

Problem removing an Exchange Federation Trust

Question

Thursday, February 6, 2014 9:33 AM

Hi, 

I'm having a problem removing a Federation Trust. I have removed the Organisation Relationship successfully. However, when I go to remove the trust by PowerShell I get the following error:

[PS] C:\Windows\system32>remove-federationtrust "Microsoft Federation Gateway"

Can't remove federation trust "Microsoft Federation Gateway". It's in use by the following organization(s): CN=Federation,CN=XXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXX,DC=local
    + CategoryInfo          : InvalidOperation: (Microsoft Federation Gateway:ADObjectId) [Remove-FederationTrust], OrgsStillUsingThisTrustException
    + FullyQualifiedErrorId : A17E4A11,Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveFederationTrusts

I can't seem to make other changes to it either; I can't add a domain or remove a domain. I have seen references to deleting the object in the Schema but don't really want to do that unless I know it won't cause other problems, as I need to recreate this.

Ian

All replies (10)

Tuesday, February 11, 2014 6:38 AM ✅Answered

Hi,

We need to confirm whether the Federation trust has been removed in your environment. Please run the following commands to verify that federation trust information isn’t returned for your Exchange organization:

Get-FederationDomain | FL

Get-FederationTrust | FL

As for the error "1007 AccessDenied: Access Denied", please check your system time on CAS and PDC Emulator and make sure they are set to the same time.

Thanks,

Winnie Liang
TechNet Community Support


Thursday, February 6, 2014 9:39 AM

There are a few things you need to make sure of before you remove the federation, like permissions, TXT records etc.

http://technet.microsoft.com/en-us/library/jj657500(v=exchg.150).aspx
http://technet.microsoft.com/en-us/library/dd297972(v=exchg.141).aspx
http://www.c7solutions.com/2012/03/fix-federation-trust-issues-after-html

Cheers,

Gulab Prasad

Technology Consultant

Blog: http://www.exchangeranger.com

Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


Thursday, February 6, 2014 10:33 AM

Just as an extra, if I try to remove the federated domain from the trust then I get the following.

The URI "rndsystems.co.uk" for domain "rndsystems.co.uk" on application identifier "000000004C026E19" couldn't be released. Detailed information: "An unexpected result was received from Windows Live.  Detailed information: "1007 AccessDenied: Access Denied.".".
    + CategoryInfo          : InvalidResult: (:) [Remove-FederatedDomain], UnableToReleaseUriException
    + FullyQualifiedErrorId : FCD3779D,Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveFederatedDomain

VERBOSE: [10:12:16.954 GMT] Remove-FederatedDomain : Ending processing &

[PS] C:\Windows\system32>

When I look in the Schema using ADSIEdit for the above-mentioned container all I see is the Default Sharing Policy. That has * as the external domain name. I have tried disabling the policy, and removing the * and replacing it with a specific domain, but all with the same results.

I suspect that the web service at the Microsoft end isn't releasing it.

Ian


Thursday, February 6, 2014 1:03 PM

Thanks,

Yes I've read those already and I have done all the work needed except remove the TXT record and as the article says this can be done afterwards.

I am tempted to delete it in the schema as the last article suggests but I just wanted to know if this would cause other problems as I don't want to do anything that will cause problems later as I need to recreate the trust.  

Ian


Thursday, July 28, 2016 2:22 PM | 1 vote

Get-FederationDomain | FL is not even recognized as a command. Error:

Get-FederationDomain : The term 'Get-FederationDomain' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:1
+ Get-FederationDomain | FL
    + CategoryInfo          : ObjectNotFound: (Get-FederationDomain:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException


Thursday, January 12, 2017 11:14 AM | 3 votes

Why is this marked as the answer? It's not an answer. It's extremely irritating that this is common practice across the TechNet forums.


Monday, November 12, 2018 1:36 PM | 1 vote

This is not an answer to the question


Monday, November 12, 2018 1:36 PM | 1 vote

I agree!!


Thursday, November 29, 2018 11:01 PM

I had this trouble as well. I had success removing it by launching EAC in a browser and going to Organization. I then clicked on the Remove button under the Federation Trust heading. It went through a progress indicator and then said it was successful. I went back to PowerShell and ran Get-FederationTrust and it was gone. EAC must be doing something extra that is required to fully remove the trust from the Microsoft Federation Gateway.


Tuesday, June 11, 2019 10:10 PM | 2 votes

That thing that the EAC does is Set-FederatedOrganizationIdentifier.

Set-FederatedOrganizationIdentifier -OrganizationContact ''
Remove-FederatedDomain -DomainName 'example.com'
Remove-FederationTrust -Identity 'Microsoft Federation Gateway'

It sets the fed-org ID to null, removes the federated domain, then removes the federated trust.

Pulled this from the Exchange 2010 Exchange Management Shell Command Log.
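
The checks and removal order discussed in this thread, combined into one Exchange Management Shell script as an added example (not posted by any participant and not Microsoft's own tooling). The `-Apply` switch, the variable names and the `example.com` domain are assumptions; without `-Apply` every change runs with `-WhatIf` so nothing is modified.

```powershell
# Added example: run from the Exchange Management Shell on an Exchange server.
param(
    [string]$TrustName  = 'Microsoft Federation Gateway',
    [string]$DomainName = 'example.com',   # placeholder domain, as in the reply above
    [switch]$Apply                          # assumption: dry run unless -Apply is given
)
$whatIf = -not $Apply

# 1. Clock check suggested for "1007 AccessDenied": compare this server with the PDC emulator.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
w32tm /stripchart /computer:$pdc /samples:3 /dataonly

# 2. Read-only inventory of what still references the trust.
#    The "in use by ... CN=Federation" error points at the federated organization identifier.
Get-FederationTrust -Identity $TrustName -ErrorAction Stop | Format-List Name, ApplicationIdentifier
Get-FederatedOrganizationIdentifier |
    Format-List AccountNamespace, Domains, Enabled, DelegationTrustLink
Get-OrganizationRelationship | Format-Table Name, Enabled, DomainNames

# 3. Removal in the order taken from the command log in the last reply:
#    clear the federated organization identifier, release the domain, then remove the trust.
Set-FederatedOrganizationIdentifier -OrganizationContact '' -WhatIf:$whatIf
Remove-FederatedDomain -DomainName $DomainName -WhatIf:$whatIf
Remove-FederationTrust -Identity $TrustName -WhatIf:$whatIf

# 4. Verify: after a real run, no trust should be returned.
if ($Apply) {
    $left = @(Get-FederationTrust)
    if ($left.Count -eq 0) {
        Write-Host 'No federation trust remains.'
    } else {
        Write-Warning "Federation trust still present: $($left.Name -join ', ')"
    }
}
```

Review the inventory and the `-WhatIf` output first, then rerun with `-Apply`; each cmdlet still shows its own confirmation prompt.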