Question : ISA Cannot Resolve internal host names

Hi EE,

I'm having a problem on ISA 2006 and Server 2003 R2.
The thing is, this machine or any other workstation on the network cannot resolve host names, except for the ISA server box.

Some Background info on the network setup,
Running SBS 2003 configured as the DC, DHCP, Exchange & DNS
Server 2003 R2 Running ISA 2006 & DNS

All workstations on the network can browse the internet, can ping by IP (can ping the ISA box by host name), cannot connect to Exchange (presume it's the name resolving issue).

I'm pretty sure it's just an ISA rule I'm missing.

If anyone can help I'd really appreciate it.

Thanks

K03RT


Answer : ISA Cannot Resolve internal host names

Hi,

Here's what should be done in my opinion:

1) The internal DNS service should be installed on the Domain Controller and every computer should be configured to use the IP address of the DC as its only DNS server. Even the DC itself should be configured to use its own IP address as DNS server.
2) Doing this, all the computers in your domain will register in the domain DNS zone and should be able to resolve any internal name.
3) If you don't want your ISA server to be a member of the domain, then the ISA server does not need to use the internal DNS at all. In this case the only DNS servers the ISA server should know are the external ISP DNS servers.
4) If you want your ISA server to be a member of the domain then it MUST NOT interrogate external DNS directly. Why??? Because external DNS do not know anything about your internal DNS domain name, and because external DNS answers are in the end always authoritative answers. If your ISA server interrogates external DNS servers about your internal domain, the answer will always be something like "this name is unknown and IT DOES NOT EXIST AT ALL". Receiving this kind of authoritative answer, your ISA server stops interrogating any other DNS and never gets resolution.

In the case you want your ISA server to be a member of the internal domain you have only 2 architectural possibilities:


First architecture: Your ISA server only knows the internal DNS. You only mention the internal DNS in the network card configuration of your ISA server. You make changes on your internal DNS server to add a forwarder that points to the external DNS servers. Doing that, your internal DNS server will transmit any DNS request that is not about internal names to the external DNS servers. You must of course allow outgoing external traffic across your ISA server so that the internal DNS server can dialog with the external DNS servers.
To add DNS forwarders you must ensure that your internal DNS server doesn't own the DNS root "." zone.
You must of course permit DNS dialog between the ISA server and the internal DNS, possibly by adding a specific traffic rule in ISA (normally there are system rules in ISA that already permit these dialogs).
On your client computers you can mention the ISA server address as the proxy address in the IE configuration.

Second architecture: You install a DNS service on your ISA server but you don't create any DNS zone on it. This type of DNS configuration is called a "cache only" DNS server. You configure the IP parameters on every netcard of your ISA server to interrogate only itself as a DNS server (you can use 127.0.0.1). You DO NOT mention external or internal DNS.
You add a conditional forwarder for your internal domain DNS suffix on the DNS service on the ISA server so that DNS requests for the internal domain are transmitted to the internal DNS server.
You add a classic forwarder (non-conditional forwarder) on the DNS service on the ISA server so that DNS requests for any DNS suffix that is not already conditionally forwarded are transmitted to the external DNS servers.
You must of course permit DNS dialog between your ISA server and your internal DNS, and also between your ISA server and the external DNS, by adding the necessary traffic rules.
On your client computers you must configure the IP address (or name) of the ISA server as a proxy server in the IE configuration.


In order to separate internal and external network dialogs I usually prefer the second architecture. In this architecture the internal DNS servers are not able to resolve external names. This is not a problem because IE is configured with the ISA address as a proxy server and then client computers never have to resolve external names. Only the proxy server (ISA) must resolve external names.

I hope this can help... And don't forget one thing : ISA is a firewall... That means that any dialog incoming or outgoing from/to external/internal network MUST BE allowed by a rule in ISA.


Have a good day.
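The following script is an added example, not part of the original thread or of any Microsoft documentation: it implements the "second architecture" from the answer (a cache-only DNS service on the ISA box, a conditional forwarder for the internal AD suffix pointing at the DC, a classic forwarder pointing at the ISP, and the ISA server's own NIC resolver pointed at 127.0.0.1) using the `dnscmd` and `netsh` tools that ship with Windows Server 2003. It is meant to be run on the ISA server after the DNS Server service has been installed. The domain suffix `corp.example`, the reverse zone `1.168.192.in-addr.arpa`, the addresses `192.168.1.10`, `203.0.113.53`/`203.0.113.54`, the host name `dc1` and the interface name `Local Area Connection` are all placeholders you must replace with your own values.

```batch
@echo off
REM Added example (not from the original thread): configure a cache-only DNS
REM service on the ISA server for the "second architecture" described above.
REM Run on the ISA server with the DNS Server service already installed.
REM Every name and address below is a placeholder; replace with your own.

set DNSHOST=%COMPUTERNAME%
set INTERNAL_SUFFIX=corp.example
set INTERNAL_REVERSE=1.168.192.in-addr.arpa
set INTERNAL_DNS=192.168.1.10
set ISP_DNS=203.0.113.53 203.0.113.54
set NIC=Local Area Connection

REM 1. Forwarders cannot be configured while this server hosts a primary
REM    root "." zone (a "." line of type Cache is only the root hints and is
REM    harmless). Remove a primary root zone if one exists.
dnscmd %DNSHOST% /EnumZones | findstr /R /C:"^ *\. *Primary" >nul
if not errorlevel 1 (
    echo Removing primary root zone "." so that forwarding can be enabled
    dnscmd %DNSHOST% /ZoneDelete . /f
)

REM 2. Conditional forwarders: queries for the internal AD suffix (and for
REM    the internal reverse zone, so that ping -a and log entries can turn
REM    internal addresses back into names) go only to the DNS on the DC.
dnscmd %DNSHOST% /ZoneAdd %INTERNAL_SUFFIX% /Forwarder %INTERNAL_DNS%
dnscmd %DNSHOST% /ZoneAdd %INTERNAL_REVERSE% /Forwarder %INTERNAL_DNS%

REM 3. Classic forwarder: anything not matched by a conditional forwarder
REM    goes to the ISP DNS servers. /Slave stops the server from falling
REM    back to its own recursion through the root hints when the ISP servers
REM    do not answer, so the only DNS traffic leaving the box is to the
REM    addresses listed here (which keeps the ISA rule set small).
dnscmd %DNSHOST% /ResetForwarders %ISP_DNS% /Slave

REM 4. Point the ISA server's own resolver at itself only: no internal and
REM    no external DNS in the NIC settings, exactly as the answer recommends.
netsh interface ip set dns name="%NIC%" source=static addr=127.0.0.1

REM 5. Verify: an internal name must come back from the DC through the
REM    conditional forwarder, an external name through the ISP forwarders.
dnscmd %DNSHOST% /ClearCache
ipconfig /flushdns
nslookup dc1.%INTERNAL_SUFFIX% 127.0.0.1
nslookup www.example.com 127.0.0.1
```

For the first architecture the only DNS change is the forwarder on the DC: after confirming with `dnscmd <DC> /EnumZones` that the DC does not hold a primary "." zone, run `dnscmd <DC> /ResetForwarders <ISP addresses>` there and leave the ISA server's NICs pointing at the DC alone. In both cases the DNS traffic from the ISA box itself (Local Host) to the internal and external DNS servers still has to be permitted by ISA, as the answer notes; the DNS client system policy rules normally cover this, and a failing `nslookup` in step 5 against one of the two names tells you which direction is being blocked.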


