Exchange 2010-2013 Migration and OAB

Ex2013 LogoLast year, Exchange fellows Andrew Higginbotham, Paul Cunningham as well as the Exchange Team reported on checking, and when necessary configuring, your Offline Address Book (OAB) in your current Exchange Server 2010 environment, prior to installing Exchange Server 2013. Not doing so could result in a complete download of the Offline Address Book created by Exchange Server 2013, titled ‘Default Offline Address List (Ex2013)’.

Today I received a report that there is a different symptom of configuration absence. In this case, the customer reported on the inability to download the offline address book, and upon further inspection the Autodiscover server did not report back on the offline address book URL to use. In other words, OAB information was absent from the Autodiscover response, and Outlook gets confused. Note that this issue was reported in Outlook 2010 after installing Exchange Server 2013 Cumulative Update 10. I’m not sure if this change in behavior was introduced in these later builds of Exchange 2013 or Outlook, but it’s still a good thing to know.

The remedy here of course is to configure any (Exchange 2010) mailbox database with unconfigured Offline Address Book setting, and point them to the default offline address book using:

Get-MailboxDatabase | Where-Object {$_.OfflineAddressBook -eq $Null} | Set-MailboxDatabase -OfflineAddressBook (Get-OfflineAddressBook | Where-Object {$_.IsDefault -eq $True})

Exchange 2016 goes RTM!

Ex2013 LogoUpdate (4nov2015): You can block creating mixed DAGs using Cmdlet Extension Agents, I blogged about that here.

Today, the Exchange Team reached a milestone for the On-Premises by releasing Exchange Server 2016. The official announcement contains information on new features and enhancements.The version number of Exchange 2016 RTM is After extending it, the schema version should report 15317, and the forest and domain versions after preparing Active Directory should read 16210 and 13236, respectively.

Much of what’s new or requirements for coexistence scenarios were already announced during the release of the Exchange 2016 Preview, a little over 2 months ago. I did a write-up on that here. However, some features didn’t make it for the RTM release. For example, the feature that makes Search Indexer use Passive Database Copies for indexing, instead of copying indexes from the active copy, is to be expected in a later Cumulative Update. Also, the auto-expanding Archive feature, available in the Preview, has not made it in the RTM version.

Also make sure you read the Release Notes, which contain important information on potential issues. For example, Exchange 2016 does not prevent you from adding Exchange 2013 Mailbox servers to an Exchange 2016 Database Availability Group, or vice-versa. This ability is also not blocked by the Exchange Admin Center console. This is totally unsupported (the database structure is different), but more importantly also puts your data at risk. Just don’t.

Some links to get you started:

The first Cumulative Updated is to be expected in Q1’16.

Accompanying the launch, Microsoft also published a number of videos highlighting certain aspects or features. One of them is the ever charming Greg Taylor talking about Exchange Server 2016 – Performance, architecture and compliance updates:

Other videos from the Exchange Team and Office Garage:

Exchange Server 2016 Preview is here!

Ex2013 LogoAnd so it begins. Few moments ago, the Exchange team published the public preview of Exchange 2016. The build number of the preview version is (yes, 15.1.*, not 16.*). Exchange 2016 Preview raises schema to version 15317.

The team’s post contains information on the changes and features introduced in Exchange 2016. Many of these were already announced at Ignite earlier this year. An earlier blog post on these announcements can be found here.

With this Exchange 2016 Preview, there are important deviations from announcements made at Ignite 2015:

