- Document the existing trust settings (federated domains, federation settings)
- Get-FederatedOrganizationIdentifier | select -ExpandProperty domains (local)
- Get-FederationTrust | fl (local)
- Get-OrganizationConfig | fl (local)
- Get-OrganizationRelationship | fl (local)
- Get-SendConnector | fl (local)
- Get-ReceiveConnector | fl (local)
- Get-FederatedOrganizationIdentifier | select -ExpandProperty domains (Office 365)
- Get-AcceptedDomain | fl (Office 365)
- Get-OutboundConnector | fl (Office 365)
- Get-InboundConnector | fl (Office 365)
- Get-RemoteDomain | fl (Office 365)
- Get-OrganizationConfig | fl (Office 365)
- Get-OrganizationRelationship | fl (Office 365)
- Get-FederationTrust | fl (Office 365)
- Force remove each federated domain from the federation (-Force is required for the domain configured as the account namespace; cross-premises free/busy and calendar sharing stop working from this point until the trust is rebuilt and the domains are added back):
Remove-FederatedDomain -DomainName o365mail.qub.ac.uk -Force
- Remove the federation trust:
Remove-FederationTrust "Microsoft Federation Gateway"
- Wait for AD replication
- Create a new federation trust, naming (by thumbprint) the certificate that will sign tokens exchanged with the gateway. The certificate must already be installed, with its private key, on the Exchange servers:
New-FederationTrust -Name "Microsoft Federation Gateway v2" -Thumbprint "E866E662B3B5C57BE72DA541978BADB6ECED6E74"
- Refresh the trust's copy of the gateway metadata (gateway endpoints and signing certificate):
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
- Add o365mail.qub.ac.uk to the federated organization identifier as the account namespace. The gateway verifies ownership of the account namespace with the same TXT proof record used for federated domains (generated with Get-FederatedDomainProof, see below), so that record has to be resolvable in external DNS before this step succeeds. Note there is no trailing space inside the quoted trust name:
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway v2" -AccountNamespace o365mail.qub.ac.uk -Enabled $true
- Configure the required settings in the trust (as per the documentation created in step 1).
- Wait for AD replication
- Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust). It can take 12-48 hours before the trust stops reporting the old certificate as expired, so a failure here immediately after the rebuild is not necessarily a configuration error; re-test before changing anything.
- Add the federated domains back into the trust. Add-FederatedDomain only succeeds once the gateway can see a domain-ownership proof for the domain, so the order is: generate the proof for the new certificate, publish it as a TXT record in external DNS, wait for propagation, then add the domain. The proof is derived from the certificate thumbprint, so proof records published for the old trust are no longer valid.
Get-FederatedDomainProof -DomainName o365mail.qub.ac.uk -Thumbprint E866E662B3B5C57BE72DA541978BADB6ECED6E74
- Add the DnsRecord TXT string from the output to the external-facing DNS zone for o365mail.qub.ac.uk (the record sits on the domain name itself, not on a host under it) and wait until it resolves from outside the organisation. Repeat the proof and TXT record for each domain being added, then add the domains:
Add-FederatedDomain -DomainName o365mail.qub.ac.uk
Add-FederatedDomain -DomainName ads.qub.ac.uk
- Confirm the domains are present and correctly configured:
Get-AcceptedDomain -Identity o365mail.qub.ac.uk | fl
Get-RemoteDomain -Identity o365mail.qub.ac.uk | fl
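- Added example (not part of the original runbook): a PowerShell script that wraps the checks worth running around the destructive steps above. It snapshots the configuration listed in step 1 to files, refuses to proceed on a certificate that is missing, expired or has no private key, and checks that the proof TXT record for each domain is visible from a public resolver before Add-FederatedDomain runs. Assumptions not taken from the page: the Exchange Management Shell is loaded, Resolve-DnsName (DnsClient module) is available, Get-FederatedDomainProof exposes the proof string as a Proof property, and 8.8.8.8 is an acceptable external resolver to query.

```powershell
# Added example, not the original runbook's own code. Assumptions (not from the
# page): Exchange Management Shell loaded, Resolve-DnsName available,
# Get-FederatedDomainProof output has a 'Proof' property, and the resolver
# address below is one the reader is happy to query from this server.

$Thumbprint = 'E866E662B3B5C57BE72DA541978BADB6ECED6E74'
$Domains    = @('o365mail.qub.ac.uk', 'ads.qub.ac.uk')
$BackupPath = Join-Path $env:USERPROFILE ('FederationBackup-{0:yyyyMMdd-HHmm}' -f (Get-Date))

# Step 1: export every object the runbook lists to CLIXML so the pre-change
# values can be compared against the rebuilt trust (Import-Clixml to read back).
function Save-FederationState {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $snapshots = [ordered]@{
        FederatedOrganizationIdentifier = Get-FederatedOrganizationIdentifier
        FederationTrust                 = Get-FederationTrust
        OrganizationConfig              = Get-OrganizationConfig
        OrganizationRelationship        = Get-OrganizationRelationship
        SendConnector                   = Get-SendConnector
        ReceiveConnector                = Get-ReceiveConnector
    }
    foreach ($name in $snapshots.Keys) {
        $snapshots[$name] | Export-Clixml -Path (Join-Path $Path "$name.xml") -Depth 4
    }
    Get-ChildItem -Path $Path
}

# Refuse to build a trust on a certificate that is missing, expired, or has no
# private key; these are the usual reasons Test-FederationTrustCertificate fails.
function Confirm-FederationCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this server"
    }
    $cert
}

# Compare the proof Exchange expects for this certificate with the TXT records
# a public resolver returns for the bare domain name. Base64 proof values are
# case-sensitive, so -cnotcontains is used rather than the case-insensitive form.
function Test-FederatedDomainProofPublished {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$DnsServer = '8.8.8.8'   # assumed external resolver; any public one will do
    )
    $expected  = @(Get-FederatedDomainProof -DomainName $DomainName -Thumbprint $Thumbprint |
                   Select-Object -ExpandProperty Proof)
    $records   = Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue
    $published = @($records | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
    $missing   = @($expected | Where-Object { $published -cnotcontains $_ })
    [pscustomobject]@{
        Domain    = $DomainName
        Expected  = $expected
        Published = ($missing.Count -eq 0)
        Missing   = $missing
    }
}

# Driver: run the checks in runbook order and stop at the first one that fails.
Save-FederationState -Path $BackupPath
Confirm-FederationCertificate -Thumbprint $Thumbprint | Out-Null

$status = foreach ($d in $Domains) {
    Test-FederatedDomainProofPublished -DomainName $d -Thumbprint $Thumbprint
}
$status | Format-Table Domain, Published, Missing -AutoSize

if ($status | Where-Object { -not $_.Published }) {
    throw 'Proof TXT record(s) not yet visible in public DNS; publish them, wait for propagation, then re-run.'
}

# Only now is it safe to add the domains back and run the built-in trust tests.
foreach ($d in $Domains) {
    Add-FederatedDomain -DomainName $d
}
Test-FederationTrustCertificate
Test-FederationTrust
```

Run it once after publishing the TXT records; if it throws on the DNS check, the Missing column shows which proof strings the public resolver could not yet see, so the wait is for propagation rather than a configuration mistake. The CLIXML exports are what you diff against when reapplying the organization relationship and connector settings documented in step 1.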