Exchange 2016 Setup RecoverServer fails with internal transport certificate warning

I am currently working with a customer on their Exchange 2016 design, implementation and disaster recovery process. While writing a new Exchange 2016 disaster recovery document I ran into this issue in my lab environment while running “Setup.exe /Mode:RecoverServer /IAcceptExchangeServerLicenseTerms”.


For search engine options this is a part of the actual error message.

Mailbox role: Transport service FAILED

The following error was generated when “$error.Clear(); Install-ExchangeCertificate -DomainController $RoleDomainController -Services SMTP” was run: “System.InvalidOperationException: The internal transport certificate for the local server was damaged or missing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell.

Edit: I ran into the same issue with Exchange 2019 running on Windows 2019 Server Core.

The solution looks simple since it says “the problem has been fixed”. However, running the setup application again results in the next error message.


Again, for search engine possibilities:

Performing Microsoft Exchange Server Prerequisite Check

Configuring Prerequisites COMPLETED

Prerequisite Analysis FAILED

A Setup failure previously occurred while installing the HubTransportRole role. Either run Setup again for just this role, or remove the role using Control Panel.

For more information, visit:

The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the :\ExchangeSetupLogs folder.

To remove the watermark, start the registry editor on the Exchange 2016 server and go to HKLM\Software\Microsoft\ExchangeServer\v15\HubTransportRole and delete the Watermark and Action entries.


Rerunning the setup application unfortunately results in the 1st error, despite the “the problem has been fixed” and the removal of the watermark entries.

It turns out that I have two Edge Transport servers in my environment, with an Edge Subscription. This Edge subscription is using the self-signed certificate for encryption purposes, and since this self-signed certificate on the new Exchange 2016 server differs from the original (before the crash) self-signed certificate the encryption possibilities fail.

To resolve this, using ADSI Edit to find the msExchEdgeSyncCredential on the Exchange 2016 server you are recovering, and delete all credential entries.


When running the Setup application with the /RecoverServer option again (for the third time ) it will succeed and successfully recover the Exchange 2016 server.

Update Rollup 23 for Exchange Server 2010 SP3

I was a bit surprised finding this one in my mailbox this morning, but Microsoft has released Update Rollup 23 for Exchange 2010 SP3. It’s a security update, and it solves the vulnerability that’s described in CVE-2018-8302 (Exchange memory corruption vulnerability).

A couple of things to be aware of:

  • This update is available via Windows Update and as such can be installed automatically.
  • The Visual C++ 2013 Redistributable package is now a required component. You can download this from
    If it’s not installed, a pop-up warning will appear:
  • If you run the update manually, make sure you use evelated privileges (‘Run as Administrator’). Since you cannot run a .MSP file this way, open a command prompt with elevated privileges and start the Update Rollup from the command prompt. If you don’t use elevated privileges the update won’t install correctly, but doesn’t show a warning in this case. The result is that OWA and ECP might stop working.

Update Rollup 23 is available via the Download Center:

As always…. please test before updating your production environment!