Exchange server 2013 recovery installation failure | [ERROR] The internal transport certificate for the local server was damaged or missing in Active Directory

Just recently, one of our Exchange 2013 MBX/CAS servers crashed with a kernel issue after Windows updates were installed. The only option left was a recovery-mode installation of the server (Setup /m:RecoverServer). Because this server was also a DAG member, the steps discussed in this article were followed.

The recovery installation started failing at the Mailbox role stage with the below error:

[ERROR] The internal transport certificate for the local server was damaged or missing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell.

Our Exchange environment had two Exchange 2013 Edge Transport servers subscribed to a single AD site. According to the output, the issue had been fixed and we only had to re-subscribe our Edge Transport servers. However, setup stopped at this point and we were unable to continue with the Exchange installation.

After researching the issue online and going through the Event Viewer and Exchange setup logs, we understood why this error occurs. The EdgeSync credentials used by the Edge Synchronization process are stored in Active Directory encrypted with the server's self-signed (internal transport) certificate, so they cannot be read by anyone who merely has read access to the Configuration partition. The recovery procedure tries to re-encrypt those credentials, but the self-signed certificate generated on the rebuilt Exchange 2013 server is a different certificate (different key pair) from the one on the failed server, so the stored values cannot be decrypted and the re-encryption fails.

This issue can be fixed by clearing the stale EdgeSync credential values from the Exchange 2013 server object using ADSIEdit (this requires an account that can write to the Configuration partition, such as a member of Enterprise Admins or Organization Management). Connect to the Configuration partition on your Domain Controller -> Services -> Microsoft Exchange -> Your Organization Name -> Administrative Groups -> Exchange Administrative Group (FYDIBOHF23SPDLT) -> Servers -> the server being recovered (the MBX/CAS server in this case) -> right-click and select "Properties" -> edit the attribute "msExchEdgeSyncCredential" and clear all of its values (the attribute is multi-valued, one entry per Edge subscription). Save the changes. Clearing the attribute does not break anything else: the values are only the encrypted EdgeSync bootstrap credentials, and they are recreated when the Edge servers are subscribed again.

Now re-run the recovery installation procedure and it will complete successfully. Because the old EdgeSync credentials are gone, the Edge Transport servers must then be subscribed again, exactly as the error message says: export a new subscription file with New-EdgeSubscription on each Edge server, import it with New-EdgeSubscription on the Mailbox server, and run Start-EdgeSynchronization.
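The same procedure from PowerShell, as an added example that is not part of the original post: it backs up and clears msExchEdgeSyncCredential on the server object (the ADSIEdit step above), then shows the recovery setup and the Edge re-subscription commands. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, an account that can write to the Configuration partition, and the hypothetical names EX01 (server being recovered), EDGE01 (Edge server), the site Default-First-Site-Name and the path D:\Setup.exe for the Exchange media; the Get-Content -Encoding Byte syntax is the Windows PowerShell 5.1 form used by the Exchange Management Shell.

```powershell
# Added example (not from the original post). Names below are assumptions.
Import-Module ActiveDirectory

$serverName = 'EX01'   # assumption: Exchange 2013 server being recovered

# --- Step 1: locate the server object in the Configuration partition ---
$configNC = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase $configNC `
    -LDAPFilter "(&(objectClass=msExchExchangeServer)(cn=$serverName))" `
    -Properties msExchEdgeSyncCredential
if (-not $server) { throw "No msExchExchangeServer object named $serverName under $configNC" }

# --- Step 2: back up the (multi-valued, encrypted) credential blobs first ---
$backupPath = "C:\Temp\$serverName-msExchEdgeSyncCredential.xml"
$server.msExchEdgeSyncCredential | Export-Clixml -Path $backupPath
"{0} EdgeSync credential value(s) backed up to {1}" -f @($server.msExchEdgeSyncCredential).Count, $backupPath

# --- Step 3: clear the attribute (same effect as clearing it in ADSIEdit) ---
Set-ADObject -Identity $server.DistinguishedName -Clear msExchEdgeSyncCredential

# Verify before touching setup again; a populated attribute means the write failed.
$check = Get-ADObject -Identity $server.DistinguishedName -Properties msExchEdgeSyncCredential
if ($check.msExchEdgeSyncCredential) { throw 'msExchEdgeSyncCredential is still populated; check permissions' }
"msExchEdgeSyncCredential cleared on $($server.DistinguishedName)"

# --- Step 4: re-run recovery setup on the rebuilt server (run there, elevated) ---
# & 'D:\Setup.exe' /m:RecoverServer /IAcceptExchangeServerLicenseTerms

# --- Step 5: re-subscribe each Edge Transport server once setup has completed ---
# On EDGE01 (Exchange Management Shell on the Edge server):
#   New-EdgeSubscription -FileName 'C:\EdgeSubscription-EDGE01.xml'
# Copy the XML file to the Mailbox server, then in its Exchange Management Shell:
#   New-EdgeSubscription -Site 'Default-First-Site-Name' `
#       -FileData ([byte[]]$(Get-Content -Path 'C:\EdgeSubscription-EDGE01.xml' -Encoding Byte -ReadCount 0))
#   Start-EdgeSynchronization
#   Test-EdgeSynchronization
```

The subscription XML contains the EdgeSync bootstrap account credentials in the clear, which is why the attribute in AD is encrypted to the server's certificate in the first place; delete the exported file once the import succeeds, and re-import a fresh subscription rather than reusing the backup values, which were encrypted to the failed server's certificate and are of no use to the rebuilt one.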

Reference article can be found here.