  • Minimum required Forest Functional Level (FFL) and Domain Functional Level (DFL) is Windows Server 2008. At Ignite is was announced Windows Server 2008 R2 FFL/DFL would be required.
  • Supported Operating Systems will be Windows Server 2012 and Windows Server 2012 R2. At Ignite, it was announced Windows Server 2012 was not going to be supported. Note that Windows Server 10 (Windows Server 2016) is currently in preview, is not (yet) supported, but likely will be at or shortly after both reach RTM status.
  • Coexistence requires  Exchange Server 2013 Cumulative Update 8 or Exchange Server 2010 Service Pack 3 Rollup 9. This is lower than Exchange 2013 CU10+ or Exchange 2010 SP3 RU11+ as was mentioned at Ignite.
  • Exchange 2016 Preview works with Outlook 2013, Outlook 2010 with KB2965295, or Outlook 2016 (currently in Preview). This is a lower requirement than Outlook 2010 SP2 with KB2956191 and KB2965295 or Outlook 2013 SP1 with KB3020812 as announced at Ignite. Note that Mac users can utilize Outlook for Mac for Office 365 or Outlook for Mac 2011.
  • Not mentioned at Ignite, but something which recently was introduced in Exchange Online, is the introduction of auto-expanding In-Place Archives in Exchange 2016 Preview. After filling up the initial archive with 100 GB (default quota), Exchange will create auxiliary archives in chunks of 50 GB. To the end user using Outlook 2016 or Outlook for the web (the new Outlook WebApp branding), these archives will appear as a single archive. Downlevel Outlook clients will only display the initial 100 GB archive.

Meanwhile, the TechNet technical library has been updated with information on Exchange 2016. Be advised that this documentation may be incomplete and subject to change, and in fact may even be not on par with the preview product. However, as the product reaches RTM, the documentation should become more complete and final.

Some links to get you started:

  • The official announcement from the Exchange Team can be found here
  • Preliminary documentation for Exchange 2016 can be found on TechNet here
  • Documentation on Active Directory schema changes for Exchange 2016 can be found here

Needless to say, this is a preview. It’s great to play with in a lab, but don’t install it in your production environment unless you are part of the TAP program.

You can download the Exchange 2016 Preview here

HCW fails on intra-organization configuration

o365logoFor my lab, I often have to recreate the Exchange Hybrid configuration for a fresh setup of Exchange On-Premises using formerly used namespaces. Normally you would just run the Exchange Hybrid Configuration Wizard (HCW) after configuring certificates and endpoint URLs. If you don’t clean up the previous configuration information from your tenant upfront, you may then run in the following error message when running the HCW:

Updating hybrid configuration failed with error ‎’Subtask Configure execution failed: Configure IntraOrganization Connector Execution of the Get-IntraOrganizationConfiguration cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Multiple OnPremises configuration objects were found. Please use the OrganizationGuid parameter to select a specific OnPremises configuration object.

Multiple OnPremises configuration objects indicates there are multiple intra-organization objects defined in your tenant. You can clean up previous intra-organization configuration objects from your tenant as follows:

  1. First, in your Exchange On-Premises environment, run the Get-OrganizationConfig cmdlet from the Exchange Management Shell:
  2. Copy the Guid value, in the example 1a95d446-ff56-4399-a95e-8ab46c30912b.
  3. Connect to Exchange Online (instruction here).
  4. Check the existing On-Premises definitions in your tenant by running Get-OnPremisesOrganization. There should be more than 1 entry.
  5. To remove the orphaned objects, remove all the objects that don’t match the Organization Guid you retrieved from your On-Premises environment earlier, e.g.:Get-OnPremisesOrganization | Where { $_.OrganizationGuid –ne ‘1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OnPremisesOrganization
  6. Now you could try re-running the HCW immediately, but chances are you will run in another error caused by orphaned intra-organization connectors (IOC). In those cases, when the HCW tries to run New-IntraOrganizationConnector, it will fail as the namespace defined by TargetAddressDomains is already in use by an existing connector, and ‘The domain <domain> already exists in another intra-organization connector’ is reported. Those connectors, named ‘HybridIOC – ’, where GUID is the Guid of previously used organizations, exist in your tenant. In your Exchange Online session, run the following cmdlet to remove orphaned connector definitions:Get-IntraOrganizationConnector | Where { $_.Identity –ne ‘HybridIOC – 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-IntraOrganizationConnector
  7. While you’re at it, you also might want to remove previously created connectors. Again, in your Exchange Online session, run the following cmdlets to remove orphaned inbound and outbound connectors (again, using the previously noted Organization GUID):
    Get-OutboundConnector | Where { $_.Identity –ne ‘Outbound to 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OutboundConnector
    Get-InboundConnector | Where { $_.Identity –ne ‘Inbound from 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-InboundConnector

After removing these orphaned objects, you should be able to run the HCW succesfully.

