I was at a customer site where the team was validating their DR document for recovering a Hub Transport server. They had a copy of the production DC in a test lab and had reset the Hub Transport server's computer account in AD. Running Setup.com /Mode:RecoverServer failed with the following error:
[ERROR] The internal transport certificate for the local server was damaged or missing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell.
The issue was that the production organization had Edge Subscriptions, whereas those were missing in the lab. As part of the recovery, Exchange setup attempts to re-encrypt the credentials used by the EdgeSync process; because the old certificate that originally encrypted them is missing, setup throws this error.

Although the error states that the problem has been fixed, running setup /m:recoverserver again throws the same error message.
The solution is to delete the stored EdgeSync credential information from the Hub Transport server object. To do that, I used ADSIEdit and navigated to Configuration partition -> Services -> Microsoft Exchange -> Org Name -> Administrative Groups -> Exchange Administrative Group (FYDIBOHF23SPDLT) -> Servers -> Hub Server, then right-clicked and chose "Properties".

Remove the values of "msExchEdgeSyncCredential" and run the recovery setup again. That solved the issue.
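The same attribute can be cleared from PowerShell instead of ADSIEdit, which is easier to script into a DR runbook and leaves a copy of the old values behind. The script below is an added example and not part of the original post; it assumes the ActiveDirectory module is available, that the account running it can write to the Exchange configuration container, and that `$HubServerName` and `$OrgName` (placeholders) are supplied by you. It looks up the server object under the administrative group path given above, saves the existing msExchEdgeSyncCredential values to a file, and then clears the attribute.

```powershell
# Added example (not from the original post): clear the stale msExchEdgeSyncCredential
# values on a Hub Transport server object before re-running Setup.com /Mode:RecoverServer.
# Assumptions: the ActiveDirectory PowerShell module is installed, the current account has
# write access to the Exchange configuration container, and $HubServerName / $OrgName are
# placeholders you replace with your own server and organization names.
param(
    [Parameter(Mandatory = $true)][string]$HubServerName,
    [Parameter(Mandatory = $true)][string]$OrgName
)

Import-Module ActiveDirectory

# Build the DN of the Servers container inside the (fixed-name) administrative group.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)," +
              "CN=Administrative Groups,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNC"

# Locate the Hub Transport server object by name and read the attribute we intend to clear.
$server = Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=msExchExchangeServer)(cn=$HubServerName))" `
    -Properties msExchEdgeSyncCredential

if (-not $server) {
    throw "Server object '$HubServerName' was not found under $searchBase"
}

$creds = @($server.msExchEdgeSyncCredential)
if ($creds.Count -eq 0) {
    Write-Host "msExchEdgeSyncCredential is already empty on $HubServerName; nothing to clear."
    return
}

# Keep a copy of the existing values so the change can be reviewed or reverted later.
$backupPath = Join-Path $env:TEMP ("{0}-msExchEdgeSyncCredential-{1:yyyyMMdd-HHmmss}.txt" -f
                                   $HubServerName, (Get-Date))
$creds | Out-File -FilePath $backupPath -Encoding UTF8
Write-Host ("Backed up {0} value(s) to {1}" -f $creds.Count, $backupPath)

# Clear the attribute; this is the same operation as removing the values in ADSIEdit.
Set-ADObject -Identity $server.DistinguishedName -Clear msExchEdgeSyncCredential -Confirm:$true

Write-Host "Cleared msExchEdgeSyncCredential on $HubServerName."
Write-Host "Re-run Setup.com /Mode:RecoverServer, then recreate any Edge Subscriptions with New-EdgeSubscription."
```

Run it on a domain-joined admin workstation as `.\Clear-EdgeSyncCredential.ps1 -HubServerName HUB01 -OrgName "Contoso"` (names are placeholders). The backup file contains only the encrypted credential blobs that were already in AD, but treat it as sensitive and delete it once the recovery is confirmed. After setup completes, any Edge Subscriptions that existed in production still have to be recreated with New-EdgeSubscription, as the original error message says.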