Sharing Made Easy

Office O365 [ Exchange Online, SharePoint Online, Lync Online ]

"Proof of domain ownership has failed" Exchange Hybrid Configuration Wizard Failure

"Proof of domain ownership has failed" Exchange Hybrid Configuration Wizard Failure

  • Comments 1
  • Likes

Issue:-

=========

While running the Exchange 2010 SP2 Hybrid Configuration Wizard, it fails with below error.

Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXT
record should be "example.com IN TXT hash-value" where "example.com" is the domain you want to configure for Federation and "hash-value"
is the proof value generated with "Get-FederatedDomainProof -DomainName example.com".   at
Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors).

Steps to Check and Rsolve.

===========================

1. Make sure your External DNS server has the proper TXT records for the "Proof" and you can query it successfully. [ Get-FederatedDomainProof -DomainName example.com ] Will give you the proof.

2. Open Exchange Console Management (On PREM) -> "Organization Configuration" -> Select "Federation Trust"

You should find an existing 'Microsoft Federation Gateway' Trust created by the wizard. Manually Try to run it and check if it fails. Alternatively you can run PS cmd as below in verbose mode to get the error as well.

Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'yourdomain.com' -Enabled $True -verbose

3. If it is pointing to FYDIBOHF25SPDLT.yourdomain.com, That GUID is Default, so dont worry. This means that still your TXT record is not fetched from External DNS to verify the 'Proof' record.

4. If you Manaully Delete the Federeation Trust and Create a new one, you will get a new Proof as well for the domain. "Get-FederatedDomainProof -DomainName example.com", will give you the new Proof, which you will need to again change in the External DNS, but mostly likely this will be the issue, if there is a stale entry in AD which can be checked through ADSIEDIT.msc

5. Main thing to check is from Command Prompt, basic 'nslookup' query. below are the commands.

>nslookup

>set q=ns

>yourdomain.com     [ Here you will get multiple NS records if there are more than 1, precendence will take place during query. You need to individually Query the NS servers starting from the 1st one, usually if the first server fails to process the query, Hybrid Configuration Wizard will fail with same error. ]

>ns1.yourdomain.com < IP Address >

ns2.yourdomain.com < IP Address >

>nslookup -querytype=txt yourdomain.com ns1.yourdomain.com [ Here if the 1server fails, then that server is the issue, you need to change he precedence of the servers to the one which is responding with your Domain TXT record for the Proof. ]

 

Note:- This error is purely due to the Proof TXT record query is not getting processed. Even if you check in any online DNS Query tools or sites, you will see the TXT record, but it can come from multiple tries to other DNS servers as well, if the primary server fails. So usually we miss that point to check

 

Comments
  • i have a question; How will the HCW verify domain if we have split dns configured internal organization and the Exchange 2010 SP3 server NIC pointed to internal DNS?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment