Monday, August 17, 2015

Windows Update issues on Windows Server 2008, 2008 R2 and 2012

Home users: Please don’t try this at home! This article is intended for use by support agents and IT professionals. If you're looking for more information about Windows Update or Microsoft Update errors, go to the following Microsoft websites:

When you try to install an update to Windows, a Windows component, or a Microsoft or third-party software program, you experience one or more of the following symptoms:
  • You cannot view Windows roles or features.
  • A service pack installation fails.
  • When you try to connect to the Windows Update or Microsoft Update website, one of the following error codes is logged in the Windows Update log (windowsupdate.log) or in the Component Based Servicing log (CBS.log):
    • 0xC80001FE
    • 0x80200010
    • 0x80070643
    • 0x80246002
    • 0x80070490
    • 0x80070420
    • 0x80073712
    • 0x80246007
    • 0x8000FFFF
    • 0x80070424
    • 0x80248007
    • 0x8007064C
    • 0x8024D00C
    • 0x8007066A
    • 0x80245003
    • 0x8024402C
Cause
This problem may occur if one or more of the following conditions are true:
  • The Windows Update database is corrupted.
  • Antivirus software is configured to scan the %Windir%\SoftwareDistribution folder.
  • The Background Intelligent Transfer Service (BITS) service does not receive a content link header.
  • A required system file is registered incorrectly.
  • Windows Installer encountered an error.
  • The Component Based Servicing (CBS) manifest is corrupted.
  • The Windows Update service stops during the installation process.
  • There's a file version conflict with Windows Update agent files.
Resolution
To resolve this problem, try each of the following methods. After each method, test to see whether the problem is resolved before you go on to the next method. If the problem is resolved by any method, you don't have to try the remaining methods.


Method 1: Run the Windows Update troubleshooter

To do this, go to the Windows Update troubleshooter.

Method 2: Download and manually install the update

To do this, follow these steps:
  1. Determine the Microsoft Knowledge Base article number of the failed update. To do this, do one of the following:
    • View the error code message.
    • View the update history on the Windows Update website or on the Microsoft Update website. To do this, follow these steps:
      1. Go to the following Microsoft Update website:
      2. Under Options, click Review your update history.
      3. In the Update column, determine the Microsoft Knowledge Base article number of the failed update.
  2. Go to the following Windows Download website:
  3. In the Search box on the Downloads webpage, type the article number that you located in step 1, and then click Go.
    Note Do not include the letters "kb" when you type the article number. For example, type "kb123456" as 123456.
  4. Browse through the list of returned content to locate the Knowledge Base article that has a link to the download.
    Note You may be prompted to validate Windows. If you are prompted, follow the instructions to validate Windows, and then continue to download the update.
  5. Click Download, and then click Save when you are prompted to save the download. Save the download to your desktop.
  6. After the download is finished, click Open to install the update.
    Note The update installation may fail if the update is incorrect for your version of Windows.

Method 3: Restart your computer, and then try to install the updates again

Exit all programs that are running, restart your computer, and then try to install the updates again.

Note Restarting the computer will make sure that all previous installations have finished, and that no remaining processes require a system restart before they can finish.

Method 4: Run the System Update Readiness tool (CheckSur.exe)

Download and run the System Update Readiness tool. This tool runs a one-time scan for inconsistencies that may prevent future servicing operations. For more information about how to download and run the CheckSur.exe tool, see the following article in the Microsoft Knowledge Base:
Fix Windows corruption errors by using the DISM or System Update Readiness tool (https://support.microsoft.com/kb/947821)
Try to install updates again.

Note After you run the tool, the CheckSur.log file is saved in the following location:
%systemroot%\logs\cbs

Method 5: Run the System File Checker tool (SFC.exe)

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. At the command prompt, type sfc /scannow, and then press Enter.
  3. After the scan is finished, try to install updates again.

Method 6: Reset the content of the Catroot2 folder

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. Type the following commands, and press Enter after each command:
    • net stop cryptsvc
    • md %systemroot%\system32\catroot2.old
    • xcopy %systemroot%\system32\catroot2 %systemroot%\system32\catroot2.old /s
  3. Delete all contents of the catroot2 folder, but do not delete the catroot2 folder.
  4. Type the following command, and then press Enter:
    net start cryptsvc
  5. Exit the Command Prompt window.

Method 7: Delete any incorrect registry values

Delete any incorrect values that may exist in the registry. To do this, follow these steps:
  1. Click Start, and then type regedit in the Start Search box.
  2. In the Programs list, click regedit.exe.
  3. Locate and then select the following registry subkey:
    HKEY_LOCAL_MACHINE\COMPONENTS
  4. Right-click COMPONENTS.
  5. Click Export.
  6. In the File Name box, type COMPONENTS.
  7. In the Save in box, click Desktop, click Save, and then save the file to your desktop.
  8. In the details pane, right-click PendingXmlIdentifier, and then click Delete. If this value does not exist, go to the next step.
  9. In the details pane, right-click NextQueueEntryIndex, and then click Delete. If this value does not exist, go to the next step.
  10. In the details pane, right-click AdvancedInstallersNeedResolving, and then click Delete. If the value does not exist, go to the next step.
  11. Restart the computer.
  12. Try to install the updates again.

Method 8: Register the Windows Update files

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. At the command prompt, type the following command:
    REGSVR32 WUPS2.DLL /S
    REGSVR32 WUPS.DLL /S
    REGSVR32 WUAUENG.DLL /S
    REGSVR32 WUAPI.DLL /S
    REGSVR32 WUCLTUX.DLL /S
    REGSVR32 WUWEBV.DLL /S
    REGSVR32 JSCRIPT.DLL /S
    REGSVR32 MSXML3.DLL /S
  3. Try to install updates again.

Method 9: Make sure that your antivirus application does not scan certain files

Make sure that your antivirus application does not scan the files in the %windir%\SoftwareDistribution directory on any computer on which the Windows Update Agent is installed.

For computers that are running Windows Server 2003, Microsoft Windows 2000, Windows XP, Windows Vista, or Windows Server 2008, do not scan the following files and folders.

Note These files are not at risk of infection. If you scan these files, serious performance problems may occur because some files may be locked. If a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any of these items based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as these files.
  • Files that are related to Microsoft Windows Update or to Automatic Update
  • The Windows Update database file or the Automatic Update database file

    Note This file (Datastore.edb) is located in the following directory:
    %windir%\SoftwareDistribution\Datastore
  • The transaction log files

    Note These files are located in the following folder:
    %windir%\SoftwareDistribution\Datastore\Logs
Exclude the following files:
  • Edb*.log

    Note The wildcard character indicates that there may be several files.
  • Res1.log
  • Res2.log
  • Edb.chk
  • Tmp.edb

Method 10: Rename the SoftwareDistribution folder

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. Run the following commands, and press Enter after each command:
    • Net stop wuauserv
    • cd %systemroot%
    • Ren SoftwareDistribution SoftwareDistribution.old
    • Net start wuauserv
  3. Try to install updates again.
Important The following issues occur when you use this method:
  • Updates that are currently downloaded but that have not yet been installed have to be downloaded again by using Windows Update or Microsoft Update.
  • When you delete the Software Distribution folder, your download history is removed.
  • If you currently receive updates from Microsoft Update and from Windows Update, you will have to reselect this option from the Windows Update website.
Note If the issue is resolved and you can successfully download and install updates, you can safely delete the SoftwareDistribution.old folder to recover disk space.

Method 11: Clear the BITS queue of any current jobs

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. At the command prompt, type the following commands, and press Enter after each command:

    Net stop bits
    Net stop wuauserv
    Ipconfig /flushdns
    cd %ProgramData%\Microsoft\Network\Downloader
    Note This is the BITS queue folder on Windows Vista, Windows Server 2008 and later. On Windows XP and Windows Server 2003 the folder is \Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader.
    Del qmgr0.dat
    Del qmgr1.dat
    Net start bits
    Net start wuauserv
    Note After you complete these steps, the BITS queue is cleared.
  3. Try to install updates again.
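The three folder resets above (Method 6, Method 10 and Method 11) are usually run together. The following is an added PowerShell example, not part of the Microsoft article, that performs them in one elevated session. It assumes Windows Vista / Server 2008 or later (where the BITS queue lives under %ProgramData%) and leaves timestamped copies of the renamed folders behind so that nothing is lost irreversibly.

```powershell
# Added example: Methods 6, 10 and 11 in one elevated PowerShell session.
# Assumes Windows Vista / Server 2008 or later (BITS queue under %ProgramData%).
$ErrorActionPreference = 'Stop'

# Refuse to run unelevated: every step below touches protected folders.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$services = 'wuauserv', 'bits', 'cryptsvc'

# 1. Stop the services that hold the folders open and wait until they are really stopped;
#    renaming while wuauserv is still shutting down is the usual cause of "access denied".
foreach ($name in $services) {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# 2. Method 10: rename SoftwareDistribution. Pending downloads and update history are lost;
#    delete the .old copy once updates install again.
$sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
if (Test-Path $sd) { Rename-Item -Path $sd -NewName "SoftwareDistribution.${stamp}.old" }

# 3. Method 6: copy catroot2 aside, then empty it (not the folder itself); cryptsvc rebuilds
#    the catalog database when it starts.
$cat = Join-Path $env:SystemRoot 'System32\catroot2'
if (Test-Path $cat) {
    Copy-Item -Path $cat -Destination "${cat}.${stamp}.old" -Recurse -Force
    Get-ChildItem -Path $cat -Force | Remove-Item -Recurse -Force
}

# 4. Method 11: drop the BITS job database (qmgr0.dat / qmgr1.dat) and flush the resolver cache.
$bitsDir = Join-Path $env:ProgramData 'Microsoft\Network\Downloader'
Get-ChildItem -Path $bitsDir -Filter 'qmgr*.dat' -Force -ErrorAction SilentlyContinue | Remove-Item -Force
ipconfig.exe /flushdns | Out-Null

# 5. Start cryptsvc first so catalogs can be verified, then BITS and the update agent,
#    and ask the agent for a fresh detection cycle.
foreach ($name in 'cryptsvc', 'bits', 'wuauserv') { Start-Service -Name $name }
wuauclt.exe /detectnow
Get-Service -Name $services | Format-Table Name, Status -AutoSize
```

If the script stops at step 1 with a timeout, something else (commonly an installer or a stuck TrustedInstaller session) is still holding the update agent; restart first (Method 3) and run it again rather than forcing the rename.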

Method 12: Rename Pending.xml

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. At the command prompt, type the following command:
    takeown /f C:\Windows\winsxs\pending.xml
  3. Rename the c:\windows\winsxs\pending.xml path by using the following command:
    Ren c:\windows\winsxs\pending.xml pending.old
    Note If the rename is still denied after takeown, grant yourself full control first: icacls c:\windows\winsxs\pending.xml /grant Administrators:F
  4. Try to install updates again.

Method 13: Run Chkdsk on the Windows partition

To do this, follow these steps:
  1. Open an administrative Command Prompt window.
  2. At the command prompt, type the following command:
    Chkdsk volume: /f /r
    Replace volume: with the drive letter of the Windows partition (for example, C:). Because the Windows partition is in use, Chkdsk cannot lock it; answer Y when it offers to schedule the check for the next restart, then restart the computer. The /r pass can take a long time on large disks.
Properties
Article ID: 2509997 - Last Review: 06/25/2015 21:29:00 - Revision: 8.0
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Foundation
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Standard

Wednesday, July 15, 2015

How to check the Exchange 2013 email queue

  1. Click Start > All Programs > Microsoft Exchange 2013 > Exchange Toolbox.
  2. In the Mail flow tools section, double-click Queue Viewer to open the tool in a new window.
  3. In Queue Viewer, select the Messages tab to see the list of messages that are currently queued for delivery in your organization.
  4. Right-click the message whose properties you want to view and then select Properties.
  5. The General tab displays the following detailed information about the message:
    • Identity   This field shows the integer that represents a particular message. The message identity is assigned by the queuing database when the message is received for processing. You can include an optional server and queue identity to identify a unique instance of the message.
    • Subject   This field shows the subject of a message and is expressed as a text string. The value is taken from the Subject: header field.
    • Internet Message ID   This field shows the value of the Message-ID: header field. The value of this property is expressed as a GUID followed by the SMTP address of the sending server, as in this example: 67D754D6103DC4FB3BA6BC7205DACABA61231@exchange.contoso.com
    • From Address   This field shows the SMTP address of the sender of the message. This value is taken from MAIL FROM: in the message envelope.
    • Status   This field shows the current message status. A message can have one of the following status values:
      • Active   If the message is in a delivery queue, the message is being delivered to its destination. If the message is in the Submission queue, the message is being processed by the categorizer.
      • Pending Remove   The message was deleted by the administrator but was already in delivery. The message will be deleted if the delivery ends in an error that causes the message to re-enter the queue. Otherwise, delivery will continue.
      • Pending Suspend   The message was suspended by the administrator but was already in delivery. The message will be suspended if the delivery ends in an error that causes the message to re-enter the queue. Otherwise, delivery will continue.
      • Ready   The message is waiting in the queue and is ready to be processed.
      • Retry   The last connection attempt failed for the queue in which this message is located. The message is waiting for the next queue retry.
      • Suspended   The message was suspended by the administrator.
    • Size (KB)   This field shows the size of the message rounded up to the nearest kilobyte (KB).
    • Message Source Name   This field shows the name of the component that submitted this message to the queue.
    • Source IP   This field shows the IP address of the external server that submitted the message to the Exchange organization.
    • SCL   This field shows the spam confidence level (SCL) rating of the message. Valid SCL entries are integers 0 through 9 or -1. An empty SCL entry indicates that the message hasn't been processed by the Content Filter agent.
    • Date Received   This field shows the date-time when the message was received by the server that holds the queue in which the message is located.
    • Expiration Time   This field shows the date-time when the message will expire and will be deleted from the queue if the message can't be delivered.
    • Last Error   This field shows the last error that was recorded for a message.
    • Queue ID   This field shows the identity of the queue that holds the message. The queue identity is expressed in the form Server\destination, where destination is a delivery group, routing destination, persistent queue name, or the queue database identifier. The queue database identifier is represented as an integer and can be determined by viewing the message properties.
    • Recipients   This field shows the list of recipients to which the message is addressed.
    • Retry Count   This field shows the number of times that delivery of a message to a destination was tried.
  6. The Recipient Information tab displays the following information about the message recipients:
    • Address   This field shows the SMTP address of the recipient of the message. This value is taken from RCPT TO: in the message envelope.
    • Status   This field shows the current message status. A message can have one of the following status values:
      • Active   If the message is in a delivery queue, the message is being delivered to its destination. If the message is in the Submission queue, the message is being processed by the categorizer.
      • Pending Remove   The message has been deleted by the administrator but was already in delivery. The message will be deleted if the delivery ends in an error that causes the message to re-enter the queue. Otherwise, delivery will continue.
      • Pending Suspend   The message has been suspended by the administrator but was already in delivery. The message will be suspended if the delivery ends in an error that causes the message to re-enter the queue. Otherwise, delivery will continue.
      • Ready   The message is waiting in the queue and is ready to be processed.
      • Retry   The last connection attempt failed for the queue in which this message is located. The message is waiting for the next queue retry.
      • Suspended   The message has been suspended by the administrator.
    • Last Error   This field shows the last error that was recorded for a message.

You use the Get-Message cmdlet to view the properties of a message that is currently queued for delivery. The following example tabulates the sender address, recipients, subject, and received date information for all messages that are currently in retry state:
Get-Message -IncludeRecipientInfo -Filter {Status -eq "Retry"} | Format-Table FromAddress,Recipients,Subject,DateReceived
For detailed syntax and parameter information, see Get-Message.
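Beyond the single Get-Message line above, the questions an administrator actually asks of a backed-up queue are "which queues are full", "why", and "is one sender responsible". The following added example (not from the original post) runs in the Exchange Management Shell and walks through that triage; the sender address bulk@example.com and the C:\Quarantine folder are assumptions.

```powershell
# Added example (not from the original post): run in the Exchange Management Shell.
# The sender address 'bulk@example.com' and the C:\Quarantine path are assumptions.
$server = $env:COMPUTERNAME

# 1. Every queue on this server that holds messages, largest first, with the last error Exchange recorded.
Get-Queue -Server $server -Filter { MessageCount -gt 0 } |
    Sort-Object MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize

# 2. Messages in Retry across all queues, with recipient detail (Recipients is empty without -IncludeRecipientInfo).
$retrying = Get-Message -Server $server -IncludeRecipientInfo -Filter { Status -eq 'Retry' }
$retrying | Format-Table Identity, FromAddress, Subject, RetryCount, DateReceived, LastError -AutoSize

# 3. Group by sender: one FromAddress with hundreds of queued messages usually means a compromised
#    mailbox or an application host that is relaying more than it should.
$retrying | Group-Object { $_.FromAddress.ToString() } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# 4. Contain a suspect sender without destroying evidence: suspend its messages, export copies,
#    then decide between Resume-Message and Remove-Message. -Filter is an OPATH string, so the
#    address is written literally rather than through a variable.
New-Item -ItemType Directory -Path 'C:\Quarantine' -Force | Out-Null
Suspend-Message -Server $server -Filter { FromAddress -eq 'bulk@example.com' } -Confirm:$false
Get-Message -Server $server -Filter { FromAddress -eq 'bulk@example.com' -and Status -eq 'Suspended' } |
    ForEach-Object {
        $file = Join-Path 'C:\Quarantine' (($_.InternetMessageId -replace '[<>@:\\/]', '_') + '.eml')
        Export-Message -Identity $_.Identity | AssembleMessage -Path $file
    }
```

Exporting before removing matters during an incident: the .eml copies keep the full headers and body for the investigation, while Suspend-Message stops the outbound flow immediately.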

Friday, July 10, 2015

How to reset IIS with the IIS Reset command

You may need to restart Internet Information Services (IIS) before certain configuration changes take effect, or when applications become unavailable. IIS is the web server on your GearHost CloudServer. Often, the first step in troubleshooting issues with your website is to restart IIS. Follow the instructions below to restart IIS.
 
1. From the Start menu, click Run.
 
2. In the Open box, type cmd, and click OK. iisreset needs an elevated prompt; on Windows Vista, Windows Server 2008 and later, open Command Prompt with Run as administrator instead.
 
3. At the command prompt, type iisreset /stop. IIS will attempt to stop all services and will return confirmation once all services have been stopped.
4. At the command prompt, type iisreset /start. 


5. That’s it! IIS has been restarted.

Tips

  • Typing iisreset directly from the run command window will reset IIS.
  • iisreset /status shows the current status of each IIS service.
  • iisreset /noforce prevents iisreset from forcibly terminating applications and worker processes when a graceful stop does not complete. The reset can take longer (or fail), but it is more graceful. Note that iisreset in any form restarts every site and application pool on the server; if only one application is misbehaving, recycling its application pool is less disruptive.
  Example output:
    C:\>iisreset /stop

    Attempting stop...
    Internet services successfully stopped
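The following added example (not from the original article) wraps the same iisreset commands with exit-code checks, and shows the per-application-pool recycle that a practitioner reaches for before a full reset. It must run from an elevated PowerShell session; the pool name DefaultAppPool is an assumption.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell
# session; the application pool name 'DefaultAppPool' is an assumption.
function Get-IisStatus {
    # iisreset /status prints one line per IIS service; a non-zero exit code means IIS is not healthy.
    $lines = & iisreset.exe /status
    New-Object PSObject -Property @{ ExitCode = $LASTEXITCODE; Services = $lines }
}

function Restart-Iis {
    param([switch]$NoForce)   # /noforce: do not kill worker processes if a graceful stop fails
    $flags = @()
    if ($NoForce) { $flags += '/noforce' }
    & iisreset.exe /stop $flags
    if ($LASTEXITCODE -ne 0) { throw "iisreset /stop failed (exit code $LASTEXITCODE); nothing was started" }
    & iisreset.exe /start
    if ($LASTEXITCODE -ne 0) { throw "iisreset /start failed (exit code $LASTEXITCODE)" }
}

function Restart-OnePool {
    # Recycling a single application pool drops only that pool's worker process;
    # every other site on the server keeps serving. Prefer this when one app is at fault.
    param([string]$Name = 'DefaultAppPool')
    Import-Module WebAdministration
    Get-WebAppPoolState -Name $Name
    Restart-WebAppPool -Name $Name
    Get-WebAppPoolState -Name $Name
}

Restart-OnePool -Name 'DefaultAppPool'
Get-IisStatus
Restart-Iis -NoForce
Get-IisStatus
```

Checking the exit code of /stop before issuing /start avoids the case where a hung worker process survives the stop and the "restart" silently changes nothing.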

VSS Troubleshooting Guide – Failed VSS Writers

  • Description

    AppAssure 5 uses VSS as part of the recovery point creation process.
    If the VSS subsystem isn’t functioning properly, AppAssure will not be able to complete the backups.
    The following sections are designed to help remedy specific VSS issues that may occur within your system.
    Please note additional VSS troubleshooting details can be found in Microsoft’s TechNet article “Troubleshooting the Volume Shadow Copy Service.” Microsoft’s document provides additional troubleshooting steps that go beyond the scope of this article.
  • Resolution

    Before moving on to the steps below, ensure that all service packs, hotfixes and updates have been applied to the system. If the problem still persists after that, complete the following steps.
    1. Reboot your agent server. Servers that have not been rebooted in a while may cause VSS to malfunction. You should reboot your server regularly as a preventive and cleanup measure for your system.

    2. Reset the writers to a stable state.
      • Open vssadmin from the command line (run cmd prompt as administrator). Run the following command:
        • vssadmin list writers
      • If any writer is noted as failed or has an error, or any writers’ states are not listed as stable, run the following:
        • For Replay 4: from C:\Program Files (x86)\AppAssure Software\Replay Agent\Utils64, run vshadow <drive letter:>
        • For AppAssure 5, open a command prompt from the following location: C:\Program Files\apprecovery\agent
          • Run vShadow <drive letter:>
      • List the writers again to check their stability: vssadmin list writers
      • If there are still any writers that are listed as failed or have an error, please continue to the next step.

    3. Clear any existing shadows.
      • VSS has a limit on the number of snapshots that can be kept on the system; furthermore, these snapshots take up space on the drive that is needed to take these snapshots. The following will clear this space.

        • Open vssadmin from the command line (run cmd as administrator).
        • Enter vssadmin delete shadows /all
        • This will clean up the VSS snapshots. 
        • Some defective systems accumulate VSS snapshots that persist in the system.
        • Enter vssadmin list writers and check for errors.
        • If there are still any writers that are listed as Failed or have an error, or any writers’ states are not listed as Stable, please continue to the next step.
        • If you have received the following error:
          "Error: Snapshots were found, but they were outside of your allowed context. Try removing them with the backup application which created them."

          • Return to the elevated cmd prompt
          • Enter wmic
          • Enter shadowcopy delete
          • For each shadow copy it lists, enter Y

    4. Restart the services.
      • Open Services.msc and restart the following services:

        • COM+ Event System.
        • COM+ System Application Service. This may not be started (if not, start it).
        • Distributed Transaction Coordinator Service.
        • Volume Shadow Copy Service.
        • If possible please also restart the affected VSS writer service, for example Virtual Server 2005 VSS writer or the Hyper-V VM manager Service to the Hyper-V VSS writer.

      • Check the Event Viewer for any additional error information logged by that VSS writer.
      • Run vssadmin list writers once more.
      • If there are any writers that are listed as failed or have an error, please continue to the next step.

    5. As noted above, VSS limits the space it may use for snapshots on each volume; on occasion the default value (5% of the total size of the volume) is not large enough. Run the following command to remove the limit. Be aware that UNBOUNDED lets shadow storage grow until the volume is full, so on a volume that also holds production data a fixed ceiling (for example /MaxSize=20GB) is the safer choice.
      • vssadmin Resize ShadowStorage /For=<drive letter:> /On=<drive letter:> /MaxSize=UNBOUNDED
        Example:  vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=UNBOUNDED

    6. On systems running a desktop operating system, the above command is the only way to set the size of the VSS Snapshot save location. On Windows Server Operating systems, the GUI can be used.
      • Open Disk Management: Click Start , click Run , type diskmgmt.msc and then click OK.
      • Right Click on the First Volume
      • Select Properties
      • Select the Shadow Copies Tab
      • Select The First Disk in the List
      • Select Settings
      • Select No Limit
      • Click OK

    7. If you don’t get any VSS writer errors when using vssadmin list writers, but the system isn’t able to create a new VSS snapshot (and you have deleted all existing snapshots), please continue to the next step.

    8. Uninstall all backup software on your computer, including Windows Backup if it is installed. You don’t need to uninstall Replay, because Replay doesn’t contain or install any VSS writers; however, we have seen VSS writers of other backup software manufacturers cause system instability and errors.

    9. After all other backup tools have been uninstalled, open the Registry Editor (regedit) as an administrator and check the following branch:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Providers

      WARNING: Before making any changes to the registry, export a copy of the key to a memorable location so you can re-import it if necessary.

    10. Underneath that key you should only find the Microsoft Software Shadow Copy Provider. If you find another, it may be a residual registry entry from a previous backup software installation. Save it by exporting the key (right-click and select Export), then delete only that provider's subkey; leave the Providers key itself and the Microsoft provider in place.

    11. Reboot and run vssadmin list writers to confirm the problem has been resolved.

    12. If the PC or server you are using is a virtual machine host, you need to install the latest VMware Tools (for VMware), Virtual Machine Additions (Virtual Server), and integration tools (Hyper-V) on each virtual machine.

    13. If you have completed all the above noted steps and you are still getting either VSS errors or unable to complete a snapshot, we recommend that you contact Microsoft Technical Support, as the issue is related to a malfunction within VSS or the Windows operating system.
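The registry check in the steps above is easy to get wrong by hand (deleting the Providers key itself, or the Microsoft provider, breaks VSS outright). The following added PowerShell example, not from the original article, exports the key first, lists each registered provider with its display name, cross-checks against vssadmin, and prints the exact delete command for any non-Microsoft leftover without running it. The C:\Backup location is an assumption; run it elevated.

```powershell
# Added example (not from the original article): export and inspect the VSS provider
# registrations that the registry steps above have you check by hand. It only reports and
# prints the delete command for any foreign entry; it never deletes. C:\Backup is an assumption.
$ErrorActionPreference = 'Stop'
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Providers'
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\VSS\Providers'
$backup  = "C:\Backup\VSS-Providers-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"

# 1. Always export first; refuse to go on if the export failed.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $backup) | Out-Null
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# 2. Each provider is a GUID-named subkey whose (default) value is the display name.
$providers = Get-ChildItem -Path $keyPath | ForEach-Object {
    $name = (Get-ItemProperty -Path $_.PSPath).'(default)'
    New-Object PSObject -Property @{
        Guid        = $_.PSChildName
        Name        = $name
        IsMicrosoft = [bool]($name -like 'Microsoft*')
    }
}
$providers | Format-Table Guid, Name, IsMicrosoft -AutoSize

# 3. Cross-check with what the VSS service itself reports; the two lists should agree.
& vssadmin.exe list providers

# 4. Anything not from Microsoft is a candidate leftover from a removed backup product.
$foreign = @($providers | Where-Object { -not $_.IsMicrosoft })
if ($foreign.Count -eq 0) {
    'Only Microsoft shadow copy provider(s) are registered.'
} else {
    Write-Warning 'Non-Microsoft provider registrations found. Uninstall the owning product first; if it is already gone, remove only that subkey:'
    $foreign | ForEach-Object { "  reg delete `"$regPath\$($_.Guid)`" /f" }
}
```

A provider that appears in the registry but not in vssadmin list providers (or the reverse) is the strongest sign of a half-removed backup agent.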

How to manually restart all VSS writers when in a failed state without rebooting

  • Description

    There are instances when snapshots are failing due to an agent's VSS writers being in a failed state but it is impossible or not desirable to restart the server until at least after business hours.
  • Cause

    The VSS writers may be in a failed state for many different reasons. Once they are in a failed state, it is usually necessary to restart the server.
  • Resolution

    An alternative solution other than restarting the server is to restart each of the associated services for each of the VSS writers showing up in a failed state by following the steps below:
    • Find each of the VSS writers in a failed state by issuing this command in an elevated command prompt - vssadmin list writers.
    • Make a list of all the failed VSS writers or take a screenshot.
    • Find the VSS writer's associated Service Display Name in the table below and restart the service.
    • Issue the command again to confirm the status has changed to Stable with no error - vssadmin list writers.
    • Attempt to perform another snapshot.
    • If the VSS writers fail again, it will be necessary to restart the server.
    VSS Writer                       | Service Name       | Service Display Name
    ---------------------------------|--------------------|--------------------------------------------
    ASR Writer                       | VSS                | Volume Shadow Copy
    BITS Writer                      | BITS               | Background Intelligent Transfer Service
    COM+ REGDB Writer                | VSS                | Volume Shadow Copy
    DFS Replication service writer   | DFSR               | DFS Replication
    DHCP Jet Writer                  | DHCPServer         | DHCP Server
    FRS Writer                       | NtFrs              | File Replication
    FSRM writer                      | srmsvc             | File Server Resource Manager
    IIS Config Writer                | AppHostSvc         | Application Host Helper Service
    IIS Metabase Writer              | IISADMIN           | IIS Admin Service
    Microsoft Exchange Writer        | MSExchangeIS       | Microsoft Exchange Information Store
    Microsoft Hyper-V VSS Writer     | vmms               | Hyper-V Virtual Machine Management
    NTDS                             | NTDS               | Active Directory Domain Services
    OSearch VSS Writer               | OSearch            | Office SharePoint Server Search
    OSearch14 VSS Writer             | OSearch14          | SharePoint Server Search 14
    Registry Writer                  | VSS                | Volume Shadow Copy
    Shadow Copy Optimization Writer  | VSS                | Volume Shadow Copy
    SPSearch VSS Writer              | SPSearch           | Windows SharePoint Services Search
    SPSearch4 VSS Writer             | SPSearch4          | SharePoint Foundation Search V4
    SqlServerWriter                  | SQLWriter          | SQL Server VSS Writer
    System Writer                    | CryptSvc           | Cryptographic Services
    TermServLicensing                | TermServLicensing  | Remote Desktop Licensing
    WINS Jet Writer                  | WINS               | Windows Internet Name Service (WINS)
    WMI Writer                       | Winmgmt            | Windows Management Instrumentation
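The procedure above (list writers, note the failed ones, look up the service, restart it, list again) can be scripted. The following is an added PowerShell example, not from the original article: it parses vssadmin list writers into objects, reports every writer that is not Stable with "No error", and restarts the owning service from the table above only when asked to with -Restart. It assumes English vssadmin output and an elevated session; because the table is not exhaustive, writers it does not know are reported rather than touched.

```powershell
# Added example (not from the original article): parse "vssadmin list writers", list every
# writer that is not Stable / "No error", and optionally restart the owning service using the
# table above. Assumes English vssadmin output and an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Restart)   # without -Restart the script only reports

# Writer name -> service name, from the table above (extend it for writers not listed).
$WriterService = @{
    'ASR Writer'                      = 'VSS'
    'BITS Writer'                     = 'BITS'
    'COM+ REGDB Writer'               = 'VSS'
    'DFS Replication service writer'  = 'DFSR'
    'DHCP Jet Writer'                 = 'DHCPServer'
    'FRS Writer'                      = 'NtFrs'
    'FSRM writer'                     = 'srmsvc'
    'IIS Config Writer'               = 'AppHostSvc'
    'IIS Metabase Writer'             = 'IISADMIN'
    'Microsoft Exchange Writer'       = 'MSExchangeIS'
    'Microsoft Hyper-V VSS Writer'    = 'vmms'
    'NTDS'                            = 'NTDS'
    'OSearch VSS Writer'              = 'OSearch'
    'OSearch14 VSS Writer'            = 'OSearch14'
    'Registry Writer'                 = 'VSS'
    'Shadow Copy Optimization Writer' = 'VSS'
    'SPSearch VSS Writer'             = 'SPSearch'
    'SPSearch4 VSS Writer'            = 'SPSearch4'
    'SqlServerWriter'                 = 'SQLWriter'
    'System Writer'                   = 'CryptSvc'
    'TermServLicensing'               = 'TermServLicensing'
    'WINS Jet Writer'                 = 'WINS'
    'WMI Writer'                      = 'Winmgmt'
}

function Get-VssWriterState {
    # Turn the text output of vssadmin into objects with Name, State and LastError.
    $writers = @()
    $current = $null
    foreach ($line in (& vssadmin.exe list writers)) {
        switch -Regex ($line) {
            "^Writer name:\s+'(.+)'\s*$" {
                $current = New-Object PSObject -Property @{ Name = $matches[1]; State = $null; LastError = $null }
                $writers += $current
            }
            '^\s+State:\s+\[\d+\]\s+(.+?)\s*$' { if ($current) { $current.State = $matches[1] } }
            '^\s+Last error:\s+(.+?)\s*$'      { if ($current) { $current.LastError = $matches[1] } }
        }
    }
    $writers
}

$unhealthy = Get-VssWriterState | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
if (-not $unhealthy) { 'All VSS writers are Stable with no error.'; return }
$unhealthy | Format-Table Name, State, LastError -AutoSize | Out-String | Write-Host

foreach ($w in $unhealthy) {
    $svc = $WriterService[$w.Name]
    if (-not $svc) { Write-Warning "No service mapping for writer '$($w.Name)'; restart its owning service by hand."; continue }
    if (-not $Restart) { "Writer '$($w.Name)': would restart service '$svc' (re-run with -Restart)."; continue }
    # Restarting NTDS, MSExchangeIS or vmms interrupts production; -WhatIf and -Confirm apply here.
    if ($PSCmdlet.ShouldProcess($svc, "Restart service for VSS writer '$($w.Name)'")) {
        Restart-Service -Name $svc -Force
    }
}

# Re-check so the operator sees whether the restart actually cleared the state.
Get-VssWriterState | Format-Table Name, State, LastError -AutoSize
```

Run it once without -Restart to see what it would do; several writers (ASR, Registry, COM+ REGDB, Shadow Copy Optimization) all map to the VSS service itself, and the Exchange, AD and Hyper-V services are not something to bounce during business hours without a change window.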

Wednesday, June 24, 2015

Setup Wizard for Exchange Update Rollup ended prematurely

The issue is well-known, but I never got around to share it myself and just recently saw it once again at a customer, who experienced the problem.
This blog post covers how to install an Exchange Update Rollup successfully without getting the “ended prematurely” error.
The Setup Wizard for Update Rollup fails with the error “ended prematurely”. It has been the same issue for Update Rollups for both Exchange 2007 and Exchange 2010.
The installer fails with the information:
Setup Wizard for Update Rollup 5 for Exchange Server 2010 Service Pack 3 (KB2917508) ended prematurely because of an error. Your system has not been modified. To install this program at a later time, please run the installation again.
The reason the Update Rollup installer “ends prematurely” is that User Account Control (UAC) is enabled on the server and the installer was not started elevated. For good reason, disabling UAC is not recommended; start the installer elevated instead.
The error is also shown in the event log, as Event ID: 1024 and with error code 1603.

How to Install the Update Rollup

The recommended way to install Update Rollups is from an elevated command prompt (open CMD with Run as administrator), with the Update Rollup .msp file on a local drive of the server, starting the installer with:
SYNTAX example: msiexec /update <UPDATE .MSP FILE>
How to Start Setup Wizard:
msiexec /update Exchange2010-KB2917508-x64-en.msp
How to install the Update Rollup unattended (silent) add the following parameter (/quiet):
msiexec /update Exchange2010-KB2917508-x64-en.msp /quiet
This starts the Setup Wizard; walk through the installer to install the Update Rollup.

Other reasons for failing

The above is the most obvious reason for why the Update Rollup fails with “ended prematurely”, but if you see error codes 1603 or 1635 in the event log, there could be other reasons.
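The following is an added PowerShell example, not from the original post, that installs a rollup .msp the way described above but from a script: it refuses to run unelevated (the exact condition behind the “ended prematurely” error), keeps a verbose MSI log, interprets the msiexec exit code, and pulls the MsiInstaller entries from the Application log for the run. The .msp path and the log location are assumptions.

```powershell
# Added example (not from the original post): install a rollup .msp from an elevated session
# with a verbose MSI log and interpret the outcome. The .msp path and the log location are
# assumptions; the file must be on a local drive, as the post notes.
param(
    [Parameter(Mandatory = $true)][string]$MspPath,   # e.g. C:\Updates\Exchange2010-KB2917508-x64-en.msp
    [switch]$Quiet                                    # unattended install, no wizard
)
$ErrorActionPreference = 'Stop'

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: this is exactly the condition that makes the rollup installer end prematurely.'
}
if ($MspPath -like '\\*') { throw 'Copy the .msp to a local drive before installing (UNC path given).' }
if (-not (Test-Path -LiteralPath $MspPath)) { throw "Update file not found: $MspPath" }
$drive = New-Object System.IO.DriveInfo((Split-Path -Qualifier $MspPath))
if ($drive.DriveType -eq 'Network') { throw 'Copy the .msp to a local drive before installing.' }

$log     = Join-Path $env:TEMP ([IO.Path]::GetFileNameWithoutExtension($MspPath) + '.log')
$msiArgs = @('/update', "`"$MspPath`"", '/norestart', '/l*v', "`"$log`"")
if ($Quiet) { $msiArgs += '/quiet' }

$started = Get-Date
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { "Installed. Log: $log" }
    3010    { "Installed; a restart is required. Log: $log" }
    1603    { "Fatal error 1603. Check elevation/UAC as described above, then read the log: $log" }
    default { "msiexec exited with $($proc.ExitCode). Log: $log" }
}

# MSI writes its own summary to the Application log (the post points at Event ID 1024);
# show what it recorded during this run.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $started } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Exit code 3010 is a success that still needs a reboot; treat it as such in any automation rather than as a failure.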

Monday, June 01, 2015

Allow an IP to relay SMTP in Exchange 2013

In Exchange 2013, I am utilizing a multi-role server that has both the Client Access Server and Mailbox Server roles. We’ll want to head to the mail flow section in the Exchange Administration Center (EAC) that you can access by going to https://OWA.domain.com/ECP.
Once in this mail flow section, we’ll click the tab called receive connectors which will allow us to see all receive connectors that exist.
As you can see, there are connectors for FrontendTransport and connectors for HubTransport.  FrontEndTransport belongs to the Client Access Server Role and the HubTransport role belongs to the Mailbox Server role.
Let’s take a look at the “Default B-E15DAG1” receive connector that belongs to the HubTransport role as well as the “Default Frontend B-E15DAG1” that belongs to the FrontendTransport role.
Taking a look at the “Default FrontEnd B-E15DAG1”, we can see that the connector listens on port 25 as we would expect.
Taking a look at the “Default B-E15DAG1” receive connector, we can see it listens on port 2525 which is something we haven’t seen before.
All mail flow should come into the Frontend Transport which then delivers it to the appropriate mailbox server where the mailboxes exist.  On a multi-role server, these two roles cannot utilize the same ports as they are two different services.  What this means is, when creating a relay connector, this connector must be created on the Client Access Server role that owns the Frontend Transport because this service is the service that owns port 25.  If you try to create a receive connector on the Mailbox Server role that owns the HubTransport service, mail flow may work temporarily, but it will eventually fail due to both the FrontendTransport and HubTransport services fighting each other for port 25.  Obviously if the Client Access Server and Mailbox Server roles are on different servers, it’s not an issue.
To create our relay connector, we’ll choose the + symbol to create a new Receive Connector.
Give the connector a name and be sure to choose Frontend Transport and Custom. Click Next.
The default settings on this page are fine: the connector binds to port 25, which, as explained above, belongs to the Frontend Transport service. Click Next.
In the remote network settings, it is important to remove the 0.0.0.0-255.255.255.255 range. We want to list explicitly which hosts may relay, so the server does not become an open relay for everybody. In my case, I am going to add 192.168.50.2, which might be a printer, a custom application, or any other host that genuinely needs to relay through Exchange. Once this is done, click Finish.
Once the relay connector is created, open its properties, go to the security tab, and make sure Anonymous users is checked.
So what really happens when you check Anonymous users on the security tab? A lot of people are afraid to check that box for fear that anonymous users will be able to relay off the Exchange Server. This is NOT the case.
When you check that box, the following permissions are granted to the Anonymous Logon group:
  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing
Notice that Ms-Exch-SMTP-Accept-Any-Recipient is not among them. Without it, an anonymous session can submit mail to recipients in your accepted domains (which is exactly what the Default Frontend connector does for inbound Internet mail), but any RCPT TO for an external domain is refused with 550 5.7.1 Unable to relay. Note also that Accept-Any-Sender and Accept-Authoritative-Domain-Sender mean the MAIL FROM address is not validated, so anything that can reach this connector can send to internal recipients as one of your own users; that is one more reason to keep the remote IP range tight.
To allow anonymous connections on this connector to relay, you must run the following command in the Exchange Management Shell: Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
The command reads fairly easily: it retrieves the receive connector you created and adds an access control entry to that connector object in Active Directory, granting the Anonymous Logon group the Ms-Exch-SMTP-Accept-Any-Recipient right on that connector only. Once this is done, the hosts you listed in the Remote network settings will be able to relay through your server on port 25.
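Here is the same procedure as an Exchange Management Shell script, followed by a quick audit that shows which connectors allow anonymous relaying and whether any of them still accept the whole IPv4 range. This is an added example, not from the original post; the server name E15DAG1, the connector name "Relay Connector" and the client address 192.168.50.2 are assumptions taken from the walkthrough, so adjust them to your environment.

```powershell
# Added example (not the post's own code). Assumed names: server E15DAG1,
# connector "Relay Connector", relay client 192.168.50.2.
$Server  = 'E15DAG1'
$Name    = 'Relay Connector'
$Clients = @('192.168.50.2')      # only hosts that genuinely need to relay

# 1. Create the connector on the Frontend Transport role. On a multi-role server
#    port 25 belongs to Frontend Transport; Hub Transport's default connector uses 2525.
New-ReceiveConnector -Server $Server -Name $Name -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $Clients

# 2. Tick "Anonymous users". This grants Submit, Accept-Any-Sender,
#    Accept-Authoritative-Domain-Sender and Accept-Headers-Routing, but NOT
#    Accept-Any-Recipient, so the connector still cannot relay to external domains.
Set-ReceiveConnector -Identity "$Server\$Name" -PermissionGroups AnonymousUsers

# 3. Grant the one extended right that actually permits relaying, scoped to this connector.
Get-ReceiveConnector -Identity "$Server\$Name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                     -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 4. Audit: every connector on this server where ANONYMOUS LOGON holds
#    Accept-Any-Recipient, flagging any whose remote range is still 0.0.0.0-255.255.255.255.
function Get-AnonymousRelayConnectors {
    param([Parameter(Mandatory)][string]$Server)

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $relayAce = $rc | Get-ADPermission | Where-Object {
            $_.User -like '*ANONYMOUS LOGON' -and
            -not $_.Deny -and
            ($_.ExtendedRights -like 'Ms-Exch-SMTP-Accept-Any-Recipient')
        }
        if ($relayAce) {
            $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
            [pscustomobject]@{
                Connector    = $rc.Identity
                Role         = $rc.TransportRole
                Bindings     = ($rc.Bindings -join ', ')
                RemoteRanges = ($ranges -join ', ')
                OpenRelay    = [bool]($ranges -contains '0.0.0.0-255.255.255.255')
            }
        }
    }
}

Get-AnonymousRelayConnectors -Server $Server | Format-Table -AutoSize
```

Run the audit after every change to a receive connector and on any server you inherit: a row with OpenRelay set to True is a connector that will relay for the entire Internet and should be fixed before anything else.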
Now you may be wondering why a separate connector is needed at all. The answer is that Exchange selects the receive connector whose remote IP range most specifically matches the connecting client. Say we have a SharePoint server at 192.168.119.150 that needs to relay. We create a relay connector and allow ONLY 192.168.119.150 in its remote network settings. When SMTP arrives from 192.168.119.150, Exchange sees two candidate connectors on port 25: the Default Frontend connector, which accepts connections from any IP address, and the relay connector, which accepts only 192.168.119.150. Because the address is set explicitly on the relay connector, that connector is preferred for the SharePoint session, so SharePoint can relay through Exchange while every other client stays on the default connector and cannot. (SharePoint can also be configured to authenticate; this is just an example.)
For hosts that will push a lot of relay traffic, there are some further settings to adjust on the relay connector. If relaying works intermittently (some sessions succeed while others stall or fail), run the following commands against the relay connector. Apply them only to this IP-restricted connector: on the Internet-facing Default Frontend connector the default tarpit interval and per-source connection limits are what slow down directory harvesting and connection floods, so leave those alone.
Set-ReceiveConnector -Identity "Relay Connector Name" -TarpitInterval 00:00:00
Set-ReceiveConnector -Identity "Relay Connector Name" -ConnectionTimeout 00:30:00
Set-ReceiveConnector -Identity "Relay Connector Name" -ConnectionInactivityTimeout 00:20:00
Set-ReceiveConnector -Identity "Relay Connector Name" -MaxAcknowledgementDelay 00:00:00
Set-ReceiveConnector -Identity "Relay Connector Name" -MaxInboundConnection 10000
Set-ReceiveConnector -Identity "Relay Connector Name" -MaxInboundConnectionPercentagePerSource 100
Set-ReceiveConnector -Identity "Relay Connector Name" -MaxInboundConnectionPerSource unlimited
So in my case, I would run the following command, which uses Get-ReceiveConnector piped into Set-ReceiveConnector to make all the modifications in one command:
Get-ReceiveConnector -Identity "Relay Connector Name" | Set-ReceiveConnector -TarpitInterval 00:00:00 -ConnectionTimeout 00:30:00 -ConnectionInactivityTimeout 00:20:00 -MaxAcknowledgementDelay 00:00:00 -MaxInboundConnection 10000 -MaxInboundConnectionPercentagePerSource 100 -MaxInboundConnectionPerSource unlimited
If you are wondering what the defaults were, I captured the connector’s existing values with Get-ReceiveConnector before running Set-ReceiveConnector, so they were on hand to compare against or revert to.
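Once the connector is in place, confirm that it behaves as intended from both sides of the allow list: a session from a listed host should get 250 on RCPT TO for an external recipient, and a session from any other host should get 550 5.7.1 Unable to relay. The following PowerShell function is an added example, not part of the original post. It speaks raw SMTP up to RCPT TO and never issues DATA, so no message is actually delivered even where relaying is allowed; the server name, sender and recipient addresses are placeholders to replace with your own.

```powershell
# Added example (not the post's own code). Probe whether a host may relay through
# the given SMTP server. Run it from a listed relay client and from an unlisted one.
function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'relaytest@example.com',   # assumed: sender outside your accepted domains
        [string]$To   = 'probe@external.example',  # assumed: recipient outside your accepted domains
        [int]$TimeoutMs = 15000                    # Exchange tarpits error replies by ~5 s by default
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply, including multi-line replies ("250-..." continuation lines),
    # and return its 3-digit code plus the joined text.
    $readReply = {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw 'Server closed the connection' }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Text = ($lines -join ' | ') }
    }
    # Send one command and read its reply.
    $send = { param($cmd) $writer.WriteLine($cmd); & $readReply }

    try {
        $banner = & $readReply
        $null   = & $send 'EHLO relaytest.example'
        $mail   = & $send "MAIL FROM:<$From>"
        $rcpt   = & $send "RCPT TO:<$To>"         # the relay verdict is given here
        try { $null = & $send 'QUIT' } catch { }  # no DATA: nothing is ever delivered
    }
    finally {
        $client.Close()
    }

    [pscustomobject]@{
        Server       = $Server
        Banner       = $banner.Text
        MailReply    = $mail.Text
        RcptReply    = $rcpt.Text
        RelayAllowed = ($rcpt.Code -ge 200 -and $rcpt.Code -lt 300)
    }
}

# Example: Test-SmtpRelay -Server 'E15DAG1.domain.com'
```

RelayAllowed should be True only when the probe is run from an address listed in the relay connector’s remote network settings. If it comes back True from an arbitrary workstation, re-check the Default Frontend connector’s permissions with Get-ADPermission, because that means ANONYMOUS LOGON has Ms-Exch-SMTP-Accept-Any-Recipient on a connector that accepts the whole Internet.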