There can be situations where you need to completely remove and re-create your Hybrid configuration, which can seem challenging from the point of view of the required actions. The procedure below describes the steps needed, in order, to remove and create the Hybrid Configuration, for example if you receive the following error when running the Hybrid Configuration Wizard:
Execution of the Set-FederatedOrganizationIdentifier cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Federation trust "yourfederateddomain/Configuration/Deleted Objects/Microsoft Federation Gateway DEL:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" wasn't found. Make sure you have typed it correctly. at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)
This particular procedure is written for an Exchange 2013/Office 365 Wave 15 configuration, but it works well for an Exchange 2010/Wave 15 Hybrid too.
Clean-up
- Execute the following command on your on-premises Exchange 2013 server (this command is not available on Exchange 2010; if your Hybrid server is Exchange 2010, just skip this step):
Remove-HybridConfiguration
- Remove the existing organization relationships from both on-premises and O365 (you can use this command if you have just a single relationship on each side):
Get-OrganizationRelationship | Remove-OrganizationRelationship
- Remove the Federation Trust using ADSIEdit:
  - Start ADSIEdit, connect to the Configuration partition, expand CN=Configuration,DC=your,DC=domain, expand CN=Services, expand CN=Microsoft Exchange, expand CN=yourexchangeorg, and double-click CN=Federation Trusts
  - In the right-hand pane select CN=Microsoft Federation Gateway, right-click it and select Delete
Create new Federation Trust
- First, run the following command on the on-premises Hybrid server:
Get-ExchangeCertificate | where {($_.CertificateDomains -eq 'Federation') -and ($_.Status -eq 'Valid')} | Select-Object -Expand Thumbprint
- You will see one or more strings of numbers and letters (for example: FFFFFFC752C0EDB0BF70CF6C9E241B0DC246292); pick one (any), copy it and paste it into a text file.
- Run the following command:
New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint <thumbprint>
where <thumbprint> is the string you copied in the previous step.
- Then run the following command on the on-premises Hybrid server:
Get-FederatedDomainProof -DomainName yourdomain.com
After executing the command in the previous step you will see the DNS record that you should add to your public DNS (it will look like yourdomain.com TXT IN long_hash_number).
You will need to add that record to your public DNS. Please note that it can sometimes take up to 24 hours for the change to be picked up.
You may receive the same hash that is already present in DNS. This happens if you use the same certificate for the trust. In that case make no changes, just proceed with the next step.
- Execute the following command on the on-premises Hybrid server:
Set-FederatedOrganizationIdentifier -AccountNamespace <some_domain> -DelegationFederationTrust "Microsoft Federation Gateway"
In this step use any domain that is already present in the Accepted Domains of your organization, but not the domain you are going to federate. You will receive an error saying "Proof of ownership has failed."
This is expected; it will refresh the Org ID.
Create new Hybrid Configuration
- Run the following command on the on-premises Hybrid server:
Set-FederatedOrganizationIdentifier -AccountNamespace yourdomain.com -DelegationFederationTrust "Microsoft Federation Gateway"
- Run the following command on the on-premises Hybrid server:
Get-FederationInformation -DomainName yourtenantdomain.onmicrosoft.com | New-OrganizationRelationship -Name "OnPremise_toO365" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
- Run the following command in the O365 tenant:
Get-FederationInformation -DomainName yourdomain.com | New-OrganizationRelationship -Name "O365_toOnPremise" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
- Run the Hybrid Configuration Wizard from the on-premises Exchange 2013 ECP
Now your Hybrid configuration should be working again.
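As an added pre-flight check (example code written for this post, not part of the original procedure or of Exchange itself), the script below, run in the on-premises Exchange Management Shell, verifies that the new trust, the Organization Identifier link, the federation certificate, the published DNS proof record and the organization relationship are consistent before you start the wizard. The domain and trust name are placeholders, and the DelegationTrustLink and DnsRecord property names are assumptions not shown on the page.

```powershell
# Added example: read-only consistency check after re-creating the federation trust.
# Placeholders: $FederatedDomain and $TrustName. Properties marked "assumed" are not on the page.
param(
    [string]$FederatedDomain = 'yourdomain.com',
    [string]$TrustName       = 'Microsoft Federation Gateway'
)
$problems = @()

# 1. The trust must exist as a live object (the HCW error above came from a tombstone).
$trust = Get-FederationTrust -Identity $TrustName -ErrorAction SilentlyContinue
if (-not $trust) { $problems += "Federation trust '$TrustName' not found" }

# 2. The OrgID must be enabled and linked to that trust, not to something under 'Deleted Objects'.
#    DelegationTrustLink (assumed name) is the link shown by Get-FederatedOrganizationIdentifier.
$orgId = Get-FederatedOrganizationIdentifier
$link  = "$($orgId.DelegationTrustLink)"
if (-not $orgId.Enabled) { $problems += 'Organization identifier is disabled' }
if ($link -match 'Deleted Objects' -or $link -notmatch [regex]::Escape($TrustName)) {
    $problems += "OrgID is linked to '$link' instead of '$TrustName'"
}
if ("$($orgId.AccountNamespace)" -ne $FederatedDomain) {
    $problems += "AccountNamespace is '$($orgId.AccountNamespace)', expected '$FederatedDomain'"
}

# 3. Reuse the post's own certificate filter and flag a federation certificate that expires within 30 days.
$certs = Get-ExchangeCertificate | Where-Object { ($_.CertificateDomains -eq 'Federation') -and ($_.Status -eq 'Valid') }
if (-not $certs) { $problems += 'No valid certificate with CertificateDomains = Federation' }
foreach ($c in $certs) {
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate $($c.Thumbprint) expires $($c.NotAfter)" }
}

# 4. The proof Exchange expects must actually be published in public DNS. The post describes the
#    output as "yourdomain.com TXT IN long_hash_number", so the proof is taken as the last token
#    of the DnsRecord string (assumed property name), with any surrounding quotes stripped.
$expected = foreach ($p in Get-FederatedDomainProof -DomainName $FederatedDomain) {
    ("$($p.DnsRecord)" -split '\s+')[-1].Trim('"')
}
$published = (Resolve-DnsName -Name $FederatedDomain -Type TXT -ErrorAction SilentlyContinue).Strings
if (-not ($expected | Where-Object { $published -contains $_ })) {
    $problems += "No TXT record at $FederatedDomain matches the federated domain proof"
}

# 5. At least one organization relationship with free/busy enabled must exist on this side.
if (-not (Get-OrganizationRelationship | Where-Object { $_.FreeBusyAccessEnabled })) {
    $problems += 'No organization relationship with FreeBusyAccessEnabled'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Federation trust, OrgID, certificate, DNS proof and relationship look consistent' }
```

If every check passes, Test-FederationTrust -UserIdentity with a mailbox in the federated domain is the built-in end-to-end test to run before the wizard.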
Thanks for the great post. Could you explain step 5? I did not understand why we use some_domain that is in the accepted domain list. Are you referring to which domain, the one which is added by the HCW wizard, or which domain, and why do we do this?
Also this cmdlet is missing the enabled value
Set-FederatedOrganizationIdentifier -AccountNamespace yourdomain.com -DelegationFederationTrust "Microsoft Federation Gateway"
From TechNet
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace "Contoso.com" -Enabled $true
Yes, I agree with you that this step looks a bit odd, but it is the only way I managed to successfully refresh the Organization Identifier. It is required because in the previous steps we are deleting the Federation Trust and creating a new one.
Unfortunately the Organization Identifier is still linked with the old one, and if you try to run the HCW without refreshing the OrgID it will drop an error saying that it is unable to find the object.
But if you try to run Set-FederatedOrganizationIdentifier with a domain that was already federated, it does not refresh. It seems that there is some kind of internal cache, so I managed to refresh it successfully only by adding a new domain.
It is possible to add some temporary domain to your Accepted Domains list and then remove it when you have finished the procedure.
Because you already have your OrgID enabled, it is not necessary to use the -Enabled switch, but it is still OK if you use it.
THANK YOU SO MUCH!
I was banging my head against a wall for hours. Your guide fixed my problem in the blink of an eye.
After moving our Exchange from one server to another, the leftovers were present in the domain.
The ADSI edit was the key to solving the problem.