{"id":11388,"date":"2019-12-09T06:00:33","date_gmt":"2019-12-09T13:00:33","guid":{"rendered":"https:\/\/www.zubairalexander.com\/stage\/?p=11388"},"modified":"2020-06-22T10:24:50","modified_gmt":"2020-06-22T17:24:50","slug":"comparison-of-microsoft-identity-services-ad-ds-azure-ad-azure-ad-ds","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/comparison-of-microsoft-identity-services-ad-ds-azure-ad-azure-ad-ds\/","title":{"rendered":"Comparison of Microsoft Identity Services: AD DS, Azure AD, &#038; Azure AD DS"},"content":{"rendered":"<p><span style=\"color: #000000;\">Microsoft Active Directory (AD) was released about 20 years ago with Windows Server 2000 on February 17, 2000. 
Additional flavors of AD were later announced as part of Microsoft Azure, Microsoft's cloud computing service. This article compares the three distinct identity services offered by Microsoft.<\/span><\/p>\n<ol>\n<li><span style=\"color: #000000;\">Active Directory Domain Services (AD DS)<\/span><\/li>\n<li><span style=\"color: #000000;\">Azure Active Directory (Azure AD)<\/span><\/li>\n<li><span style=\"color: #000000;\">Azure Active Directory Domain Services (Azure AD DS)<\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">Here&#8217;s an explanation of these services.<\/span><\/p>\n<h4><span style=\"color: #000000;\"><strong>Active Directory Domain Services (AD DS)<\/strong><\/span><\/h4>\n<p><span style=\"color: #000000;\">Active Directory Domain Services (AD DS) is the traditional on-premises version of the domain services provided by AD. Organizations use AD DS to centrally manage all their resource objects, such as users, computers, printers, shared folders, groups, organizational units (OUs), etc. These objects are part of the Active Directory domain, which allows administrators to securely manage them through Group Policies. Some of the key features offered by AD DS include:<\/span><\/p>\n<ol>\n<li><span style=\"color: #000000;\">On-premises identity &amp; authentication<\/span><\/li>\n<li><span style=\"color: #000000;\">User and computer management<\/span><\/li>\n<li><span style=\"color: #000000;\">Group Policies<\/span><\/li>\n<li><span style=\"color: #000000;\">Domain trusts<\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">AD DS is managed on-premises by the organization itself. 
The Enterprise Administrators are responsible for managing the AD DS domain controllers, AD sites, trust relationships between domains, Group Policies, backing up and restoring AD DS, and so on.<\/span><\/p>\n<p><span style=\"color: #000000;\"><span style=\"text-decoration: underline;\">NOTE<\/span>: In this article, the terms <strong>traditional AD<\/strong> and <strong>traditional AD DS<\/strong> refer to the on-premises deployment of Active Directory and Active Directory Domain Services.<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #fffdbd; text-align: left; vertical-align: top;\"><p><span style=\"color: #000000;\"><strong>Difference between Active Directory (AD) and Active Directory Domain Services (AD DS)<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">A lot of people wonder what the difference is between AD and AD DS. In Windows Server 2000 and Windows Server 2003, Microsoft used the term Active Directory (AD). Starting with Windows Server 2008, Microsoft broke the services provided by Active Directory down into individual components, such as AD DS, AD FS, AD LDS, AD RMS, and AD CS. Therefore, AD DS is simply the Directory Services component of Active Directory. The other components included in the newer editions of Windows Server are AD Federation Services (AD FS), AD Lightweight Directory Services (AD LDS), AD Rights Management Services (AD RMS), and AD Certificate Services (AD CS). Together, all these services fit under the AD umbrella. It&#8217;s important to note that although the earlier editions of Windows Server (2000 and 2003) didn&#8217;t use the term AD DS, the directory services are essentially the same in the newer editions of Windows Server (2008 and later).<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><span style=\"color: #000000;\"><strong>Azure Active Directory (Azure AD)<\/strong><\/span><\/h4>\n<p><span style=\"color: #000000;\">Azure AD offers in the cloud some of the same features that AD DS offers on-premises. 
However, just because they both have AD in their names doesn&#8217;t mean they are identical services. Azure AD is a cloud-based identity service that offers the following:<\/span><\/p>\n<ol>\n<li><span style=\"color: #000000;\">Cloud-based identity &amp; authentication<\/span><\/li>\n<li><span style=\"color: #000000;\">User and computer management<\/span><\/li>\n<li><span style=\"color: #000000;\">Mobile Device Management (MDM)<\/span><\/li>\n<li><span style=\"color: #000000;\">Access to Software as a Service (SaaS) applications, the Microsoft Azure portal, and Office 365 services<\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">Because Azure AD is hosted and managed by Microsoft in the cloud, organizations don&#8217;t have direct access to domain controllers the way they do in their on-premises environment. Microsoft exposes parts of Azure AD to organizations through a web-based interface, so they have enough control to run and customize the service, but Microsoft is responsible for managing the services and servers behind the scenes in its datacenters across the globe.<\/span><\/p>\n<p><span style=\"color: #000000;\">For a detailed comparison of Active Directory to Azure AD, visit <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/fundamentals\/active-directory-compare-azure-ad-to-ad\" target=\"_blank\" rel=\"noopener noreferrer\">Compare Active Directory to Azure Active Directory<\/a>.<\/span><\/p>\n<h4><span style=\"color: #000000;\"><strong>Azure Active Directory Domain Services (Azure AD DS)<\/strong><\/span><\/h4>\n<p><span style=\"color: #000000;\">Azure AD DS is a managed AD DS service in the cloud. In other words, if you want traditional AD DS running in the cloud, you can take advantage of the Azure AD DS service, which runs AD DS under Azure AD. 
