Normally, where I have a customer with an SBS, I use its DNS to resolve internal names and then forward to the external DNS if the internal DNS cannot resolve the address.
Recently, at a customer site the parent company installed a new Cisco PIX router and took over the DHCP functions. They have changed the config on the clients to use the primary DNS to resolve internal names and the secondary DNS to resolve external names.
I did not think that this was the intent of the Primary and Secondary DNS entries, but I'm no expert on the subject.
What is the preferred client setup when there is an internal DNS?
If you want things to work easily and painlessly, do the following:
Run Windows DNS servers only on Active Directory domain controller computers. (This ensures they have copies of your Active Directory-integrated DNS zones).
Ensure that your Windows DNS servers have either "Root Hints" specified (which is the case by default) or have a "Forwarder" specified referring to a DNS server at your ISP.
Verify that all Windows machines (servers and clients) have only Windows DNS servers specified as their DNS servers. (No non-Windows DC-based DNS servers should be specified in any server, client, or DHCP configurations.)
Verify that your firewall rules permit the Windows DNS servers outbound UDP port 53 to the Internet (either the entire 'net, if you're using "Root Hints" or your ISP DNS servers, if you're using "Forwarders").
This is the recommended configuration from Microsoft and will result in both Internet and internal name resolution w/o "leaking" dynamic registration requests from Windows machines to your ISP or other external DNS servers.
This answer is rather assumptive, but being that you mentioned SBS it's likely that this is a fairly simplistic network and the above is your most painless way to get what you're looking for moving forward.
If it were me, BTW, I'd use root hints rather than forwarders. I don't trust my ISP not to do nasty things with DNS (respond with their own "search engine" site rather than returning NXDOMAINs for invalid domain names, etc).
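The five steps in the answer above, as an added audit script that is not part of the original answer. It runs on a domain controller with the DnsServer and ActiveDirectory RSAT modules and checks each point in turn: every DC hosts the AD-integrated zone, forwarders or root hints (not an unintended mix) are in place, the local resolver list contains only DC addresses, and each DC's DNS answers both the DC-locator SRV record and an external name (a failure on the latter usually means outbound UDP 53 is blocked). The domain name `corp.example.local`, the ISP resolver `203.0.113.53` and the external test name `www.example.com` are placeholders, not values from the page.

```powershell
# Added example, not code from the original answer. Assumed placeholder values:
#   domain corp.example.local, ISP resolver 203.0.113.53 (TEST-NET-3), test name www.example.com.
# Run on a domain controller with the DnsServer and ActiveDirectory modules installed.
Import-Module DnsServer
Import-Module ActiveDirectory

$Domain       = 'corp.example.local'   # assumed
$IspForwarder = '203.0.113.53'         # assumed placeholder for the ISP's resolver
$External     = 'www.example.com'      # assumed external test name
$UseRootHints = $true                  # the answer's own preference; $false = forward to the ISP

$dcs   = Get-ADDomainController -Filter *
$dcIPs = @($dcs.IPv4Address) + '127.0.0.1'   # a DC may legitimately list itself as loopback

# 1. Every DC runs DNS and holds the AD-integrated zone (so every DNS server is a DC).
foreach ($dc in $dcs.HostName) {
    $zone = Get-DnsServerZone -ComputerName $dc -Name $Domain -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Warning "$dc : no zone $Domain (DNS role missing or zone not replicated here)"
    } elseif (-not $zone.IsDsIntegrated) {
        Write-Warning "$dc : zone $Domain is file-backed, not AD-integrated"
    } else {
        Write-Host "$dc : AD-integrated zone $Domain present"
    }
}

# 2. Root hints OR forwarders. Pick one explicitly rather than leaving a forwarder list that
#    silently falls back to root hints (or vice versa) without anyone having decided that.
foreach ($dc in $dcs.HostName) {
    $fwd = Get-DnsServerForwarder -ComputerName $dc
    if ($UseRootHints) {
        if ($fwd.IPAddress) {
            # Remove any forwarder so the server walks the root hints itself
            Remove-DnsServerForwarder -ComputerName $dc -IPAddress $fwd.IPAddress -Force
        }
        if (@(Get-DnsServerRootHint -ComputerName $dc).Count -eq 0) {
            Write-Warning "$dc : root hints list is empty; external resolution will fail"
        }
    } else {
        # Forward to the ISP and do NOT fall back to root hints when the forwarder is down,
        # so a firewall that only permits UDP 53 to the ISP stays sufficient.
        Set-DnsServerForwarder -ComputerName $dc -IPAddress $IspForwarder -UseRootHint $false
    }
}

# 3. This machine's own resolver list must contain only DC addresses. Repeat on every server
#    and client, and check whatever hands out DHCP option 6 (in the question, the PIX).
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
foreach ($ip in $configured) {
    if ($dcIPs -notcontains $ip) {
        Write-Warning "local resolver $ip is not a domain controller; remove it from the list"
    }
}

# 4. Each DC's DNS must answer the DC-locator SRV record (internal zone) and an external name.
#    An external failure here, with the zone checks passing, points at outbound UDP 53 being blocked.
foreach ($ip in $dcs.IPv4Address) {
    try {
        $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ip -DnsOnly -ErrorAction Stop
        Write-Host "$ip : answers DC-locator SRV record"
    } catch { Write-Warning "$ip : cannot resolve _ldap._tcp.dc._msdcs.$Domain ($($_.Exception.Message))" }
    try {
        $null = Resolve-DnsName -Name $External -Type A -Server $ip -DnsOnly -ErrorAction Stop
        Write-Host "$ip : answers external name $External"
    } catch { Write-Warning "$ip : cannot resolve $External; check root hints/forwarder and outbound UDP 53" }
}
```

The script only changes forwarder settings (step 2); the zone and resolver-list checks report and leave the fix to you, since moving a zone to AD-integrated storage or editing the PIX's DHCP options is a change worth making deliberately rather than from a script.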
The purpose of secondary DNS is reliability, not to resolve a completely different address space. Typically your internal DNS is just configured to forward requests that it can't resolve locally. Nothing tricky about it, this is how DNS is supposed to work.
I would imagine that in this case your queries are taking a little longer than usual, as every external request has to fail on the primary first before it's sent to the secondary.
I'm assuming you're talking about Windows computers here.
For computers that are members of a domain, only the internal DNS server should be used; if external name resolution is required, it should be done by the internal DNS server. This is crucial for proper domain operation, because Windows systems use DNS for many Active Directory-related activities, including (but not limited to) finding domain controllers. A domain member computer should never be configured to use a DNS server which doesn't have domain data, such as any external one.
If your computers are not members of a domain, you can use pretty much any DNS configuration you want; anyway, it's still considered best practice to use internal DNS servers and have them forward queries to external ones, instead of having the clients directly talk to external DNS servers; this allows for caching and reduction of external traffic.
There's one more piece that I'd like to bring out- looked like it got buried. The purpose of the primary and secondary DNS servers is redundancy- If the DNS service should stop on one, your client machines should be able to continue working without any noticeable difference, assuming the DNS servers are identical, etc. This is precisely why Active Directory integrates DNS and AD replication into the domain controllers (Among other reasons of course). Here's what I have done in similar situations: Assuming you have the ability and authority to make changes to the DHCP and DNS configs on both servers and PIX, do this:
On the PIX, set the DHCP-assigned DNS server entries to two identical DNS servers. If it were me, I'd have them be Windows servers. This may not be possible in your situation- I forget the deal with SBS, and I'm not sure what your replication options really are. On the DNS servers, set up authoritative zones to resolve the internal IP addresses (Take any MS defaults you can, plus follow best practices as well) Have the DNS servers forward queries to the DNS server(s) used to resolve the external addresses.
This will keep internal queries internal and optimize performance. It will push external queries out without having to wait for DNS1 to send to DNS2 to resolve the external queries. On the customer end, this will give you redundancy (i.e. one server goes down, they can continue working while they wait for you to arrive) and the latency during DNS requests will drop- higher productivity. Make it a win-win for the customer, whether you are internal or external to the company.
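The redundancy and latency points made in this answer (and the "fail on the primary first" delay described earlier in the thread), checked from a client, as an added example that is not part of the original answer. On the PIX side the two identical internal servers are handed out with `dhcpd dns <dns1> <dns2>`; the script below then runs on a domain member that took its resolver list from that DHCP scope, confirms the list holds exactly the two internal servers, and queries each of them directly for both an internal AD record and an external name, timing each query. If every server answers everything, either one can disappear without the client noticing and no external query has to time out on DNS1 before DNS2 answers it. The domain `corp.example.local`, the server addresses `192.168.10.10`/`192.168.10.11` and the test name `www.example.com` are placeholders, not values from the page.

```powershell
# Added example, not code from the original answer. Assumed placeholder values:
#   domain corp.example.local, internal DNS 192.168.10.10 and .11, external name www.example.com.
# Run on a domain member whose resolver list came from DHCP (here, the PIX).
$Domain   = 'corp.example.local'                      # assumed
$Expected = @('192.168.10.10', '192.168.10.11')       # assumed: the two identical internal servers
$Internal = "_ldap._tcp.dc._msdcs.$Domain"            # DC-locator SRV record; only the internal zone has it
$External = 'www.example.com'                         # assumed external test name

# Are the DHCP-assigned resolvers exactly the two internal servers?
$assigned = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$wrong   = $assigned | Where-Object { $Expected -notcontains $_ }
$missing = $Expected | Where-Object { $assigned -notcontains $_ }
if ($wrong)   { Write-Warning "resolver list contains non-internal servers: $($wrong -join ', ')" }
if ($missing) { Write-Warning "resolver list is missing internal servers: $($missing -join ', ')" }

function Test-Resolver {
    param([string]$Server, [string]$Name, [string]$Type)
    # Ask ONE server directly (-Server), DNS only (no LLMNR/NetBIOS fallback), and time the answer.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $sw.Stop()
    [pscustomobject]@{
        Server       = $Server
        Name         = $Name
        Type         = $Type
        Answered     = [bool]$result
        Milliseconds = $sw.ElapsedMilliseconds
    }
}

Clear-DnsClientCache   # so the timings below reflect real queries, not the local cache
$report = foreach ($srv in $Expected) {
    Test-Resolver -Server $srv -Name $Internal -Type SRV   # internal zone reachable on this server?
    Test-Resolver -Server $srv -Name $External -Type A     # and does it forward external names itself?
}
$report | Format-Table -AutoSize

$failed = $report | Where-Object { -not $_.Answered }
if ($failed) {
    Write-Warning ('{0} query/queries unanswered. With a split primary/secondary setup the client waits ' +
                   'out its per-server timeout on the first server before trying the next for every such ' +
                   'name, which is the latency the answers above describe.') -f @($failed).Count
} else {
    Write-Host 'Both servers answer internal and external names: either can fail without the client noticing.'
}

# For comparison, the same external name through the normal resolver path, which walks the
# DHCP-assigned list in order; a large gap versus the direct timings above is the failover delay.
Clear-DnsClientCache
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$viaList = Resolve-DnsName -Name $External -Type A -DnsOnly -ErrorAction SilentlyContinue
$sw.Stop()
"$External via resolver list: answered=$([bool]$viaList) in $($sw.ElapsedMilliseconds) ms"
```

Querying each server with `-Server` is the important part: a lookup through the normal resolver path hides which server actually answered, so it cannot tell you whether the "secondary" is a real standby or just the place external queries end up after the primary gives up.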