Windows Server network interface priority, DNS and Exchange "554 5.4.4"

My friend's Exchange 2013 implementation was experiencing problems with e-mail delivery. E-mails were returned from inside as well as outside the organization with an NDR pointing to a DNS failure.

I was investigating this issue; not all e-mails were lost, only some of them. I knew that there had been a recent change: a new network interface for a VPN connection had been added to the Exchange server.

Symptoms:

The DNS name of the next hop is not resolvable and the message is rejected with a DNS error:

"554 5.4.4 SMTPSEND.DNS.NonExistentDomain; nonexistent domain".

Investigation:

I started to investigate what could cause the problem. It was a DNS error, so I used the NSLOOKUP tool and tried to resolve the DNS name of the next-hop domain. The answer was different from what I expected: I received a Time Out answer from the VPN DNS server, even though another DNS server is configured for the production environment. I remembered from my previous Exchange 2010 projects that Windows assigns network interface priority (the binding order) from highest to lowest based on the sequence in which the interfaces are added to the system, so the most recently added interface ends up at the top. For example, if you configure the Production network interface before the Replication one, the Replication interface gets the higher priority, and if you have DNS servers configured on your replication network (for whatever reason), the wrong DNS server will answer your requests. This might lead to unexpected failures.

Now the naughty stuff:

If you use IPv6, you are still OK, since the IPv6 DNS servers will answer even though the Replication interface has a higher priority than the production one.

If you disable IPv6 on your interfaces, you have trouble. Once the interface priority is changed to an incorrect order, you will, at the very least, not be able to resolve DNS queries correctly. Incorrect priority might also lead to packet loss.

Solution:

Very simple:

  • Right-click the network icon in the notification area (bottom right corner) of your server and click Open Network and Sharing Center
  • Click Change Adapter Settings
  • Press the ALT key to show the menu bar and select Advanced -> Advanced Settings
  • In the Advanced Settings window, select the interface with the incorrectly set priority and use the arrows to move it to the correct place (the production interface belongs at the top)
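The GUI steps above fix the order but do not show you which interface's DNS servers are being asked first, or which of them is the one timing out. The following PowerShell is an added diagnostic example, not part of the original post. It assumes Windows Server 2012 or later (NetTCPIP and DnsClient modules); the interface aliases "Production" and "VPN", the next-hop name "mail.partner.example" and the metric values are placeholders to substitute with your own.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 or later.
# "Production", "VPN" and "mail.partner.example" are placeholder names.
$NextHop = 'mail.partner.example'

# 1. Show the adapter binding order the "Advanced Settings" dialog edits. Windows keeps it in
#    Tcpip\Linkage\Bind as \Device\{GUID} entries, top entry first; map each GUID to its adapter
#    and list the IPv4 DNS servers configured on it.
$bind     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$adapters = Get-NetAdapter
$order    = 0
foreach ($entry in $bind) {
    $guid = $entry -replace '^\\Device\\', ''
    $nic  = $adapters | Where-Object { $_.InterfaceGuid -eq $guid }
    if ($nic) {
        $order++
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        '{0}. {1,-20} DNS: {2}' -f $order, $nic.Name, ($dns -join ', ')
    }
}

# 2. Query the next hop against every configured IPv4 DNS server individually, so a server that
#    only times out (in the post: the VPN one) is named instead of silently blocking resolution.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
foreach ($srv in $servers) {
    try {
        $r  = Resolve-DnsName -Name $NextHop -Type MX -Server $srv -DnsOnly -ErrorAction Stop
        $mx = ($r | Where-Object Type -eq 'MX').NameExchange -join ', '
        '{0,-15} OK   -> {1}' -f $srv, $mx
    } catch {
        '{0,-15} FAIL -> {1}' -f $srv, $_.Exception.Message
    }
}

# 3. On Windows Server 2016 and later the Advanced Settings order is gone and the IPv4
#    interface metric decides which interface is preferred (assumption: your version behaves
#    this way). Give the production NIC the lowest metric and the VPN NIC a high one, then verify.
Set-NetIPInterface -InterfaceAlias 'Production' -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias 'VPN'        -AddressFamily IPv4 -InterfaceMetric 100
Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState
```

Run step 1 and 2 before and after changing the order: the FAIL line should keep pointing at the VPN resolver, and the first entry in the binding order should become the production interface. Step 3 is only needed where the Advanced Settings dialog no longer offers the ordering.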

Results before priority change

[screenshot: priority_before]

[screenshot: priority_before_cmd]

Results after priority change

[screenshot: priority_after]

[screenshot: priority_after_cmd]

Exchange – Single public IP address and easy SMTP High availability

This article is about a very simple kind of high availability: the case where you have a single public IP address and no possibility to forward traffic to more than one host. In my case I have a single public IP address in my LAB, and I use Steve Goodman's Exchange 2010 HAProxy (http://www.stevieg.org/e2010haproxy/), which is not compiled for SMTP traffic. I have a 2-node Exchange 2013 DAG with the CAS and MAILBOX roles on each node.
This configuration simply means that I cannot use Windows NLB, because a DAG (which relies on failover clustering) cannot operate on the same machine as Windows NLB.

Previously

I used a single node to route SMTP traffic to, and in case of node failure SMTP traffic was held on the gateway until the node came back up.

Current setup

Well. If I think about the DAG itself, it is the high-availability cluster solution for Exchange 201x. Two aspects of it are useful for SMTP high availability:

  • The DAG has its own IP address
  • That IP address is held by the node running the Primary Active Manager, the owner of the cluster core resources and quorum

Yes, these two things are essential. If I route SMTP traffic to the DAG IP, it will always be online and available: if the Active Manager is not online and reachable on any DAG node, the DAG is in serious trouble and most probably some or all databases will not be mounted anyway.

What to do to make it work?

  • On each DAG node create a new Internet receive connector bound to the Frontend Transport service, which is a stateless SMTP proxy (running on the Client Access role) that routes traffic to the Transport service on the Mailbox server role. Bind the connector to the DAG IP address.

New-ReceiveConnector -Name "From Internet" -Bindings "192.168.1.55:32" -PermissionGroups AnonymousUsers -TransportRole FrontEndTransport -Usage Internet

Identity                   Bindings               Enabled
--------                   --------               -------
FRONTEND1\FromInternet     {192.168.1.55:32}      True

  • Set the receive connectors to accept traffic from your smart hosts if needed.
  • Set up routing of SMTP traffic (the port forward on your gateway) to the virtual DAG IP address.
  • Check the firewall to be sure SMTP traffic is allowed to traverse the network.
  • The node to which traffic will flow is the one owning the DAG IP address (the Primary Active Manager). There is info on how to determine the Active Manager in my article: http://ficility.net/2012/09/02/exchange-2010-dag-active-manager-determinemove/
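The steps above, scripted end to end as an added example (not the original post's command): it creates the connector on every DAG member, finds the node that currently owns the DAG IP and checks that the SMTP banner on that IP really comes from that node. It runs in the Exchange Management Shell on a DAG member. The DAG IP 192.168.1.55 is taken from the post; the DAG name "DAG1", the node names MBX1 and MBX2, and the use of port 25 (the post's output shows a different port) are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# "DAG1", "MBX1", "MBX2" and port 25 are assumptions; 192.168.1.55 is the DAG IP from the post.
$DagIp = '192.168.1.55'
$Dag   = 'DAG1'
$Nodes = 'MBX1', 'MBX2'

# 1. Create the Frontend Transport receive connector on every node, bound to the DAG IP only, so
#    whichever node holds the DAG IP after a failover already has a connector listening on it.
foreach ($node in $Nodes) {
    $exists = Get-ReceiveConnector -Server $node | Where-Object Name -eq 'From Internet'
    if (-not $exists) {
        New-ReceiveConnector -Server $node -Name 'From Internet' `
            -Bindings "$($DagIp):25" -RemoteIPRanges '0.0.0.0-255.255.255.255' `
            -PermissionGroups AnonymousUsers -TransportRole FrontEndTransport -Usage Internet
    }
}
Get-ReceiveConnector | Where-Object Name -eq 'From Internet' |
    Format-Table Identity, Bindings, TransportRole, Enabled -AutoSize

# 2. Find the node that currently owns the DAG IP: the Primary Active Manager.
$pam = (Get-DatabaseAvailabilityGroup -Identity $Dag -Status).PrimaryActiveManager
"Primary Active Manager (owner of $DagIp): $pam"

# 3. Confirm the DAG IP answers SMTP and that the 220 banner names the PAM. This relies on the
#    connector's default Fqdn, which is the server's own FQDN, so a short PAM name matches its prefix.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DagIp, 25)
    $reader = New-Object System.IO.StreamReader($tcp.GetStream())
    $banner = $reader.ReadLine()
    "Banner: $banner"
    if ($banner -notmatch "^220 $pam") {
        Write-Warning "Banner does not come from $pam; the DAG IP may still be held by another node"
    }
} finally {
    $tcp.Close()
}
```

Re-run steps 2 and 3 after moving the cluster core resources (or after a real failover): the PAM should change and the banner should follow it. If the banner still names the old owner, inbound SMTP is hitting a node that no longer holds the DAG IP correctly and the failover has not completed.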

Downsides:

  • External SMTP traffic is not load balanced; it all flows to the single node that currently owns the DAG IP, and inbound mail is unavailable for the short time it takes the cluster to move that IP during a failover.