"Proof of domain ownership has failed" error when you run the Hybrid Configuration wizard

Applies to: Exchange OnlineExchange Server 2013 EnterpriseExchange Server 2013 Standard Edition


When you run the Hybrid Configuration wizard, you receive a "Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS" error message. The full text of the message resembles the following:
ERROR:System.Management.Automation.RemoteException: Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXT record should be ""example.com IN TXT hash-value"" where ""example.com"" is the domain you want to configure for Federation and ""hash-value"" is the proof value generated with ""Get-FederatedDomainProof -DomainName example.com"".


This problem occurs if proof of ownership for the domain is required. If an existing federation trust isn't present, the Hybrid Configuration wizard creates a federation trust between the on-premises organization and the Microsoft Azure Active Directory (Azure AD) authentication system. When the federation trust is being created, proof of domain ownership is required. 


Provide proof of ownership by creating a text (TXT) record in the Domain Name System (DNS) zone of each accepted domain that you want to federate. The TXT record contains the federated domain proof encryption string that's generated when you run the Get-FederatedDomainProof cmdlet for each domain.

Make sure that your external DNS server has the correct TXT records for "Proof" and that you can successfully query the server. To do this, follow these steps:
  1. Open Exchange Management Shell on the on-premises Exchange server, and then run the following command:
    Get-FederatedDomainProof -DomainName contoso.com 
  2. On a computer that uses an external DNS server, run the following command:
    Nslookup.exe -querytype=txt <contoso.com> 
  3. Examine the values that are returned in the commands that you ran in steps 1 and 2. 

    One of the values that's returned by the Nslookup command must match the "Proof of Domain Ownership" value that's returned by the Get-FederatedDomainProof command. If the values do not match, use the result that's returned by the Get-FederatedDomainProof command to update your external DNS server. For more information about how to do this, see Create a TXT Record for Federation.
  4. Rerun the Hybrid Configuration wizard.


If you experience issues with the Hybrid Configuration wizard, you can run the Exchange Hybrid Configuration Diagnostic. This diagnostic is an automated troubleshooting experience. Run it on the same server on which the Hybrid Configuration wizard failed. Doing this collects the Hybrid Configuration wizard logs and parses them for you. If you're experiencing a known issue, a message is displayed that tells you what went wrong. The message includes a link to an article that contains the solution. Currently, the diagnostic is supported only in Internet Explorer.

Still need help? Go to Microsoft Community or the Exchange TechNet Forums.