Exchange 2019 Preferred Architecture

Ex2013 LogoMicrosoft has been promoting Docs as the new home of product documentation for a while now. And now a long awaited piece of Exchange 2019 documentation has been published, the Exchange 2019 Preferred Architecture.

The Preferred Architecture – or PA – contains information on how to plan and deploy Exchange 2019 using commodity hardware. It also contains more guidelines on deploying Exchange 2019 using its new Metacache database (MCDB) feature; SSDs to store meta data to speed up storage access, improving overall performance and user experience.

Still missing in the planning instruments is an updated Exchange role requirements calculator for Exchange 2019, incorporating things like the metacache database etc. I’m pretty sure that is being worked on to be released at a future date.

Also quiet convenient is that GitHub being the platform allows the team to provide a feed on Exchange content updates. Really nice to quickly see latest additions and changes in documentation.

Security Updates for Exchange 2016

A quick heads-up as Microsoft released security update for supported releases of Exchange Server 2016.

The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:

  • CVE-2018-8604: Microsoft Exchange Server Tampering Vulnerability
    A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data. An attacker who successfully exploited this vulnerability could modify a targeted user’s profile data.

You can download the security updates here:

Notes:

  • KB4468741 for Exchange Server 2016 CU10 supersedes KB4459266.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

Exchange 2019 released

Ex2013 LogoToday will be a day long remembered, as it has seen the release of Exchange Server 2019. After the Ignite event in September, release of Exchange 2019 was more or less imminent. Well now it’s out there – on Volume License Center to be exact – and while most details were announced at Ignite as well, there have been some features which didn’t make it in part or entirely to RTM.

To start with formalities: The version number of Exchange 2019 RTM is 15.2.221.12. After preparing your Active Directory forest, the schema version is 17000, while the forest and domain versions will become 16751 and 13236 respectively.

Looking at the VL requirement as well as the dimensioning, it’s clear Exchange server 2019 is positioned as a product for enterprises; small to medium-sized business should aim for Office 365.

Highlights
A detailed summary of Ignite announcements on Exchange 2019 was published earlier here. To recap, some major highlights:

  • Volume Licensing only, and no “Hybrid Server key”.
  • FFL 2012R2 and later.
  • Exchange Server 2019 on-premises is permanently branched from Exchange Online.
  • MetaCache Database (MCDB) storage tiering with SSD’s for improved UX and mailbox density (+20%). Recommended ratio SSD:HDD is 1:3.
  • Dynamic Database Cache to dynamically balance memory over active and passive copies cache.
  • Big Funnel search technology leveraging mailbox database for availability.
  • Supports up to 48 cores, recommended memory 128GB Mailbox/64GB Edge server roles to benefit scaling improvements. Maximum supported memory is 256GB.
  • Requires Windows Server 2019, desktop or core.
  • Requires .NET Framework 4.7.2, VC++ redistributable and UCMA (Mailbox only).
  • Co-existence support with Exchange 2013 and 2016.
  • UM role is gone.

Documentation
The official documentation can be found online on Docs here. For an overview of the sessions presented at Ignite on Exchange and related topics like calendaring, see here.

Notes
If you get a message when trying to install saying (desktop and core):

Setup can’t continue with the upgrade because the taskhostw (<PID>) has open files. Close the process, and then restart Setup. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ProcessNeedsToBeClosedOnUpgrade.aspx

You can close the process with taskkill /f /pid <PID>.

Other articles
Other articles on the release of Exchange Server 2019:

Do make sure you read the release notes, which contains important information on potential issues.

In other news
The following products were also released today:

Exchange Updates – October 2018

Ex2013 LogoThe Exchange Team released the October update for Exchange Server 2016. You may notice the absence of Exchange 2013, which is now in extended support phase and thus won’t receive regular updates. This heads-up was also given together with the updates of June.