Official 70-341 and 70-342 Preparation Books

mcse-messagingFor those striving for Exchange certification, there is nothing like good written material to prepare you for the exam at hand. Of course, hands-on experience is invaluable, but it could be you don’t know where to start, and find TechNet contents great for reference but more written with the support audience in mind. In those cases, you may need more guidance through the exam subjects, as with a regular course.

In this situation, the following two recently released Microsoft Press titles may be of interest:

Both books are the official preparation material for the exams, and they written by authors with proper field experience. Also, both Bhargav and Reid teached on the Microsoft Certified Master (MCM/MCSM) program at Microsoft in Redmond. If getting certified for Exchange 2013 is on your personal roadmap, be sure to check out these titles.

On another note, fellow Exchange MVP’s Tony Redmond, Michael van Horenbeeck and Paul Cunningham, together Jeff Guillet in the role of technical editor, will self-publish an e-book-only title, called “Office 365 for Exchange Professionals”. Intention of self-publishing an e-book-only title is to be able to incorporate Office 365 service changes more often. They plan to have it ready before Microsoft Ignite in 2 weeks time.

If you are looking for titles on Exchange or Exchange-related subject such as PowerShell or Active Directory, be sure to check out my section of recommended titles here.

iOS 8.3 Exchange-related fixes

iPhone 6 iOSToday, Apple released an update for iOS which supposedly fixes, amongst other things, some Exchange-related issues. The release notes of iOS 8.3 mentions the following Exchange-related fixes:

  • Exchange out-of-office message can now be edited separately for external replies.
  • Improves recovery of Exchange accounts from temporary connection problems.
  • Fixes an issue that caused Exchange meetings with long notes to be truncated.

As for any update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to allowing access to your production environment. Apart from potentially blocking the new iOS, monitor the support forums from Apple and Microsoft for related issues. To block a specific version of iOS, consult this page.

More information on known issues with Exchange ActiveSync and 3rd party devices can be found in KB2563324.

iOS 8.2 fixes Exchange-related issues

iPhone iOSToday, Apple released an update for iOS which supposedly fixes, amongst other things, some Exchange-related issues. The release notes of iOS 8.2 mention the following Exchange-related fixes:

  • Fixes stability of Mail
  • Addresses an issue that caused certain events in a custom reoccurring meeting to drop from Exchange calendar
  • Fixes an certificate error that prevented configuring an Exchange account behind a third-party gateway
  • Fixes an issue that could cause an organizer’s Exchange meeting notes to be overwritten
  • Resolves an issue that prevented some Calendar events from automatically showing as “busy” after accepting an invite.

However, some existing complaints are not resolved by this update, such as the WiFi performance issue.

It is a natural law that for every bug that is fixed, new ones are introduced. So, some organizations may therefor want to test and accept this iOS update before giving it the green light for their Exchange environment. To block a specific version of iOS, consult this page.

More information on current issues with Exchange ActiveSync and 3rd party devices can be found in support article KB2563324.

Impersonation: To be, or pretend to be

imageAs frequent readers of this blog may know, I made several Exchange-related scripts available to the community. Some of these scripts make use of what is called Exchange Web Services (EWS). I receive lots of questions via e-mail and through the comments about configuring impersonation or permission-related issues when running those scripts, which support delegated access as well as impersonation, against mailboxes. This blog shows how can configure delegation, why you should use impersonation, and how to configure impersonation on Exchange 2007 up to Exchange 2013 and Exchange Online in Office 365.


EWS provides functionality to allow client applications, such as Outlook or OWA apps, tools, or in my case scripts, to communicate with Exchange server. Even Exchange itself makes uses of EWS when performing Free/Busy lookups by the Availability services for example. EWS was introduced in Exchange Server 2007 back in December 2006, which now seems decades ago.

