Configure legacy on-premises public folders for a hybrid deployment of Exchange Server
In a hybrid deployment, your users can be in Exchange Online, on-premises Exchange, or both, and your public folders are either in Exchange Online or on-premises Exchange. Public folders can only reside in one place, so you must decide where they belong. They can't be in both locations. Public folder mailboxes are synchronized to Exchange Online by the Directory Synchronization service. However, mail-enabled public folders aren't synchronized across premises.
This article describes how to synchronize mail-enabled public folders when your users are in Microsoft 365 or Office 365 and your public folders are in Exchange 2010 SP3 or later. However, a cloud user who isn't represented by a MailUser object in on-premises Exchange (local to the target public folder hierarchy) can't access legacy or on-premises Exchange public folders.
Note
This topic refers to the Exchange 2010 SP3 or later servers as the legacy Exchange server.
You use the following scripts to sync your mail-enabled public folders. The scripts are initiated by a Windows task that runs in the on-premises environment:
- Sync-MailPublicFolders.ps1: This script synchronizes mail-enabled public folder objects from your local on-premises Exchange deployment with Exchange Online. It uses the local on-premises Exchange deployment as authoritative to determine what changes need to be applied to Exchange Online. The script creates, updates, or deletes mail-enabled public folder objects in the cloud based on what exists in the local on-premises Exchange deployment.
- SyncMailPublicFolders.strings.psd1: This support file is used by the Sync-MailPublicFolders.ps1 script and should be copied to the same location as the script.
When you complete this procedure, your on-premises and cloud users can access the same on-premises public folder infrastructure.
What hybrid versions of Exchange work with public folders?
The following table describes the supported version and location combinations of user mailboxes and public folders. "Hybrid not applicable" is still a supported scenario, but isn't considered a hybrid scenario because both the public folders and the users are residing in the same location.
Scenario | On-premises Exchange 2010 User Mailbox | On-premises Exchange 2016/2019 User Mailbox | Exchange Online User Mailbox |
---|---|---|---|
On-premises Exchange 2010 Public Folders | Hybrid not applicable | Hybrid not applicable | Supported |
On-premises Exchange 2013, Exchange 2016, or Exchange 2019 Public Folders | Hybrid not applicable | Hybrid not applicable | Supported |
Exchange Online Public Folders | Not supported | Supported | Hybrid not applicable |
A hybrid configuration with Exchange 2003 public folders isn't supported. If you're running Exchange 2003 in your organization, you must move all public folder databases and replicas to Exchange 2010 SP3 or later. No public folder replicas can remain on Exchange 2003.
Step 1: What do you need to know before you begin?
These instructions assume that you have used the Hybrid Configuration Wizard to configure and synchronize your on-premises and Exchange Online environments and that the DNS records used for most users' Autodiscover reference an on-premises endpoint. For more information, see Hybrid Configuration Wizard.
These instructions assume that Outlook Anywhere is enabled and functional on the on-premises legacy Exchange servers. For information on how to enable Outlook Anywhere, see Outlook Anywhere.
Implementing legacy public folder coexistence for a hybrid deployment of Exchange with the cloud might require you to fix conflicts during the import procedure. Conflicts can happen due to non-routable email addresses assigned to mail-enabled public folders, conflicts with other users and groups in Exchange Online, and other attributes.
These instructions assume your Exchange Online organization has been upgraded to a version that supports public folders.
In Exchange Online, you must be a member of the Organization Management role group. This role group is different from the permissions assigned to you when you subscribe to Exchange Online. For details about how to enable the Organization Management role group, see Manage role groups.
In Exchange 2010, you must be a member of the Organization Management or Server Management Role Based Access Control (RBAC) role groups. For details, see Add Members to a Role Group.
In order to access public folders cross-premises, users must upgrade their Outlook clients to the November 2012 or later Outlook public update.
To download the November 2012 Outlook update for Outlook 2010, see Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition.
To download the November 2012 Outlook update for Outlook 2007, see Update for Microsoft Office Outlook 2007 (KB2687404) and download in preferred language.
Outlook 2016 for Mac and Outlook for Mac for Microsoft 365 or Office 365 are supported for cross-premises public folders if the following conditions are true:
- The April 2016 update for Outlook 2016 for Mac is installed.
- Exchange 2016 CU2 or later.
- Exchange 2013 CU14 or later.
After you have followed the instructions in this article to configure your on-premises public folders for a hybrid deployment, users who are external to your organization won't be able to send messages to your on-premises public folders unless you take additional steps. For example:
- Set the accepted domain for the public folders to Internal Relay. For more information, see Manage accepted domains in Exchange Online.
- Disable Directory Based Edge Blocking (DBEB). For more information, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.
In hybrid mode, Exchange Online users can't access public folders using Outlook on the web (formerly known as Outlook Web App).
Step 2: Make remote public folders discoverable
If your public folders are on Exchange 2010 servers, you must install Client Access services on all mailbox servers that have a public folder database. This enables the Exchange RpcClientAccess service to run, which enables all clients to access public folders. For more information, see Install Exchange Server 2010.
Note
This server doesn't have to be part of the Client Access load balancing. For more information, see Understanding Load Balancing in Exchange 2010.
Create an empty mailbox database on each public folder server.
For Exchange 2010, run the following command in the Exchange Management Shell. This command excludes the mailbox database from the mailbox provisioning load balancer. This action prevents new mailboxes from automatically being added to this database.
New-MailboxDatabase -Server <PFServerName_with_CASRole> -Name <NewMDBforPFs> -IsExcludedFromProvisioning $true
For Exchange 2007, run the following command in the Exchange Management Shell:
New-MailboxDatabase -StorageGroup "<PFServerName>\<StorageGroup>" -Name <NewMDBforPFs>
Note
We recommend that the only mailbox that you add to this database is the proxy mailbox that you'll create in the next step. No other mailboxes should be created on this mailbox database.
Create a proxy mailbox within the new mailbox database, and hide the mailbox from the address book. The SMTP address of this mailbox is returned by Autodiscover as the DefaultPublicFolderMailbox SMTP. By resolving this SMTP address, the client can reach the legacy Exchange server for public folder access.
New-Mailbox -Name <PFMailbox1> -Database <NewMDBforPFs>
Set-Mailbox -Identity <PFMailbox1> -HiddenFromAddressListsEnabled $true
For Exchange 2010, enable Autodiscover to return the proxy public folder mailboxes.
Set-MailboxDatabase <NewMDBforPFs> -RPCClientAccessServer <PFServerName_with_CASRole>
Repeat the preceding steps for every public folder server in your organization.
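The Step 2 settings can be checked afterwards from the on-premises Exchange Management Shell. The following audit is an added example, not part of the original article or the downloadable scripts; the names in `$ProxyMailboxes` are placeholders, and the checks assume the Exchange 2010 commands shown above.

```powershell
# Added example: audit the Step 2 proxy mailboxes from the on-premises
# Exchange Management Shell (Exchange 2010).
# Assumption: placeholder names; replace with your own proxy mailboxes.
$ProxyMailboxes = 'PFMailbox1', 'PFMailbox2', 'PFMailbox3'

$report = foreach ($name in $ProxyMailboxes) {
    $mbx = Get-Mailbox -Identity $name -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "Proxy mailbox '$name' was not found."
        continue
    }
    $db = Get-MailboxDatabase -Identity "$($mbx.Database)"

    # The proxy mailbox should be the only mailbox in its database.
    $others = @(Get-Mailbox -Database $db.Name -ResultSize Unlimited |
        Where-Object { $_.DistinguishedName -ne $mbx.DistinguishedName })

    # The server that Autodiscover hands out should host a public folder database.
    $pfDbs = @()
    if ($db.RpcClientAccessServer) {
        $pfDbs = @(Get-PublicFolderDatabase -Server $db.RpcClientAccessServer `
            -ErrorAction SilentlyContinue)
    }

    New-Object PSObject -Property @{
        Mailbox                  = $mbx.Name
        Database                 = $db.Name
        Hidden                   = [bool]$mbx.HiddenFromAddressListsEnabled
        ExcludedFromProvisioning = [bool]$db.IsExcludedFromProvisioning
        RpcClientAccessServer    = "$($db.RpcClientAccessServer)"
        PublicFolderDbOnServer   = ($pfDbs.Count -gt 0)
        OtherMailboxesInDb       = $others.Count
    }
}

$report | Select-Object Mailbox, Database, Hidden, ExcludedFromProvisioning,
    RpcClientAccessServer, PublicFolderDbOnServer, OtherMailboxesInDb |
    Format-Table -AutoSize

# Flag every proxy mailbox that deviates from the Step 2 configuration.
$report | Where-Object {
    -not $_.Hidden -or -not $_.ExcludedFromProvisioning -or
    -not $_.PublicFolderDbOnServer -or $_.OtherMailboxesInDb -gt 0
} | ForEach-Object { Write-Warning "Review proxy mailbox '$($_.Mailbox)'." }
```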
Step 3: Download the scripts
Download the following files from Mail-enabled Public Folders - directory sync script:
Sync-MailPublicFolders.ps1
SyncMailPublicFolders.strings.psd1
Save the files to the local computer where you're running PowerShell. For example, C:\PFScripts.
Step 4: Configure directory synchronization
The Directory Synchronization service doesn't synchronize mail-enabled public folders. Running the following script will synchronize the mail-enabled public folders across premises. You need to recreate special permissions assigned to mail-enabled public folders in the cloud, because cross-premises permissions aren't supported in hybrid deployment scenarios.
Note
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use the Add-RecipientPermission command.
On the legacy Exchange server, run the following command to synchronize mail-enabled public folders from your local on-premises Active Directory to the cloud.
Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv
Where Credential is your cloud username and password, and CsvSummaryFile is the path to where you would like to log synchronization operations and errors, in .csv format.
Note
Before running the script, we recommend that you first simulate the actions that the script would take in your environment by running it as previously described with the -WhatIf parameter. We also recommend that you run this script daily to synchronize your mail-enabled public folders.
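Because SendAs permissions on mail-enabled public folders have to be recreated in the cloud, it helps to inventory them on-premises first. The following is an added example, not part of the original article or the sync scripts; the CSV path is an assumed location, and resolving the trustee with Get-User is a best-effort assumption that leaves the Trustee column blank for groups or accounts it can't resolve.

```powershell
# Added example, part 1: run in the on-premises Exchange Management Shell.
# Exports explicit (non-inherited) Send-As grants on mail-enabled public folders.
$csv = 'C:\PFScripts\pf_sendas.csv'   # assumed path; adjust as needed

$grants = foreach ($pf in Get-MailPublicFolder -ResultSize Unlimited) {
    Get-ADPermission -Identity $pf.DistinguishedName |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            ($_.ExtendedRights -like '*Send-As*') -and
            ("$($_.User)" -ne 'NT AUTHORITY\SELF')
        } |
        ForEach-Object {
            # Best effort: map the on-premises account to an address that
            # also exists in the cloud. Unresolved trustees stay blank.
            $address = ''
            $user = Get-User -Identity "$($_.User)" -ErrorAction SilentlyContinue
            if ($user) { $address = "$($user.WindowsEmailAddress)" }

            New-Object PSObject -Property @{
                PublicFolder  = "$($pf.PrimarySmtpAddress)"
                OnPremAccount = "$($_.User)"
                Trustee       = $address
            }
        }
}

$grants | Select-Object PublicFolder, OnPremAccount, Trustee |
    Export-Csv -Path $csv -NoTypeInformation

# Added example, part 2: run in Exchange Online PowerShell after the sync
# has completed and the CSV has been reviewed (fill in blank Trustee values
# by hand or drop those rows). -WhatIf previews each grant; remove it to apply.
Import-Csv -Path $csv |
    Where-Object { $_.Trustee } |
    ForEach-Object {
        Add-RecipientPermission -Identity $_.PublicFolder -Trustee $_.Trustee `
            -AccessRights SendAs -WhatIf
    }
```

Reviewing the exported list before applying it is also a chance to drop Send-As grants that are no longer needed.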
Step 5: Configure Exchange Online users to access on-premises public folders
The final step in this procedure is to configure the Exchange Online organization and to allow access to the legacy on-premises public folders.
You point to all of the proxy public folder mailboxes that you created in Step 2: Make remote public folders discoverable to enable the Exchange Online organization to access the on-premises public folders.
Run the following command in Exchange Online PowerShell. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox1,PFMailbox2,PFMailbox3
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to 3 hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you can force directory synchronization at any time. For detailed steps to force directory synchronization, see Microsoft Entra Connect Sync: Scheduler. Exchange Online randomly selects one of the public folder mailboxes that's supplied in this command.
Important
A cloud user who isn't represented by a MailUser object on-premises (local to the target public folder hierarchy) won't be able to access legacy, Exchange 2016, or Exchange 2019 on-premises public folders. See the Knowledge Base article Exchange Online users can't access legacy on-premises public folders for a solution.
How do I know this procedure worked?
Using a cloud user account, open Outlook and do the following public folder tests:
- View the hierarchy.
- Check permissions.
- Create and delete public folders.
- Post content to and delete content from a public folder.