Monday, October 29, 2012

"Proof of domain ownership has failed" Exchange Hybrid Configuration Wizard Failure

Issue:-
=========
While running the Exchange 2010 SP2 Hybrid Configuration Wizard, it fails with the error below.

Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXT
record should be "example.com IN TXT hash-value" where "example.com" is the domain you want to configure for Federation and "hash-value"
is the proof value generated with "Get-FederatedDomainProof -DomainName example.com". at
Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors).


Steps to Check and Resolve.
===========================
1. Make sure your external DNS server has the proper TXT record for the proof and that you can query it successfully. [ Get-FederatedDomainProof -DomainName example.com ] will give you the proof value.

2. Open the Exchange Management Console (on-premises) -> "Organization Configuration" -> select "Federation Trust".
You should find an existing 'Microsoft Federation Gateway' trust created by the wizard. Try to run it manually and check whether it fails. Alternatively, you can run the PowerShell command below in verbose mode to get the error as well.

Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'yourdomain.com' -Enabled $True -verbose

3. If it is pointing to FYDIBOHF25SPDLT.yourdomain.com, that GUID is the default, so don't worry. It means your TXT record is still not being fetched from the external DNS to verify the 'Proof' record.

4. If you manually delete the Federation Trust and create a new one, you will also get a new proof for the domain. "Get-FederatedDomainProof -DomainName example.com" will give you the new proof, which you will then need to change again in the external DNS. Most likely this will be the issue if there is a stale entry in AD, which can be checked through ADSIEDIT.msc.

5. The main thing to check is a basic 'nslookup' query from the Command Prompt. The commands are below.

> nslookup
> set q=ns
> yourdomain.com
ns1.yourdomain.com < IP Address >
ns2.yourdomain.com < IP Address >

[ Here you will get multiple NS records if there is more than one; precedence applies during the query. You need to query the NS servers individually, starting from the first one. Usually, if the first server fails to process the query, the Hybrid Configuration Wizard will fail with the same error. ]

> nslookup -querytype=txt yourdomain.com ns1.yourdomain.com

[ Here, if the first server fails, then that server is the issue; you need to change the precedence of the servers to the one which is responding with your domain's TXT record for the proof. ]

Note:- This error is purely due to the proof TXT record query not being processed. Even if you check in any online DNS query tool or site, you will see the TXT record, but the answer may have come back only after multiple tries against the other DNS servers when the primary server fails. So usually we miss that point when checking.
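The per-name-server check from step 5 can be scripted so that every authoritative server is queried individually and the one that fails (or returns a stale proof) is reported. The script below is an added example for this post, not code from the original article or from Microsoft. It assumes the DnsClient module (Resolve-DnsName, available on Windows 8 / Windows Server 2012 and later) and that you have already copied the proof value from Get-FederatedDomainProof; the domain and proof in the parameters are placeholders.

```powershell
# Added example: query each NS of the federated domain directly for the proof TXT record.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+). Values below are placeholders.
param(
    [string]$Domain        = 'yourdomain.com',                           # placeholder: federated domain
    [string]$ExpectedProof = '<paste the Proof value from Get-FederatedDomainProof>'  # placeholder
)

function Test-FederationProofRecord {
    param([string]$Domain, [string]$ExpectedProof)

    # Step "set q=ns": list the authoritative name servers. -DnsOnly skips the local cache/hosts file.
    $nsRecords = Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'NS' }

    foreach ($ns in $nsRecords) {
        $server = $ns.NameHost
        try {
            # Step "nslookup -querytype=txt <domain> <ns>": ask this specific server, nothing cached.
            $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' }
            # A TXT record can be split into several strings; join them before comparing.
            $values = @($txt | ForEach-Object { $_.Strings -join '' })
            [pscustomobject]@{
                NameServer = $server
                Answered   = $true
                HasProof   = ($values -contains $ExpectedProof)
                TxtValues  = ($values -join '; ')
            }
        } catch {
            # A server that times out or refuses is exactly the case the wizard trips over
            # when that server happens to be tried first.
            [pscustomobject]@{
                NameServer = $server
                Answered   = $false
                HasProof   = $false
                TxtValues  = $_.Exception.Message
            }
        }
    }
}

$report = Test-FederationProofRecord -Domain $Domain -ExpectedProof $ExpectedProof
$report | Format-Table -AutoSize

# Any server without the current proof is a candidate for the failure described in the post,
# whether it did not answer at all or answered with an old (stale) proof value.
$bad = @($report | Where-Object { -not $_.HasProof })
if ($bad.Count -gt 0) {
    Write-Warning ("Name servers not returning the expected proof TXT record: " + ($bad.NameServer -join ', '))
} else {
    Write-Host "All $($report.Count) name servers return the expected proof TXT record."
}
```

Run it from an elevated PowerShell on a machine that can reach the public name servers, passing the proof value you copied from the Exchange Management Shell. A server listed as not answering points at the precedence problem from step 5; a server that answers with a different value points at the stale-proof situation from step 4, where the trust was recreated but the external DNS still carries the old proof.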


1 comment:

SweetHomeIdeas said...

great article, not too much information about this error. you saved my life! :)
