Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Microsoft Exchange Server 2010 uses Federation for federated delegation. Federation requires a federation trust with the Microsoft Federation Gateway. After you create the trust, you must configure the federated organization identifier with any accepted domains you want to federate.
To provide proof of ownership of the registered Internet domain, you must create a text (TXT) record in the Domain Name System (DNS) zone of each accepted domain you want to federate. The TXT record contains the federated domain proof encryption string generated when you run the Get-FederatedDomainProof cmdlet for each domain.
You can create a TXT record by using DNS Manager on a server running Windows Server 2008 that has the DNS server role installed. Your organization may use DNS server software from another vendor or use a service provider to host the DNS zone for the domain. Many Internet domain registrars host DNS zones for customers and most service providers offer Web-based management tools so that customers can manage DNS records for their domains. To learn more about the DNS server role, see DNS Server Role.
Note: Creating a TXT record is one of several steps in setting up federated delegation in your Exchange 2010 organization. To review all the steps, see Configure Federated Delegation.
Looking for other management tasks related to Federation? Check out Managing Federation.
Prerequisites
- A federation trust has been created between your Exchange 2010 organization and the Microsoft Federation Gateway. For details, see Create a Federation Trust.
- Your Exchange organization uses one or more Internet domains registered with a domain registrar.
- The domains have a DNS zone accessible from the Internet.
- The DNS server role or the DNS Server service is installed. You can install the DNS server role by using Server Manager in Windows Server 2008. For information about using Server Manager, see Server Manager.
Step 1: Use the Shell to create the federated domain proof encryption strings
Run the Get-FederatedDomainProof cmdlet once for each domain you want to federate.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.
This example generates the domain proof string used for the TXT record for contoso.com.
Get-FederatedDomainProof -DomainName contoso.com
For detailed syntax and parameter information, see Get-FederatedDomainProof.
Step 2: Create a TXT record
Use DNS Manager
- In DNS Manager, expand the DNS server you want, and then expand Forward Lookup Zones.
- Select the forward lookup zone in which you want to create the TXT record.
- From the menu bar, navigate to Action > Other New Records.
- In Resource Record Type, select Text (TXT), and then click Create Record.
- In New Resource Record, complete the following fields:
  - Record name (uses parent domain if left blank): Leave this field blank so that the record is created with the same name as the domain name.
  - Fully qualified domain name (FQDN): This read-only field displays the FQDN created by concatenating the record name to the domain name.
  - Text: Type the federated domain proof string that was generated when you ran the Get-FederatedDomainProof cmdlet. For example, if the federated domain proof string is 7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg==, you would enter the entire string in the Text field.
Important: The federated domain proof is a string of alphanumeric characters. To avoid input errors, we recommend that you copy the string from the Shell, paste it into a text editor such as Notepad, copy it from the text editor to the Clipboard, and then paste it into the Text field of the TXT record. If the TXT record is created by using an incorrect federated domain proof string, the Microsoft Federation Gateway won't be able to verify proof of domain ownership, and you won't be able to add it to the federated organization identifier.
- Click OK, and then click Done to create the record.
Use the DNSCmd command
This example creates a TXT record in the forward lookup zone contoso.com with the federated domain proof string 7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg== on DNS server NS1.
DNSCmd NS1 /RecordAdd contoso.com "@" TXT "7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg=="
For detailed syntax and parameter information, see Dnscmd.
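The following script is an added example and is not part of the original article or of Exchange itself. It chains Step 1 and Step 2 for a list of accepted domains and then queries the DNS server to confirm that the published TXT record is byte-for-byte the string Get-FederatedDomainProof returned, which is the failure the Important note above warns about. The server name NS1 and the domain list are placeholders; the Proof property name on the Get-FederatedDomainProof output object, and the use of Resolve-DnsName (DnsClient module, Windows Server 2012 or later) for the check, are assumptions and are marked as such in the comments.

```powershell
# Added example, not from the original article: automate Step 1 and Step 2 for a
# list of accepted domains, then verify what the DNS server actually answers.
# Assumptions: $DnsServer and $Domains are placeholders; 'Proof' is assumed to be
# the property carrying the string on the Get-FederatedDomainProof output;
# Resolve-DnsName requires the DnsClient module (Windows Server 2012 or later).
# Run in the Exchange Management Shell on a host that can reach the DNS server.

$DnsServer = 'NS1'               # placeholder: DNS server authoritative for the zones
$Domains   = @('contoso.com')    # placeholder: accepted domains you want to federate

function Publish-FederationProof {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Server
    )

    # Step 1: generate the proof string. Taking it from the returned object
    # avoids the retyping and clipboard errors the article cautions against.
    $proof = (Get-FederatedDomainProof -DomainName $Domain).Proof   # assumed property name
    if ([string]::IsNullOrWhiteSpace($proof)) {
        throw "Get-FederatedDomainProof returned no proof string for $Domain"
    }

    # Step 2: publish it as a TXT record at the zone apex ("@"). Passing $proof as
    # its own argument sidesteps quoting problems with the '/', '+' and '=' characters.
    & dnscmd.exe $Server /RecordAdd $Domain '@' TXT $proof
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd failed for $Domain (exit code $LASTEXITCODE)"
    }

    return $proof
}

function Test-FederationProof {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ExpectedProof
    )

    # Ask the server directly for the apex TXT records. A TXT record may carry
    # several strings, so join them before comparing.
    try {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Server -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '') }
    } catch {
        return $false
    }

    # Exact, case-sensitive comparison: a stray space, a wrapped line or a lost
    # trailing '=' is enough for the Federation Gateway to reject the proof.
    return [bool]($txt -ccontains $ExpectedProof)
}

foreach ($domain in $Domains) {
    $proof = Publish-FederationProof -Domain $domain -Server $DnsServer
    if (Test-FederationProof -Domain $domain -Server $DnsServer -ExpectedProof $proof) {
        Write-Output "$domain : published TXT record matches the federated domain proof"
    } else {
        Write-Warning "$domain : TXT record is missing or differs from the proof; correct it before adding the federated domain"
    }
}
```

On a Windows Server 2008 DNS host without Resolve-DnsName, the same check can be done by hand with nslookup -type=TXT against the server and comparing the answer to the Shell output. If the zone is hosted by a registrar or service provider, query its public name servers rather than NS1, since that is what the Microsoft Federation Gateway will see, and allow for the record's TTL before adding the federated domain.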
Other Tasks
After you create a TXT record for Federation, you may also want to:
- Add a federated domain. For details, see Manage Federation.
- Create an Organization Relationship.