So you want to enumerate the contents of DNS zones. That's not easily possible from the "outside" except for brute-force checks going down the path you've started -- it's kind of like cracking passwords. You'd have to query for all possible names, check for wildcards with pattern matches, etc... it's non-trivial and very resource intensive, and also very noticeable to vigilant admins (it'll look like a DoS attack if you're not careful). But I don't even think black hats would approach it this way, it'd be easier to either install a sniffer in front of the DNS server and passively collect the useful names over time or just compromise the DNS server itself.
So I'm not sure your purpose or use case, but there are much easier / legit ways. E.g., get access to the Microsoft DNS server to open up an MMC, connect to the DNS service and then you'll see all the zones and within each all the names. Or you could ask the admin for an export of all the zones from the MMC console. Or request to be able to pull zone transfers to your "test" server periodically (e.g., using "dig axfr @" or just setting up a secondary). These are much easier and non-intrusive ways to get what you want, and assuming this is for a legitimate purpose, shouldn't be a big deal.