"Proof of domain ownership has failed" Exchange Hybrid Configuration Wizard Failure

Issue:-

=========

While running the Exchange 2010 SP2 Hybrid Configuration Wizard, it fails with the error below.

Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXT
record should be "example.com IN TXT hash-value" where "example.com" is the domain you want to configure for Federation and "hash-value"
is the proof value generated with "Get-FederatedDomainProof -DomainName example.com". at
Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors).

Steps to Check and Resolve.

===========================

1. Make sure your external DNS server has the proper TXT record for the "Proof" and that you can query it successfully. [ Get-FederatedDomainProof -DomainName example.com ] will give you the proof.

2. Open the Exchange Management Console (on-premises) -> "Organization Configuration" -> select "Federation Trust".

You should find an existing 'Microsoft Federation Gateway' trust created by the wizard. Try running it manually and check whether it fails. Alternatively, you can run the PowerShell command below with -Verbose to get the error as well.

Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'yourdomain.com' -Enabled $True -verbose

3. If it is pointing to FYDIBOHF25SPDLT.yourdomain.com, that GUID is the default, so don't worry. It means your TXT record is still not being fetched from external DNS to verify the 'Proof' record.

4. If you manually delete the Federation Trust and create a new one, you will also get a new proof for the domain. "Get-FederatedDomainProof -DomainName example.com" will give you the new proof, which you will then need to change again in external DNS. Most likely this will be the issue if there is a stale entry in AD, which can be checked through ADSIEDIT.msc.

5. The main thing to check is a basic 'nslookup' query from the Command Prompt. Below are the commands.

>nslookup

>set q=ns

>yourdomain.com [ Here you will get multiple NS records if there is more than one; precedence applies during the query. You need to query the NS servers individually, starting from the first one. Usually, if the first server fails to process the query, the Hybrid Configuration Wizard will fail with the same error. ]

ns1.yourdomain.com < IP Address >

ns2.yourdomain.com < IP Address >

nslookup -querytype=txt yourdomain.com ns1.yourdomain.com [ Run this from the Command Prompt itself, not inside the interactive nslookup session. If the first server fails, then that server is the issue; you need to change the precedence of the servers to the one which is responding with your domain's TXT record for the Proof. ]
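The per-name-server check from step 5, automated in PowerShell as an added example (this is not code from the original post or from the Exchange product). It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later) and that you paste in the proof value from Get-FederatedDomainProof; the function name and the placeholder proof value are mine.

```powershell
# Added example: query every NS server of the domain directly for the proof TXT record,
# so a single failing or stale name server shows up instead of being hidden by retries.
function Test-FederationProofRecord {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$Proof       # value from Get-FederatedDomainProof
    )

    # Same as "set q=ns" in nslookup: get the authoritative name servers of the domain.
    # -DnsOnly bypasses the local cache and hosts file.
    $nameServers = Resolve-DnsName -Name $DomainName -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost

    foreach ($ns in $nameServers) {
        $result = [pscustomobject]@{ NameServer = $ns; Status = 'Unknown'; Detail = '' }
        try {
            # -Server sends the TXT query straight to that NS, like
            # "nslookup -querytype=txt yourdomain.com ns1.yourdomain.com".
            $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' }
            # A TXT record may be split into several strings; join them before comparing.
            $values = @($txt | ForEach-Object { $_.Strings -join '' })
            if ($values -contains $Proof) {
                $result.Status = 'OK'
                $result.Detail = 'current proof TXT record returned'
            } else {
                # Server answers, but without the expected proof: stale or missing record.
                $result.Status = 'MISSING'
                $result.Detail = "TXT values returned: $($values -join ' | ')"
            }
        } catch {
            # Timeout, REFUSED or SERVFAIL: this is the server that breaks the wizard.
            $result.Status = 'FAIL'
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

# Usage (placeholder proof value; paste the real one from
# "Get-FederatedDomainProof -DomainName yourdomain.com"):
$proof = '<PROOF-VALUE-FROM-GET-FEDERATEDDOMAINPROOF>'
Test-FederationProofRecord -DomainName 'yourdomain.com' -Proof $proof | Format-Table -AutoSize
```

Any server reported as FAIL or MISSING is the one to fix or demote in NS precedence before re-running the wizard.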


Note:- This error is purely due to the Proof TXT record query not being processed. Even if you check with any online DNS query tool or site, you will see the TXT record, but that answer may have come from retries against other DNS servers after the primary server failed. So usually we miss that point to check.

Comments

  • Anonymous
    April 09, 2015
    Hi Domenic,

    How did you delete and create the new Federation Trust to have a new token?

    I am in the same situation with Melbourne IT, and when I tried to delete the Federation Trust, I still had the same token.

    exadmin@e-computech.com if you give me an answer please
  • Anonymous
    October 13, 2015
    Hey Domenic, I'm having the same problem as well. If you could tell me how you were able to delete and create the new federation trust to get a new token I'd appreciate it. Thanks! tmeyermn@gmail.com
  • Anonymous
    November 19, 2015
    Anyone else have the issue where the step for nslookup -querytype=txt yourdomain.com ns1.yourdomain.com comes back with the unrecognized command error? Any advice to get past that?

    Thank you
  • Anonymous
    December 31, 2015
    John, you run that command from a command prompt directly. Don't be in nslookup when you run it.