Danger of Scavenging Stale Resource Records In _msdcs Zone

I already have DNS scavenging turned on, but it never seems to clean up any of the references to DC2, the domain controller and DNS server that failed some time ago.

You need to enable scavenging both at the server level and at the Domain level. Check properties of both to enable scavenging or delete the specific records yourself.

Can I just delete the entire Forward Lookup Zone? Does it recreate itself?

This is what you definitely do NOT want to do. Once you have your new DC up with DNS installed, make sure your Domain is AD Integrated and set it for replication to all domain or forest DNS servers. I prefer all forest but that's just me. When you decommission the old DC and remove everything make sure to re-point all of your clients and servers to the new DNS server IP address. I would suggest running them in parallel for a period of time to get all the clients and servers updated to using the new IP while the old one is still also available.

You are absolutely spot on in rebuilding the current DC as a second DC. You ALWAYS want to have 2 DCs and 2 DNS servers for an AD infrastructure. I personally insist on having at least one be a physical DC versus having both virtualized.

I am worried that in step 3 of my plan, I will end up replicating bad DNS records to my new domain controller. What is the best way to clean up my existing DNS before replicating it to my new server? It seems like it would be best just to have a clean Forward Lookup Zone, but I don't really understand how that zone works.

When in doubt, keep it. If things are working as expected and you don't want to break them, let sleeping dogs lie. If there are records you know are bad, get rid of them, but only records that you know what they do and only if you know for a fact that they are superfluous.

1. The way Active Directory's multiple-master replication works is quite different from the DNS protocol's primary/secondary replication model. So a secondary copy of the records is truly "secondary", in that it is always refreshed from the master.
2. Not quite sure what you mean... Can you clarify?
3. We need secondary zones because that's the way every other DNS server in the world works, including the industry standard one, BIND. Many companies have their BIND services running on large UNIX servers, and the Windows AD/DNS servers just have a secondary copy.
4. Yes, each domain controller keeps a full copy of all the AD & DNS data (with some minor exceptions--read up on Global Catalogs and FSMO roles).
5. Sort of... there's no built-in command to do this, but you can use BIND tools and a copy of the data from the secondary to fill out a new primary zone. It's not advisable, though.
6. No, you still have full control over zone transfer security. The quoted line is saying that the SOA, NS and A-records which point to the zone's primary & secondary name servers are always available for all clients to read, which means that they could use the info to create their own stub zone if they wanted to.