Hi Chris

The OS DNS resolver needs to see 'no response' before it will decide to fail over to your secondary. So if you get a response from the primary, but some records are incorrect/missing, it's not smart enough to know it should fail over to the ...
It does sound like the netlogon service on the DC is either not reachable or rejecting the connection. A sniffer might not shed too much light on why. If you can, I would suggest enabling netlogon debug, reproducing the issue and sending us the netlogon...