Some of these EWS scripts or tools access or even manipulate mailbox contents. In the MAPI era, in order for you to access a mailbox that’s not yours, you required delegated full access permissions. These permissions could be granted at the mailbox, mailbox database or mailbox server level. The latter would grant you access to all mailboxes hosted in that mailbox database. For example, to grant an account Archibald full access permission on the mailbox of Nestor, you would typically use something like:

Add-MailboxPermission –Identity Nestor –User Archibald –AccessRights FullAccess –InheritanceType All

Note: Specifying InheritanceType is sometimes overlooked. Not specifying it only configures an Access Control Entry (ACE) on the top level folder (InheritanceType None), resulting in symptoms like scripts not processing subfolders for example.

EWS enables you to use another access method besides delegation, which is impersonation. Impersonation, as the many online available dictionaries may tell to you, is ‘an act of pretending to be another person for the purpose of entertainment or fraud’ or something along those lines. In the Exchange world, this means you can have an account which has the permission to pretend to be the owner of the mailbox, including being subject to the same effective permissions. So, if for some reason the owner only has Read permission on a certain folder, so will the impersonator. Typical use cases for impersonation are for example applications for archiving, reporting or migration, but also scheduled scripts that need to process mailboxes could be one.

Before we dive into the configuration itself, first some of the reasons why you should should prefer Impersonation over delegated access:

  • No mailbox needed for the account requesting access.
  • Throttling benefits, since the operation is subject to the throttling policy settings configured on the mailbox accessed, not the throttling policy configured on the mailbox requesting access. To bypass these delegate limits, one had to configure and assign a separate throttling policy with no limits for the account. Of course, a bad behaving application could then run without boundaries from a resource perspective, something throttling policies try to limit.
  • In Exchange 2010 and up, impersonation leverages Role Based Access Control, which is better manageable than a collection of distributed  ACEs.
  • Actions performed by the impersonator are on behalf of the impersonated. This may complicate auditing, as logging will come up with actions performed by the impersonated user, not the impersonator.

Note that where ‘user’ is specified below with regards to granting permissions, one could also specify a security group as well unless mentioned otherwise.

Impersonation on Exchange 2007

On Exchange 2007, you configure impersonation by granting the following two permissions:

  • The ms-Exch-EPI-Impersonation permission grants the impersonator the right to submit impersonation calls. It is configured on Client Access Servers. This does not grant the impersonation right, just the right the make the call through a CAS server.
  • The ms-Exch-EPI-May-Impersonate when granted, allows the impersonator to impersonate selected accounts.

To configure these permissions in your Exchange 2007 environment, use:

Get-ClientAccessServer | Add-AdPermission –User svcExchangeScripts –ExtendedRights ms-Exch-EPI-Impersonation

Then, we can configure impersonation permission on the mailbox level:

Get-Mailbox Tintin| Add-ADPermission –User svcExchangeScripts –ExtendedRights ms-Exch-EPI-May-Impersonate

on the database level:

Get-MailboxDatabase MailboxDB1 | Add-ADPermission –User svcExchangeScripts –ExtendedRights ms-Exch-EPI-May-Impersonate

or mailbox server level:

Get-MailboxServer MailboxServer1 | Add-ADPermission –User svcExchangeScripts –ExtendedRights ms-Exch-EPI-May-Impersonate

Be advised that members of the various built-in Admin groups are by default explicitly denied impersonation permissions on the server and database level, and deny overrules allow. You will notice this when querying impersonation configuration settings, for example on the database level (in the screenshot example, olrik was granted impersonation permissions):

Get-MailboxDatabase | Get-AdPermission | Where { $_.ExtendedRights –like ‘ms-Exch-EPI-Impersonation’} | Format-Table Identity, User, Deny, IsInherited, ExtendedRights –AutoSize


Note that permissions assigned on the mailbox may not immediately be reflected as you are administering them in Active Directory. Changes in Active Directory are subject to AD replication, and the Exchange Information Store caches information for up to 2 hours, so worst case it may take up to 2 hours and 15 minutes for new permission settings to be re-read from Active Directory.

Impersonation on Exchange 2010 and 2013

Exchange 2010 introduced Role Based Access Control, better known by its acronym RBAC. For a quick introduction to RBAC, see one of my earlier blogs here. There is a management role associated with impersonation, which is ApplicationImpersonation.

