I have a Win2008 R2 HyperV host with one physical adapter running a bunch of VMs. I have a subnet of external IP addresses: x.x.x.208 / 255.255.255.240
I used to have the following setup:
The host OS would have the AD DC, HyperV, RRAS, DHCP & DNS roles. The physical adapter would have all available IP addresses assigned to it explicitly:
x.x.x.210 / 255.255.255.240
...
x.x.x.221 / 255.255.255.240
The HyperV network would have one External network created - but with the "Allow management OS to share the adapter" option turned on - this way I could assign a public IP to the host OS as well.
HyperV created another network adapter which I used for the internal LAN (192.168.2.0 / 255). RRAS was set up for NAT and LAN routing, and did NATting for the guests as follows:
x.x.x.210 -> 192.168.2.10, Allow incoming sessions = YES
...
x.x.x.221 -> 192.168.2.21, Allow incoming sessions = YES
So basically all guest VMs did not have an external IP address - but for them this did not matter - they still had access to the internet, and were accessible from outside.
Then we started to have issues with RRAS, VPN, etc., etc. - so I did some reading and read that the NAT schema is not good (could someone comment on this btw?) and that I should virtualize the physical adapter to give guest VMs access to the external network directly. Alright, I did this.
Here is the current setup:
I removed "Allow management OS to share the adapter" from the external adapter, and added a second internal network to HyperV.
Then I had to add a second network adapter to each guest VM - and then explicitly set a public IP address for each one. That was done, and it works fine. The RRAS role was removed from the host.
Questions:
Did I do the right thing? My inner feeling says yes - as here we have fewer "parts" (or at least it looks like it), but I just want to get some authoritative opinions.
Any issues I should be aware of with the current setup vs. the old one? Any best practices I should follow after I set up the network as described above?
Probably the most important question for me. In both scenarios, the firewall is running on the guest VM, and nothing has changed after the switch. And my understanding was that NAT does not do any filtering of traffic - everything goes directly to the guest. HOWEVER, right after the switch, I started getting the following errors in the log (on our Exchange VM server):
Inbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [200.195.42.7].
This kinda implies to me that in the new setup the VM became "more" exposed to external threats - but I just don't understand why this was not the case for the NATed scenario. I verified - there were NO errors like that before the switch. Why am I getting such errors now? What has changed from the network point of view?
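One way to turn that receive-connector message into a detection, as an added example that is not from the question or from any answer: it parses a constructed export of MSExchangeTransport messages in the form quoted above and flags source IPs that repeat LogonDenied within a short window, which is the pattern to look for once the Exchange guest sits directly on a public IP. The tab-separated timestamp prefix, the threshold and window, and the 192.0.2.44 sample address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_DENIED_RE = re.compile(
    r"Inbound authentication failed with error (?P<error>\w+) for Receive connector "
    r"(?P<connector>.+?)\. The authentication mechanism is (?P<mech>\w+)\. The source "
    r"IP address of the client who tried to authenticate to Microsoft Exchange is "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\."
)

# Constructed sample export: "<timestamp><TAB><message>". The message text is the
# one quoted in the question; the timestamp prefix is an assumed export format.
SAMPLE_LOG = """\
2011-03-01 08:00:05\tInbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [200.195.42.7].
2011-03-01 08:01:12\tInbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [200.195.42.7].
2011-03-01 08:02:40\tInbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [200.195.42.7].
2011-03-01 08:30:00\tInbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [192.0.2.44].
2011-03-01 08:31:00\tReceive connector Default EXCHANGE accepted a connection.
"""

def parse_event(line):
    """Return a dict (time, error, connector, mech, ip) or None for other lines."""
    ts_text, _, message = line.partition("\t")
    m = LOGON_DENIED_RE.search(message)
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return event

def noisy_sources(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map IP -> total LogonDenied count for IPs with >= threshold failures in one window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["error"] == "LogonDenied":
            times[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive
        # failures that fit inside `window` mark this source as a guesser.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in noisy_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} LogonDenied events on the receive connector")
```

A single failure from 192.0.2.44 stays below the threshold, while the three rapid failures from 200.195.42.7 are reported; feed a real export in the same two-column shape to run it against your own log.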