Background: I have a relatively small Active Directory domain (Windows 2003 Functional level) with two domain controllers, both running DNS servers. They are the primary and secondary DNS servers for the LAN. No other local DNS. I do not have any subdomains or recursion going on.
My Question: In the DNS Manager, under server Properties, Forwarders tab. Should I have my ISP's DNS servers listed here (or the Google ones)? Or should I leave the Forwarders tab blank and rely on the Root Hints servers?
I Googled before posting. About half the advice I read said to use the ISP DNS as forwarders, and half said to just use the Root Hints. So, I have no idea which is "best" for my setup (which I imagine is pretty typical for a small shop).
Unless you have some reason to directly recurse from the root, I'd recommend using a forwarder; Google or your ISP is much more likely to have something in cache for a query, so it'll provide better performance for name resolution within your network.
As far as Google vs ISP, there are two reasons that you might want to use Google over your ISP:
What I have come to in my experience is that it's good (and doesn't hurt to have more than 2) to use a big name (Google, Microsoft, Verizon) set of DNS forwarders and your local ISP's, in conjunction. The reason I like this approach is that local ISPs usually don't have the infrastructure or man-power that the larger named companies do; meaning if they go down, I want to be able to have another set of DNS forwarders to rely on, and vice versa. If for some unknown reason Google or Verizon's DNS servers are down, then my local ISP can take over and work.
Also, I've had issues with local ISPs and their caching times; they do vary throughout regions, but Google and Verizon always had the best TTL refreshes for me and my clients. There isn't a "best practice" per se, just different approaches like I've described.
What is "best" depends on your situation. A person who is in a child domain might want to set his or her forwarders to their parent domain's DNS servers.
Or you might want to set your forwarders to a set of DNS servers that are authoritative for a particular domain that's internal to your organization.
Or you might not have internet access and so root hints won't help you.
Or you might prefer a particular forwarder to root hints for performance reasons.
Or if you don't really care about any of the above, then root hints work fine.
I do support the approach of having a "Big Name" nameserver alongside your local ISP as forwarders for reliability. But considering performance, I think the best thing to do is to benchmark with a tool like GRC's DNS Benchmark and use the servers that perform the best!
One thing none of the other answers mentioned, and the most important reason why you do want to use your ISP DNS as your primary DNS forwarders, is that your ISP DNS gives you access to local Content Delivery Networks (CDNs).
A CDN caches internet data and uses DNS wizardry to point IP addresses to the CDN first. What this means is that the YouTube or Netflix video you're watching is cached on servers at the CDN. The CDN is located geographically close to you so that you stream the video from a server a few miles away instead of a few thousand miles away. This reduces latency and shortens download times.
If your office is located in Colorado Springs, for example, your ISP will redirect to CDNs in Colorado Springs and Denver. The nearest Google DNS server is in Iowa and doesn't have a clue where your office is or where the nearest CDN is located. This means that using Google DNS will send your browsing requests through Google's CDNs or directly to the authoritative host, increasing latency and slowing download speeds.
I recommend setting your ISP DNS as your primary DNS forwarders, but always include a fallback forwarder to a public DNS server just in case. The only exception to this is if the ISP DNS servers are unreliable, which you can test using GRC's DNS Benchmark as N.Balauro mentioned in their answer.
There are various paid DNS services (such as OpenDNS) that offer their own CDNs and have much better geographic coverage than Google's free DNS.
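The two recommendations that run through these answers, benchmark the candidates before choosing and then list the ISP resolvers first with a public resolver as fallback and root hints behind that, can be scripted. The following is an added example, not code from the thread; it assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later, so the 2003-level box in the question would need dnscmd.exe instead), and the ISP addresses are placeholders to replace.

```powershell
# Candidate forwarders. 192.0.2.x are documentation-range placeholders for
# your ISP's resolvers; 8.8.8.8 is Google's public resolver.
$Candidates = [ordered]@{
    'ISP primary'   = '192.0.2.53'   # placeholder
    'ISP secondary' = '192.0.2.54'   # placeholder
    'Google'        = '8.8.8.8'
}
# A name to time. Pick something CDN-hosted: the A record returned may differ
# between the ISP resolver and Google, which is the locality point above.
$Probe = 'www.example.com'

function Test-Forwarder {
    param([string]$Label, [string]$Server, [string]$Name, [int]$Rounds = 5)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ms = @(); $answer = $null; $failures = 0
    for ($i = 0; $i -lt $Rounds; $i++) {
        $sw.Restart()
        try {
            # -DnsOnly and -NoHostsFile keep LLMNR/NetBIOS and the hosts file
            # out of the timing, so only the resolver's answer is measured.
            $r = Resolve-DnsName -Name $Name -Server $Server -Type A `
                -DnsOnly -NoHostsFile -ErrorAction Stop
            $sw.Stop()
            $ms += $sw.Elapsed.TotalMilliseconds
            $answer = (($r | Where-Object Type -eq 'A').IPAddress) -join ','
        } catch { $sw.Stop(); $failures++ }
    }
    # Median rather than mean: round 1 is a likely cache miss on the
    # resolver, later rounds show the cache-hit latency the answers discuss.
    [pscustomobject]@{
        Forwarder = $Label; Server = $Server; Failures = $failures
        MedianMs  = if ($ms) { [math]::Round(($ms | Sort-Object)[[int]($ms.Count / 2)], 1) } else { $null }
        ARecords  = $answer
    }
}

$results = foreach ($c in $Candidates.GetEnumerator()) {
    Test-Forwarder -Label $c.Key -Server $c.Value -Name $Probe
}
$results | Sort-Object Failures, MedianMs | Format-Table -AutoSize

# Apply the recommended layout on the DC itself: ISP resolvers first, the
# public resolver as fallback, and root hints only if every forwarder fails
# (the "Use root hints if no forwarders are available" box in DNS Manager).
$order = @($Candidates['ISP primary'], $Candidates['ISP secondary'], $Candidates['Google'])
Set-DnsServerForwarder -IPAddress $order -UseRootHint $true
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
```

Run the benchmark half from any domain-joined client; the last three lines need to run on the DNS server (or with -ComputerName) and replace the forwarder list outright, so review the table before applying it.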