Applies to: Exchange Server 2013
Topic Last Modified: 2012-10-09
A federation trust establishes a trust relationship between a Microsoft Exchange 2013 organization and the Microsoft Federation Gateway and supports federated sharing with other federated Exchange organizations. Normally, you shouldn’t have to manage or modify the federation trust after it’s created. However, there may be circumstances that require adding or removing federated domains or resetting the domain used to configure the organization identifier (OrgID) for the federation trust.
Caution: Modifying an existing federation trust, especially the primary shared domain used to define the OrgID, can disrupt federated sharing between federated Exchange organizations or for hybrid deployments with Office 365 organizations.
For additional management tasks related to Federation, see Federation Procedures.
What do you need to know before you begin?
- Estimated time to complete: 30 minutes.
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
Federation and certificates permissions entry in the
Shell Infrastructure Permissions topic.
- You will need to add a TXT record to your public DNS for each
new federated domain added to the federation trust. Review the
requirements for adding a TXT record with the organization that
hosts your public DNS records.
- For the purposes of this topic, an existing federation trust
was configured with the following settings:
  - Contoso.com is the primary shared domain for the
  federation trust. (This domain will not be changed.)
  - The federated domains service.contoso.com and
  sales.contoso.com are included in the existing federation trust.
  - Marketing.contoso.com is an accepted domain in the Exchange organization.
- This topic also covers other federation management tasks, such
as viewing and managing certificates used for the federation trust
and viewing federation trust parameter information in the Shell.
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
What do you want to do?
Use the EAC to manage a federation trust
- On an Exchange 2013 server in your on-premises organization,
navigate to Organization > Sharing.
- In the Federation Trust section, click
- In Sharing-Enabled Domains, skip Step 1 because
the primary sharing domain isn’t changing.
- In Step 2, select the service.contoso.com domain
and then click Remove
to remove the domain from the federation trust.
- In Step 2, click Add.
- In Select Accepted Domains, select
marketing.contoso.com from the list of accepted domains, and
then click OK to add the domain to the federated trust.
Important: A federated domain proof string will be created for the marketing.contoso.com domain. You must create a separate TXT record on your public DNS for this domain.
- Using the federated domain proof string created for the
marketing.contoso.com domain, create a TXT record on your
public DNS server. Depending on the update schedule of your public
DNS host, replication of DNS changes may take 15 minutes or longer.
- After the TXT record is created and replicated, click
Use the Shell to manage a federation trust
- This example removes the service.contoso.com domain from the federation trust.
Remove-FederatedDomain -DomainName service.contoso.com
- This example adds the marketing.contoso.com domain to the federation trust.
Add-FederatedDomain -DomainName marketing.contoso.com
Run the following Shell commands to manage other aspects of a federation trust:
- View the federated OrgID and federated domains
This example displays the Exchange organization's federated OrgID and related information, including federated domains and status.
- View federation trust certificates
This example displays the previous, current, and next certificates used by the federation trust Microsoft Federation Gateway.
Get-FederationTrust "Microsoft Federation Gateway" | Select Org*certificate
- Check federation certificates status
This example displays the state of federation certificates on all Mailbox and Client Access servers in the organization.
- Configure the federation trust to use a certificate as the next certificate
This example configures the federation trust Microsoft Federation Gateway to use the certificate with the provided thumbprint as the next certificate. After the certificate is deployed to all Exchange servers in the organization, you can use the PublishFederationCertificate switch to configure the federation trust to use this certificate as the current certificate.
Set-FederationTrust "Microsoft Federation Gateway" -Thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17
- Configure the federation trust to use the next certificate
as the current certificate
This example configures the federation trust Microsoft Federation Gateway to use the next certificate as the current certificate and publishes it to the Microsoft Federation Gateway.
Set-FederationTrust "Microsoft Federation Gateway" -PublishFederationCertificate
Caution: Before configuring the federation trust to use the next certificate as the current federation certificate, make sure that the certificate is deployed on all Exchange servers in your organization. Use the Test-FederationTrustCertificate cmdlet to check the deployment status of the certificate.
- Refresh federation metadata and certificate from the
Microsoft Federation Gateway
This example refreshes the federation metadata and certificate of the Microsoft Federation Gateway for the federation trust Microsoft Federation Gateway.
Set-FederationTrust "Microsoft Federation Gateway" -RefreshMetadata
How do you know this worked?
The successful completion of the Sharing-enabled domains wizard is your first indication that you configured the federation trust as expected.
To further verify success, do the following:
- Run the following Shell command to verify the federation trust
Get-FederationTrust | format-list
- Run the following Shell command to verify that federation
information can be retrieved from your organization. For example,
verify that the sales.contoso.com and marketing.contoso.com domains
are returned in the DomainNames parameter.
Get-FederationInformation -DomainName <your primary sharing domain>
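The following script is an added example, not part of this topic or of the Exchange documentation. It strings together the add, TXT-proof and verify steps above, and assumes the Exchange Management Shell, the Get-FederatedDomainProof cmdlet with a Proof property on its output, and Resolve-DnsName from the DnsClient module; it queries a public resolver so the TXT check reflects what the Microsoft Federation Gateway will see rather than the internal AD-integrated zone.

```powershell
# Added example (not from the original topic): add marketing.contoso.com to the
# federation trust, wait until its federated domain proof TXT record is visible
# in public DNS, then confirm the domain shows up in DomainNames.
# Assumptions: Exchange Management Shell, Get-FederatedDomainProof (Proof
# property), Resolve-DnsName (DnsClient module, Windows Server 2012 or later).
param(
    [string]$Domain        = 'marketing.contoso.com',
    [string]$PrimaryDomain = 'contoso.com',   # primary sharing domain from the topic
    [string]$DnsServer     = '8.8.8.8',       # any public resolver, not the internal DNS
    [int]$MaxMinutes       = 60
)

# 1. Add the domain to the federation trust (the step the topic shows).
Add-FederatedDomain -DomainName $Domain

# 2. Retrieve the proof string(s) that must be published as TXT records.
#    One entry may be returned per federation certificate; publish each value.
$proofs = @(Get-FederatedDomainProof -DomainName $Domain)
Write-Host "Publish a TXT record at $Domain for each of these values:"
$proofs | ForEach-Object { Write-Host "  $($_.Proof)" }

# 3. Poll public DNS until at least one published proof is visible. Using an
#    external resolver avoids a false positive from the internal zone or cache.
$deadline = (Get-Date).AddMinutes($MaxMinutes)
$found = $false
do {
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -DnsOnly `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { $_.Strings -join '' }
    $found = [bool]($proofs | Where-Object { $txt -contains $_.Proof })
    if (-not $found) { Start-Sleep -Seconds 300 }   # topic: 15 minutes or longer
} until ($found -or (Get-Date) -gt $deadline)

if (-not $found) {
    throw "Proof TXT record for $Domain not visible in public DNS after $MaxMinutes minutes."
}

# 4. Verify as the topic's 'How do you know this worked?' section describes:
#    the new domain must be listed in DomainNames for the primary sharing domain.
$names = Get-FederationInformation -DomainName $PrimaryDomain |
         ForEach-Object { $_.DomainNames } |
         ForEach-Object { $_.ToString() }
if ($names -notcontains $Domain) {
    throw "$Domain is not yet listed in DomainNames for $PrimaryDomain."
}
Write-Host "$Domain is federated and visible in DomainNames for $PrimaryDomain."
```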