To enable a user impersonation rights, create a new assignment for ApplicationImpersonation and assign it to the user:

New-ManagementRoleAssignment –Name 'AIsvcExchangeScripts' –Role ApplicationImpersonation –User svcExchangeScripts

Note that if we want to assign these permissions to a security group, we need to use the SecurityGroup parameter instead of User, specifying the group name.

Now be careful, when used like this you will have granted that user or group permission to impersonate all users in your Exchange organization. Here is where RBAC comes into play, or more specific the RBAC feature named management role scopes. With write scopes for example, you can limit the scope of where you can make changes in Active Directory. For more information on management role scopes, see here.

Let  us assume we want to limit the scope to a distribution group named ‘All Employees’, using New-ManagementScope in combination with RecipientRestrictionFilter. Note that when specifying MemberOfGroup in the filter, you need to use the distinguishedName of the group:

New-ManagementScope –Name 'Employee Mailboxes' –RecipientRestrictionFilter { MemberOfGroup –eq 'CN=All Employees,OU=Distribution Groups,OU=NL,DC=contoso,DC=com'} 

We can then apply this scope to the assignment created earlier:

Set-ManagementRoleAssignment –Identity 'AIsvcExchangeScripts' –CustomWriteScope 'Employee Mailboxes'

Be advised that in a multi-forest environment, impersonation doesn’t work when you assign permissions to cross-forest accounts. You either need to assign impersonation permissions to an account residing in the same forest as Exchange, or create a linked role group.

Impersonation on Exchange Online

Impersonation is available in most Office 365 plans, but currently not in the small business plans.  To configure Impersonation in Exchange Online we need to connect anyway, so we’ll first open a remote PowerShell session to Exchange Online:

$EXO= New-PsSession -ConfigurationName Microsoft.Exchange -ConnectionUri -AllowRedirection -Authentication Basic
Import-PsSession $EXO

Provide tenant administrator credentials when prompted. You can then see if you have the ApplicationImpersonation role at your disposal using:

Get-ManagementRole –Identity ApplicationImpersonation

If nothing is returned, you may need to resort to delegate access permissions.

Configuring impersonation is identical to configuring it in Exchange 2013. Nonetheless, some people may be more comfortable using the Exchange Admin Center. If so:

  1. Open up Exchange Admin Center.
  2. Navigate to Permissions > Admin Roles
  3. Now we can’t directly assign a management role through EAC, so assume we’ll create a role group for our application account by clicking New (+).
  4. Enter a name for your role group, e.g. ExchangeMaintenanceScripts.
  5. Add the role ApplicationImpersonation.
  6. Add the accounts which need Impersonation permissions, e.g. svcExchangeScript.
  7. Optionally, you can also select a Write Scope, which you need to create upfront through Exchange Management Shell.
  8. In Exchange on-premises, instead of a Write Scope you will have the option to select a a specific OU instead (scope filter RecipientRoot parameter) .
  9. When done, Save.


One word of caution: scopes are not automatically updated when objects referenced are relocated or change names. Now, for your own environment you may have this under control through some form of change management process. For Exchange Online however, your tenant might get relocated without notice. Therefor, should impersonation fail, verify any management scopes you may have defined for distinguishedName references, and check if they require updating, e.g.

Set-ManagementScope -Name 'All Employees' -RecipientRestrictionFilter { MemberOfGroup -eq 'CN=All Employees,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR05A001,DC=prod,DC=outlook,DC=com'}

Final words

Note that many EWS-based scripts or tools do not natively support EWS but make use of the Exchange Web Services Managed API. This installable package consists of support files (e.g. DLL’s) which provide EWS functions to your PowerShell environment. You can download the current version of EWS Managed API here (2.2). You can read more on developing with EWS Managed API here, or you can have a peek at the source of code of one of my EWS scripts or the ones published by Exchange MVP-fellow Glen Scales’ here.

