So I had an interesting issue today: a Domain Controller (DC) had been demoted, yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local.
Demoted DC: MWDC04 / IP: 10.14.111.111
I had done the metadata cleanup and tried many of the suggestions that come up when googling the subject. To my surprise, none of the solutions I found worked.
I had removed the IP address from the primary DNS server and saw entries at the zone apex (shown in DNS Manager as "(same as parent folder)") for:
(same as parent folder) Host (A) 10.14.111.111
(same as parent folder) Name Server (NS) 10.14.111.111
I also looked under internaldomain.local > _msdcs and deleted entries from there.
After clearing the DNS server cache and waiting for replication, I ran nslookup again and the IP was still there.
Well, there are good and bad things about Microsoft DNS.
You cannot search record data in DNS Manager (the MMC snap-in): its Find function is limited to record names, so there is no way to search for a value such as an IP address or the server a NS or SRV record points to.
All DNS entries of a standard (file-backed) primary zone are stored in a flat text file on the DNS server, by default "C:\WINDOWS\system32\dns\internaldomain.local.dns". JACKPOT! Two caveats before you edit it: an Active Directory-integrated zone is stored in AD, not in this file, so editing a .dns file will not change such a zone; and the DNS Server service rewrites the zone file from its in-memory copy, so stop the service before editing the file and start it again afterwards, or your edits can be overwritten.
I opened it in Notepad++, searched for the IP and the DNS name of the demoted server (MWDC04 / 10.14.111.111), and started deleting the matching entries. I was surprised to find entries deeply buried under "domaindnszones" & "forestdnszones" and a few other subzones (the DomainDnsZones and ForestDnsZones names carry an A record for every DC that hosts those AD application partitions, which is why the demoted DC's IP was still sitting under them).
I cleared the cache again and waited for replication. Once replication had completed, I tried nslookup internaldomain.local again, and this time it no longer listed the demoted DC.
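The same search can be done without opening the zone file at all. The DnsServer PowerShell module returns every record in a zone, including the ones under _msdcs, DomainDnsZones and ForestDnsZones, and lets you filter on the record data that DNS Manager cannot search; it also works for AD-integrated zones. The script below is an added example, not part of the original post: it finds every record in every primary zone that names or points at the demoted DC, prints them, and removes them with Remove-DnsServerResourceRecord. The DNS server name MWDC01 is an assumption; the host name and IP are the ones from the post.

```powershell
# Added example, not part of the original post.
# Finds every record in every primary zone on a DNS server that still names or
# points at a demoted DC (by host name or IP), across all subdomains such as
# _msdcs, DomainDnsZones and ForestDnsZones, and removes them with the DnsServer
# module. Works for both file-backed and AD-integrated zones.
#Requires -Modules DnsServer

$DnsServer = 'MWDC01'          # ASSUMPTION: a surviving DC / DNS server to query
$OldHost   = 'MWDC04'          # demoted DC (from the post)
$OldIp     = '10.14.111.111'   # its old address (from the post)
$DryRun    = $true             # set to $false to actually delete the matches

$IpPattern   = '^' + [regex]::Escape($OldIp) + '$'
$HostPattern = '(^|\.)' + [regex]::Escape($OldHost) + '(\.|$)'   # mwdc04 as a whole DNS label

# Every data value a record carries, whatever its type
# (A: IPv4Address, NS: NameServer, SRV: DomainName, CNAME: HostNameAlias, PTR: PtrDomainName, ...).
function Get-RecordDataValues {
    param([Parameter(Mandatory)] $Record)
    foreach ($p in $Record.RecordData.CimInstanceProperties) { [string]$p.Value }
}

# True if the record's own name or any of its data refers to the demoted DC.
function Test-RefersToOldDc {
    param([Parameter(Mandatory)] $Record)
    if ($Record.HostName -match $HostPattern) { return $true }
    foreach ($v in (Get-RecordDataValues $Record)) {
        if ($v -match $IpPattern -or $v -match $HostPattern) { return $true }
    }
    return $false
}

# Primary zones only: secondaries and stubs get their data from a master, and the
# auto-created zones (0.in-addr.arpa etc.) never hold our records. A separate
# _msdcs.<forest> zone, if present, is covered because it is a primary zone too.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$hits = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object { Test-RefersToOldDc $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Zone       = $zone.ZoneName
                HostName   = $_.HostName        # '@' is the zone apex ("same as parent folder")
                RecordType = $_.RecordType
                Data       = (Get-RecordDataValues $_) -join ' '
                Record     = $_
            }
        }
}

$hits | Format-Table Zone, HostName, RecordType, Data -AutoSize

foreach ($hit in $hits) {
    if ($hit.RecordType -eq 'SOA') {
        # Never delete the SOA; if its primary server is the old DC, change it instead.
        Write-Warning "SOA of $($hit.Zone) still names $OldHost as primary server; fix it with Set-DnsServerResourceRecord."
        continue
    }
    if ($DryRun) {
        Write-Host "[DRY RUN] would remove $($hit.RecordType) '$($hit.HostName)' -> $($hit.Data) from $($hit.Zone)"
    } else {
        # -InputObject removes exactly this record, so the other NS/SRV records under
        # the same name (the surviving DCs) are left alone.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $hit.Zone -InputObject $hit.Record -Force
    }
}

# Afterwards: flush the server cache and re-check what the zone apex now answers.
Clear-DnsServerCache -ComputerName $DnsServer -Force
Resolve-DnsName -Name 'internaldomain.local' -Type A  -Server $DnsServer -DnsOnly
Resolve-DnsName -Name 'internaldomain.local' -Type NS -Server $DnsServer -DnsOnly
```

Run it with $DryRun left at $true first and read the table: anything that is not an A, NS, SRV, CNAME or PTR pointing at the old DC deserves a second look before you flip $DryRun to $false. For an AD-integrated zone the removals replicate to the other DCs on their own; for a file-backed zone with secondaries they go out with the next zone transfer. Clients that cached the old answer still need an ipconfig /flushdns (or the record TTL to expire) before nslookup stops showing it.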
I hope this saves others some time, because finding a record in DNS can be like searching for a needle in a haystack!