arghosrho
asked on
Exchange 2016 CU22 upgrade Broke ECP
Dwar Experts.
we are facing some issues on our Exchange 2016 environment after installing CU22
since the install we have faced some issues with OWA that we were able to fix through certificate regenration but we are still facing an issue with ECP, whenever someone tries to go to ECP we get this error
Service Unavailable
HTTP Error 503. The service is unavailable.
OWA works perfectly fine just ECP doesnt.
any help will be appreciated to remedy the situation
First step please follow steps in this articles. If the issue persists please let us know.
Blank-Page-Screen-In-OWA-EAC-Exchange-2013-2016-2019-Server
This-page-can't-be-displayed-Exchange-OWA-ECP
Blank-Page-Screen-In-OWA-EAC-Exchange-2013-2016-2019-Server
This-page-can't-be-displayed-Exchange-OWA-ECP
ASKER
yes this is all confirmed and OWA works perfectly fine, its just ECP that gives
Service Unavailable
HTTP Error 503. The service is unavailable.
Service Unavailable
HTTP Error 503. The service is unavailable.
ASKER
really any help would be appriciated i tried everything even recreating the ECP folder. all servers in the organization even 2 servers without the Updates have the ECP broken now
ASKER
to explan a little more.
i can acess the ECP page for login its when i login that i get this HTTP Error 503. The service is unavailable. message
i can acess the ECP page for login its when i login that i get this HTTP Error 503. The service is unavailable. message
Did you reset IIS and check?
ASKER
yes sir. i have multiple times.
Please try updating cas
C:\Program Files\Microsoft\Exchange Server\V15\Bin>.\UpdateCas.ps1
C:\Program Files\Microsoft\Exchange Server\V15\Bin>.\UpdateCas.ps1
ASKER
did that too sir.
no effect
no effect
ASKER
I'm not sure if this sounds right. but how can ECP get broken even on servers that hasnt been patched? we have two 2019 servers in the organization they are not internet facing basically internal work only on a secured Vlan. even these two i cant reach the ECP on them. any idea how can something like that happen?
Is it only for the administrator that /ECP is broken ?
The admin access can be broken (on all servers) when the administrator has no mailbox and/or when "arbitration accounts" cannot be accessed.
Can you verify that you still have all arbitration mailboxes alive ?
get-mailbox -arbitration
Their databases are mounted?
The admin access can be broken (on all servers) when the administrator has no mailbox and/or when "arbitration accounts" cannot be accessed.
Can you verify that you still have all arbitration mailboxes alive ?
get-mailbox -arbitration
Their databases are mounted?
ASKER
Name Alias ServerName ProhibitSendQuota
---- ----- ---------- -----------------
SystemMailbox{1f05a927... SystemMailbox{1f0... exhdb01 Unlimited
SystemMailbox{bb558c35... SystemMailbox{bb5... exhdb01 Unlimited
SystemMailbox{e0dc1c29... SystemMailbox{e0d... exhdb01 Unlimited
Migration.8f3e7716-201... Migration.8f3e771... exhdb01 300 MB (314,572,800 bytes)
FederatedEmail.4c1f4d8... FederatedEmail.4c... exhdb01 1 MB (1,048,576 bytes)
SystemMailbox{D0E409A0... SystemMailbox{D0E... exhdb01 Unlimited
SystemMailbox{2CE34405... SystemMailbox{2CE... exhdb01 Unlimited
---- ----- ---------- -----------------
SystemMailbox{1f05a927... SystemMailbox{1f0... exhdb01 Unlimited
SystemMailbox{bb558c35... SystemMailbox{bb5... exhdb01 Unlimited
SystemMailbox{e0dc1c29... SystemMailbox{e0d... exhdb01 Unlimited
Migration.8f3e7716-201... Migration.8f3e771... exhdb01 300 MB (314,572,800 bytes)
FederatedEmail.4c1f4d8... FederatedEmail.4c... exhdb01 1 MB (1,048,576 bytes)
SystemMailbox{D0E409A0... SystemMailbox{D0E... exhdb01 Unlimited
SystemMailbox{2CE34405... SystemMailbox{2CE... exhdb01 Unlimited
ASKER
and actually ECP is broken for everybody, whenever u try to access ECP from whichever the account it just doesnt work
ASKER
may be its worth mentioning one of the exchange 2016 was compromised with a 0 day attack and i ended up running the microsoft mitigation scripts on all servers after which i installed CU22 and then the last security fix.
can that be a contributing reason? as nothing else has changed?
can that be a contributing reason? as nothing else has changed?
Seems to me cu update got corrupted. You might need to rebuild the server with recovery switch. Or open case with Microsoft.
Agree with Amit your next option to recover the server with Setup.exe /Mode:RecoverServer switch.
disaster-recovery/recover-exchange-servers?view=exchserver-
disaster-recovery/recover-exchange-servers?view=exchserver-
ASKER
so the update corrupted each and every server? its happening on all my servers.
ASKER
the Exchange 2019 that arent patched at all these are internal test servers also cant access the ECP! how can this all be reconciled?
Did you try updating Windows along with Exchange Oct/Nov security update?
https://support.microsoft.com/help/5007409
Security-update-for-microsoft-exchange-server-2019-and-2016
https://support.microsoft.com/help/5007409
Security-update-for-microsoft-exchange-server-2019-and-2016
ASKER
i think this has somethign to do with it.
Description: This mitigation will disable the Exchange Control Panel (ECP) Virtual Directory. Microsoft Exchange Managed Availability services are also disabled to prevent mitigation regression.
Impact: The Exchange Control Panel will no longer be available. All Exchange Administration can be done via Remote PowerShell while the Exchange Control Panel is disabled. The advanced monitoring capabilities of Exchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.
so yes i have installed these updates and everything is fully patched now. how do i renable it then?
ECP Application Pool Mitigation
Applies To: CVE-2021-27065 & CVE-2021-26858Description: This mitigation will disable the Exchange Control Panel (ECP) Virtual Directory. Microsoft Exchange Managed Availability services are also disabled to prevent mitigation regression.
Impact: The Exchange Control Panel will no longer be available. All Exchange Administration can be done via Remote PowerShell while the Exchange Control Panel is disabled. The advanced monitoring capabilities of Exchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.
so yes i have installed these updates and everything is fully patched now. how do i renable it then?
ASKER
will this command do anything usefull?
Set-ECPVirtualDirectory -Identity "srv\ecp (default web site)" -AdminEnabled $true
Set-ECPVirtualDirectory -Identity "srv\ecp (default web site)" -AdminEnabled $true
ASKER
Set-ECPVirtualDirectory -Identity "srv\ecp (default web site)" -AdminEnabled $true tried that and didnt help.
the ECP is somehow disabled!
the ECP is somehow disabled!
As your server were effected with zero day attack Chances of corruption are very high. All my clients who got impacted I installed new servers and moved mailboxes and decom all effected servers.
ASKER
well this is becoming a more likely option to be honest, so just new servers and move mailboxes? however i have 2 unaffected servrers the 2019 ones they are untouched by any attack and they are suffering this issue too
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I would advise you to open case with Microsoft, before you try anything.
have you verified that the web site "Exchange Back End" and its certificate are operational in IIS?
Administration and ECP options are based on this site.