Changes to DNS in Windows 2000

In the Windows 2000 DNS implementation, a number of changes have been made. The most important include support for service records, dynamic DNS, secure dynamic updates, incremental zone transfer, and Active Directory integration. Each of these is described below:

Service Records – Windows 2000 DNS implementation provides support for an important type of resource record, service records (often referred to a SRV records). Service records allow a client to query DNS looking for a system running a particular service, such as a global catalog (which is designated by a GC record).

Dynamic DNS – In a traditional DNS implementation, all records needed to be created and updated manually on the DNS server, which could be extremely time consuming. The Windows 2000 implementation supports RFC 2136, usually referred to as Dynamic DNS or DDNS. In this implementation, clients are capable of automatically updating their records, which is especially useful in environments where clients use DHCP for IP address allocation. Windows 2000 is the only current Microsoft client OS that supports dynamic updates. However, it is also possible to configure a Windows 2000 DHCP server such that it updates DNS on behalf of clients, thus allowing non-Windows 2000 client information to be updated in DNS. Dynamic DNS is also especially useful for domain controllers, who can automatically register their service records – otherwise, all of these would need to be created manually.

Secure Dynamic Updates – if a DNS zone is Active Directory integrated, Windows 2000 allows you to use something called secure dynamic updates. Note that dynamic updates can potentially be dangerous because any client could potentially be registered in DNS, since dynamic DNS is only looking for a request, and is not authenticating the request. If secure dynamic updates are enabled, only a user or system that has the appropriate permissions on the associated access control list (ACL) for the zone can add a system to DNS. By default, the Authenticated Users group has these permissions. Client systems will attempt to use an unsecured request first by default, and a secure update if refused.

Incremental Zone Transfer – NT 4 DNS implementations only supported AXFR, or full zone transfers. Under this configuration, every time a primary name server did a zone transfers with a secondary, the entire zone database file was transferred, even if there were only a single change. Windows 2000 DNS supports IXFR, or incremental zone transfers. In this implementation, only the changes are passed during the zone transfer, as opposed to the entire zone database file.

Active Directory Integration – Windows 2000 still supports the traditional primary / secondary implementation of DNS. In that scenario, changes to the zone file could only be made on the primary, which had the only writable copy. Windows 2000 introduces a new concept here – Active Directory Integrated DNS. In this implementation, the DNS zone file and associated information is stored as objects in Active Directory instead of as files in the DNS directory on the hard disk. This integration basically allows any domain controller running DNS to accept changes to the DNS database, with changes to the zone file replicated as part of Active Directory replication. This also helps make DNS more fault-tolerant. In a traditional DNS environment, if the primary name server were to fail, all dynamic updates to DNS would be denied, since the writable copy would not be available. In AD-integrated DNS, all DNS servers are capable of handling an update. Note that legacy DNS servers can continue to exist – they can be secondaries, using the AD-integrated DNS server as a primary.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.