Repair Federation Trust Checklist

  1. Document the existing trust settings (federated domains, federation settings)
    • Get-FederatedOrganizationIdentifier | select -ExpandProperty domains (local)
    • Get-FederationTrust |fl (local)
    • Get-OrganizationConfig |fl (local)
    • Get-OrganizationRelationship |fl (local)
    • Get-SendConnector |fl (local)
    • Get-ReceiveConnector |fl (local)
    • Get-FederatedOrganizationIdentifier | select -ExpandProperty domains (Office 365)
    • Get-AcceptedDomain | fl (Office 365)
    • Get-OutboundConnector | fl (Office 365)
    • Get-InboundConnector | fl (Office 365)
    • Get-RemoteDomain | fl (Office 365)
    • Get-OrganizationConfig | fl (Office 365)
    • Get-OrganizationRelationship | fl (Office 365)
    • Get-FederationTrust | fl (Office 365)
  2. Force remove each federated domain from the federation:

Remove-FederatedDomain -DomainName <DomainName> -Force

  3. Remove the federation trust:

Remove-FederationTrust "Microsoft Federation Gateway"

  4. Wait for AD replication
  5. Create a new federation trust:

New-FederationTrust -Name "Microsoft Federation Gateway v2" -Thumbprint "E866E662B3B5C57BE72DA541978BADB6ECED6E74"

  6. Update the trust organisation information:

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

  7. Add to the federated organization identifier:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway v2" -AccountNamespace <AccountNamespace> -Enabled $true

  8. Configure the required settings in the trust (as per the documentation created in step 1).
  9. Wait for AD replication
  10. Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust) – it can take 12-48 hours before the trust reports as being no longer expired!
  11. Add the federated domain back into the trust (this will involve generating domain ‘Proof’ entries and adding them to your external DNS, then waiting for DNS propagation):

Add-FederatedDomain -DomainName <DomainName>

Add-FederatedDomain -DomainName <DomainName>

Get-AcceptedDomain -Identity <DomainName> | fl

Get-RemoteDomain -Identity <DomainName> | fl

Get-FederatedDomainProof -DomainName <DomainName> -Thumbprint E866E662B3B5C57BE72DA541978BADB6ECED6E74

    1. Add the DnsRecord TXT string to the external facing DNS for the domain.
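
One way to capture the step 1 documentation in a repeatable form before the trust is removed, so the settings can be checked against it when they are reconfigured afterwards. This is an added example, not part of the original checklist; the function name, the labels and the output folder are assumptions.

```powershell
# Added example, not from the original page.
# Run once in the on-premises Exchange Management Shell (-Label local) and once
# in an Office 365 remote PowerShell session (-Label o365). Both labels are
# assumed names used only to keep the two snapshots apart.
function Export-FederationSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Label,
        [string]$OutDir = '.\federation-snapshot'   # assumed output folder
    )

    # The cmdlets named in step 1. Any that the current session does not
    # expose are reported and skipped rather than stopping the snapshot.
    $cmdlets = 'Get-FederatedOrganizationIdentifier', 'Get-FederationTrust',
               'Get-OrganizationConfig', 'Get-OrganizationRelationship',
               'Get-SendConnector', 'Get-ReceiveConnector', 'Get-AcceptedDomain',
               'Get-OutboundConnector', 'Get-InboundConnector', 'Get-RemoteDomain'

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $OutDir "$Label-$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    foreach ($name in $cmdlets) {
        if (-not (Get-Command $name -ErrorAction SilentlyContinue)) {
            Write-Warning "$name is not available in this session; skipped"
            continue
        }
        $data = & $name
        # The XML copy keeps every property and can be re-read with Import-Clixml.
        $data | Export-Clixml -Path (Join-Path $target "$name.xml")
        # The text copy is the same 'fl' view the checklist asks for.
        $data | Format-List * | Out-File -FilePath (Join-Path $target "$name.txt")
    }

    # The federated domain list is what the checklist later removes and
    # re-adds, so it is also written to its own file.
    if (Get-Command Get-FederatedOrganizationIdentifier -ErrorAction SilentlyContinue) {
        Get-FederatedOrganizationIdentifier |
            Select-Object -ExpandProperty Domains |
            Out-File -FilePath (Join-Path $target 'federated-domains.txt')
    }
    return $target
}

# Usage: Export-FederationSnapshot -Label local
```

Keep the snapshot folder somewhere other than the Exchange server itself, since it records connector and trust configuration.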

Managing Distribution Groups

Adding Members

Members can be added to a mail-enabled, universal group using PowerShell commands.

Extract details of the members from an existing group using the Get-DistributionGroupMember command. You can limit the information obtained to a single field e.g. PrimarySmtpAddress. The following command will do just that –

Get-DistributionGroupMember cmc-team |select PrimarySmtpAddress |Export-Csv cmc-addr.csv

The file it produces will be of the form –

#TYPE Selected.Microsoft.Exchange.Data.Directory.Management.ReducedRecipient


You need to produce a CSV file in the same format to add a list of members to a group. Import the CSV file to the group as follows –

Import-Csv cmc-addr.csv | foreach {add-distributiongroupmember -Identity cmc-team -member $_.PrimarySmtpAddress}

Note: If you have a list of staff IDs instead of addresses, you need to use the SamAccountName attribute instead. The CSV file needs to be in the following format –

#TYPE Selected.Microsoft.Exchange.Data.Directory.Management.ReducedRecipient

The import command in this case would be –

Import-Csv cmc-sam.csv | foreach {add-distributiongroupmember -Identity cmc-team -member $_.SamAccountName}

Hiding List Membership

Sometimes you do not want recipients of messages sent via mail-enabled groups to be able to expand the recipient list. Do the following to hide the recipients –

  1. Open Active Directory Users and Computers console.
  2. Click View Menu and select Advanced Features (to enable it)
  3. Find your Distribution List or Security Group (mail enabled) in the OU. DO NOT search for your group, because if you open the DL/Group properties from the search window, it will NOT show the Attribute Editor (which is the advanced feature).
  4. Double click to open the DL/Group to see the properties. Go to Attribute Editor tab.
  5. Find hideDLMembership attribute, double click to open and select True. Click OK twice to close the dialog boxes.

The change takes a while to take effect, because Exchange has to generate the Offline Address Book and Outlook installations have to retrieve it.

OWA – Silent Redirection to Office365

If a user’s mailbox is in Office 365, the CAS server issues a redirect to Office 365 when the user has successfully authenticated. By default, it shows a nuisance interstitial page that requires an extra click (and can turn into a black hole).
This is avoided by adding the following code to C:/Program Files/Microsoft/Exchange Server/V14/ClientAccess/Owa/casredirect.aspx immediately above the line <!DOCTYPE HTML…

if (RedirectionUrl.Contains(“”)) {

You need to do this every time there is an update to the Exchange software.

Exchange 2010 Failed Database Content Indexes

Failed content indexes can easily go unnoticed when everything else is working fine. However, they will eventually begin to cause problems for you, for example by preventing database switchovers. You can list all failed indexes with the following command –

[PS] C:\>Get-MailboxDatabaseCopyStatus * | where {$_.ContentIndexState -eq "Failed"}

If any databases are listed, the indexes can be fixed by piping the output from the command above into the Update-MailboxDatabaseCopy cmdlet as below –

[PS] C:\>Get-MailboxDatabaseCopyStatus * | where {$_.ContentIndexState -eq "Failed"} | Update-MailboxDatabaseCopy -CatalogOnly

Once this has completed run the first command again. It should not return anything if successful.

Message Tracking

Use EMS commands to retrieve message tracking data across several hub transport and mailbox server hosts as follows –

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} |`
Get-MessageTrackingLog -sender "" -Start "7/28/2012 8:00AM" -End "7/28/2012 5:00PM"


This is a split one-line command so watch out for the trailing back-tick!

Check the help for the Get-MessageTrackingLog cmdlet for other switch options, e.g. to trawl for recipients, message ID etc.