I agree with the first two. 3 and 4 are wrong though - your clients should never be using an ISP or public DNS server in an active directory environment. They don't know about the machines on your network.