Email delivery issue with SMTP service in Windows Server 2012 R2

Hello Experts

I have set up a new SMTP server using Windows Server 2012 R2 and the SMTP service (IIS 6).  The server sits in our local domain but does nothing else for us.

For information (this is relevant) the server's DNS configuration is (in order):

The first 2 DNS servers are internal only - no internet access.

The problem I have is that with the DNS servers configured in this order no email will be delivered - the messages just sit in the queue. If I edit the order and place Google's DNS server first email delivery works every time - but I get untold numbers of local DNS related issues on the server over time.

With the DNS set up in the way I have listed above (i.e. Google last) my server will happily resolve any name (public or private) I ask it to.

It has unrestricted internet access.

This one has me scratching my head - so any advice will be gratefully received.

Many thanks.

Dan McFadden (Systems Engineer) commented:
Are you trying to deliver (relay) internal only emails or are the destination emails outside of your domain as well?

Plagus (Author) commented:
Hi Dan

They are all destined for outside our domain.

Dan McFadden (Systems Engineer) commented:
A couple questions:

1. How many NICs are in the server?
2. How many IP addresses are on the NICs?
3. Is the SMTP service bound to a specific IP address?
4. Your DNS servers cannot resolve external domain names? Have the root hints been removed, and are there no forwarders configured?


Plagus (Author) commented:
Thanks for coming back to me again. The answers to your questions are:

1. 1 - it's a Hyper-V virtual server
2. 1 -
3. At present, no - it is set to "(All Unassigned)". I have tried setting it specifically to the IP address of the server, however.
4. No. A while ago we blocked all public internet access for all our servers, with the odd exception (WSUS, for example).

Dan McFadden (Systems Engineer) commented:
Being a virtual server is irrelevant; it's quite common nowadays.

I always recommend to use a specific IP, it makes for easier security management at the network perimeter (firewall).

Your last statement doesn't make sense. If you've restricted all server access to internal networks only, how do you expect to deliver emails to the outside world? How is your server resolving DNS names via a Google DNS server if your servers have no Internet access?

Also, you are aware that Windows does not just scan through the listed DNS servers in your TCP/IP config and use one at random. There is a well-defined process that Windows uses during OS boot to determine which of the configured DNS servers it will use.

Most of the time, the first DNS server listed is used. Unless that server is offline, that is the one you are using. The Windows DNS Client does not use all the DNS servers in its config; it uses the first server to answer and then sticks with it until the network stack is restarted or the machine is rebooted.

Plagus (Author) commented:
The SMTP server is one of the exceptions and has unrestricted internet access.

I believe I understand how the DNS servers are selected in order of use, but perhaps I don't. With only the 2 internal DNS servers configured on the NIC we have no external resolution at all. Add in Google's as a 3rd and we have external resolution.

Dan McFadden (Systems Engineer) commented:
At startup, the Windows DNS client looks at the TCP/IP config and then sends a DNS request to the first server in the DNS list. If the 1st server does not answer, it sends another DNS request to the 1st listed DNS server on all NICs on the server. If no answer is received in 2 seconds, it goes through the above process again using the other DNS servers listed, until an answer is received or DNS resolution is considered down. (This is a simplified paraphrasing of the article below.)


With that said, what is most likely happening is that the above process is failing against the 2 internal DNS servers. During the querying of all DNS servers configured on the NICs in the server, Google is returning a valid response, therefore SMTP starts flowing.

IMO, preventing your internal DNS servers from Internet access is a bad practice. You can block your users in other ways. I highly recommend allowing your internal DNS servers access to (at least) port 53/udp so they can resolve external domain names. Then you remove your dependency on Google's DNS server.
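The quickest way to confirm the diagnosis above (internal servers answer internal names but not external ones, so delivery only works once the DNS client falls through to Google) is to query each configured server directly instead of relying on the Windows DNS client's selection logic. This is an added diagnostic example, not code from the thread; `dc01.corp.local` and `example.com` are placeholders for an internal-only host and a public domain you actually send mail to.

```powershell
# Added example: query every DNS server configured on this host's NICs directly,
# once for an internal A record and once for an external MX record, and report
# which servers can answer which. A server that shows Internal OK but ExternalMX FAIL
# has no working forwarders/root hints or no outbound udp/53 through the firewall.

$internalName   = 'dc01.corp.local'  # placeholder: a host only your internal DNS knows
$externalDomain = 'example.com'      # placeholder: a public domain you deliver mail to

function Test-DnsServer {
    param([string]$Server)
    $result = [ordered]@{ Server = $Server; Internal = 'FAIL'; ExternalMX = 'FAIL' }

    # -DnsOnly bypasses the hosts file/LLMNR/NetBIOS so only this server is tested.
    try {
        $null = Resolve-DnsName -Name $internalName -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $result.Internal = 'OK'
    } catch { $result.Internal = "FAIL ($($_.Exception.Message))" }

    # MX is what the SMTP service needs for outbound delivery, so test that record type.
    try {
        $mx = Resolve-DnsName -Name $externalDomain -Type MX -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object QueryType -eq 'MX' | Sort-Object Preference
        $result.ExternalMX = 'OK -> ' + (($mx | ForEach-Object NameExchange) -join ', ')
    } catch { $result.ExternalMX = "FAIL ($($_.Exception.Message))" }

    [pscustomobject]$result
}

# Walk the servers in the order Windows lists them (the order the DNS client tries
# them in), on every IPv4 interface that has DNS servers configured.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $_.ServerAddresses | ForEach-Object {
            Test-DnsServer -Server $_ |
                Add-Member -NotePropertyName Interface -NotePropertyValue $alias -PassThru
        }
    } | Format-Table Interface, Server, Internal, ExternalMX -AutoSize
```

Run it on the SMTP host itself; if the only row with ExternalMX OK is the public resolver, the fix belongs on the internal DNS servers (forwarders or root hints plus outbound udp/53), not on the SMTP server's resolver order.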


Plagus (Author) commented:
Thanks Dan. I will give that a try (allowing 53 out through the firewall for our DNS machines).

Plagus (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for danmcfadden's comment #a41239798
Assisted answer: 0 points for Plagus's comment #a41239807

for the following reason:

My own comment offered final clarification on the change I made to restore service.

Dan McFadden (Systems Engineer) commented:
Did my advice not help direct you to a resolution? The question is being closed without awarding any points?
