Install a trial version of server 2012 in a virtual box and experiment all you’d like.
I would guess the machine that is going directly to an NTP server is your old PDC emulator. You need to undo the configuration you did there, and set it back to using the Domain for time sync.
On your 2012 box, which I assume is the new PDC emulator, you should set it to use NTP to external NTP servers. A few servers from pool.ntp.org is probably best.
I am a big fan of using Group Policy to configure NTP on the PDC emulator, and other DCs. So make one policy that applies the NT5DS time sync to all the rest of the DCs, and one policy applied only to the PDC emulator at a higher priority that sets the PDC emulator to NTP.
You can use Get-ADUser to get a list, e.g. to find all inactive users.
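# -lt returns accounts whose last logon is before the cutoff date, i.e. the inactive ones
Get-ADUser -Filter {LastLogonDate -lt "8/1/2013"} -Properties LastLogonDate | Select-Object Name,LastLogonDate | Sort-Object Name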
Otherwise, you can also try this Active Directory cleaner tool (http://www.lepide.com/active-directory-cleaner/) that helps to find all inactive user or computer accounts in an AD environment and generates a comprehensive report on inactive user accounts, never-logged-on users and real last logon or logoff details of accounts.
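The inactive-account check from the post above, as an added example that is not part of the original post. It goes beyond the one-liner by also reporting enabled accounts that have never logged on; the ActiveDirectory module, the 90-day threshold and the output file name are assumptions.

```powershell
# Added example: report enabled user accounts that look inactive.
# Assumptions: the ActiveDirectory module (RSAT) is installed, and the
# 90-day threshold and CSV path are illustrative values.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which is replicated
# between DCs but only refreshed when it is roughly 9-14 days old, so
# treat the result as accurate to about two weeks.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated

$report = foreach ($u in $users) {
    if ($null -eq $u.LastLogonDate) {
        # Never logged on: flag only when the account itself is older than
        # the cutoff, so freshly provisioned accounts are not reported.
        if ($u.whenCreated -lt $Cutoff) {
            [pscustomobject]@{
                Name           = $u.Name
                SamAccountName = $u.SamAccountName
                LastLogonDate  = $null
                Status         = 'NeverLoggedOn'
            }
        }
    }
    elseif ($u.LastLogonDate -lt $Cutoff) {
        [pscustomobject]@{
            Name           = $u.Name
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Status         = 'Inactive'
        }
    }
}

# Show the result and keep a copy for review before disabling anything.
$report | Sort-Object Status, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\inactive-users.csv -NoTypeInformation
```

Service accounts and accounts used only for non-interactive authentication can appear in this list, so review the CSV before acting on it.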
As long as the DNS servers have caching enabled, then having all of them set up with forwarders shouldn't generate much traffic, although all of them will require network connectivity (UDP 53 at a minimum) to the forwarders you select. If you don't have forwarders configured, then they will use root hints out of the box, but that can also be disabled.
If you just have root hints configured and no forwarders, then your servers will use iterative queries instead of recursive. Combine that with disabling caching, and yeah, that could generate some traffic, but still probably not enough to matter.
If it were me, I'd configure all DCs to forward to the same public DNS servers and have caching enabled. There are tools available to test many common public DNS servers to find the most performant for your location and environment. I usually use this one (although from a workstation on the same network, not on the DC itself): https://www.grc.com/dns/benchmark.htm
The books are typically designed to teach you to pass Microsoft exams which include AD as a subject matter. The advice to build a lab and experiment is very good advice.
Here are the basic docs, if you want them. There is some good info, but keep in mind that there is a world of possibility you’re not going to realize until you just do it. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started
Have you heard about Guacamole?
This way you only provide a URL, but it has some extra configuration for sysadmins. Not sure how secure it is.
This way you only provide a link to your end user.
We had the same problem and configured about 200 VPNs on users' PCs (didn't want to use Guacamole).