Prior to changing the IP or demoting a DNS server it is best to repoint all clients pointing to this DNS server to other DNS server. To assist in this I have written the following script. It requires the DNS service to have debug logging enabled. By running the script and pointing to the debug file, you will get an easy to handle array. Unless you specify a filename for the debuglog it will be in the file %SystemRoot%\system32\dns\dns.log
Download the script from the Microsoft social scripting archive.
Some examples:
Get all queries:
Get-DNSDebugLog -Path \\server.fqdn\c$\windows\system32\dns\dns.log
Get all except some queries:
# I dont care for the DCs sending traffic so using $ignore and the Active Directory module to exclude all DCs.
Import-Module ActiveDirectory
$ignore = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Hostname |ForEach-Object {[System.Net.Dns]::GetHostAddresses($_)|Select-Object -ExpandProperty IPAddressToString}
Get-DNSDebugLog -Path \dnsserver01c$tempdnslog.txt -ignore $Ignore
Well that is too much information:
#This will display client IPs and count of queries from each IP
Get-DNSDebugLog -Path \dnsserver01c$tempdnslog.txt -ignore $Ignore | Where-Object {$_.QR -eq "Query"} |Group-Object "Client IP"| Select Name, Count