Version Build KB Download UMLP Schema?
Exchange 2016 CU11 15.1.1591.10 KB4134118 Download UMLP No

This update contain the following important changes and notes:

  • Exchange 2016 CU11 – as well as Exchange 2013 CU21 – are supported with .NET Framework 4.7.2; at least .NET Framework 4.7.1 is required for both.
  • Exchange 2016 CU13 (the June 2019 release, December will be skipped) will start requiring .NET Framework 4.7.2, similar to the release of Exchange 2019; Windows Server 2019 will contain .NET Framework 4.7.2.
  • Exchange 2016 requires installation of VC++ 2012 runtime prior to installation. Additionally, when installing the Mailbox role, VC++ 2013 runtime needs to be installed as well.

Exchange 2016 CU11 fixes:

  • 4076516 Email message body is garbled when the Russian version of Outlook is used in Exchange Server 2016
  • 4095967 CultureNotFoundException when you select an LCID 4096 language in Exchange Server 2016
  • 4456225 The image in a signature that’s created in Outlook on the web isn’t visible to external users in Exchange Server 2016
  • 4456226 Require SSL setting of MAPI virtual directory is reset after you install a cumulative update of Exchange Server 2016
  • 4456227 ActiveSync clients cannot connect or synchronizing is delayed in an Exchange Server environment
  • 4456228 Add an option to control UseAscReqNoToken through app configuration for Exchange Server 2016
  • 4456229 Irrelevant management role entries without parameters are displayed in Exchange Server 2016
  • 4456230 Component/protocol level bypass option for InternetWebProxy to avoid unnecessary proxy traffic within internal networks
  • 4456231 AdvancedDataGovernanceLogs is created on the D drive after deploying Exchange Server 2016
  • 4456232 Outlook on the web enters an authentication loop when you use device registration in Exchange Server 2016
  • 4456234 Email can’t be delivered when the subject has an unknown character set in Exchange Server 2016
  • 4456240 “CrimsonProbe has been poisoned repeatedly” error when migrating mailboxes to Exchange Server 2016
  • 4456243 Hashed lines shown in scheduling assistant when Exchange Server 2016 tries to retrieve free/busy information across untrusted forests
  • 4456244 Public folder forwards the new item that you create in Exchange Server 2016
  • 4456245 Event ID 4999 and NullReferenceException when the New-MailboxRestoreRequest and New-MailboxExportRequest cmdlets fail in Exchange Server 2016
  • 4456247 StoreDriver.config validation fails then meeting reminder can’t be set to “None” in Exchange Server 2016
  • 4456249 Message tracking logs can’t be fully indexed in Exchange Server 2016
  • 4456250 Users can download and view attachments that exceed the maximum attachment size setting in mobile device mailbox policy in Exchange Server 2016
  • 4456259 Exchange Server 2016 user can’t access a shared calendar from Exchange Server 2013
  • 4456233 UAPStatisticsLog and RecordReview are created on the D drive after you deploy Exchange Server 2016
  • 4459847 Can’t send S/MIME encrypted mail or update the S/MIME control from Outlook on the web in Exchange Server 2016

Notes:

  • Exchange 2016 CU11 does not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Hybrid Configuration Wizard & F12

A small tip for those running the Exchange Hybrid Configuration Wizard. As announced at Ignite yesterday, a convenient feature was added to the HCW and is available now. Pressing F12 in the HCW will now open up a panel with shortcuts to the following tools and locations:

  • Exchange Management Shell
  • Exchange Online PowerShell
  • (current) Hybrid Configuration Wizard Log File
  • Create Support Package (to zip HCW logs for support)
  • Open Logging folder (of HCW)
  • Open Process Folder (of the HCW app)

Here is how it looks:

image

This might save you an occasional click or two.

Exchange Announcements @ Ignite

Ex2013 LogoUpdate Sep27th: Added Outlook 2013 to list of supported clients.

During Ignite 2018, details are announced to the public on Exchange Server 2019, Exchange Online, as well as Office 365 and related technologies. In this article I’ll try to summarize all the details in a readable format for your reference. The list is probably inconclusive; if you think anything is missing, let me know to I can update the article.

