Steps
Action
Configure a remote domain to be used with Office 365
Launch the on-premises Exchange Management Console (EMC), navigate to Hub Transport and select New Remote Domain in the actions pane
Create a new Accepted domain
Create a new Accepted domain that is authoritative for the namespace
Create a new federated trust with the Microsoft Federation Gateway (MFG)
Run the following command to get the Exchange certificate thumbprint:
Get-ExchangeCertificate | Where-Object {$_.Services -like "IIS*"}
Copy the thumbprint value, then run New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint XXXXXXXXXXXXXXXXXXX (where XXX is the thumbprint value). This creates the federation trust.
The command above displays text similar to the following:
To complete the federation configuration, you must add a text (TXT) record in DNS for the domain you want to use as the account namespace and for any other domain you want to add as a federated domain on the Microsoft Federation Gateway. After the TXT records are available in DNS, complete the federation trust configuration by using the Manage Federation wizard in the EMC or the Set-FederatedOrganizationIdentifier cmdlet in the Shell
You then need to prove ownership of the namespace
Run Get-FederatedDomainProof -DomainName ExchangeDelegation.company.com | FL DomainName,Proof and Get-FederatedDomainProof -DomainName company.com | FL DomainName,Proof. Then create a TXT record in public DNS for each domain to prove ownership of the namespace: copy the proof output and paste it into the public DNS TXT record.
Perform an nslookup to verify ownership
Run nslookup
Set q=txt
Company.com
Add the namespaces to the federation trust through the EMC
Edit the ‘Microsoft Federation Trust’ object
Ensure the enabled certificate is specified as the ‘current certificate’
This wizard lets you specify a current and a next certificate to ensure your certificate does not become invalid. If you have multiple HT servers, click on ‘show distribution state’ to ensure all servers have the correct certificate installed
Add the accepted domains
Add ExchangeDelegation and company.com to the manage federation section, complete the wizard, and then verify by running Test-OrganizationRelationship
Create the organisation Trust relationship
In the on-premises EMC select ‘Organization Configuration’ and in the actions pane select ‘New Organization Relationship’
Select ‘Enable this organization relationship’
Select ‘enable free/busy information access’
Select ‘free/busy access with time, plus subject and location’ if this is the access level you want to grant
Configure the external organization settings
Select ‘automatically discover configuration information’ and specify the online tenant namespace
Written by Daniel Kenyon-Smith
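A check for the ownership-proof and nslookup steps above, as an added example that is not part of the original article: it compares the proof returned by Get-FederatedDomainProof with the TXT strings published in public DNS and flags a missing or truncated record before the federation wizard is run. The function name Test-FederationProofRecord and the sample proof value are hypothetical; the syntax is kept PowerShell 2.0 compatible so it can run in the Exchange Management Shell.

```powershell
# Added example, not from the original article.
function Test-FederationProofRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $DomainName,
        [Parameter(Mandatory = $true)] [string] $ExpectedProof,
        [string[]] $TxtStrings = @()
    )
    $expected = $ExpectedProof.Trim()
    # DNS control panels often add quotes or whitespace around the pasted value.
    $published = @($TxtStrings | Where-Object { $_ } |
        ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })

    if ($published -ccontains $expected) {
        $status = 'Match'        # exact, case-sensitive match on the proof string
    }
    elseif ($published | Where-Object {
            $_.Length -ge 8 -and $_.Length -lt $expected.Length -and
            $expected.StartsWith($_, [StringComparison]::Ordinal) }) {
        $status = 'Truncated'    # only the beginning of the proof was published
    }
    else {
        $status = 'Missing'      # no TXT string carries the proof
    }

    New-Object PSObject -Property @{
        DomainName     = $DomainName
        Status         = $status
        TxtRecordCount = $published.Count
    }
}

# Constructed sample data: the proof value and TXT strings are made up, and one
# proof is reused for both domains (each real domain gets its own proof).
$proof = 'Q29uc3RydWN0ZWRQcm9vZlZhbHVlRm9yRXhhbXBsZU9ubHk='
$samples = @(
    @{ Domain = 'company.com';                    Txt = @('v=spf1 -all', ('"' + $proof + '"')) },
    @{ Domain = 'ExchangeDelegation.company.com'; Txt = @($proof.Substring(0, 20)) }
)
foreach ($s in $samples) {
    Test-FederationProofRecord -DomainName $s.Domain -ExpectedProof $proof -TxtStrings $s.Txt
}

# Live use (assumes the Exchange Management Shell, plus Resolve-DnsName from the
# DnsClient module on Windows 8 / Server 2012 or later; on older hosts paste the
# strings shown by nslookup instead):
# $p   = Get-FederatedDomainProof -DomainName company.com
# $txt = Resolve-DnsName -Name company.com -Type TXT | ForEach-Object { $_.Strings }
# Test-FederationProofRecord -DomainName company.com -ExpectedProof $p.Proof -TxtStrings $txt
```

Query a public resolver rather than an internal one when collecting the TXT strings, since a split-DNS zone can show a record that is not visible outside the network.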