Clearing AutoComplete and other Recipient Caches

Exchange 2010 LogoAnyone who has participated in migrations or transitions to Exchange has most likely encountered or has had to work around potential issues caused by the nickname cache. A “cache,” also known by its file extension, NK2 in older Outlook clients, is a convenience feature in Outlook and Outlook WebApp (OWA) which lets users pick recipients from a list of frequently-used recipients. This list is displayed when the end user types in the first few letters.

The potential issue revolves around end users using those lists to send messages, as the list contains cached recipient information. Because this information is static, it may become invalid at some point. Thus, when users pick recipients when sending messages, they may be sending messages to non-existent recipients or invalid e-mail addresses, which create issues like non-delivery of e-mail.

Read the full article over on ENow Solutions Engine blog.


Using the script mentioned in the article, which can be used to clear cached recipient information, is straightforward. It requires Exchange 2010 or later and Exchange Web Services Managed API 1.2 (or later) which you can download here. Alternatively, you can copy the Microsoft.Exchange.WebServices.DLL with the script as it will also look for it in the current folder.

The script Clean-AutoComplete.ps1 has the following syntax:

Clear-AutoComplete.ps1 [-Mailbox] <String> [-Server <String>] [-Impersonation] [-Credentials <PSCredential>] [-Type <Array>]


  • Mailbox is the name or e-mail address of the mailbox.
  • Server is the name of the Client Access Server to access for Exchange Web Services. When omitted, the script will use AutoDiscover.
  • Switch Impersonation specifies if impersonation will be used for mailbox access, otherwise the current user context will be used.
  • Credentials specifies the user credentials to use.
  • Type specifies what cached recipient information to clear. Options are Outlook  (Outlook AutoComplete stream), OWA (OWA Autocomplete stream), SuggestedContacts, RecipientCache or All. Default is Outlook,OWA.

So for example, suppose you want to clear the Autocomplete stream used by Outlook on a mailbox, you can use:

Clear-AutoComplete.ps1 -Mailbox Olrik -Type Outlook -Verbose

ScreenCapTo remove the Autocomplete stream used by OWA on your Office 365 account, you can use:

Clear-AutoComplete.ps1 -Mailbox –Credentials (Get-Credential) –Type OWA

Feedback is welcomed through the comments. If you got scripting suggestions or questions, do not hesitate using the contact form.

You can download the script from my Technet Gallery here.

Revision History
See Technet Gallery page.



Exchange 2010 SP3 Rollup 5

Exchange 2010 LogoToday the Exchange Team also released Rollup 5 for Exchange Server 2010 Service Pack 3 (KB2917508). This update raises Exchange 2010 version number to

This Rollup also adds support for using Windows Server 2012 R12 domain controllers in your Exchange 2010 SP3 RU5 environment as well as support for running Windows Server 2012 R2 forest and domain functional levels.

This Rollup includes the following fixes:

  • 2887459 Public folder expiry time is set incorrectly in Exchange Server 2010 SP3
  • 2892257 Email items are lost when you move items between shared folders by using EWS delegate access
  • 2897935 “Cannot save the object ‘\FolderName'” error message when you try to replicate Exchange Server 2010 public folders
  • 2898908 EdgeTransport.exe crashes if the From field is empty in an email message
  • 2903831 Only a single character is allowed in the disclaimer content in ECP
  • 2904459 RPC Client Access service crashes if you add “Signed By” or “Send From” column in Outlook online mode
  • 2913413 RPC Client Access service crashes with an exception in Exchange Server 2010
  • 2913999 Meeting request body and instructions are lost in delegate’s auto-forwarded meeting request
  • 2916836 EdgeTransport.exe crashes when a transport rule sends a rejection message to an empty address
  • 2919513 Memory leak or memory corruption occurs in Exchange Server 2010
  • 2924971 RPC Client Access service stops when you select an inactive search folder in Outlook 2007 in an Exchange Server 2010 SP3 environment
  • 2926057 EdgeTransport.exe crashes if seek operation failed in Exchange Server 2010
  • 2927856 Incorrect recurring meeting if disclaimer transport rule is enabled in Exchange Server 2010


  • As of Service Pack 2 Rollup 4, its no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • If you got a DAG and want to properly update the DAG members, check the instructions here.
  • Rollups are cumulative, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP3 Rollup 5 here.