Re-Configuring Hybrid Configuration on Exchange 2010/2013

hybrid exchange office 365

Re-Configuring Hybrid Configuration on Exchange 2010/2013

I am not sure that you need this solution because it is really extreme issue. My client has a unique system. Somehow Office 365 tenancy had a problem. It was licensing issue and Microsoft wanted us to create a new tenancy and they moved the license to new tenancy. Therefore, on Exchange 2010, we had to reconfigure Hybrid configuration. During the configuration, actually we thought that we would be straight, we got error message.

Execution of the Set-FederatedOrganizationIdentifier cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Federation trust “yourfederateddomain/Configuration/Deleted Objects/Microsoft Federation Gateway DEL:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” wasn’t found. Make sure you have typed it correctly. At Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)

Re configuring, of course, didn’t change the certificate, TXT record and organization relationship settings. It was pointed to old tenancy.

After little bit investigation, the solution is found.

First of all, you need to clean the hybrid configuration and must be ready to it from the scratch. However, the settings need to be deleted correctly. Otherwise new configuration will not work properly.

I found the solution for Exchange 2010 but it is also be applied to Exchange 2013.

Step 1;

For Exchange 2013


For Exchange 2010

No need to do anything. I know it is weird.

Step 2;

Remove the Organization Relationship from the Exchange

Get-OrganizationRelationship | Remove-OrganizationRelationship

Step 3;

Remove the Federation Trust from the Active Directory. As you know that in federation trust section you can see the trust connection and you are able to delete it. Somehow when it is deleted, it is not actually deleted from the system. So, please follow the steps;

  • Start ADSIEdit, connect to Configuration Partition, expand CN=Configuration,DC=your,DC=domain, expand CN=Services, expand CN=Microsoft Exchange, expand CN=yourexchangeorg, double-click CN=Federation Trusts
  • In right-hand pane select CN=Microsoft Federation Gateway, right-click on it and select Delete

Now, the old configuration has been deleted and it is time for a new connection

Open PowerShell on Hybrid Server (On-Premises)

Step 4;

Get-ExchangeCertificate | where {($_.CertificateDomains -eq ‘Federation’) -and ($_.Status -eq ‘Valid’)} | Select-Object -Expand Thumbprint

When you run the command above, you will see some numbers and letters. I believe that you used it one of them before and this time pick up another one. Copy that line

For Example; D244NMIN75224NJO2DB0BF34523MOCF34235E2C214FRFDF2

Step 5;

And paste it end of this

New-FederationTrust -Name “Microsoft Federation Gateway” -Thumbprint <thumbprint>

For Example: New-FederationTrust -Name “Microsoft Federation Gateway” -Thumbprint D244NMIN75224NJO2DB0BF34523MOCF34235E2C214FRFDF2

If it is completed successfully, you will see the setting in the Federation Trust section in Hybrid Exchange server.

This action above created new TXT records for you. It is time to take this new txt record and create a new TXT record in your External DNS settings

How to get the proof?

Step 6;

Get-FederatedDomainProof –DomainName

You will see some lines here and your section is PROOF part. Copy everything in Proof part or same number is in the last line, everything after TXT IN….. TXT IN long_hash_number

So, Copy this hash number and create a new TXT record and you can delete the old TXT record If you want.

Step 7;

This step looks weird but it is not because we will run same command in Step 8.

Set-FederatedOrganizationIdentifier –AccountNamespace <some_domain> –DelegationFederationTrust “Microsoft Federation Gateway”

Above command you need to type something from accepted domains. Why? For example, I have used same command previously and Exchange assigned to me an ORG ID. If I use same name again, Exchange will not chance the ORG ID and our hybrid configuration will not be completed successfully. That ORG ID needs to be changed. This is the best way to change it. Run this command any domain name in your accepted domain list. If you have one domain name in the list, create a second one for 10 min.

For example, I run it like that ( is in my accepted domain list)

Set-FederatedOrganizationIdentifier –AccountNamespace MSINFORMATION.COM –DelegationFederationTrust “Microsoft Federation Gateway”

You are confused right? Because you created TXT for yourdomain such as but now you are trying to create Organization Identifier for another name like

Yes it is weird and Exchange will understand that we can’t use this new domain name and the command will be finish ERROR (Proof of ownership has failed). Don’t worry this is normal but Org ID is now changed.

Creating New Hybrid Configuration

Step 8;

This time you must use orginal domain name and you will get new ORG ID,

Set-FederatedOrganizationIdentifier –AccountNamespace –DelegationFederationTrust “Microsoft Federation Gateway”

For Example; (you know my domain name is ;

Set-FederatedOrganizationIdentifier –AccountNamespace –DelegationFederationTrust “Microsoft Federation Gateway”

Step 9;

Go to Hybrid Server and Check that new federation trust and organization relationship records are there.

If so, just go to your old hybrid configuration and double click on it and start wizard configuration again. For Exchange 2010, you know that we didn’t delete it. Therefore, our entire previous configuration is there, all you have to do it is to click next button. DON’T forget to change tenancy name and user credential for new tenancy. It will be finishing successfully and you can see the new configuration is in Office 365.

For Exchange 2013, you need to create a new configuration. So, run Hybrid configuration wizard.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: