Renew an expired Exchange SE Federation Delegation certificate with AD Sync active

Stefan Falk 171 Reputation points
2026-03-28T13:22:50.61+00:00

Hello!

A customer has its Exchange Federation Delegation certificate expired. Normal procedures according to documentation give errors, and I guess it is because AD Sync is used there also. There are no other federation trusts, and there are no federated domains visible. How do we recreate the Federation Delegation certificate in such a case please?

Best Regards,

Exchange | Exchange Server | Management

The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.

3 answers

Sort by: Most helpful
  1. Steven-N 23,295 Reputation points Microsoft External Staff Moderator
    2026-03-28T15:33:34.29+00:00

    Hi Stefan Falk,

    Based on my observation, this behavior is usually caused by a hidden or leftover (“ghost”) configuration in Exchange called the Federated Organization Identifier.

    Even if you run Get-FederatedDomain and see nothing, Exchange may still have an old reference to a domain (like federated.yourdomain.com) stored in the background. Because the federation certificate has expired, Exchange can’t properly communicate with the Microsoft Federation Gateway to clean this up. That’s why commands to remove it often fail with errors like “Still in use” or connection issues.

    Given this, you can try the below approach to see if it can help you:

    Step 1: Clear the hidden configuration

    Remove-FederatedOrganizationIdentifier -Confirm:$false

    This removes the leftover domain reference that’s blocking everything.

    Step 2: Remove the old federation trust. After step 1 succeeds, run:

    Remove-FederationTrust "Microsoft Federation Gateway"

    Create a new certificate and generate a new self-signed certificate for federation.

    Step 3: Recreate the federation trust

    New-FederationTrust
    Set-FederatedOrganizationIdentifier

    You can try the above approach and get back to me with the results. If the issue still persists, kindly let me know in the comment section.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  


  2. Stefan Falk 171 Reputation points
    2026-03-28T13:47:44.3966667+00:00

    There is no federated domain to remove via Remove-FederatedDomain. What exactly shall I do after Remove-FederationTrust if I simply do not have any federation domain?


  3. Q&A Assist
    2026-03-28T13:23:02.4733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use the procedure for an expired federation certificate, which removes and recreates the federation trust, regardless of AD Sync. The absence of visible federated domains does not change the required steps.

    1. Identify the primary shared (account) namespace. Run in the Exchange Management Shell:
         Get-FederatedOrganizationIdentifier | Format-List AccountNamespace,Domains

       The AccountNamespace value contains the primary shared domain in the format FYDIBOHF25SPDLT.<primary shared domain>. For example, FYDIBOHF25SPDLT.contoso.com → primary shared domain is contoso.com.
    2. Remove all federated domains. Even if none appear in the EAC, use the Shell to remove them from the trust:
       • Remove each federated domain that is not the primary shared domain:
              Remove-FederatedDomain -DomainName <domain> -Force
       • After all others are removed, remove the primary shared domain:
              Remove-FederatedDomain -DomainName <primary shared domain> -Force
    3. Remove the existing federation trust:
         Remove-FederationTrust "Microsoft Federation Gateway"
    4. Recreate the federation trust. Recreate the trust as documented in "Configure a federation trust" for the environment. This will create a new self-signed federation certificate and new proof-of-domain TXT values.
    5. (If needed) Use ADSI Edit only when normal removal fails. If the expired certificate or trust is in a broken state and the normal cmdlets fail (for example, with errors like "federation certificate with the thumbprint cannot be found"), clean up the federation configuration in AD and then recreate the trust:
       • In ADSI Edit, under CN=Federation,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com:
         • Clear msExchFedAccountNamespace.
         • Clear msExchFedDelegationTrust.
         • Set msExchFedIsEnabled to False.
       • Under CN=Microsoft Federation Gateway,CN=Federation Trusts,..., delete the existing federation trust object.
       • Under CN=Accepted Domains,CN=Transport Settings,..., clear msExchFedAcceptedDomainLink on each accepted domain.
       • Then recreate the federation trust as above.

    AD Sync being active does not change these Exchange-side steps; the key is to remove the broken trust and its domains, then create a new trust so a fresh federation certificate is generated and used.


    References:

    0 comments No comments
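An added example, not code from any of the answers above: a read-only PowerShell inventory that shows whether the trust's organization certificate has actually expired, surfaces the lingering DelegationTrustLink and AccountNamespace that the answers discuss, derives the primary shared domain, and prints the Remove-FederatedDomain / Remove-FederationTrust commands in the order the documented procedure requires (non-primary domains first, then the primary, then the trust). It assumes an Exchange Management Shell session on the on-premises server; the two function names are this example's own.

```powershell
# Added example, not from any answer in this thread. Assumes an Exchange Management
# Shell session on the on-premises server; the two function names are this example's own.
# It only reads state and prints the removal commands in the documented order.

function Get-PrimarySharedDomain {
    param([Parameter(Mandatory)][string]$AccountNamespace)
    # AccountNamespace is FYDIBOHF25SPDLT.<primary shared domain>; strip the fixed prefix.
    if ($AccountNamespace -match '^FYDIBOHF25SPDLT\.(.+)$') { return $Matches[1] }
    return $AccountNamespace
}

function Get-FederationTrustReport {
    # One row per trust: is the current org certificate expired, and is a next cert staged?
    foreach ($trust in Get-FederationTrust) {
        $cert = $trust.OrgCertificate
        [pscustomobject]@{
            Trust       = $trust.Name
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Expired     = ($cert.NotAfter -lt (Get-Date))
            NextCertSet = [bool]$trust.OrgNextCertificate
        }
    }
}

$orgId = Get-FederatedOrganizationIdentifier
# AccountNamespace is empty when no trust was ever configured; guard before parsing it.
$primary = if ($orgId.AccountNamespace) {
    Get-PrimarySharedDomain -AccountNamespace "$($orgId.AccountNamespace)"
} else { $null }
# Domains is a collection of FederatedDomain objects; DomainName is the SMTP domain.
$domains = @($orgId.Domains | ForEach-Object { $_.DomainName.ToString() })

Get-FederationTrustReport | Format-Table -AutoSize
"Enabled               : $($orgId.Enabled)"
"DelegationTrustLink   : $($orgId.DelegationTrustLink)"   # the leftover trust reference
"Primary shared domain : $primary"
"Federated domains     : $(if ($domains) { $domains -join ', ' } else { '(none)' })"

# Documented removal order: every non-primary domain first, then the primary shared
# domain, then the trust itself. Printed for review only; nothing below is executed.
$ordered = @($domains | Where-Object { $_ -ne $primary }) +
           @($domains | Where-Object { $_ -eq $primary })
"`nCommands to run, in this order:"
foreach ($d in $ordered) { "Remove-FederatedDomain -DomainName $d -Force" }
"Remove-FederationTrust 'Microsoft Federation Gateway'"
```

Run Test-FederationTrustCertificate alongside this to confirm every Exchange server holds the same federation certificate before rebuilding the trust.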
