So I had an interesting issue today where a Domain Controller (DC) was demoted, yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local
Demoted DC: MWDC04 / IP: 10.14.111.111
I had done the metadata cleanup and tried many suggestions when googling the subject. To my surprise, none of the solutions I found worked.
I had removed the IP address from the Primary DNS Server and saw entries for:
(same as parent folder) Host (A) 10.14.111.111
(same as parent folder) Name Server (NS) 10.14.111.111
I also looked under internaldomain.local > _msdcs and deleted entries from there.
After clearing the cache and waiting for replication, I ran nslookup again and the IP was still there.
Well, there are some good and bad things about Microsoft DNS.
The BAD:
You cannot search DNS values in DNS Management. You are limited to searching just the names.
The GOOD:
All DNS entries are stored in a flat file on the DNS Server, “C:\WINDOWS\system32\dns\internaldomain.local.dns” (the default location). JACKPOT!
I opened it up in Notepad++, did a search for the IP and DNS name of the demoted server (MWDC04 / 10.14.111.111) and started deleting matched entries. I was surprised to find entries that were deeply buried under “domaindnszones” & “forestdnszones” and a few other subzones.
I cleared the cache again and waited for replication. Once replication completed I tried nslookup internaldomain.local, and this time it didn't list the demoted DC anymore.
I hope this saves others time, because finding a record in DNS might be like searching for a needle in a haystack!