Exchange Server 2019

  • Distributed through Volume licensing only
    • Implication is that there will be no “Hybrid Server Key”
  • Release planned for later this year
  • Windows Server 2019 required
    • Windows Server Core recommended (security, smaller attack surface and disk footprint)
    • Exchange supports in-place upgrading of underlying operating system per Windows Server 2019.
  • Support for co-existence with n-2
    • Exchange Server 2016 and Exchange Server 2013.
    • Outlook 2013-Outlook 2019, Outlook 2016/Max and Outlook for Mac for Office 365.
  • Forest Functionality Level 2012R2 or later
  • Support for up to 48 CPU cores (Exchange 2016: 24)
  • Recommended minimum memory for Mailbox server 128GB, and 64GB for Edge Transport. Maximum memory is 256GB (Exchange 2016: 192GB). The reason for 128GB recommendation is that the .NET scaling benefits (see below) only work from around 100GB and up.
  • Page file 25% of installed memory (Exchange 2016: Maximized at 32GB).
  • .NET Framework 4.7.2, Visual C++ Redistributable and UCMA (Mailbox only)
  • Uses Server GC instead of Workstation GC for some IIS application pools. Better .NET memory management and improves CPU/memory scaling.
  • Will only use TLS 1.2 (there’s a transition mode supporting lower TLS versions, but for that all existing Exchange versions need to support 1.2 as well)
  • No more UM, options:
    • Move all users and mailboxes to Office 365
    • Migrate to Skype for Business Server 2019
    • Remain on Exchange 2016 (EOL 2026)
    • 3rd party VoiceMail solution
  • MetaCache Database uses storage tiering
    • Leverages SSD’s
    • Use SSD to spinning disk ratio 1:3
    • Caches indexes, mailbox folder structures and small items
    • Improves UX: faster logons, searches and small items retrieval
    • Allows for higher mailbox density per server (+20%
    • Utilize larger disks
  • Client Access Rules
    • Restrict external access to EAC and PowerShell
    • Evaluated at server level, so external connections need to hit Exchange 2019.
  • Additional perks for administration and end users
    • Remove-CalendarEvents to remove meetings from a person (e.g. leaver)
    • Recurring meetings will receive a default end date
    • Meetings can be restricted to prevent forwarding
    • Setting Out of Office in OWA allows for blocking calendar for that period, as well as decline current meetings and future meeting invites during that period.
  • Calculator and additional guidance on its way
  • On the Roadmap
    • On-premises Modern Authentication
    • Extending Client Access Rules to other protocols
    • Mailbox Encryption using Customer Keys
    • Monitoring and Analytics tools
    • Blocking legacy authentication methods
    • Removal of RPC/HTTP support (Outlook Anywhere)
    • Simplified Calendar Sharing

The Exchange Server 2019 documentation went live here. Some additional details were included in this list.

On another note: Greg Taylor gave an interview to Phoummala Schmitt (aka @ExchangeGodess) for Channel 9 on Exchange 2019. That replay can be watched here. Also, Scott Schnoll and JeffMealiffe as well as Greg Taylor and Ross Smith were interviewed by TheCube; those recordings can be watched here and here respectively.

Exchange Hybrid

  • Organization Configuration Transfer (OCT) version 2
    • Planned for October 2018
    • Adds the following to OCT v1 (current)
      • ActiveSync Device Access Rules
      • ActiveSync Organization Settings
      • Address Lists
      • DLP Policies
      • Malware Filter Policies
      • Policy Tips
      • Organization Config
    • Introduces conflict handling with review mode
    • Generates a script to undo changes
  • Exchange Hybrid deployment
    • Microsoft Hybrid Agent
    • Installed using HCW (‘Modern Hybrid’); ‘Classic Hybrid’ still an option
    • Hybrid Agent leverages Azure Application Proxy technology
      • Hybrid Proxy Service in the service will proxy requests between Exchange Online and Exchange on-premises.
      • No changes required to URLs or certificates
      • Hybrid Agent uses outbound connection only (port 80/443) to obfuscated unique URL (https://{GUID}.resource.{flow}.his.msappproxy.net. This URL is configured as TargetSharingEpr on the OrganizationalRelationship in Office 365
      • Running multiple agents is supported for availability and scaling
      • Outbound connections means less arrangements to make on (inbound) firewall rules (but another agent, like PTA, ADConnect Health Agent, regular Azure Application Proxy, to bypass security blockades may introduce other concerns)
    • Version 1 will support Free/Busy and MRSProxy and is in Private Preview now

The Exchange team published a quick blog on OCT and Hybrid Agent here.

