyone who holds that privilege within the powershell session.

```powershell title="SeSecurityPrivilege Enablement Script"
# Create a privilege adjustment
$definition = @"
using System;
using System.Runtime.InteropServices;

public class Privilege
{
const int SE_PRIVILEGE_ENABLED = 0x00000002;
const int TOKEN_ADJUST_PRIVILEGES = 0x0020;
const int TOKEN_QUERY = 0x0008;
const string SE_SECURITY_NAME = "SeSecurityPrivilege";

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, out IntPtr TokenHandle);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState, int BufferLength, IntPtr PreviousState, IntPtr ReturnLength);

[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TOKEN_PRIVILEGES
{
public int PrivilegeCount;
public long Luid;
public int Attributes;
}

public static bool EnablePrivilege()
{
IntPtr tokenHandle;
TOKEN_PRIVILEGES tokenPrivileges;

if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tokenHandle))
return false;

if (!LookupPrivilegeValue(null, SE_SECURITY_NAME, out tokenPrivileges.Luid))
return false;

tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Attributes = SE_PRIVILEGE_ENABLED;

return AdjustTokenPrivileges(tokenHandle, false, ref tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero);
}
}
"@

Add-Type -TypeDefinition $definition
[Privilege]::EnablePrivilege()
```

1. This will validate that you are using the `domain\user` of an administrative domain user.
2. This changes the directory to whatever the drive letter of the mounted cumulative update ISO file is.
3. This will invoke setup.exe as you with administrative privileges.
### Validate Privilege
At this point, we now have a powershell session operating with the `SeSecurityPrivilege` privilege enabled. We want to confirm this by running the following commands:

```powershell
whoami # Output Similar to "bunny-lab\nicole.rappe"
whoami /priv # See the below table to validate the privilege is enabled
```

| **Privilege Name** | **Description** | **State** |
| :--- | :--- | :--- |
| `SeSecurityPrivilege` | Manage auditing and security log | Enabled |

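Review bot: `EnablePrivilege()` in the added "SeSecurityPrivilege Enablement Script" block can return `True` even when the privilege was not enabled, because `AdjustTokenPrivileges` returns a nonzero value whenever the call itself succeeds and only reports a privilege it could not assign through `GetLastError()` returning `ERROR_NOT_ALL_ASSIGNED` (1300). Since the surrounding text says the script enables the privilege "for anyone who holds that privilege", the return value should be qualified with a `Marshal.GetLastWin32Error()` check after the `AdjustTokenPrivileges` call (and the token handle should be released with `CloseHandle`), otherwise the `whoami /priv` table in "Validate Privilege" is the only real confirmation and a `True` from the script is misleading. A second point on the same hunk: the "`SeSecurityPrivilege` Operational Context" paragraph says the same PowerShell session will be used to invoke `setup.exe`, but the old "Example Command Invocation" block (`D:` / `setup.exe` with its numbered annotations) is removed without a replacement, so after the `whoami /priv` validation the reader has no step showing how the updater is launched from that session; consider carrying the invocation over into the new "Validate Privilege" section or a following one.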