While running the Exchange 2010 SP2 Hybrid Configuration Wizard, it fails with below error.
Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXTrecord should be "example.com IN TXT hash-value" where "example.com" is the domain you want to configure for Federation and "hash-value"is the proof value generated with "Get-FederatedDomainProof -DomainName example.com". atMicrosoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors).
Steps to Check and Rsolve.
1. Make sure your External DNS server has the proper TXT records for the "Proof" and you can query it successfully. [ Get-FederatedDomainProof -DomainName example.com ] Will give you the proof.
2. Open Exchange Console Management (On PREM) -> "Organization Configuration" -> Select "Federation Trust"
You should find an existing 'Microsoft Federation Gateway' Trust created by the wizard. Manually Try to run it and check if it fails. Alternatively you can run PS cmd as below in verbose mode to get the error as well.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'yourdomain.com' -Enabled $True -verbose
3. If it is pointing to FYDIBOHF25SPDLT.yourdomain.com, That GUID is Default, so dont worry. This means that still your TXT record is not fetched from External DNS to verify the 'Proof' record.
4. If you Manaully Delete the Federeation Trust and Create a new one, you will get a new Proof as well for the domain. "Get-FederatedDomainProof -DomainName example.com", will give you the new Proof, which you will need to again change in the External DNS, but mostly likely this will be the issue, if there is a stale entry in AD which can be checked through ADSIEDIT.msc
5. Main thing to check is from Command Prompt, basic 'nslookup' query. below are the commands.
>yourdomain.com [ Here you will get multiple NS records if there are more than 1, precendence will take place during query. You need to individually Query the NS servers starting from the 1st one, usually if the first server fails to process the query, Hybrid Configuration Wizard will fail with same error. ]
>ns1.yourdomain.com < IP Address >
ns2.yourdomain.com < IP Address >
>nslookup -querytype=txt yourdomain.com ns1.yourdomain.com [ Here if the 1server fails, then that server is the issue, you need to change he precedence of the servers to the one which is responding with your Domain TXT record for the Proof. ]
Note:- This error is purely due to the Proof TXT record query is not getting processed. Even if you check in any online DNS Query tools or sites, you will see the TXT record, but it can come from multiple tries to other DNS servers as well, if the primary server fails. So usually we miss that point to check
i have a question; How will the HCW verify domain if we have split dns configured internal organization and the Exchange 2010 SP3 server NIC pointed to internal DNS?
I am using Melbourne IT as my DNS host and found that, for some reason, TXT queries return spaces in the place of the plus symbol. I had to delete and create a new Federation Trust until I got one without a plus symbol.
Roy81, verification only uses your public DNS. The record is not required internally.
how did you delete and create the new Federation Trust to have a new token.
I am in the same situation with Melbourne IT. and when I tried to delete the Federation Trust, I still have the same token.
firstname.lastname@example.org if you give me an answer please