DcDiag: “Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)” meaning

I already have DNS scavenging turned on, but it never seems to clean up any of the references to DC2, the domain controller and DNS server that failed some time ago.

You need to enable scavenging both at the server level and at the Domain level. Check properties of both to enable scavenging or delete the specific records yourself.

Can I just delete the entire Forward Lookup Zone? Does it recreate itself?

This is what you definitely do NOT want to do. Once you have your new DC up with DNS installed, make sure your Domain is AD Integrated and set it for replication to all domain or forest DNS servers. I prefer all forest but that's just me. When you decommission the old DC and remove everything make sure to re-point all of your clients and servers to the new DNS server IP address. I would suggest running them in parallel for a period of time to get all the clients and servers updated to using the new IP while the old one is still also available.

You are absolutely spot on in rebuilding the current DC as a second DC. You ALWAYS want to have 2 DCs and 2 DNS servers for an AD infrastructure. I personally insist on having at least one be a physical DC versus having both virtualized.

I am worried that in step 3 of my plan, I will end up replicating bad DNS records to my new domain controller. What is the best way to clean up my existing DNS before replicating it to my new server? It seems like it would be best just to have a clean Forward Lookup Zone, but I don't really understand how that zone works.

When in doubt, keep it. If things are working as expected and you don't want to break them, let sleeping dogs lie. If there are records you know are bad, get rid of them, but only records that you know what they do and only if you know for a fact that they are superfluous.

In the NIC properties for the "secondary server", see that it has specified as its only DNS server the "primary server". Reboot the "secondary server" and verify that AD replication is occurring (using REPLMON from the Windows Support Tools, for example). Since they're in the same AD site you should see replication within 5 minutes.

Once you're seeing good AD replication, verify that you're "seeing" RR's in the DNS management console in the domain's forward lookup zone on the "secondary server". Once you see good RR's there, you're safe to specify the "secondary server" as its own DNS server and begin the process of transferring FSMO roles and decommissioning the "primary server".