Exchange Sessions @ Ignite 2018

ignite2018Among all the announcements of upcoming products and changes in the service, more details will also be revealed of Exchange Server 2019 and related products at Ignite next week. To those who are not able to attend, like yours truly: do not despair as Microsoft will be live streaming all keynote, breakout and community theater sessions.

The place to view those streams is through the Tech Community portal, and likely the session info pages will be used to embed the streams or provide links as they become available.

For this purpose, I made a short list of Exchange Server related sessions scheduled at Ignite 2018 for reference and easy access next week:

Session When Title Speakers
THR3024 9/24 3:00PM How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less Jeff Guillet
BRK2176 9/24 16:00 PM Welcome to Exchange Server 2019! Greg Taylor, Brent Alinger
BRK3148 9/25 10:45 AM Securing Exchange Online from modern threats Brandon Koeller
BRK3375 9/25 2:15 PM Notes from the field: How a large global bank moved to Office 365 Erik Knoppert, Michael Van Horenbeeck
BRK2165 9/25 3:15 PM What’s new in Groups in Outlook Ravin Sachdeva, Sri Ramya Mallipudi
THR3123 9/25 4:00 PM Getting stuff done: Solving Office 365 problems with PowerShell Tony Redmond
BRK3128 9/25 4:00 PM Outlook on the web: What’s new and why you should care Joey Masterson, Charlie Chung, Gabriel Valdez Malpartida, Cindy Kwan
THR3076 9/25 11:05 PM Azure Information Protection and Exchange Online – better together Michael Van Horenbeeck
BRK3129 9/26 9:00 AM Turbo charge your Exchange on-premises and hybrid environment: Notes from the field Steve Goodman
BRK3143 9/26 10:00 AM Hybrid Exchange: Making it easier and faster to move to the cloud Jeff Kizner
THR2129 9/26 11:20 AM Office 365: Five important lessons learned during a one million mailbox migration J. Peter Bruzzese
BRK2177 9/26 12:00 PM Outlook mobile for the enterprise Tali Roth, Michael Palermiti, David Pearson
THR3025 9/26 15:00 PM Preparing to move (or remove) those public folders to the cloud Michael Van Horenbeeck
BRK3130 9/26 16:00 PM Email search in a flash! Accelerating Exchange 2019 with SSDs Tobias Klima, Damon Gilkerson
BRK3146 9/27 9:00 AM What’s amazing and new in calendaring in Outlook! Julia Foran, Jennifer Lu, Will Holmes
BRK3145 9/27 10:00 AM Deploying Outlook mobile securely in the enterprise Ross Smith IV
THR2044 9/27 10:45 AM The top six PowerShell commands you need to know to manage Office 365 Steve Goodman
THR2392 9/27 11:00 AM Executive impersonators & fraudsters be gone! Using active defense & predictive artificial intelligence to secure your Office 365 email environment Vidur Apparao
BRK3131 9/27 12:45 PM Office 365: Marriages, divorces, and adoptions Steve Goodman
BRK3258 9/27 2:00 PM Panel discussion: Microsoft Exchange/Calendar/OWA Damon Gilkerson, Brent Alinger, Julia Foran, Jeff Kizner, Brandon Koeller, Joey Masterson, Brian Day, Robin Thomas
THR3024R 9/27 15:00 PM How to add MFA to your Exchange on-premises or Exchange Online mailboxes in 20 minutes or less (REPEAT) Jeff Guillet
THR2145 9/27 16:00 PM Why do we need to keep an Exchange Server on-premises when we move to the cloud? Brian Reid
BRK3279 9/28 9:00AM So long and thanks for all the (email) phish Brian Reid
BRK3147 9/28 12:00 PM Scott Schnoll’s Exchange and Office 365 tips and tricks Scott Schnoll

Note that the table above was constructed using the Get-EventSession script. That script has been updated recently so it can also download on-demand sessions when downloadable video contents aren’t available (e.g. Inspire). I’ll be closely monitoring next week to check if the script can cope with the way Ignite contents will be published.

