You shouldn't point AD clients at an external DNS server, even as a secondary; it can cause problems with internal name resolution. For security reasons it is best to only allow your DNS servers to directly query external DNS at the firewall layer.
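
One way to audit clients for this, as an added example that is not part of the original post: a PowerShell check that flags any adapter listing a resolver outside the approved internal set, whether primary or secondary. The addresses in `$InternalDns`, the sample data and the helper name `Find-UnapprovedDnsServer` are constructed for illustration.

```powershell
# Added example. Addresses below are constructed placeholders; replace them
# with the IPs of your own internal (AD-integrated) DNS servers.
$InternalDns = @('10.0.0.10', '10.0.0.11')

function Find-UnapprovedDnsServer {
    # Hypothetical helper: emits one object per resolver entry that is not in
    # the approved set, in any position (primary or secondary).
    param(
        [Parameter(Mandatory)] [object[]] $AdapterConfig,  # needs InterfaceAlias, ServerAddresses
        [Parameter(Mandatory)] [string[]] $Approved
    )
    foreach ($cfg in $AdapterConfig) {
        # Drop empty entries (adapters with no DNS servers configured).
        $servers = @($cfg.ServerAddresses | Where-Object { $_ })
        for ($i = 0; $i -lt $servers.Count; $i++) {
            if ($servers[$i] -notin $Approved) {
                [pscustomobject]@{
                    InterfaceAlias = $cfg.InterfaceAlias
                    Server         = $servers[$i]
                    Order          = $i + 1   # 1 = primary, 2 and up = secondary
                }
            }
        }
    }
}

# Constructed sample: 'Ethernet' has an external resolver as its secondary,
# 'Wi-Fi' uses internal servers only. 203.0.113.53 is a documentation-range
# address standing in for a public resolver.
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; ServerAddresses = @('10.0.0.10', '203.0.113.53') },
    [pscustomobject]@{ InterfaceAlias = 'Wi-Fi';    ServerAddresses = @('10.0.0.10', '10.0.0.11') }
)
Find-UnapprovedDnsServer -AdapterConfig $sample -Approved $InternalDns

# Live check of this machine's IPv4 resolver settings.
$live = Get-DnsClientServerAddress -AddressFamily IPv4
Find-UnapprovedDnsServer -AdapterConfig $live -Approved $InternalDns
```

Any row returned means a client can bypass internal name resolution; with the firewall restriction described above in place, queries to that resolver would also be blocked at the perimeter.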