As an Exchange Admin, you are aware that Exchange relies on DNS.
In your environment, ensure that your PTR records are updating correctly or you might end up with false positives as shown below:
As you can see, the first 2 errors that stand out are that the Active Directory server cannot be reached, even though I can open a command prompt and ping the domain controller.
Secondly, it states that my account is not part of the correct groups even though an Exchange 2016 installation was done not long before this.
When we pinged the domain name, it returned the wrong IP, not that of the server but the Public IP of Azure.
Upon checking, the reverse lookup zone in DNS did not have the records. Going to DNS and ensuring the Zone was running then going to the records and unticking update PTR record and then adding the tick back the PTR records were created.
After a reboot, the setup ran fine without an error.
Hope it helps.