Security Updates for Exchange 2016, 2013 and 2010

Ex2013 LogoA quick heads-up as during my vacation Microsoft released security updates for supported releases of Exchange Server 2016 and 2013 as well as Exchange Server 2010.

The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:

  • CVE-2018-8302 Microsoft Exchange Memory Corruption Vulnerability
  • CVE-2018-8374 Microsoft Exchange Server Tampering Vulnerability (Exchange 2016 only)

You can download the security updates here:

Notes:

  • Be advised that Exchange 2010 SP3 Rollup 23, like recent Cumulative Updates of Exchange 2016 and 2013, requires Visual C++ Redistributable Packages for Visual Studio 2013 (download).
  • KB4340731 supersedes the previous security update KB4092041 for Exchange 2016 and Exchange 2013.

Be advised that for Exchange 2013 and 2016, Security Updates are Cumulative Update level specific. While the downloaded security updates may carry the same name, the files are different and you cannot apply the downloaded security update file for Exchange 2016 CU8 to Exchange 2016 CU9. I suggest adding some form of identification of the Cumulative Update to the file name when you archive it, e.g. Exchange2016-KB4340731-x64-en-CU10.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

Exchange Server 2019 Preview is here!

Ex2013 LogoToday, long after its announcement at Ignite 2017, finally Exchange Server 2019 Public Preview was released. The Product Groups’ post contains information on the changes and features introduced with this Exchange 2019 Public Preview version, some of which were already teased at at Ignite 2017, e.g. session BRK3222 (announcement) and BRK3249 (Modern Authentication on-premises).

The most noticeable changes included in this Public Preview are summarized below. But before continuing, you can start downloading the Exchange 2019 Public Preview bits here.

Deployment
No official statement on required Forest and Domain Functional Levels, so it’s the same for Exchange 2019 Preview as for Exchange 2016, which is Windows Server 2008 R2 minimum. That might change at release time though, as Windows Server 2008 R2 is already in extended support. With WS2012 going out of mainstream support in October, WS2012 R2 is the most likely FFL/DFL requirement.

The build number of the preview is 15.2.191.1; the schema version for Exchange 2019 Public Preview is the same as Exchange 2016 CU7 and later, 15332.

Operating Systems
Exchange 2019 Public Preview can be installed on Windows Server 2016 as well as Windows Server 2019 Preview, both Desktop Experience and Core editions. Yes, Exchange 2019 runs on Server Core! In fact, the Exchange team really want you to try running it on Server Core. Also, by running on Server Core, you are reducing the potential attack surface, which makes it more secure system.

Scaling
Exchange 2019 can take advantage of hardware developments, and will support a larger number of cores as well as memory. Where Exchange 2016 scaling support was limited to 24 cores and 192GB of memory, Exchange 2019 will happily support up to 48 CPU cores and 256GB of memory.

Search and Indexing
Search will leverage yet another a new engine, Big Funnel, which is already being used for Exchange Online. Result of this change is that indexes will no longer be a separate ecosystem of files per database copy, but will be stored within the mailbox database. The advantages of this are that indexes will leverage the existing replication mechanism and protection offered by the Database Availability Group, and as indexes replicate with the data, this also means no more rebuilding of unhealthy indexes or trailing content indexes. This is also beneficial for fail-over times.

Storage
Exchange 2019 will support tiering of storage using SSD’s at release time, but that is currently not enabled for the Public Preview release. SSD’s are going to be used to store (read/write) hot data in a sort of intelligent cache, lowering overall latency and in the end benefitting user experience.

Calendaring
imageThe new Calendar Sharing model from Office 365 will be ported to Exchange on-premises. More information on this feature in Exchange Online here.

Also in the ported functionality department, it will be possible for meeting organizers to set Do not Forward for meeting requests, preventing attendees from forwarding those meeting requests to others.

