Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Comparison of Microsoft Identity Services: AD DS, Azure AD, & Azure AD DS


Microsoft Active Directory (AD) was released about 20 years ago with Windows Server 2000 on February 17, 2000. Additional flavors of AD were announced as part of Microsoft Azure, a cloud computing service offering by Microsoft. This article compares the three distinct identity services offered by Microsoft.

  1. Active Directory Domain Services (AD DS)
  2. Azure Active Directory (Azure AD)
  3. Azure Active Directory Domain Services (Azure AD DS)

Here’s an explanation of these services.

Active Directory Domain Services (AD DS)

Active Directory Domain Services (AD DS) is the traditional on-premises version of the domain services provided by AD. Organizations use AD DS to centrally manage all their resource objects, such as users, computers, printers, shared folders, groups, organizational units (OUs), etc. These objects are part of the Active Directory domain, which allows administrators to securely manage them through Group Policies. Some of the key features offered by AD DS include:

  1. On-premises identity & authentication
  2. User and computer management
  3. Group Policies
  4. Domain trusts

AD DS is managed on-premises by the organization itself. The Enterprise Administrators are responsible for managing AD DS domain controllers, AD sites, trust relationships between the domains, Group Policies, backing up and restoring AD DS, etc.

NOTE: In this article, the terms traditional AD and traditional AD DS refer to the on-premises deployment of Active Directory and Active Directory Domain Services.

Difference between Active Directory (AD) and Active Directory Domain Services (AD DS)

A lot of people wonder what the difference is between AD and AD DS. In Windows Server 2000 and Windows Server 2003, Microsoft used the term Active Directory (AD). Starting with Windows Server 2008, Microsoft broke down the services provided by Active Directory into individual components, such as AD DS, AD FS, AD LDS, AD RMS, and AD CS. Therefore, AD DS is simply the Directory Services component of Active Directory. The other components included in the newer editions of Windows Server are AD Federation Services, AD Lightweight Directory Services, AD Rights Management Services, and AD Certificate Services. Together, all these services fit under the AD umbrella. It’s important to note that although the earlier editions of Windows Server (2000 and 2003) didn’t use the term AD DS, the directory services are essentially the same in the newer editions of Windows Server (starting with 2008).

Azure Active Directory (Azure AD)

Azure AD offers some of the same features in the cloud that AD DS offers on-premises. However, just because they both have AD in their names doesn’t mean they are identical services. Azure AD is a cloud-based identity service that offers the following:

  1. Cloud-based identification & authentication
  2. User and computer management
  3. Mobile Device Management (MDM)
  4. Access to Software as a service (SaaS) applications, Microsoft Azure portal, and Office 365 services

Because Azure AD is hosted and managed by Microsoft in the cloud, organizations don’t have direct access to the AD domain controllers the way they do in their on-premises environment. Microsoft exposes parts of Azure AD to organizations through a web-based interface so they have enough control to run and customize the services, but Microsoft is responsible for managing the services and servers behind the scenes in its datacenters across the globe.

For a detailed comparison of Active Directory to Azure AD, visit Compare Active Directory to Azure Active Directory.

Azure Active Directory Domain Services (Azure AD DS)

Azure AD DS is a managed AD DS service in the cloud. In other words, if you want traditional AD DS running in the cloud, you can take advantage of the Azure AD DS service, which runs AD DS under Azure AD. This means that you will be able to use traditional AD DS features, such as Kerberos and NTLM authentication, Group Policies (which aren’t supported in Azure AD), LDAP, etc.

The following table, provided by Microsoft, compares how devices are represented in Azure AD-joined and Azure AD DS-joined environments.

Aspect                          | Azure AD-joined                                      | Azure AD DS-joined
--------------------------------|------------------------------------------------------|----------------------------------------------------------------------------------------
Device controlled by            | Azure AD                                             | Azure AD DS managed domain
Representation in the directory | Device objects in the Azure AD directory             | Computer objects in the Azure AD DS managed domain
Authentication                  | OAuth / OpenID Connect based protocols               | Kerberos and NTLM protocols
Management                      | Mobile Device Management (MDM) software like Intune  | Group Policy
Networking                      | Works over the internet                              | Must be connected to, or peered with, the virtual network where the managed domain is deployed
Great for…                      | End-user mobile or desktop devices                   | Server VMs deployed in Azure
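The join state of a Windows device decides which column of the table above applies to it. The following PowerShell function, an added example that is not part of the original article, reads that state from the output of `dsregcmd /status` and reports the matching authentication and management model; it assumes dsregcmd.exe is available (Windows 10/11 and Windows Server 2016 or later) and accepts captured output so it can also run offline.

```powershell
# Added example (not from the original article): classify a device's join state
# from "dsregcmd /status" and map it to the table's authentication/management model.
function Get-DeviceJoinProfile {
    param(
        # Pass captured output to run offline; by default query the local device.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : VALUE" lines; keep only the keys that matter here.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    $azureAd = $state['AzureAdJoined'] -eq 'YES'
    $domain  = $state['DomainJoined']  -eq 'YES'

    if ($azureAd -and $domain) {
        # Hybrid: both an Azure AD device object and an AD DS computer object exist.
        $joinType = 'Hybrid Azure AD joined'; $auth = 'Kerberos/NTLM plus OAuth/OIDC'; $mgmt = 'Group Policy and/or MDM'
    } elseif ($azureAd) {
        $joinType = 'Azure AD joined';        $auth = 'OAuth / OpenID Connect';        $mgmt = 'MDM (e.g. Intune)'
    } elseif ($domain) {
        # dsregcmd alone cannot tell an on-premises AD DS domain from an Azure AD DS
        # managed domain: both are Kerberos/NTLM domains holding computer objects.
        $joinType = 'AD DS domain joined';    $auth = 'Kerberos and NTLM';             $mgmt = 'Group Policy'
    } else {
        $joinType = 'Not joined';             $auth = 'Local accounts only';           $mgmt = 'Local policy only'
    }

    [pscustomobject]@{
        JoinType       = $joinType
        DomainName     = $state['DomainName']
        Authentication = $auth
        Management     = $mgmt
    }
}

# Constructed sample output (not a real capture) so the function can be exercised offline.
$sample = @(
    'AzureAdJoined : NO',
    'EnterpriseJoined : NO',
    'DomainJoined : YES',
    'DomainName : CONTOSO'
)
Get-DeviceJoinProfile -StatusLines $sample | Format-List
```

Run `Get-DeviceJoinProfile` with no arguments on a real machine to classify the local device; on an Azure AD DS-joined VM, check the reported domain name against your managed domain, since the join state alone is the same as for an on-premises domain.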

Managed vs. Self-Managed Domains

For organizations that are interested in running traditional AD DS services in the cloud, Microsoft offers a couple of methods. You can use either a managed domain or a self-managed domain. Here’s the difference.

Managed Domain

A managed domain is one that you create in the cloud using Azure AD DS; Microsoft creates and manages the associated resources as necessary.

Self-Managed Domain

A self-managed domain is an AD DS environment that you create in the cloud using the traditional tools. For example, you use Virtual Machines (VMs) to install the AD DS domain controllers, member servers, etc. Because the domain is self-managed, you (not Microsoft) are responsible for managing it, just as you do in your on-premises environment.

In this article, I’ve only explained the high-level concepts. Microsoft explains these and other related topics in much more detail in this article. You may also want to look at this second article for additional information on this topic.


Article Updated: June 22, 2020

Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.

Copyright © 2019 SeattlePro Enterprises, LLC. All rights reserved.


2 Comments

  1. Thanks for sharing. I am looking for a side-by-side comparison between AAD and AD DS. Do you know where I can get a good comparison table?
