Monday, April 1, 2013

Adding “exchangedelegation.domain.com” to Federation Trust via “Manage Federation” wizard throws the error: “Unable to reserve domain "FYDIBOHF25SPDLT.exchangedelegation…” in Exchange Server 2010 SP2

Problem

You would like to set up your Exchange 2010 SP2 organization to federate with other domains, so you go through the required steps: set up the one-time federation trust with the Microsoft Federation Gateway, create the domain proof TXT records, and add a new exchangedelegation.domain.com namespace to the Accepted Domains. You then proceed to add it to the federated domains with the Manage Federation wizard, but receive the following error:

Summary: 2 item(s). 1 succeeded, 1 failed.
Elapsed time: 00:00:18


Set-FederationTrust
Completed

Exchange Management Shell command completed:
Set-FederationTrust -RefreshMetadata -Identity 'Microsoft Federation Gateway'

Elapsed Time: 00:00:00


Set-FederatedOrganizationIdentifier
Failed

Error:
Unable to reserve domain "FYDIBOHF25SPDLT.exchangedelegation.domainusa.com" for Application Identifier "000000004001E502".  Detailed information: "Windows Live returned a domain reservation error.  Detailed information "DomainUnavailable: The specified domain is not available.".".

Windows Live returned a domain reservation error.  Detailed information "DomainUnavailable: The specified domain is not available.".

DomainUnavailable: The specified domain is not available.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.342.0&t=exchgf1&e=ms.exch.err.Ex703205

Exchange Management Shell command attempted:
Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'exchangedelegation.domainusa.com' -OrganizationContact 'administrator@domainusa.com' -Enabled $true

Elapsed Time: 00:00:17

You try to re-run the wizard and receive the following error:

Summary: 2 item(s). 1 succeeded, 1 failed.
Elapsed time: 00:00:02


Set-FederationTrust
Completed

Exchange Management Shell command completed:
Set-FederationTrust -RefreshMetadata -Identity 'Microsoft Federation Gateway'

Elapsed Time: 00:00:00


Set-FederatedOrganizationIdentifier
Failed

Error:
An error occurred while attempting to provision Exchange to the Partner STS.  Detailed Information "An unexpected result was received from Windows Live.  Detailed information: "MaxUriReached MaxUriReached: Same URI cannot be attached to different AppId on a single day.".".

An unexpected result was received from Windows Live.  Detailed information: "MaxUriReached MaxUriReached: Same URI cannot be attached to different AppId on a single day.".

MaxUriReached: Same URI cannot be attached to different AppId on a single day.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.342.0&t=exchgf1&e=ms.exch.err.ExB5F48C

Exchange Management Shell command attempted:
Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'exchangedelegation.domainusa.com' -OrganizationContact 'administrator@domainusa.com' -Enabled $true

Elapsed Time: 00:00:01


Solution

Before I get to the cause of the problem, note that the second error received:

Error:
An error occurred while attempting to provision Exchange to the Partner STS.  Detailed Information "An unexpected result was received from Windows Live.  Detailed information: "MaxUriReached MaxUriReached: Same URI cannot be attached to different AppId on a single day.".".

… is simply because you tried to rerun the wizard with the same settings again within the 24-hour period.

As for the initial error, a quick search on the internet will lead you to the following blog post on TechNet:

http://blogs.technet.com/b/hot/archive/2012/08/30/you-fail-to-configure-federation-in-an-exchange-server-2010-sp2-based-hybrid-environment.aspx

The problem with the post above is that the content of the blog refers to a hybrid environment, which initially threw me off because I wasn’t configuring a hybrid trust under the Hybrid Configuration tab.

Another KB that comes up when searching for the error is the following:

"Unable to reserve domain" error message if a federated domain name contains more than 32 characters in an Exchange Server 2010 environment

http://support.microsoft.com/kb/2770103

… which also references the “Hybrid Configuration wizard”.  Reading the contents of these 2 pages during troubleshooting left me wondering if I should be following the instructions or not, seeing how I’m configuring a setting under the Federation Trust tab.  Furthermore, the KB’s solution is as follows:

To work around this issue, do not add "exchangedelegation" to the domain namespace or remove some characters from the domain name. Then, run the following command in Exchange Management Shell to create the federation trust: 

Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'Domain name less than 32 characters' -Enabled $true

What’s confusing is that I’m asked either to remove the whole “exchangedelegation”, which is the 2nd TXT record commonly dedicated for domain delegation, or to remove some characters from the domain name, which simply does not make sense seeing how companies don’t change their public SMTP domain names on the fly.

In hopes that I can help someone who runs into the same problem as me, the answer to this is indeed to shorten the domain name if it exceeds 32 characters, even though we’re not creating a Hybrid Configuration.  The solution I used to shorten the domain while not having to remove characters from my domain name was to simply use exchdelegation.domain.com, which shortened it enough to be under 32 characters.  The Manage Federation wizard completed successfully once I made this change.
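A pre-flight length check for the workaround above, as an added example that is not from the original post. The function name Test-FederationNamespace, the prefix list and the 31-character cutoff (taken from the post's "under 32 characters") are assumptions, and the Set-FederatedOrganizationIdentifier command is only printed, not run.

```powershell
# Added example; not from the original post. Pure string checks, nothing is sent to Exchange.
function Test-FederationNamespace {
    param(
        [Parameter(Mandatory = $true)][string]$BaseDomain,   # your accepted SMTP domain
        [string[]]$Prefix = @('exchangedelegation', 'exchdelegation'),
        [int]$MaxLength = 31   # assumption: "under 32 characters", per the post's wording
    )
    foreach ($p in $Prefix) {
        $ns = ('{0}.{1}' -f $p, $BaseDomain).ToLower()
        # New-Object PSObject keeps this compatible with PowerShell 2.0
        New-Object PSObject -Property @{
            Namespace = $ns
            Length    = $ns.Length
            Fits      = ($ns.Length -le $MaxLength)
        } | Select-Object Namespace, Length, Fits
    }
}

# Sample input: the sanitized domain shown in the error output above.
$results = Test-FederationNamespace -BaseDomain 'domainusa.com'
$results | Format-Table -AutoSize

# Print (do not run) the command from the post for the first namespace that fits.
$pick = $results | Where-Object { $_.Fits } | Select-Object -First 1
if ($pick) {
    "Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' " +
    "-AccountNamespace '$($pick.Namespace)' -OrganizationContact 'administrator@domainusa.com' -Enabled `$true"
} else {
    Write-Warning 'No candidate prefix is short enough; try a shorter one.'
}
```

Whichever namespace you pick must also be added to Accepted Domains and have its own domain proof TXT record, as in the steps at the top of the post.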

1 comment:

Anonymous said...

Thanks for the article. I do have the same issue as your article describes; however, even though I shortened the domain name to fall under 32 characters, it still gives me the same could not validate FYDIBOHF25SPDLT. error.
Does the 32-character restriction include FYDIBOHF25SPDLT?