Repair Federation Trust Checklist

  1. Document the existing trust settings (federated domains, federation settings):
    • Get-FederatedOrganizationIdentifier | select -ExpandProperty domains (local)
    • Get-FederationTrust | fl (local)
    • Get-OrganizationConfig | fl (local)
    • Get-OrganizationRelationship | fl (local)
    • Get-SendConnector | fl (local)
    • Get-ReceiveConnector | fl (local)
    • Get-FederatedOrganizationIdentifier | select -ExpandProperty domains (Office 365)
    • Get-AcceptedDomain | fl (Office 365)
    • Get-OutboundConnector | fl (Office 365)
    • Get-InboundConnector | fl (Office 365)
    • Get-RemoteDomain | fl (Office 365)
    • Get-OrganizationConfig | fl (Office 365)
    • Get-OrganizationRelationship | fl (Office 365)
    • Get-FederationTrust | fl (Office 365)
  2. Force-remove each federated domain from the federation (repeat for every domain listed in step 1):

Remove-FederatedDomain -DomainName -Force

  3. Remove the federation trust:

Remove-FederationTrust "Microsoft Federation Gateway"

  4. Wait for AD replication.
  5. Create a new federation trust (the thumbprint is that of the federation certificate):

New-FederationTrust -Name "Microsoft Federation Gateway v2" -Thumbprint "E866E662B3B5C57BE72DA541978BADB6ECED6E74"

  6. Refresh the trust's organisation metadata:

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

  7. Point the federated organization identifier at the new trust:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway v2" -AccountNamespace -Enabled $true

  8. Configure the required settings in the trust (as per the documentation created in step 1).
  9. Wait for AD replication.
  10. Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust). Note that it can take 12-48 hours before the trust reports as being no longer expired.
  11. Add each federated domain back into the trust (this involves generating domain "Proof" entries and adding them to your external DNS, then waiting for DNS propagation):

Add-FederatedDomain -DomainName

Add-FederatedDomain -DomainName

Get-AcceptedDomain -Identity | fl

Get-RemoteDomain -Identity | fl

Get-FederatedDomainProof -DomainName -Thumbprint E866E662B3B5C57BE72DA541978BADB6ECED6E74

    1. Add the DnsRecord TXT string to the external-facing DNS for the domain.
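The script below is an added helper for steps 1 and 11 of this checklist, not part of the original page: it keeps an offline copy of the trust settings before anything destructive runs, then polls a public resolver for each domain's proof TXT record so the operator knows when propagation has completed. It assumes an Exchange Management Shell session, that Get-FederatedDomainProof exposes DnsRecord and Proof properties, and uses a constructed placeholder domain.

```powershell
# Added helper for the repair checklist (not from the original page).
# Run from an Exchange Management Shell. $Domains is a constructed placeholder.
param(
    [string[]]$Domains   = @('contoso.example'),   # constructed placeholder, replace
    [string]$Thumbprint  = 'E866E662B3B5C57BE72DA541978BADB6ECED6E74',
    [string]$OutDir      = "$env:USERPROFILE\FederationRepair-$(Get-Date -Format yyyyMMdd-HHmm)",
    [string]$DnsServer   = '8.8.8.8'               # any public resolver outside your network
)

# Step 1: snapshot every setting the checklist lists before the trust is removed.
function Save-FederationSnapshot {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $commands = 'Get-FederationTrust', 'Get-FederatedOrganizationIdentifier',
                'Get-OrganizationConfig', 'Get-OrganizationRelationship',
                'Get-SendConnector', 'Get-ReceiveConnector', 'Get-AcceptedDomain'
    foreach ($cmd in $commands) {
        # Clixml keeps the full objects, so the post-repair state can be compared with Import-Clixml
        & $cmd | Export-Clixml -Path (Join-Path $OutDir "$cmd.xml")
    }
}

# Step 11: print the TXT record to publish, then wait until a public resolver returns it.
function Wait-FederatedDomainProof {
    param([string]$Domain, [int]$TimeoutMinutes = 60)
    # Assumed property names: DnsRecord (full record text) and Proof (the TXT value)
    $proof = Get-FederatedDomainProof -DomainName $Domain -Thumbprint $Thumbprint
    Write-Host "Publish this TXT record for ${Domain}:`n$($proof.DnsRecord)"
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue
        # A long TXT value may be split into several strings; join them before comparing
        $values = @($txt | ForEach-Object { $_.Strings -join '' })
        if ($values -contains $proof.Proof) { return $true }
        Start-Sleep -Seconds 120
    } while ((Get-Date) -lt $deadline)
    return $false
}

Save-FederationSnapshot
foreach ($d in $Domains) {
    if (-not (Wait-FederatedDomainProof -Domain $d)) {
        Write-Warning "Proof for $d is not yet visible in public DNS; do not proceed with this domain."
    }
}
```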