Simple questions really... we have a single AD domain at 2008R2 functional level. We have 2 DCs on our main site (one holds all the master roles, the other is the main one for the site), with 1 at each of our other 2 sites. We also have an RODC in our perimeter network. Each server hosts DNS (including the RODC). We currently have forwarders set up on just the main AD server, which point to our ISP DNS servers. Each server has been configured with one of the DNS servers at another site as primary DNS, with another site DNS as secondary, and 127.0.0.1 as tertiary DNS. In the case of the RODC, it has the RWDC as the primary DNS, and itself as secondary (127.0.0.1) - the RODC only has firewall ports opened to allow it to talk to one of the RWDCs.
The question is - is this the best way of doing it? Each site has its own dedicated internet connection, as well as VPN links between each site - but in the past we've had problems with losing internet access if the main site loses internet. From all the docs I've read the way it's done seems to be correct, and I don't believe we should have DNS forwarders set up on every internal DNS server, but not 100% certain!
As a side note - we are using completely separate external DNS servers for any public facing servers - these sit at a hosting centre and in our DMZ, where our external servers also sit.
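Before deciding where forwarders should live, it helps to see exactly which DC-hosted DNS servers can resolve internet names on their own and which ones silently depend on the main-site server. The following PowerShell audit is an added example, not part of the original post; it assumes the RSAT ActiveDirectory and DnsServer modules, rights to query each DC over RPC/WinRM, and uses `example.com` as a constructed sample external name. Get-ADDomainController, Get-DnsServerForwarder, Get-DnsServerRootHint and Resolve-DnsName are real cmdlets; the report columns are this example's own naming.

```powershell
# Added example (not from the original post): audit forwarders and root hints on every
# DC-hosted DNS server and test external resolution through each one, so a single-site
# internet outage does not silently take recursive resolution down for the other sites.
# Assumes RSAT ActiveDirectory + DnsServer modules and RPC/WinRM access to each DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$externalName = 'example.com'   # constructed sample; any public name the ISP resolvers answer works

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName   = $dc.HostName
    $fwd      = $null
    $hints    = $null
    $resolved = $false
    $err      = $null
    try {
        $fwd   = Get-DnsServerForwarder -ComputerName $dcName -ErrorAction Stop
        $hints = Get-DnsServerRootHint  -ComputerName $dcName -ErrorAction Stop
        # Ask this specific server to resolve an external name, bypassing the local resolver list,
        # so the result reflects that server's own forwarder/root-hint path.
        $null = Resolve-DnsName -Name $externalName -Server $dcName -Type A -DnsOnly -ErrorAction Stop
        $resolved = $true
    } catch {
        # An RODC behind a restrictive firewall will typically land here from a management host;
        # the Error column records why rather than hiding the server from the report.
        $err = $_.Exception.Message
    }
    [pscustomobject]@{
        DC              = $dcName
        Site            = $dc.Site
        IsReadOnly      = $dc.IsReadOnly
        Forwarders      = ($fwd.IPAddress -join ', ')
        UseRootHint     = $fwd.UseRootHint
        RootHintCount   = @($hints).Count
        ExternalResolve = $resolved
        Error           = $err
    }
}

$report | Format-Table -AutoSize

# Flag servers that would lose internet-name resolution if the one DC holding the forwarders
# went away: no forwarders of their own and no usable root-hint fallback.
$report |
    Where-Object { -not $_.Forwarders -and -not ($_.UseRootHint -and $_.RootHintCount -gt 0) } |
    ForEach-Object {
        Write-Warning "$($_.DC): no forwarders and no usable root hints; external lookups depend on an upstream DC"
    }
```

Run it from a management host once, then again with the main site's internet link (or its DNS server) deliberately unavailable in a maintenance window: a DC whose `ExternalResolve` flips to false in the second run is the one whose clients lose internet access during a main-site outage. The same loop can be extended with `Get-DnsClientServerAddress -CimSession $dcName` to record each DC's own primary/secondary/tertiary resolver order alongside the server-side settings.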