I had a need to recover an Exchange Server following a blue screen after patching that I could not undo. I had the databases intact, and of course Active Directory was installed on a different server so I installed a new server and ran setup /m:recoverserver (after installing all the updates and hotfixes that is).
Upon completion and remounting of the databases everything worked fine apart from some errors in the event log about federation trust certificates being missing. And of course, I did not have these in my certificate backup!
In Exchange 2010 RTM, federation trust certificates needed to be publicly issued certificates, but from SP1 onwards they can be self-created by your Exchange Server, and here is where the problem lies: because the certificates are self-issued I never went through the process of ensuring I had an independent backup of them. Therefore I could not remove them or change them in Exchange Server.
First I was getting the following event log error:
Federation Certificate Not Found: thumbprint_value. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust. The certificate may take time to propagate to the local or neighboring sites.
Attempts to run Get-FederationTrust or Set-FederationTrust failed, presumably because I did not have the correct certificate installed.
Remove-FederationTrust fails because the trust is in use by some listed organizations, so I tried various other options. In summary, it was impossible to remove the federation trust, nor was it possible to create a new federation certificate and move over to it. If I had multiple Exchange Servers in this organization the certificate would have been retrieved from another server, but this is a single-server organization.
So I resorted to removing the federation trust directly from ADSI Edit with the intention of creating a new one immediately and then removing and recreating that one straight away to attempt to clean it all up correctly.
The object to remove is CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain
This allowed me to create a new federation trust, though I did need to go through the domain proof steps again.
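Added example, not from the original post, for the Exchange Management Shell: it lists the certificate thumbprints each federation trust references, checks whether each one is present in the local certificate store (the missing state described above), and exports the ones that are present to PFX so the self-issued certificate has the independent backup that was lacking here. $BackupDir, the PFX file name pattern and the password prompt are assumptions; if Get-FederationTrust itself fails, as it did in this case, the script cannot help and you are in the ADSI Edit situation described above.

```powershell
# Diagnostic and backup script for federation trust certificates (added
# example, not the original post's code). Run in the Exchange Management
# Shell on the recovered server.
# Assumptions: $BackupDir and the PFX file name pattern are placeholders.
$BackupDir = 'C:\CertBackup'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($trust in Get-FederationTrust) {
    Write-Host "Trust: $($trust.Name)"
    # The DistinguishedName is the object you would inspect in ADSI Edit.
    Write-Host "  AD object: $($trust.DistinguishedName)"

    # Current, previous and next certificates are X509Certificate2 objects
    # (or $null when not set); collect their thumbprints.
    $thumbprints = @($trust.OrgCertificate, $trust.OrgPrevCertificate,
                     $trust.OrgNextCertificate) |
        Where-Object { $_ } |
        ForEach-Object { $_.Thumbprint } |
        Select-Object -Unique

    foreach ($tp in $thumbprints) {
        $local = Get-ExchangeCertificate -Thumbprint $tp -ErrorAction SilentlyContinue
        if ($null -eq $local) {
            # This is the state after setup /m:RecoverServer on a single-server
            # org: the trust references a certificate no server holds.
            Write-Warning "  $tp is referenced by the trust but NOT in the local store"
            continue
        }
        if (-not $local.HasPrivateKey) {
            Write-Warning "  $tp is present but has no private key; cannot export"
            continue
        }
        # Export with the private key so the trust can be restored after a
        # future server recovery.
        $pfx = Export-ExchangeCertificate -Thumbprint $tp -BinaryEncoded -Password $PfxPassword
        $path = Join-Path $BackupDir "federation-$tp.pfx"
        [System.IO.File]::WriteAllBytes($path, $pfx.FileData)
        Write-Host "  $tp exported to $path"
    }
}
```

Store the resulting PFX files with your other certificate backups, away from the Exchange server itself.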