Powered on SERVER2 and ran dcpromo, but couldn't demote it to a stand-alone server because Active Directory "knew" that there was still another DC out there. So I tried demoting it to a member server, but Active Directory insisted that it must be able to contact another DC in that case, so I powered on SERVER1. After demoting SERVER2 to a member server and rebooting, I ran dcpromo again to install Active Directory as a new domain in the existing forest. This didn't work at first because DNS lookups (for the new domain) on SERVER1 timed out. To fix this, I created a primary zone on SERVER1 for the new domain, and that allowed me to proceed with installing Active Directory on SERVER2 with SERVER1 as its DNS server.
Powered on a virtual workstation (XP1) and joined the second domain. After rebooting, XP1 saw every domain in the forest: DOMAIN1, DOMAIN2, and XP1. A quick Google search determined that this list is not editable, but that you can set a default domain for a PC and then hide the domain list.
Windows workstations cache domain credentials for up to 10 offline logins. To change/disable this, edit a group policy: Computer > Windows > Security > Local > Interactive logon: Number...
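As an added example (not part of these notes), a small PowerShell audit of that setting on the workstation itself. It assumes the Winlogon registry value CachedLogonsCount, which is where the "Interactive logon: Number of previous logons to cache" policy is stored; the threshold and the function names are my own.

```powershell
# Added example: audit, and optionally lower, the number of cached domain logons.
# Assumes the well-known Winlogon value CachedLogonsCount (REG_SZ, valid 0-50).
# Run in an elevated PowerShell session on the workstation being checked.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Returns the effective count. The value is stored as a string, so cast it;
    # when the value is absent Windows uses its default of 10.
    $v = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

function Test-CachedLogonsCount {
    # Reports whether the machine is at or below the maximum you consider acceptable
    # (1 keeps the last user able to log on with no DC reachable; 0 disables caching).
    param([int]$Maximum = 1)
    $current = Get-CachedLogonsCount
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Current   = $current
        Maximum   = $Maximum
        Compliant = ($current -le $Maximum)
    }
}

function Set-CachedLogonsCount {
    # Writes the value directly. If a GPO defines this policy, Group Policy will
    # overwrite the local value at the next refresh, so set it in the GPO for domain PCs.
    param([ValidateRange(0, 50)][int]$Count = 1)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
    Get-CachedLogonsCount
}

Test-CachedLogonsCount -Maximum 1 | Format-List
```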
After a slow initial login on XP1, I checked the event log and found complaints that the domain controller was inaccessible. Creating reverse DNS entries appeared to resolve this (though maybe it just needed more time).
Lastly, I assigned a batch file login script to XP1 via group policy, but noted that my PAUSE command was ignored.