And last but not least, administrators will receive some convenient PowerShell cmdlets to manage Calendars, such as Remove-CalendarEvents for cancelling future meetings on attendee and resource calendars, and Add-MailboxFolderPermission gets the SharingPermissionFlags parameter to assign delegate permissions.

Unified Messaging
Exchange 2019 will no longer support Unified Messaging. If you’re using a 3rd party PBX or Skype for Business Server, that will no longer work with Exchange 2019. In those circumstances, apart from staying on or migrating to Exchange 2016 for the time being depending on your scenario, steps to take when you want to migrate to Exchange 2019 in those circumstances will be:

  • Migrate to Skype for Business Server 2019 using Cloud Voice-Mail.
  • Migrate to Office 365 with Cloud Voice-Mail.

Co-existence
No official statement yet, but if the policy set by Exchange 2016 and Exchange 2013 continues, only Exchange major version n-2 will be supported for co-existence, meaning Exchange 2013 and later for co-existence, and the need to leverage Exchange 2016 when migrating from Exchange 2010 (EOL April 2020).

.NET Framework
No word yet on supportability, so assume the same policy as for the latest Exchange 2013 and Exchange 2016 CU’s, which require .NET Framework 4.7.1. No information yet if .NET Framework 4.7.2 is or will be supported.

UCMA
The required UCMA for Server Core is provided with the ISO, and is located in the UCMAredist subfolder.

Concluding
Of course, with Ignite coming up end of September, it is expected a lot more will be disclosed on the new Exchange release, such as guidance on the deprecation of UM, deploying Modern Authentication, storage tiering and Core support.

Needless to say, this is a preview. It’s great to play with in a lab, but don’t install it in your production environment unless you are part of the TAP program. I repeat, this is not intended for your production deployment.

Apart from Exchange 2019 Preview, other previews of wave 2019 products were also released today (or earlier):

Finally, the update of the Hybrid Configuration Wizard app with integrated Licensing feature was released today as well. You can access it at http://aka.ms/HybridWizard.

Issues with July Updates of Windows

bandaidLast Update July 19th: Corrected Update information.

About a week ago, Microsoft released the July Updates for Windows systems. Unfortunately, something must have gone wrong in quality control, because people were reporting all sorts of issues, mostly related to IIS and Exchange servers.

The issue is created at the operating system level, probably due to changes in networking as mentioned in the July update notes. Therefor, symptoms can be experienced on systems running Exchange Server 2016 or even back to Exchange Server 2007.

Some of the symptoms are:

  • The World Wide Web Publishing Service – W3SVC – won’t come up, remains in a “stopping” state, but cannot fully stop or it cannot be restarted.
  • Exchange Transport and SMTP services becomes unresponsive or stops, causing mail flow issues (Source).

The issues were serious enough to have the Exchange PG publish a notice.

Meanwhile, Microsoft has released a superseding update for Windows Server 2016, and updates for older operating systems. However, looking at the information provided with updates for older operating systems, there are fixes for the original security updates, and (previews of) Monthly Rollups for the July updates. Replacements and updates may manifest themselves in Windows Update only after installing the original – faulty – update, meaning you might have to go through more than one Windows Update cycle (and possibly reboot) for the updates to become visible and installable. This applies to the Monthly Rollups as well.

The table below contains information on the original rollups and updates, the update you need to apply, and the type of update.

Operating System Original Update Update Type Comments
Windows Server 2016 KB4338814 KB4345418 Monthly Rollup Replacement
Windows Server 2012 R2 KB4338815 KB4338831 Monthly Rollup Replacement
KB4338824 KB4345424 Security Update Update for v1
Windows Server 2012 KB4338830 KB4338816 Monthly Rollup Replacement
KB4338820 KB4345425 Security Update Update for v1
Windows Server 2008 R2 KB4338823 KB4345459 Security Update Update for v1
KB4338818 KB4338821 Monthly Rollup Replacement
Windows Server 2008 KB4295656 KB4345397 Security Update Update for v1

Finally, apart from adopting a less aggressive updating strategy, this again shows unfortunately that having a separate production environment next to your test environment is no frivolous luxury.