This means that you will be able to use traditional AD DS features such as Kerberos and NTLM authentication, Group Policies (which aren&#8217;t supported in Azure AD), LDAP, etc.<\/span><\/p>\n<p>The following table, provided by <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/compare-identity-solutions\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft<\/a>, compares how devices are represented in Azure AD-joined and Azure AD DS-joined environments.<\/p>\n<table class=\"table\">\n<thead>\n<tr>\n<th style=\"text-align: left; vertical-align: top;\"><strong>Aspect<\/strong><\/th>\n<th style=\"text-align: left; vertical-align: top;\"><strong>Azure AD-joined<\/strong><\/th>\n<th style=\"text-align: left; vertical-align: top;\"><strong>Azure AD DS-joined<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Device controlled by<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Azure AD<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Azure AD DS managed domain<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Representation in the directory<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Device objects in the Azure AD directory<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Computer objects in the Azure AD DS managed domain<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Authentication<\/td>\n<td style=\"text-align: left; vertical-align: top;\">OAuth \/ OpenID Connect based protocols<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Kerberos and NTLM protocols<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Management<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Mobile Device Management (MDM) software like Intune<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Group Policy<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left; vertical-align: top;\">Networking<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Works over the internet<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Must be connected to, or peered with, the virtual network where the managed domain is deployed<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Great for&#8230;<\/td>\n<td style=\"text-align: left; vertical-align: top;\">End-user mobile or desktop devices<\/td>\n<td style=\"text-align: left; vertical-align: top;\">Server VMs deployed in Azure<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><strong><span style=\"color: #000000;\">Managed vs. Self-Managed Domains<\/span><\/strong><\/h4>\n<p><span style=\"color: #000000;\">For organizations that are interested in running traditional AD DS services in the cloud, Microsoft offers two options: a <em>managed domain<\/em> or a <em>self-managed domain<\/em>. Here&#8217;s the difference.<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>Managed Domain<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">A <em>managed domain<\/em> is an AD DS domain that you create in the cloud, and Microsoft creates and manages the associated resources as necessary.<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>Self-Managed Domain<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">A <em>self-managed domain<\/em> is an AD DS environment that you create in the cloud using the traditional tools. For example, you deploy Virtual Machines (VMs) and install the AD DS domain controllers, member servers, and so on, yourself. Because this is a self-managed domain, you (not Microsoft) are responsible for managing the domain just as you do in your on-premises environment.<\/span><\/p>\n<p><span style=\"color: #000000;\">In this article, I&#8217;ve only explained the high-level concepts. 
Microsoft explains these and other related topics in much more detail in<\/span> <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/compare-identity-solutions\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>. You may also want to look at <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/itops-talk-blog\/what-are-the-differences-between-azure-active-directory-and\/ba-p\/917392\" target=\"_blank\" rel=\"noopener noreferrer\">this second article<\/a> for additional information on this topic.<\/p>\n<h4><strong>Additional Reading<\/strong><\/h4>\n<p>Here are some related articles that you may find useful.<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/fundamentals\/active-directory-whatis\" target=\"_blank\" rel=\"noopener noreferrer\">What is Azure AD?<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/fundamentals\/active-directory-compare-azure-ad-to-ad\" target=\"_blank\" rel=\"noopener noreferrer\">Compare Active Directory to Azure Active Directory<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/itops-talk-blog\/what-are-the-differences-between-azure-active-directory-and\/ba-p\/917392\" target=\"_blank\" rel=\"noopener noreferrer\">What are the Differences Between Azure Active Directory and Azure Active Directory Domain Services?<\/a><\/li>\n<\/ul>\n<p><em>Article Updated: June 22, 2020<\/em><\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #e3e3e3; text-align: left;\">Thanks for reading my article. If you are interested in IT training &amp; consulting services, please reach out to me. 
Visit <a href=\"https:\/\/www.zubairalexander.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZubairAlexander.com<\/a> for information on my professional background.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><span style=\"font-size: xx-small; font-family: Verdana;\">Copyright \u00a9 2019 <a href=\"https:\/\/www.seattlepro.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SeattlePro Enterprises, LLC<\/a>. All rights reserved.<br \/>\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Active Directory (AD) was released about 20 years ago with Windows Server 2000 on February 17, 2000. Additional flavors of AD were announced as part of Microsoft Azure, a cloud computing service offering by Microsoft. This article compares the three distinct identity services offered by Microsoft. Active Directory Domain Services (AD DS) Azure Active [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":10344,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6,43,67,63,24],"tags":[],"class_list":["post-11388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-articles","category-microsoft-azure","category-office-365","category-security"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2008\/12\/Azure_logo_350x350.png","_links":{"self":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/11388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/w
ww.zubairalexander.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/comments?post=11388"}],"version-history":[{"count":0,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/11388\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media\/10344"}],"wp:attachment":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media?parent=11388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/categories?post=11388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/tags?post=11388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}