Some customers have problems with a Netswap joining a domain, or with drive shares not coming back online after a drive swap. We believe some of these problems may indicate Windows “name resolution problems”, which classically are either DNS or WINS related. Both the Windows domain controller and the Windows PCs in a domain should have ALL of their DNS server entries point to the Windows domain controller only. Also, if WINS is configured, it should ONLY point to the domain controller.
There is a tendency to want to point DNS2 to the ISP’s DNS, to the local router, or to Google or another public DNS server on the Internet. We highly recommend you do not do this, as it can produce strange name resolution problems, authentication issues, or disappearing shares.
In the article linked above, Microsoft seems to say the best practice is to use the native IP address first and then the loopback address, like this:
DNS1: 192.168.254.200 (for example, if your server’s network card is 192.168.254.200)
DNS2: 127.0.0.1 (just a way of pointing to yourself again; optional)
Now for the next question: can you, or should you, point DNS2 to the ISP as a “fallback” position? We believe this is a no-no. Look about halfway down in this article for the text below:
Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider’s (ISP’s) DNS servers. If you configure the DNS client settings to point to your ISP’s DNS servers, the Netlogon service on the domain controllers does not register the correct records for the Active Directory directory service. With these records, other domain controllers and computers can find Active Directory-related information. The domain controller must register its records with its own DNS server.
To forward external DNS requests, add the ISP’s DNS servers as DNS forwarders in the DNS management console. If you do not configure forwarders, use the default root hints servers. In both cases, if you want the internal DNS server to forward to an Internet DNS server, you also must delete the root “.” (also known as “dot”) zone in the DNS management console in the Forward Lookup Zones folder.
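The layout described above (DC pointing only at itself plus loopback, ISP resolvers only as forwarders, no root “.” zone), as an added PowerShell example that is not from the original article or from Microsoft. It assumes the article’s example DC address 192.168.254.200; the adapter name and the ISP resolver address 203.0.113.53 are constructed placeholders, and the DC-side function needs the DnsServer module.

```powershell
# Added example, not from the original article. Audits the DNS client entries of a
# domain-joined Windows machine against the rule above (domain controllers only, plus
# loopback on the DC itself) and, on a DC, applies the recommended layout.
# Assumptions: 192.168.254.200 is the article's example DC; adapter name and ISP resolver are constructed.

$AllowedDnsServers = @('192.168.254.200', '127.0.0.1')

function Test-DomainDnsClientConfig {
    param([string[]]$Allowed = $AllowedDnsServers)
    $findings = @()
    # Walk every IPv4 interface that has DNS servers configured
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if ($Allowed -notcontains $srv) {
                    # ISP, router or public resolver in the client list: Netlogon may not register the DC's records
                    $findings += [pscustomobject]@{
                        Interface = $_.InterfaceAlias
                        Server    = $srv
                        Problem   = 'DNS client points at a non-domain-controller resolver'
                    }
                }
            }
        }
    return $findings
}

function Set-DcDnsBestPractice {
    param(
        [string]$InterfaceAlias   = 'Ethernet',        # constructed adapter name
        [string]$DcAddress        = '192.168.254.200',
        [string[]]$IspForwarders  = @('203.0.113.53')  # placeholder ISP resolver (TEST-NET-3)
    )
    # Client side of the DC: itself first, loopback second, nothing else
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($DcAddress, '127.0.0.1')
    # Server side: external names leave through forwarders, never via the client settings
    Add-DnsServerForwarder -IPAddress $IspForwarders
    # A root "." zone makes the server claim authority for everything and blocks
    # forwarders and root hints, so remove it if it exists
    if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -Name '.' -Force
    }
    # Re-register the DC's own A/SRV records with its own DNS, then re-run the audit
    ipconfig /registerdns | Out-Null
    Test-DomainDnsClientConfig
}

Test-DomainDnsClientConfig | Format-Table -AutoSize
```

On an ordinary domain member only the audit function applies; it is read-only and an empty result means every configured resolver is a domain controller.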
Also see this article: https://serverfault.com/questions/682819/best-practices-for-secondary-dns-in-case-of-a-single-active-directory (note the last line).
Finally, if you’re not convinced, refer to this article. The first DNS error it lists reiterates never to point Windows machines to public DNS servers.