What to do with public folders when moving to Exchange Online

Moving to Exchange Online

A migration to Office 365 can become difficult when it comes to public folders. When the plan is to migrate from, for instance, Exchange 2010 to Exchange Online, a decision has to be made: what to do with the public folders? In my opinion there are three scenarios worth discussing, and in this blog post I will write them down.

A little bit of history

For youngsters in IT like myself it is pretty hard to understand what public folders are and what they do, simply because we never worked with them. Luckily there are experienced Microsoft professionals like my colleague Michel de Rooij who can explain this perfectly.

So what is a public folder? According to TechTarget: in Microsoft Outlook, a public folder is a folder created to share information with others. The owner of a public folder can set privileges so that only a select group of users has access to the folder, or the folder can be made available to everyone on the network who uses the same mail client. Public folders in Outlook can contain contacts, calendar items, messages, journal entries or Outlook forms.

Public folder scenarios

Below I describe three scenarios for what to do with public folders. In these options I also keep in mind that most companies want to get rid of their public folders.

Scenario 1: Migrate legacy public folders to modern public folders

Microsoft has published an article on TechNet on how to migrate legacy public folders to modern public folders in Office 365. In this case Microsoft simply continues to support public folders after they are migrated to Office 365.

The migration itself has some limitations, which I summarize below.

  • Exchange 2010 SP3 or higher is needed
  • A legacy public folder cannot be larger than 2 GB
  • A public folder name cannot contain a backslash (\) or other special characters
  • Modern public folders are not accessible to legacy (on-premises) users
  • All users need to be migrated first
  • A maximum of 1000 public folders is allowed
  • Big-bang migration with downtime

As you can see there are some limitations and difficulties. Most of the difficulty is in managing expectations on the business side, because public folders need to be cleaned up or renamed before they can be migrated.

Scenario 2: Migrate public folders to Office 365 Groups

The second scenario is to migrate the legacy public folders to Office 365 Groups. Microsoft has described this in a TechNet article as well. When moving public folders to Office 365 Groups there are some difficulties that need to be managed before you can start the migration. One of these is that only mail and calendar items can be migrated to an Office 365 Group.

Below you find the summary of limitations.

  • All users must be migrated to Office 365 before you begin
  • The work process for end users will change (they will use an Office 365 Group instead of a public folder)
  • Office 365 Groups are not accessible to legacy (on-premises) users
  • Only mail and calendar items are supported
  • A public folder can be at most 25 GB to be migrated
  • A phased migration is possible when using Exchange 2013 or later
  • Downtime

Scenario 3: Do not migrate public folders to Office 365

When you have Exchange 2010 in a hybrid setup it is possible to configure public folder coexistence. This means the public folders stay where they are, but are accessible both from on-premises and from Exchange Online mailboxes. There are some limitations; one of them is that these public folders cannot be opened from Outlook on the web (outlook.office365.com/owa), only from the Outlook client.

Remember I told you in the beginning that there is probably a scenario to get rid of the public folders? Well, in my opinion this is the best and most business-friendly way to do it.

So make sure coexistence is in place. Next, set the public folders to read-only and give the users a shared mailbox, an Office 365 Group or even a team as their new place to collaborate.
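As an added example (not code from the original post), this is the read-only step scripted for the Exchange Management Shell on the on-premises server: every client permission entry on the public folder tree that carries write rights is downgraded to Reviewer, while one administrative owner is kept. The admin account name, the root folder and the -WhatIf dry-run switch are assumptions of the example; entries for deleted accounts (which show up as orphaned SIDs) are reported but left alone, because they should be removed rather than downgraded.

```powershell
# Added example, not part of the original post. Run in the on-premises
# Exchange Management Shell (Exchange 2010 SP3 or 2013) before cutting users
# over to shared mailboxes, Office 365 Groups or Teams.
param(
    [string]$RootFolder = '\',            # assumption: start at the root of the IPM subtree
    [string]$KeepOwner  = 'svc-pfadmin',  # hypothetical admin account that stays Owner
    [switch]$WhatIf
)

# Every right above Reviewer lets a user create, edit or delete items.
$writeRights = 'Owner','PublishingEditor','Editor','PublishingAuthor','Author',
               'NonEditingAuthor','Contributor'

# Exchange 2010 requires -AccessRights on Remove-PublicFolderClientPermission;
# Exchange 2013 and later dropped that parameter. Detect it instead of guessing the version.
$removeNeedsRights = (Get-Command Remove-PublicFolderClientPermission).Parameters.ContainsKey('AccessRights')

$folders = Get-PublicFolder -Identity $RootFolder -Recurse -ResultSize Unlimited |
           Where-Object { $_.Identity.ToString() -ne '\' }   # the root itself holds no items

foreach ($folder in $folders) {
    foreach ($perm in Get-PublicFolderClientPermission -Identity $folder.Identity) {
        $user = $perm.User.ToString()      # 'Default', 'Anonymous' or a display name
        if ($user -eq $KeepOwner) { continue }

        # Orphaned entries (deleted accounts) cannot be re-added by name; clean those up separately.
        if ($user -match 'S-1-5-') {
            Write-Warning ('{0}: orphaned entry {1}, remove it instead of downgrading' -f $folder.Identity, $user)
            continue
        }

        $hasWrite = @($perm.AccessRights | Where-Object { $writeRights -contains $_ }).Count -gt 0
        if (-not $hasWrite) { continue }   # Reviewer/None/FolderVisible entries stay untouched

        Write-Host ('{0}: {1} [{2}] -> Reviewer' -f $folder.Identity, $user, ($perm.AccessRights -join ','))
        if ($WhatIf) { continue }

        if ($removeNeedsRights) {
            Remove-PublicFolderClientPermission -Identity $folder.Identity -User $user `
                -AccessRights $perm.AccessRights -Confirm:$false
        } else {
            Remove-PublicFolderClientPermission -Identity $folder.Identity -User $user -Confirm:$false
        }
        Add-PublicFolderClientPermission -Identity $folder.Identity -User $user -AccessRights Reviewer
    }
}
```

Run it once with -WhatIf and keep the printed list: it is the record of who had write access, which you will need if the business asks for a folder to be reopened during the transition.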

One last thing to keep in mind: when you go for this option you have to keep your on-premises environment a little bit longer before you decommission it, because the public folders still live there.

Export all mailboxes with their sizes to TXT or CSV with PowerShell

Export mailboxes

Most of the time in a mailbox migration project there is a phase in which you need to inventory the user mailboxes and their sizes. To get this data out of Exchange you need the Exchange Management Shell (PowerShell).


To get mailbox data out of Exchange you can use the command Get-MailboxStatistics -Identity "sAMAccountName" | fl. This gives you the complete statistics output for the mailbox of that account (for instance the j3rmeyer account).

If you look further you notice that there is only one truly unique attribute in this output that you can later match with Active Directory: the MailboxGuid (stored in AD as msExchMailboxGuid). Display names are not unique, so do not match on those.

To get this data out of Exchange in a useful way, combine the MailboxGuid with the DisplayName.

The script

In this script I combine the display name with the MailboxGuid and the total size of the mailbox. I also want to export all mailboxes on a specified Exchange server, so instead of the identity of a user you pass the server name.

Below you find the script I use to export such data:

Get-MailboxStatistics -Server "DATABASESERVERNAME" | Sort-Object TotalItemSize -Descending |
    Format-Table DisplayName, MailboxGuid, @{label="TotalItemSize(KB)"; expression={$_.TotalItemSize.Value.ToKB()}}, ItemCount > c:\temp\mailbox_sizes_


If you want a CSV file (for Excel) instead of TXT, use Export-Csv. Piping Format-Table output to Out-File only writes formatted text with a .csv extension, not real CSV, so Select-Object replaces ft here:

Get-MailboxStatistics -Server "DATABASESERVERNAME" | Sort-Object TotalItemSize -Descending |
    Select-Object DisplayName, MailboxGuid, @{label="TotalItemSize(KB)"; expression={$_.TotalItemSize.Value.ToKB()}}, ItemCount |
    Export-Csv -Path C:\temp\mailbox_sizes_emailserver.csv -NoTypeInformation
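As an added example, not the script from this post, a version that goes beyond a single server: it walks every mailbox database, joins the statistics to the mailbox objects on the mailbox GUID (the unique key mentioned above) and writes one real CSV with the AD account name and primary SMTP address next to the size. PowerShell 3.0 or later and the output path are assumptions.

```powershell
# Added example, not the script from this post. Exchange Management Shell,
# PowerShell 3.0 or later (for [pscustomobject]); output path is an assumption.
$outFile = 'C:\temp\mailbox_inventory.csv'

# Index all mailbox objects on ExchangeGuid: it is the same value Get-MailboxStatistics
# reports as MailboxGuid (msExchMailboxGuid in AD), unlike DisplayName which can repeat.
$byGuid = @{}
Get-Mailbox -ResultSize Unlimited | ForEach-Object { $byGuid[$_.ExchangeGuid.ToString()] = $_ }

$rows = foreach ($db in Get-MailboxDatabase) {
    foreach ($stat in Get-MailboxStatistics -Database $db.Name) {
        $mbx = $byGuid[$stat.MailboxGuid.ToString()]
        # Stats without a mailbox object are disconnected mailboxes (or arbitration/system
        # mailboxes that Get-Mailbox hides by default); they must not be counted as users.
        $sam  = ''; $smtp = ''; $type = 'NoMailboxObject'
        if ($mbx) {
            $sam  = $mbx.SamAccountName
            $smtp = $mbx.PrimarySmtpAddress.ToString()
            $type = $mbx.RecipientTypeDetails.ToString()
        }
        [pscustomobject]@{
            Database             = $db.Name
            DisplayName          = $stat.DisplayName
            MailboxGuid          = $stat.MailboxGuid
            SamAccountName       = $sam
            PrimarySmtpAddress   = $smtp
            RecipientTypeDetails = $type
            TotalItemSizeMB      = [math]::Round($stat.TotalItemSize.Value.ToMB(), 1)
            ItemCount            = $stat.ItemCount
            LastLogonTime        = $stat.LastLogonTime
            Disconnected         = [bool]$stat.DisconnectDate
        }
    }
}

# Export-Csv writes real CSV; Format-Table output sent to a .csv file is only formatted text.
$rows | Sort-Object TotalItemSizeMB -Descending |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

$users = @($rows | Where-Object { $_.SamAccountName })
'{0} mailbox objects, {1} linked to an AD account, {2:N0} MB in total -> {3}' -f `
    @($rows).Count, $users.Count, ($rows | Measure-Object -Property TotalItemSizeMB -Sum).Sum, $outFile
```

The rows without a SamAccountName are the ones to look at before sizing the migration: disconnected mailboxes still take up space in the database but will never be moved.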


Cheat sheet with all ports and rules needed for a Skype for Business 2015 on-premises environment

Skype for Business ports

As in my previous post I will share a cheat sheet with you. This time the cheat sheet covers a Skype for Business on-premises implementation. To make things easier for myself, I created an overview of all ports and IP addresses that hit the firewalls and networks of customers.

The document is meant as a cheat sheet, which means you can adjust it and present it to the customer's network team.


There are always some requirements:

  • External IP addresses for the external subdomains
  • Access to external DNS
  • This drawing does not contain the Office Web Apps server

Skype ports (overview drawing)

Please let me know if you are missing something.

Cheat sheet with all ports and rules needed for an Exchange hybrid infrastructure

Exchange hybrid ports

Sometimes I come to clients who already have a hybrid Exchange environment configured, in many cases because the hybrid configuration does not work. To make things easier for myself, I created an overview that takes the pain out of firewalls and networks.

To help you out in these situations I share my ports overview document with you. The document is meant as a cheat sheet, which means you can adjust it and present it to the customer's network team.


There are always some requirements:

  • An external IP address for a separate hybrid mail flow that resolves to hybrid.domain.nl
  • Make sure the hybrid server is part of the mail environment (a member of the existing Exchange organization)
  • The Exchange server used for the hybrid configuration needs to be on the LAN
  • Do NOT forget the Exchange Online and Exchange Online Protection URLs and IP ranges in the firewall rules
  • If you do not have a spare external IP address, use the external IP address of autodiscover
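The ports document itself is not reproduced here, but as an added example (not from the post) this is the check I would run on the hybrid server before handing the sheet to the network team: TCP 443 towards Exchange Online for hybrid web services and mailbox moves, TCP 25 towards the Exchange Online Protection smart host for hybrid mail flow, and the two inbound ports on the public hybrid name. The host names are assumptions; the inbound rows only prove DNS and hairpin routing from the LAN and must be repeated from outside the firewall.

```powershell
# Added example, not part of the original post. Requires Windows Server 2012 R2 or later
# for Test-NetConnection / Resolve-DnsName. Host names below are assumptions.
$eopSmartHost = 'jerrymeyer-nl.mail.protection.outlook.com'   # <domain, dots as dashes>.mail.protection.outlook.com
$hybridHost   = 'hybrid.domain.nl'                            # public name from the requirements above

$checks = @(
    @{ Target = 'outlook.office365.com'; Port = 443; Purpose = 'Outbound: hybrid web services, free/busy, MRS mailbox moves' },
    @{ Target = $eopSmartHost;           Port = 25;  Purpose = 'Outbound: hybrid mail flow to Exchange Online Protection' },
    @{ Target = $hybridHost;             Port = 443; Purpose = 'Inbound: Exchange Online -> hybrid server (verify from outside)' },
    @{ Target = $hybridHost;             Port = 25;  Purpose = 'Inbound: EOP -> hybrid server (verify from outside)' }
)

$results = foreach ($c in $checks) {
    $a   = Resolve-DnsName -Name $c.Target -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress }                     # drop CNAME rows, keep A records
    $tcp = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target   = $c.Target
        Port     = $c.Port
        Resolves = [bool]$a
        IPs      = ($a | ForEach-Object { $_.IPAddress }) -join ','
        TcpOpen  = [bool]$tcp.TcpTestSucceeded
        Purpose  = $c.Purpose
    }
}
$results | Format-Table Target, Port, Resolves, TcpOpen, IPs, Purpose -AutoSize

# Fail loudly when an outbound dependency is missing; inbound rows still need the external test.
$broken = $results | Where-Object { $_.Purpose -like 'Outbound*' -and -not $_.TcpOpen }
if ($broken) {
    Write-Warning ('Outbound blocked: ' + (($broken | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
}
```

A green TcpOpen on the inbound rows from the LAN proves nothing about the perimeter; run the same two checks from a host on the internet, or ask the network team to confirm the NAT and firewall rules for exactly those two ports.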



Monitor Windows AD and Azure AD Health with Microsoft OMS

What is Microsoft Operations Management Suite (OMS)?

OMS (Microsoft Operations Management Suite) is Microsoft's cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. In this case we will use OMS to monitor and, to some extent, manage Azure AD Connect and Azure AD identities.

Before we start with OMS

Before we start there are some requirements.

  1. A valid OMS subscription. OMS has different subscription levels, depending on the OMS services you use and the amount of data you upload. There is a free version that provides 500 MB of daily upload and 7 days of data retention.
  2. A direct (or proxied) outbound connection from the domain controllers to OMS
  3. A domain administrator account, because installing the agent on the domain controllers requires domain administrator privileges
  4. A global administrator account to perform some actions in Azure AD

How to enable the AD solutions in OMS

Log in to OMS (https://login.mms.microsoft.com/signin.aspx?ref=ms_mms) as OMS administrator.

Click on Solution Gallery.

By default the AD Assessment solution is enabled. To enable AD Replication Status, click on its tile in the solution list and then click Add.

Install OMS agents
The next step of the configuration is to install the monitoring agent on the domain controllers and connect them to OMS.
1. Log in to the domain controller as domain administrator.
2. Log in to the OMS portal.
3. Go to Settings > Connected Sources > Windows Servers and click Download Windows Agent (64bit). This downloads the monitoring agent to the system.
4. Once it is downloaded, double-click the setup to start the installation.
5. In the first window of the wizard click Next to begin the installation.
6. In the next window read and accept the license terms.
7. In the next window you can select where it should install. If there are no changes click Next to continue.
8. In the next window it asks where the agent will connect to. In our scenario it will connect to OMS directly.
9. In the next window it asks for the OMS Workspace ID and Key. These can be found in the OMS portal under Settings > Connected Sources > Windows Servers. If this server is behind a proxy server, you can also specify the proxy settings in this window. Once the relevant info is provided click Next to continue. Treat the workspace key as a secret: anyone who has it can send data into your workspace.
10. In the next window it asks how the agent should check for updates. It is recommended to use the Windows Update option. Once the selection has been made, click Next.
11. On the confirmation page, click Install to begin the installation.
12. Follow the same steps for the other domain controllers.
13. After a few minutes the newly added servers show up as connected data sources under Settings > Connected Sources > Windows Servers.
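As an added example (not from the post), the same agent installation without the wizard: the installer is copied to each domain controller over the admin share, installed unattended with the documented Microsoft Monitoring Agent setup switches, and the connected workspace is read back from the agent's own COM interface. The installer location and the use of the ActiveDirectory module are assumptions; the workspace key is prompted for and must not end up in a script repository, since it lets anyone feed data into the workspace.

```powershell
# Added example, not part of the original post. Run on a management host as a domain
# administrator with PowerShell remoting enabled towards the domain controllers.
$workspaceId  = Read-Host 'OMS workspace ID'
$workspaceKey = Read-Host 'OMS workspace primary key'      # secret: prompt for it, never hardcode it
$installer    = 'C:\Install\MMASetup-AMD64.exe'            # assumption: downloaded from Settings > Connected Sources
$dcs          = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    # Stage the installer through the admin share; a remote session cannot reach other
    # file servers with the caller's credentials (Kerberos double hop).
    $remotePath = "\\$dc\C$\Windows\Temp\MMASetup-AMD64.exe"
    Copy-Item -Path $installer -Destination $remotePath -Force

    Invoke-Command -ComputerName $dc -ArgumentList $workspaceId, $workspaceKey -ScriptBlock {
        param($wsId, $wsKey)
        $exe        = 'C:\Windows\Temp\MMASetup-AMD64.exe'
        $extractDir = 'C:\Windows\Temp\MMASetup'

        # /c /t:<dir> unpacks the bootstrapper; setup.exe then takes the documented
        # unattended options for connecting to a Log Analytics (OMS) workspace.
        Start-Process -FilePath $exe -ArgumentList "/c /t:`"$extractDir`"" -Wait
        $setupArgs = '/qn ADD_OPINSIGHTS_WORKSPACE=1 ' +
                     "OPINSIGHTS_WORKSPACE_ID=`"$wsId`" OPINSIGHTS_WORKSPACE_KEY=`"$wsKey`" " +
                     'AcceptEndUserLicenseAgreement=1'
        $proc = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru

        # Read back what the agent is actually connected to instead of trusting the exit code alone.
        $workspaces = @()
        try {
            $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
            $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
        } catch { }

        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            ExitCode   = $proc.ExitCode          # 0 = ok, 3010 = ok but reboot pending
            Workspaces = $workspaces -join ','
            Service    = (Get-Service HealthService -ErrorAction SilentlyContinue).Status
        }
    }
}
$report | Format-Table -AutoSize
```

A row whose Workspaces column does not list your workspace ID means the install succeeded but the agent never registered; that is usually the proxy or an outbound firewall rule, the same things the wizard would have asked about in step 9.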

How to view the analyzed data

After a few minutes OMS starts to collect data and visualize the findings. To view this data, log in to the OMS portal and click the relevant solution tile on the home page. You will find your analyzed/assessed servers there, with a quick overview and some recommendations.
Clicking the tile brings you to a page with more details about the findings: a nice overview of all the collected data, and it even suggests fixes.

How to collect Windows logs for analysis

With OMS we can also collect Windows event logs and use the OMS analytics capabilities to analyze them. When this is enabled, OMS space usage and bandwidth usage on the organization's end will be higher. On domain controllers the Security log is the one worth the cost, since that is where logon and Kerberos events land. To collect logs:
1. Log in to the OMS portal.
2. Go to Settings > Data > Windows Event Logs.
3. In the box, search for the relevant log name and add it to the list. You can also select which event types to collect (Error, Warning, Information). Once the selection is made click Save.
After a few minutes you can start to see the events under Log Search, where you can filter the data with queries. You can also set up email alerts based on specific events.
*Source: http://www.rebeladmin.com/

Where is the BitLocker key stored within Microsoft Azure AD

Storing your BitLocker key

When you enroll your Windows 10 devices with Microsoft Intune you have the possibility to store your BitLocker recovery keys in Azure AD. There are two proper ways to store the BitLocker recovery key:

  1. Store the BitLocker recovery key in Active Directory (on-premises)
  2. Store the key in Azure AD (cloud)

When you Azure AD join the device and activate BitLocker, you get the option to store the recovery key in Azure AD as you walk through the Join or register the device wizard.

The key will then be stored in the cloud (Azure AD). To find these keys in the classic Azure portal follow the steps below.

Classic Azure portal steps

  1. Open Azure AD in the management portal (https://manage.windowsazure.com).
  2. Open the Users tab and search/browse for the account you need to find the recovery key for, then open it.
  3. Go to the Devices tab and in the View box select Devices.
  4. Select the affected device and click View Details.

All registered recovery keys should be visible.

(New) Azure portal

Most of you will probably use the (new) Azure portal. Finding the keys there is a little different, but not too much. Follow the steps below to get the recovery keys from Azure AD.

  1. Open Azure AD in the Azure portal (https://portal.azure.com).
  2. Open the Users and groups blade and find the user involved.
  3. Go to the registered devices of the user.
  4. Click on the device you need the key for.

You will find the recovery key at the bottom of the device information. Keep in mind that anyone who can read this blade can unlock the disk, so restrict the Azure AD roles that expose recovery keys and audit who reads them.
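Finding the key in the portal assumes it was escrowed in the first place. As an added example (not from the post), this script, run elevated on an Azure AD joined Windows 10 (1703 or later) device, checks that each encrypted volume has a recovery password protector, adds one when it is missing, and pushes it to Azure AD with the built-in BackupToAAD-BitLockerKeyProtector cmdlet. The recovery password itself is never written to the console; the -WhatIf call at the end makes it a dry run.

```powershell
# Added example, not part of the original post. Run elevated on the device itself;
# needs Windows 10 1703 or later for BackupToAAD-BitLockerKeyProtector.
function Sync-BitLockerKeysToAzureAD {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Only an Azure AD joined (or hybrid joined) device can escrow to Azure AD.
    $joined = [bool]((& dsregcmd.exe /status) -match 'AzureAdJoined\s*:\s*YES')
    if (-not $joined) { throw 'dsregcmd /status does not report AzureAdJoined : YES; nothing can be backed up to Azure AD.' }

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Warning "$($vol.MountPoint): protection is '$($vol.ProtectionStatus)', skipped."
            continue
        }

        # Azure AD stores the 48-digit recovery password, so that protector type must exist.
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($rp.Count -eq 0 -and $PSCmdlet.ShouldProcess($vol.MountPoint, 'Add RecoveryPassword protector')) {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }

        $backedUp = foreach ($p in $rp) {
            if ($PSCmdlet.ShouldProcess($vol.MountPoint, "Back up protector $($p.KeyProtectorId) to Azure AD")) {
                # The cmdlet sends the protector to Azure AD; the password itself is never displayed here.
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
                $p.KeyProtectorId
            }
        }

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            RecoveryProtectorIds = ($rp | ForEach-Object { $_.KeyProtectorId }) -join ','
            BackedUp             = @($backedUp).Count
        }
    }
}

Sync-BitLockerKeysToAzureAD -WhatIf    # remove -WhatIf to perform the escrow
```

The KeyProtectorId printed for each volume is the same identifier the portal shows next to the key, which makes it easy to confirm afterwards that the device blade really lists the protector that is on the disk.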

Co-management with Intune and System Center (SCCM)

What is Co-management

A couple of weeks ago Microsoft introduced co-management with Intune and System Center Configuration Manager. So what does co-management mean? Co-management enables a device to be managed by both the ConfigMgr agent and Intune MDM at the same time. This allows organizations to move parts of their workloads to the cloud where they first used SCCM.

As an example, you can move the Windows 10 update management workload from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads such as software distribution and device security configuration.

In simple words, SCCM/Intune co-management is a dual management capability offered for Windows 10 1709 (Fall Creators Update) devices.


To use co-management you must make sure your environment meets the following prerequisites.

  • Your System Center environment (SCCM) must be updated to SCCM Current Branch 1709
  • The Windows 10 devices must be running the Fall Creators Update (Windows 10 1709)
  • You need an active Intune subscription
  • You need an active Azure AD Premium subscription

If you have the prerequisites above you can start configuring the setup.

Setting up co-management

When you have installed version 1709 of System Center you can start configuring the co-management feature. You can do this as follows.

Step 1: Launch your SCCM console

Step 2: Go to Administration

Step 3: Go to Overview

Step 4: Go to Cloud Services

Step 5: Click on Co-management and select Configure Co-management

Enable System Center co-management for SCCM and Intune managed devices

When you have configured co-management for Intune and System Center you need to enable the feature. There are two ways to enable SCCM co-management:

  1. Enable Co-management for SCCM managed devices
  2. Enable Co-management for Intune managed devices

Enable co-management for SCCM clients

To enable co-management for SCCM managed devices with Intune, select one of the following options:

  • Select All or Pilot from the drop-down menu to enroll all SCCM clients, or only the pilot collection, in Intune

Enable co-management for Intune managed devices

To enable co-management for Intune managed devices with SCCM you need to create an application in Intune. The application installs the SCCM client on the Intune managed devices. The SCCM team provides a sample command line to install the SCCM client (you can find it in the wizard).

That seems to be it. If you need more information you can use the following resources at Microsoft:

  • Co-management for Windows 10 devices
  • Migrate hybrid MDM users and devices to Intune standalone
  • Microsoft 365 and SCCM Windows 10 co-management

Migrate Exchange hybrid server to another domain

Migrate the Exchange hybrid server

If you just want to manage the users in Exchange Online and you want to keep Exchange hybrid, it is recommended to keep one hybrid server connected to your Office 365 tenant. You have to make sure that you migrate the rest of the mailboxes to Office 365 first.

When all users are in Office 365, install another Exchange server in the other domain and make it the hybrid server.

Note: you have to change the configuration of your Azure AD Connect to accomplish this.

In this blog I will explain step by step how to achieve this.

Install Exchange 2016 in the user forest

Install Exchange 2016 in the (new) user forest and set the SCP to null to prevent any Autodiscover lookups against it. You can use the command below. Changing the SCP record should not affect the existing deployment in the other forest. The recommendation is to set the SCP to null as soon as the installation of Exchange 2016 completes; this is more of a precaution than anything else, as all the Autodiscover DNS entries already point to Exchange Online.

Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion -like "Version 15.*" } | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null

Filter on the version only: Exchange 2016 servers report the Mailbox role, so a filter on "*ClientAccess*" matches nothing on 2016, and the value to set is $null, not a URL. Use "Version 15.1*" to target Exchange 2016 alone (15.0 is Exchange 2013); on Exchange 2016 the cmdlet is also available under its newer name Set-ClientAccessService.

Configure new Exchange server

Add the Office 365 mail routing domain as a remote domain on your Exchange server and create the send connector to Exchange Online. You can do this in the Exchange Admin Center (EAC) of your Exchange server. If there already is a connector you will see it in the overview.

To add a mail flow connector click the + button.

Select your Exchange server and follow the instructions. You can also do this with PowerShell (make sure you use the Exchange Management Shell):

New-SendConnector -Name J3Rmeyer -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts jerrymeyer-nl.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This command creates a send connector as follows:

  • Name: J3Rmeyer
  • FQDN: mail.jerrymeyer.nl (the host name on the certificate, used in place of <CertificateHostNameValue>)
  • SmartHosts: jerrymeyer-nl.mail.protection.outlook.com (the Exchange Online Protection host of the accepted domain; the dots in the domain name become dashes)

If you have multiple connectors please take a look at the TechNet page where all the details are explained.

*Source: Microsoft TechNet

Export Exchange Attributes

Export the Exchange attributes from the resource forest accounts. If you have read my blog about migrating Azure AD Connect to another domain/forest you will notice a lot of similarities.

Link to former blog post

It is important that you export the attributes below.

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN

When hybrid, you need the above and the attributes below.

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

*Note: check in your user environment whether the MEU (mail-enabled user) and the Exchange GUIDs match. Also check whether the msExchMasterAccountSid is filled. The msExchMasterAccountSid is used to join the users in the metaverse of Azure AD Connect, so that only one user shows up in the Office 365 tenant.

Azure AD Connect part 1

When you have exported all the attributes it is time to stop Azure AD Connect. You can do this with the commands below.

To disable directory synchronization in the Office 365 tenant:

Set-MsolDirSyncEnabled –EnableDirSync $false

Check whether it is still enabled (DirectorySynchronizationEnabled should go to False; this can take a while):

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
Then remove the resource forest from the Azure AD Connect scope so it only syncs the user forest accounts.

Import Exchange Attributes

Import the Exchange attributes onto the user forest accounts and run Enable-RemoteMailbox to match the mailboxes online with the user accounts on-premises. (New-RemoteMailbox creates a new AD account as well; for existing accounts Enable-RemoteMailbox is the right cmdlet.)

Enable-RemoteMailbox jerry -RemoteRoutingAddress jerry@j3rmeyer.mail.onmicrosoft.com

Enable-RemoteMailbox can be run immediately after creating the user account in Active Directory; there is no need to wait for the next Azure AD Connect synchronization cycle before enabling the mailbox. Once the user account has been provisioned to Azure AD, the mailbox is created automatically or matched to the existing one.

Azure AD Connect part 2

When you have imported the Exchange attributes and matched the mailboxes, it is time to enable Azure AD Connect again.

To enable directory synchronization in the Office 365 tenant:

Set-MsolDirSyncEnabled –EnableDirSync $true

Check whether it is enabled (DirectorySynchronizationEnabled should return True):

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled

Change the Azure AD Connect configuration

When Azure AD Connect is doing its work and you have tested the mailboxes, it is time to remove the resource forest. To remove the resource forest from Azure AD Connect you have to go into the configuration wizard of Azure AD Connect.

Go to the containers (domain and OU filtering) and untick the domain.

Decommission hybrid from the resource forest

This step starts with a note.

*Note: be sure to establish mail flow in your new environment before decommissioning the Exchange hybrid server, or queue the mail from on-premises.

Below you find a list of what to do.

  1. Move all legacy Exchange mailboxes to the newly deployed Exchange Server 2013/2016 in the organization.
  2. Move all content from the public folder database on the old Exchange server to a public folder database on an Exchange server that stays in the organization.
  3. Remove the public folder mailboxes and stores from the old Exchange server.
  4. For each offline address book (OAB), move the generation process to an Exchange 2013/2016 server. Ensure 2013/2016 is the one generating and serving OABs for users.
  5. Remove all added database copies of mailbox databases so each database has a single copy.
  6. Remove all nodes from any existing Exchange Server Database Availability Group.
  7. Delete the Exchange Server Database Availability Group.
  8. Optional: set the RpcClientAccessServer value of all databases to the FQDN of their server.
  9. Optional: remove the CAS array object(s).
  10. Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard-coded names.
  11. Start removing mailbox databases; make sure no arbitration mailboxes still exist on the old Exchange servers.
  12. Verify that Internet mail flow is configured to route through your Exchange 2013/2016 transport servers.
  13. Verify that all inbound protocol services (Exchange ActiveSync, Outlook Web App, Outlook Anywhere, POP3, IMAP4, the Autodiscover service and any other Exchange Web Services) are configured for Exchange 2013/2016.
  14. Uninstall Exchange Server and reboot the server.

*Source: TechNet blog

Configure hybrid in the user forest

I think most of you know how to do this. If not, please check out Jaap Wesselius' blog.


I think I have captured most of the migration. If you notice something is missing, incomplete or wrong, please notify me.

Migrating Azure AD Connect to a new Active Directory domain

Migrate Azure AD Connect

When you want to migrate Azure AD Connect to another domain, things can become pretty complicated. These kinds of migrations can also create a lot of issues and unknown errors. The best thing to do before you start such a migration is to rehearse the scenario in a test lab.

Disable Azure AD Connect

First log on to the Azure AD Connect server you want to migrate. Then perform the four steps below.

1. Install the Azure Active Directory Module for Windows PowerShell (MSOnline).

2. Connect to Azure AD with Windows PowerShell (Connect-MsolService).

3. Disable directory synchronization. To do this, type the following cmdlet and press Enter:

Set-MsolDirSyncEnabled –EnableDirSync $false

4. Check that directory synchronization was fully disabled. To do this, run the following cmdlet periodically until it returns False:

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
*Note: this can take up to 72 hours. The change does not cause any service interruption; all users can use their services as normal, their accounts simply become cloud-managed in the meantime.

Install the new Azure AD Connect

When you have prepared or executed the steps above you can install the Azure AD Connect tool on the new server.

The second step is to populate your new AD domain with all user accounts. It is important that you copy all information from the old domain (company name, job titles etc.), and for Exchange Online it is especially important that these attributes are copied:

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN

When hybrid, you need the above and the attributes below.

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

What do the attributes do?

  • The userPrincipalName (UPN) of the user is the login name for Office 365.
  • proxyAddresses holds all the email addresses of the user, both the primary address (SMTP:) and the aliases (smtp:).
  • legacyExchangeDN is used if you previously migrated from Exchange on-premises to Office 365. It is used for internal (X500) addressing in Exchange. If it is lost, users cannot reply to old emails and meeting invitations, and Suggested Contacts (autocomplete) entries fail as well; a common precaution is to keep the old value as an X500: proxy address.
  • msExchRecipientTypeDetails sets the type of mailbox: UserMailbox (1), LinkedMailbox (2), SharedMailbox (4), LegacyMailbox (8), RoomMailbox (16), EquipmentMailbox (32). Mailboxes that live in Exchange Online use the Remote* values, for instance RemoteUserMailbox (2147483648).
  • msExchMasterAccountSid: this attribute of the target (resource forest) user object holds the objectSid of the source user account. It allows the user to connect to their own mailbox and to shared mailboxes.
  • msExchRecipientDisplayType sets the type of recipient as shown in the address book.
  • msExchRemoteRecipientType marks the account as having a remote mailbox in Exchange Online and how it got there (1 = provisioned in the cloud, 4 = migrated from on-premises).
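As an added example that serves both this post and the hybrid server migration post above (it is not code from either), an export/import round trip for exactly these attributes. The resource-forest accounts are matched to the user-forest accounts through msExchMasterAccountSid, which is the objectSid of the user-forest account, so there is no guessing on names. The DC names, the CSV path and the ActiveDirectory module are assumptions. msExchMasterAccountSid itself is only used as the match key and is not written to the user-forest account, which has its own SID; the three msExch* type attributes are only copied when the source already describes a remote mailbox, because otherwise Enable-RemoteMailbox sets them.

```powershell
# Added example, not part of the original posts. ActiveDirectory module required;
# the account must read the resource forest and write the user forest.
$attrs    = 'userPrincipalName','proxyAddresses','legacyExchangeDN',
            'msExchRecipientTypeDetails','msExchMasterAccountSid',
            'msExchRecipientDisplayType','msExchRemoteRecipientType'
$sourceDc = 'dc01.resource.local'   # placeholder: resource forest DC
$targetDc = 'dc01.users.local'      # placeholder: user forest DC
$csvPath  = 'C:\temp\exchange-attributes.csv'

function ConvertTo-SidString($value) {
    # The AD module normally hands back a SecurityIdentifier; raw LDAP gives a byte[].
    if ($null -eq $value) { return '' }
    if ($value -is [byte[]]) { return (New-Object Security.Principal.SecurityIdentifier($value, 0)).Value }
    return $value.ToString()
}

# --- Export from the resource forest. Multi-valued proxyAddresses is joined with ';'.
Get-ADUser -Server $sourceDc -LDAPFilter '(msExchRecipientTypeDetails=*)' -Properties $attrs |
    Select-Object sAMAccountName, userPrincipalName, legacyExchangeDN,
        msExchRecipientTypeDetails, msExchRecipientDisplayType, msExchRemoteRecipientType,
        @{ n = 'proxyAddresses';         e = { $_.proxyAddresses -join ';' } },
        @{ n = 'msExchMasterAccountSid'; e = { ConvertTo-SidString $_.msExchMasterAccountSid } } |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# --- Import into the user forest.
foreach ($row in Import-Csv $csvPath) {
    if (-not $row.msExchMasterAccountSid) {
        Write-Warning "$($row.sAMAccountName): no msExchMasterAccountSid, cannot match safely; skipped"
        continue
    }
    # Get-ADUser -Identity accepts a SID string: this is the user-forest account the
    # resource-forest mailbox was linked to.
    $target = Get-ADUser -Server $targetDc -Identity $row.msExchMasterAccountSid -ErrorAction SilentlyContinue
    if (-not $target) {
        Write-Warning "$($row.sAMAccountName): SID $($row.msExchMasterAccountSid) not found in user forest"
        continue
    }

    # Only set what the export actually contained; Set-ADUser -Replace rejects empty values.
    $replace = @{}
    if ($row.legacyExchangeDN) { $replace.legacyExchangeDN = $row.legacyExchangeDN }
    if ($row.proxyAddresses)   { $replace.proxyAddresses   = [string[]]($row.proxyAddresses -split ';') }
    # Keep the old legacyExchangeDN reachable as X500 address too, so replies to old mail keep working.
    $x500 = "X500:$($row.legacyExchangeDN)"
    if ($row.legacyExchangeDN -and $replace.proxyAddresses -notcontains $x500) {
        $replace.proxyAddresses = @($replace.proxyAddresses) + $x500
    }
    # Remote mailbox already? Then the type attributes are valid in the new forest as well;
    # otherwise leave them to Enable-RemoteMailbox.
    if ($row.msExchRemoteRecipientType) {
        $replace.msExchRecipientTypeDetails = [long]$row.msExchRecipientTypeDetails
        $replace.msExchRecipientDisplayType = [int]$row.msExchRecipientDisplayType
        $replace.msExchRemoteRecipientType  = [long]$row.msExchRemoteRecipientType
    }

    Set-ADUser -Server $targetDc -Identity $target -UserPrincipalName $row.userPrincipalName -Replace $replace
    '{0} <- {1}' -f $target.SamAccountName, $row.sAMAccountName
}
```

Keep the CSV after the migration: it is the only record that ties each resource-forest mailbox to a user-forest SID, which is exactly what you need when a user later reports that replies to old mail bounce.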

Match the immutable ID

The third step is to make sure the immutable ID in Office 365 matches. By default Azure AD Connect uses the ObjectGUID attribute as source anchor and translates it into the ImmutableID in Azure Active Directory. If you rename your users the ObjectGUID is untouched, and most of the time you use the ObjectGUID by default as immutable ID.

*Note: if you have used a different source anchor, make sure this part is covered.

Because we are moving to a new domain, the ObjectGUID changes. To manage this we have to clear the attribute in Office 365 so that the new sync can set it again. You can use the command below:

Set-msolUser -UserprincipalName “jerry.meyer@domain.com” -immutableID “$null”

Enable Azure AD sync and reinstall Azure AD Connect

The next step is to enable directory synchronization in the Office 365 tenant again.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check whether it is enabled (DirectorySynchronizationEnabled should return True):

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
After these steps you reinstall the Azure AD Connect sync tool on a server in the new domain. I strongly recommend using a new server for this step; reusing the old one can create nasty errors or even break the sync, and when that happens you need to open a ticket with Microsoft.

When the installation and the full sync are done, the sync tool matches the users in Office 365 and on-premises AD by primary email address (a soft match on the SMTP: proxy address). When there is a match, a new ImmutableID is computed from the new ObjectGUID and written to Azure AD.
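Soft match only works when the primary SMTP address in the new forest equals the one in Office 365, and it silently skips users where it does not. As an added example (not from the post) that goes one step further than the text, the script below computes the ImmutableId that Azure AD Connect will derive from the ObjectGUID in the new forest and stamps it on each previously synced cloud user before the first sync (a hard match), so the join does not depend on mail addresses. It needs the MSOnline and ActiveDirectory modules and runs while directory synchronization is still disabled; the DC name is a placeholder.

```powershell
# Added example, not part of the original post. Run after Set-MsolDirSyncEnabled $false has
# taken effect and before the new Azure AD Connect performs its first sync.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    # Default sourceAnchor of Azure AD Connect: the 16 ObjectGUID bytes, Base64 encoded.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    # Reverse direction, handy to see which old ObjectGUID a cloud user still points at.
    New-Object guid -ArgumentList (, [Convert]::FromBase64String($ImmutableId))
}

$newDomainDc = 'dc01.users.local'   # placeholder
Connect-MsolService

# Previously synced users still carry the ImmutableId of the old forest; those are the ones to rewrite.
$synced = Get-MsolUser -All | Where-Object { $_.ImmutableId }

$result = foreach ($cloudUser in $synced) {
    $upn    = $cloudUser.UserPrincipalName
    $safe   = $upn -replace "'", "''"          # quote for the AD filter syntax
    $adUser = Get-ADUser -Server $newDomainDc -Filter "userPrincipalName -eq '$safe'"
    if (-not $adUser) {
        Write-Warning "$upn has no account in the new domain; create it first or clear its ImmutableId"
        continue
    }
    $newId = ConvertTo-ImmutableId $adUser.ObjectGUID
    if ($cloudUser.ImmutableId -ne $newId) {
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $newId
    }
    [pscustomobject]@{
        UserPrincipalName = $upn
        OldObjectGuid     = ConvertFrom-ImmutableId $cloudUser.ImmutableId
        NewObjectGuid     = $adUser.ObjectGUID
        Changed           = ($cloudUser.ImmutableId -ne $newId)
    }
}
$result | Format-Table -AutoSize
```

Because the ImmutableId is already the value the new Azure AD Connect will compute, its first sync joins every account on the anchor and never has to fall back to the SMTP match; users whose addresses changed during the move are matched just the same.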

Retention policy and litigation hold

Most of the time, security is unfamiliar terrain when it comes to litigation hold and retention policies. In this blog post I will explain when to use litigation hold and when it is best to use a retention policy in Office 365.

Litigation hold

When you search TechNet or Google for litigation hold you will find millions of results. But actually it is quite simple: litigation hold is another expression for legal hold. In Office 365 you use this function, for instance, when a user is leaving the company and you need to preserve the mailbox for 30 years or even longer.

If you activate litigation hold you can already tick off the preservation part of your GDPR checklist. Office 365 offers a rich set of in-place eDiscovery capabilities to identify relevant data: search, hold, analyze and export. These tools help you quickly meet the investigative, legal and regulatory requirements regarding GDPR.

To activate litigation hold, run the following command from the Exchange Online PowerShell module:

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

*Note: it can take up to 60 minutes before the hold is fully in effect.

Retention policy

For some time now compliance has been one of Microsoft's main focuses in Office 365. You need to know how to use these Office 365 features, so that the next time you encounter legal, industry or internal policy requirements, you know what to do.

A retention policy is mainly used to preserve content for a specific period of time or indefinitely, because of regulatory, legal or business requirements. You can enable retention policies on most of the Office 365 services, such as OneDrive and Exchange, and since a short while also on Office 365 Groups and even Teams.

You can configure retention policies quite easily with the wizard in the Security & Compliance Center, which you reach from the Office 365 admin center.

So when do you use litigation hold and when a retention policy?

Use litigation hold to legally hold a complete mailbox; when the user account is later deleted, a mailbox on hold is kept as an inactive mailbox instead of being purged after the soft-delete period. Use a retention policy when you want to preserve content across one or more Office 365 services (and optionally delete it once the retention period ends).
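As an added example (not from the post), both approaches side by side: part 1 puts leavers' mailboxes on litigation hold from an Exchange Online PowerShell session and verifies the flag, part 2 creates a tenant-wide retention policy with a rule from a Security & Compliance Center PowerShell session. Mailbox addresses, hold owner, policy name and durations are assumptions.

```powershell
# Added example, not part of the original post. Part 1 needs an Exchange Online
# PowerShell session, part 2 a Security & Compliance Center PowerShell session.
# Mailbox addresses, owner address, policy name and durations are assumptions.

# --- Part 1: litigation hold on individual (leaver) mailboxes
$leavers = 'alice@domain.com', 'bob@domain.com'
foreach ($upn in $leavers) {
    $mbx = Get-Mailbox -Identity $upn
    if ($mbx.LitigationHoldEnabled) {
        "$upn already on hold since $($mbx.LitigationHoldDate) (duration: $($mbx.LitigationHoldDuration))"
        continue
    }
    # Hold needs an Exchange Online Plan 2 (or Exchange Online Archiving) licence on the mailbox.
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited `
        -LitigationHoldOwner 'legal@domain.com'
}
# Verification; allow up to 60 minutes, as noted above, before the hold is fully effective.
Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true } |
    Select-Object UserPrincipalName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration, LitigationHoldOwner

# --- Part 2: retention policy across services
$policyName = 'Retain-7y-Exchange-OneDrive'
New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All -OneDriveLocation All -Enabled $true
# Keep everything for 7 years (2555 days) counted from creation, then delete it. For "preserve
# indefinitely" use -RetentionDuration Unlimited with -RetentionComplianceAction Keep.
New-RetentionComplianceRule -Name "$policyName-rule" -Policy $policyName `
    -RetentionDuration 2555 -ExpirationDateOption CreationAgeInDays -RetentionComplianceAction KeepAndDelete
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

The difference shows in the verification lines: the hold is a property of one mailbox object, while the retention policy is distributed to whole workloads and reports a DistributionStatus, which is why it takes a while before it applies everywhere.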

And yes, the configuration of these compliance settings really depends on the situation of your company or client.