
Federation Trust in Exchange


1-First, set up a federation trust to the Microsoft servers:

  • -login to the EAC.
  • -click ORGANIZATION.
  • -click SHARING.
  • -click ENABLE to add a Federation Trust to the Microsoft servers.
  • -click CLOSE.
  • -click MODIFY.
  • -select the PRIMARY domain.
  • -click OK.
  • -it will return a TXT record.
  • -create a TXT record for this domain on your public DNS server that contains the key. It will look like this:
  • -create the same TXT record for this domain on your private DNS servers in your Active Directory.
  • -wait. This is usually around 15 minutes but can take up to 24 hours for the record to propagate.

2-Second, the outside domain must complete the same steps above on their side.

3-Third, set up an ORGANIZATION-SHARING relationship with the outside domain. It will fail if either domain has not yet set up its federation trust.

  • -checkmark enable calendar free/busy information sharing.

4-Fourth, set up an INDIVIDUAL-SHARING policy and set it as the default policy for everyone on the Exchange server.
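The same four steps from the Exchange Management Shell, as an added example (this is not code from the original post). It assumes your primary domain is insidedomain.tld, the partner is outsidedomain.tld, and the federation certificate is already installed; the thumbprint is a placeholder. The organization relationship is deliberately limited to AvailabilityOnly, which matches the free/busy-only result the post describes.

```powershell
# Added example (not from the original post): EMS equivalent of the four EAC steps.
# Assumed values: our primary domain, the outside domain, and a placeholder certificate thumbprint.
$OurDomain     = 'insidedomain.tld'               # assumed: the PRIMARY domain selected in step 1
$PartnerDomain = 'outsidedomain.tld'              # the outside domain from the post
$CertThumb     = '<federation-cert-thumbprint>'   # placeholder; find it with Get-ExchangeCertificate

# Step 1: create the trust to the Microsoft federation servers and choose the primary domain.
New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint $CertThumb
Set-FederationOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' `
    -AccountNamespace $OurDomain -Enabled $true

# The domain-proof string is what goes into the TXT record on both public and AD DNS.
$Proof = (Get-FederatedDomainProof -DomainName $OurDomain).Proof
Write-Host "Publish this TXT record at $OurDomain : $Proof"

# If the AD-integrated zone is hosted on a server with the DnsServer module, add the private copy:
# Add-DnsServerResourceRecord -ZoneName $OurDomain -Name '@' -Txt -DescriptiveText $Proof

# After waiting for propagation, confirm the proof record is actually resolvable.
$txt = Resolve-DnsName -Name $OurDomain -Type TXT -ErrorAction SilentlyContinue
if (-not ($txt | Where-Object { $_.Strings -contains $Proof })) {
    Write-Warning "Domain-proof TXT record for $OurDomain is not visible yet; wait and retry."
}

# Step 3: organization relationship with the outside domain. AvailabilityOnly is the least
# access that still gives FREE/BUSY (no details) as described in the post.
Get-FederationInformation -DomainName $PartnerDomain |
    New-OrganizationRelationship -Name $PartnerDomain `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly

# Step 4: sharing policy for the outside domain, set as the default for all mailboxes.
New-SharingPolicy -Name "Free/busy with $PartnerDomain" `
    -Domains "${PartnerDomain}: CalendarSharingFreeBusySimple" -Default $true

# Verify: both tests should pass once the outside domain has finished its own steps.
Test-FederationTrust -UserIdentity "user@$OurDomain"
Test-OrganizationRelationship -Identity $PartnerDomain -UserIdentity "user@$OurDomain"
```

Step 2 (the outside domain running the same commands against its own domain) has no local equivalent; until they have done it, Get-FederationInformation for their domain fails and the organization relationship cannot be created.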


That should do it; you should now be able to see each other's calendars as FREE/BUSY (not details).

To my dismay, this does not update users in the Global Address List (GAL) to include the outside domain. This means that, by default, looking up another person's calendar in the outsidedomain.tld is near impossible. You either have to manually type in all the outsidedomain.tld users into Exchange or use tools to do the sync for you; it is not built into Exchange. Grrrr...


As a troubleshooting step, you can get the Availability service URL from Outlook by:

  • -hold CONTROL
  • -right-click the OUTLOOK icon (bottom-right).
  • -type in your password.
  • -click TEST.
  • -the AVAILABILITY-SERVICE-URL is the important URL.

Also, in the EMS, you can use these commands:

Get-SharingPolicy foo-policy | fl

Get-OrganizationRelationship | fl

Get-FederationInformation -DomainName outsidedomain.tld

Test-FederationTrust -UserIdentity mail\inside.foo.user

Test-OrganizationRelationship -UserIdentity <inside-user-email-address> -Identity outsidedomain.tld

Because the Test-OrganizationRelationship troubleshooting command above failed, I had to toggle WS-Security authentication off and back on for the EWS and Autodiscover virtual directories by running the following:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $false
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true
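A read-only readiness check to run before and after that toggle, as an added example (not code from the original post). It assumes the outside domain is outsidedomain.tld; the function name is mine. It reports any server where WS-Security is off on either virtual directory, which is the state in which Test-OrganizationRelationship fails, and confirms the outside domain's federation information resolves before you spend time on the rest.

```powershell
# Added example (not from the original post): check the two things the troubleshooting
# section depends on without changing anything. Test-FederationReadiness is an assumed name.
function Test-FederationReadiness {
    param([string]$PartnerDomain = 'outsidedomain.tld')   # assumed outside domain

    # 1. WSSecurityAuthentication must be enabled on both EWS and Autodiscover on every server.
    $ews  = @(Get-WebServicesVirtualDirectory  | Select-Object Server, Name, WSSecurityAuthentication)
    $auto = @(Get-AutodiscoverVirtualDirectory | Select-Object Server, Name, WSSecurityAuthentication)
    $all  = $ews + $auto
    $all | Format-Table -AutoSize
    $bad = @($all | Where-Object { -not $_.WSSecurityAuthentication })
    if ($bad.Count -gt 0) {
        Write-Warning ("WS-Security authentication is disabled on: " +
            (($bad | ForEach-Object { "$($_.Server)/$($_.Name)" }) -join ', '))
    }

    # 2. The outside domain's federation data must resolve; if not, their trust or TXT record is missing.
    try {
        $fed = Get-FederationInformation -DomainName $PartnerDomain -ErrorAction Stop
        "Partner {0} resolves: TargetApplicationUri={1} TargetAutodiscoverEpr={2}" -f `
            $PartnerDomain, $fed.TargetApplicationUri, $fed.TargetAutodiscoverEpr
    } catch {
        Write-Warning "Get-FederationInformation failed for $PartnerDomain : $($_.Exception.Message)"
    }
}

Test-FederationReadiness
```

If the second check fails, the problem is on the outside domain's side (steps 1 and 2 above) and no amount of toggling local virtual directories will fix it.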
