- Other name: Windows Server Active Directory
- On prem solution.
- Different architecture than Azure Active Directory.
- Logical divisions:
- Objects: users, printers etc.
- Domain
- Groups objects
- Each domain holds a database containing object identity information.
- Domains are identified by their DNS name structure, the namespace.
- Tree
- A collection of one or more domains and domain trees in a contiguous namespace
- Linked in a transitive trust hierarchy
- Forest
- At top of the structure
- A collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.
- The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
- Domain controller (DC) is a server computer that responds to security authentication requests (logging in, checking permissions, etc.) within a domain.
- Multiple instances can be deployed.
- You can deploy AD DS to Azure as VM but:
- You manage the deployment, configuration, virtual machines, patching, and other backend tasks.
- Included by Active Directory Domain Services (ADDS)
- Authenticates via AD DS
- Federated identity
- When the user logs into a service, instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials
- So the user never provides credentials directly to anybody but the identity provider.
- When the user logs into a service, instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials
- Includes Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), and Active Directory Rights Management Services (AD RMS).
| Aspect | Azure AD | Azure AD Domain Services |
|---|---|---|
| Device controlled by | Azure AD | Azure AD Domain Services managed domain |
| Representation in the directory | Device objects in the Azure AD directory. | Computer objects in the AAD-DS managed domain. |
| Authentication | OAuth/OpenID Connect based protocols | Kerberos, NTLM protocols |
| Management | Mobile Device Management (MDM) software like Intune | Group Policy |
| Networking | Works over the internet | Requires machines to be on the same virtual network as the managed domain. |
| Extending | Relies on federation to extend scope | Uses trusts between domains for delegated management |
| 💡 Great for | End-user mobile or desktop devices | Server virtual machines deployed in Azure |