Windows DNS Servers

Another big feature of the Windows 2000 DNS is that it is dynamic. That is, hosts can register and unregister records for themselves in DNS, including host name to IP address (A) records and service records (these will be discussed in a bit). The benefit of dynamic DNS is obviously the fact that previous versions of DNS did not support this, and as such, all records needed to be configured manually which could be very time consuming. Many people compare this functionaility with WINS. While the idea is similar, remember that the purpose of WINS is to register NetBIOS names to IP addresses, while DNS maps host names to IP addresses.

DNS is not only used in Windows 2000 to resolve host names to IP addresses. It is also used to allow a system to find services on the network, such as the authentication service of a domain controller. When a person tries to log on to a domain, their Windows 2000 system will query DNS, and try to find a list of one or more domain controllers in the same physical site. A domain controller automatically registers itself in DNS, but also registers records relating to some of the services it is running. In the same manner, a Windows 2000 client can register itself with DNS, but this can also be handled by the DHCP server who gave the client its address. Both of these elements deserve more attention, and will be covered in more details later in the series.

Although this section is only meant as an introduction to DNS, there are a couple of additional notes about DNS that are important:

  • Windows 2000 DNS supports IXFR, or incremental zone transfers. In this setup, when a change is made to a zone file, only the changes are replicated to other DNS servers. To contrast, Windows NT DNS only supported AXFR, or full zone transfers, under which any change to a zone file meant that the entire zone file would be replicated to all secondaries.
  • If you are using Active Directory integrated DNS, it is possible to enforce something called Secure Dynamic Updates. In this setup, a DNS server will only allow updates or record registrations from systems that have a valid Active Directory computer account. If this is not enforced, any system can make an update to DNS, which could represent a security threat.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.