[This topic is in progress.]

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

Microsoft Exchange Server 2010 uses Federation for federated delegation. Federation requires a federation trust with the Microsoft Federation Gateway. After you create the trust, you must configure the federated organization identifier with any accepted domains you want to federate.

To provide proof of ownership of the registered Internet domain, you must create a text (TXT) record in the Domain Name System (DNS) zone of each accepted domain you want to federate. The TXT record contains the federated domain proof encryption string generated when you run the Get-FederatedDomainProof cmdlet for each domain.

You can create a TXT record by using DNS Manager on a server running Windows Server 2008 that has the DNS server role installed. Your organization may use DNS server software from another vendor or use a service provider to host the DNS zone for the domain. Many Internet domain registrars host DNS zones for customers and most service providers offer Web-based management tools so that customers can manage DNS records for their domains. To learn more about the DNS server role, see DNS Server Role.

Note:
Creating a TXT record is one of several steps in setting up federated delegation in your Exchange 2010 organization. To review all the steps, see Configure Federated Delegation.

Looking for other management tasks related to Federation? Check out Managing Federation.

Prerequisites

  • A federation trust has been created between your Exchange 2010 organization and the Microsoft Federation Gateway. For details, see Create a Federation Trust.

  • Your Exchange organization uses one or more Internet domains registered with a domain registrar.

  • The domains have a DNS zone accessible from the Internet.

  • The DNS server role or the DNS Server service is installed. You can install the DNS server role by using Server Manager in Windows Server 2008. For information about using Server Manager, see Server Manager.

Step 1: Use the Shell to create the federated domain proof encryption strings

Run the Get-FederatedDomainProof cmdlet for each domain to be federated.

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

This example generates the domain proof string used for the TXT record for contoso.com.

Get-FederatedDomainProof -DomainName contoso.com

For detailed syntax and parameter information, see Get-FederatedDomainProof.

Step 2: Create a TXT record

Use DNS Manager

  1. In DNS Manager, expand the DNS server you want, and then expand Forward Lookup Zones.

  2. Select the forward lookup zone in which you want to create the TXT record.

  3. From the menu bar, navigate to Action > Other New Records.

  4. In Resource Record Type, select Text (TXT), and then click Create Record.

  5. In New Resource Record, complete the following fields:

    • Record name (uses parent domain if left blank)   Leave this field blank so that the record is created with the same name as the domain.

    • Fully qualified domain name (FQDN)   This read-only field displays the FQDN created by concatenating the record name to the domain name.

    • Text   Type the federated domain proof string that was generated when you ran the Get-FederatedDomainProof cmdlet. For example, if the federated domain proof string is 7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg==, you would enter the entire string in the Text field.

      Important:
      The federated domain proof is a string of alphanumeric characters. To avoid input errors, we recommend that you copy the string from the Shell, paste it into a text editor such as Notepad, copy it from the text editor to the Clipboard, and then paste it into the Text field of the TXT record. If the TXT record is created by using an incorrect federated domain proof string, the Microsoft Federation Gateway won't be able to verify proof of domain ownership, and you won't be able to add it to the federated organization identifier.

  6. Click OK, and then click Done to create the record.

Use the DNSCmd command

This example creates a TXT record in the forward lookup zone contoso.com with the federated domain proof string 7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg== on DNS server NS1.

DNSCmd NS1 /RecordAdd contoso.com "@" TXT "7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg=="

For detailed syntax and parameter information, see Dnscmd.
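
Because an incorrect proof string in the TXT record prevents the Microsoft Federation Gateway from verifying domain ownership, it is worth checking the published record against the generated string before continuing. The following is an added example, not part of the original topic or of Exchange: the function names are hypothetical, and the nslookup output and the 192.0.2.53 address are constructed so the script runs offline.

```powershell
# Added example; function names are hypothetical, not Exchange cmdlets.
function Get-TxtStringsFromNslookup {
    param([string[]]$NslookupOutput)
    # nslookup prints every TXT character-string inside double quotes.
    foreach ($line in $NslookupOutput) {
        foreach ($m in [regex]::Matches([string]$line, '"([^"]*)"')) {
            $m.Groups[1].Value
        }
    }
}

function Test-FederatedDomainProofTxt {
    param([string]$ExpectedProof, [string[]]$TxtStrings)
    foreach ($txt in $TxtStrings) {
        # Exact, case-sensitive comparison (-ceq); -eq would ignore case.
        if ($txt -ceq $ExpectedProof) { return 'Match' }
    }
    foreach ($txt in $TxtStrings) {
        # Equal only after ignoring case and whitespace: a damaged copy.
        if (($txt -replace '\s', '') -ieq ($ExpectedProof -replace '\s', '')) {
            return 'NearMiss'
        }
    }
    return 'Missing'
}

# Proof string used in this topic's examples.
$proof = '7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg=='

# Constructed nslookup output. Against a live zone, capture it with:
#   $output = nslookup -type=TXT contoso.com NS1 2>$null
$output = @(
    'Server:  NS1',
    'Address:  192.0.2.53',
    '',
    'contoso.com     text =',
    '',
    '        "v=spf1 -all"',
    'contoso.com     text =',
    '',
    "        `"$proof`""
)

# Record published with an exact copy of the proof.
Test-FederatedDomainProofTxt -ExpectedProof $proof -TxtStrings @(Get-TxtStringsFromNslookup $output)

# Same record with the letter case of the last characters altered.
$damaged = $output -replace 'HDPgg==', 'hdpgg=='
Test-FederatedDomainProofTxt -ExpectedProof $proof -TxtStrings @(Get-TxtStringsFromNslookup $damaged)
```

A NearMiss result means a record resembling the proof exists but was altered during entry; a Missing result means no such record was returned by the queried server.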

Other Tasks

After you create a TXT record for Federation, you may also want to: