Hi Elias,

Separating DNS and AD services:
It should be possible to have AD DNS server hosted on a non-DC server.
Samba Wiki explain we just have to include
"/var/lib/samba/private/named.conf" in Bind configuration. This library can
be replaced be one of those shipped with Bind, this library will need
configuration for it can deal with remote DC(s).
Please note I never tried that, 'cause I'm a lazy guy, but that should be
possible: Bind+DLZ seems to me to be meant for that kind of job.

One (or more) non-DC DNS server dealing with AD DNS servers:
That is more simple to achieve:
- just configure AD DNS service as you want (please note that few weeks ago
Samba's internal DNS server was still not able to work as multi-masters
which is needed to avoid SPOF in AD, so IMHO the only valid DNS backend is
bind+DLZ if you want high availability)
- add a new zone to your existing DNS server (the one which is not AD DC)
like that one:
----------------------------------------------------------------------------------------------
zone "ad.domain.tld" IN {
type forward;
forward only;
forwarders {
<ip of 1st DC>;
<ip of 2nd DC>;
....
<ip of Nth DC>;
};
};
----------------------------------------------------------------------------------------------
Restart your external non-DC Bind service and it should be able to resolve
one more zone: the one from your AD.
What is nice in that is you don't need to take in account _msdcs zone as it
is a sub zone of "ad.domain.tld", your external Bind will also forward
requests regarding _msdcs to AD servers.

I did not played with that for a relatively long time and I'm just coming
back from vacations, so I'm not sure if you would need to allow forwarding
and recursion on that non-DC DNS server. It could be necessary... Anyway as
this DNS should be meant to resolve Internet addresses in addition of your
local domain(s) recursion and forwarding should be accepted already...

Hoping this clarify DNS management a little bit and that helps you,

Mathias