Think Twice Before Installing only the CAS Role for Exchange 2013

Microsoft’s recommendation when deploying Exchange is to install multi-role servers–it has been since Exchange 2010. This means that both Exchange 2013 client access (CAS) and mailbox roles are recommended to be installed on the same server, and not individually.*

*This is a very specific case focused on preparing environments for moving on premise mailboxes to Exchange Online via Exchange hybrid migration.

I was working with a customer recently who was planning to migrate their on premise environment to Office 365 Exchange Online.

They had several Exchange 2007 and 2013 servers. And of the Exchange 2013 servers, there was one server configured with the client access role only that was identified to be the hybrid server during the migration process. Not fully understanding the planning process prior to becoming involved with this project, I was a bit behind the eight ball when I found that this specific CAS-only server was identified as the “hybrid” server for the migration to Office 365.

As we may all know, in order to configure the hybrid, the on premise Exchange 2013 environment must have a public facing CAS and mailbox roles. They don’t have to be on the same server but it is much simpler when they are–and recommended to reduce implementation complexity. If they aren’t on the same server the there must be two ingress and egress points. And most customers being security-minded will not poke another hole in the firewall for email services.

With this specific project, we needed to install the mailbox role on the existing CAS-only role server. This is where things started to rapidly decline.

It was my understanding that we couldn’t install another role on a server that already had one, that it would be best to remove the existing role and then install both roles. However, from the MEC 2014 session titled “Experts Unplugged: Exchange Deployment” with a panel of Exchange powerhouses (Jeff Meallife, Greg Taylor, Scott Schnoll, Jeff Guillet and the late Andrew Ehrensing) the guidance is this…

"An individual role cannot be uninstalled when multi-role is installed;
All roles must be uninstalled to be able to install the single role you want; and
Multi-role is highly recommended in all situations."

Given this information, we should be fine to install the mailbox role on the target server. This specific Exchange 2013 server had CU7 installed along with the interim Exchange 2013 CU7 security patch KB3040856 (MS15-026).

We proceeded to go about installing the mailbox role on the CAS-only server. However, the install stopped immediately without any indication of why. The setup log was specific, however, to point out that the version installed was not the expected version. It wasn’t. The version of CU7 with the interim security patch was 15.00.1044.029 and we were trying to install CU7 (without the patch), which is version 15.00.1044.025. To find out what version of Exchange is installed in your environment, refer to this article.

The patch was removed, the server restarted, the install restarted and the same error was received.

This server role can't be installed because the following roles aren't current: ClientAccessRole

But this time we found a fix to adjust the registry based on the error that was received. Client Boessen provides a fix based on a similar experience here … This server role can’t be installed because the following roles aren’t current: AdminToolsRole.

The ClientAccessRole version for both the ConfiguredVersion and UnpackedVersion keys showed 15.0.995.29. This finding was odd because that version number is CU6. But the values for FrontendTransportRole, HubTransportRole and MailboxRole all show the version related to CU7 (without the interim patch). Therefore, the two values for ClientAccessRole\ConfiguredVersion and ClientAccessRole\UnpackedVersion were adjusted accordingly to reflect the CU7 version number, 15.0.1044.25.

The CU7 installation of the mailbox role was restarted and completed without error. The hybrid configuration wizard was also able to be completed.

However… Until later on in the day, it was discovered that ActiveSync users were experiencing intermittent disconnects and could not send or receive mail.

During additional investigation, it was discovered on the server that we added the mailbox role to that there were no virtual directories in IIS. The folder structure was on the server but it appeared that the setup did not actually complete the configuration of IIS for the mailbox role.

Because of this “failed” install, essentially the EAS request would occasionally be proxied to one of the other Exchange 2013 servers with a properly functioning mailbox role. The other times, the request would timeout because the local mailbox role wouldn’t respond.

Then, an attempted to install CU8 was made, which completed flawlessly I might add, but still did not update the components that the previous install lacked.

Time to call in reinforcements. Microsoft troubleshoot for a while but could not determine why the mailbox role did not properly, or completely, install when it should have.

Ultimately, both Exchange 2013 roles were removed from the server along with all of the IIS feature set. Then, the Exchange 2013 prerequisites were reinstalled followed by installing both client access and mailbox roles (at the same time) via the Exchange 2013 CU8 install media.

After that, a little configuration was performed to bring the server back into the mix. Finally, testing all aspects of Exchange with this “rebuilt” hybrid server functioned without further issues.

The moral of this story, always follow Microsoft’s recommendation deployment strategies and you won’t find yourself troubleshooting unnecessary issues.

My counsel to you…”Think twice before installing only the CAS role for Exchange 2013.

Good luck and have fun!



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s