Hybrid Configuration Wizard hanging on Adding Federated Domain or failing to verify DNS TXT records

Today I was delayed a little bit when adding hybrid domains in the Hybrid Configuration Wizard. We added the TXT records as requested and the hybrid configuration wizard kept on showing a question mark when trying to verify the domain ownership.

One of the errors in the Hybrid Configuration log (which can be found under C:\Users\<username>\AppData\Roaming\Microsoft\Exchange Hybrid Configuration) was the following:

HCW 0000 – PowerShell failed to invoke ‘Set-FederatedOrganizationIdentifier’: An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information “An error occurred accessing Windows Live. Detailed information: “Unable to connect to the remote server”.”. {CategoryInfo={Activity=Set-FederatedOrganizationIdentifier,Category=InvalidResult,Reason=ProvisioningFederatedExchangeException,TargetName=,TargetType=},ErrorDetails=,Exception=An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information “An error occurred accessing Windows Live. Detailed information: “Unable to connect to the remote server”.”.,FullyQualifiedErrorId=[Server=EXCH01,RequestId=6daca869-e047-4f04-bc9d-bab9b908c323,TimeStamp=9/22/2017 11:53:46 AM] [FailureCategory=Cmdlet-ProvisioningFederatedExchangeException] 632075DC,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederatedOrganizationIdentifier}

Again a connection issue… my first hunch: it’s the network!!

…..No… not really, I wouldn’t dare.


I did suspect the security layer, though, and in many cases it’s the same person or team managing both…

We had already added the Office 365 IP ranges (only those published for Office 365 itself, not the ones for Sway, Skype for Business, etc.) to the firewall exclusions before starting the wizard. In the HCW logging, however, I noticed it was trying to reach an IP over port 443 that was not included in the Office 365 IP ranges. When checking who owned that IP, it appeared to belong to an Azure DNS server.

Not the most elegant solution, but giving the server full internet access just for that time and purpose solved the problem for us. I was immediately able to add the Federated Domains through the HCW.
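The check described above (is the IP the HCW is trying to reach inside the published Office 365 ranges, and is TCP 443 to it open from the Exchange server) can be scripted rather than done by eye. The following is an added example and not code from the original post: it assumes the server can reach Microsoft's Office 365 endpoints web service at endpoints.office.com (which may itself be blocked by the same firewall rule), handles IPv4 ranges only, and uses a placeholder IP where you would paste the one from the HCW log.

```powershell
# Added example, not part of the original post. Checks an IP taken from the HCW log
# against Microsoft's published Office 365 IP ranges and tests TCP reachability
# from this server. Run in an elevated PowerShell on the server running the HCW.

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $ipAddr  = [System.Net.IPAddress]::Parse($Ip)
    $netAddr = [System.Net.IPAddress]::Parse($network)
    # IPv4 only; IPv6 entries in the published list are skipped
    if ($ipAddr.AddressFamily -ne 'InterNetwork' -or $netAddr.AddressFamily -ne 'InterNetwork') {
        return $false
    }
    # Convert both addresses to unsigned 32-bit integers (bytes arrive big-endian)
    $ipBytes  = $ipAddr.GetAddressBytes();  [Array]::Reverse($ipBytes)
    $netBytes = $netAddr.GetAddressBytes(); [Array]::Reverse($netBytes)
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    # Two addresses share a /prefix when they agree once the host bits are dropped
    $hostBits = [math]::Pow(2, 32 - [int]$prefix)
    return ([math]::Floor($ipInt / $hostBits) -eq [math]::Floor($netInt / $hostBits))
}

function Get-Office365IpRanges {
    # Microsoft's endpoints web service; clientrequestid is any GUID you choose.
    # Assumption: this server is allowed to reach endpoints.office.com over 443.
    $uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
    $entries = Invoke-RestMethod -Uri $uri -Method Get
    foreach ($e in $entries) {
        if (-not $e.ips) { continue }   # some entries list URLs only
        foreach ($cidr in $e.ips) {
            [pscustomobject]@{
                ServiceArea = $e.serviceArea
                Category    = $e.category
                Required    = $e.required
                Cidr        = $cidr
            }
        }
    }
}

function Test-HcwTarget {
    param([Parameter(Mandatory)][string]$Ip, [int]$Port = 443)
    $ranges = Get-Office365IpRanges
    $hits = @($ranges | Where-Object { Test-IPv4InCidr -Ip $Ip -Cidr $_.Cidr })
    if ($hits.Count -gt 0) {
        Write-Host "$Ip is inside the published Office 365 ranges:"
        $hits | Format-Table ServiceArea, Category, Required, Cidr -AutoSize
    } else {
        Write-Host "$Ip is NOT in the published Office 365 ranges; check who owns it before allowing it"
    }
    # TCP reachability from this server; a failure here points at the firewall or proxy
    $tnc = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Ip                = $Ip
        Port              = $Port
        InOffice365Ranges = ($hits.Count -gt 0)
        TcpReachable      = $tnc.TcpTestSucceeded
    }
}

# Usage: replace the placeholder with the IP shown in the HCW log
Test-HcwTarget -Ip '203.0.113.10'
```

If the IP falls outside the published ranges, the output tells you which service area it would have matched (or that it matches none), so the firewall exception can be scoped to that address and port rather than opening the server to the whole internet.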

Great!
