On this page, let’s discuss and compare the different Microsoft Directory Services that provide authentication services. There are three of these. Understanding them can sometimes be confusing because they all originally had “Active Directory” in their names. To avoid this confusion, Microsoft has renamed their cloud services.
The three domain services are:
- Active Directory Domain Services (often referred to as on-premises Active Directory Domain Services)
- Microsoft Entra ID (formerly called as Azure Active Directory)
- Microsoft Entra Domain Services (formerly called as Azure Active Directory Domain Services – Azure AD DS)
Domain Services
Domain Services
Understanding the differences and relationships between each is crucial. Let’s examine each one more closely.
Active Directory Domain Services
Active Directory Domain Services, available since Windows Server 2000, is a core services for user and group management for a Active Directory domain.
I’ll refer to it as AD DS for simplicity. AD DS is the Active Directory Domain Service installed on a domain controller running a Windows server OS.
Key features of Windows AD include:
- Objects are stored in a hierarchy such as OUs (Organization Units)
- Designed for network authentication.
- The directory schema can be extended to add custom attributes.
- It stores objects such as users, computers, groups, and security principals.
- Group policies can be used for user and device management.
- It’s highly available with multi-master replication. This implies that there is no single master domain controller.
- Supports network-based authentication protocols like Kerberos, LDAP, and NTLM.
- It’s based on standards such as LDAP and DNS.
- A dedicated server is necessary to function as a domain controller. For high availability, more than one server is required.
- Domain Controllers require management tasks such as backups, OS patching, and upgrades.
Microsoft Entra ID
Microsoft Entra ID (formally called as Azure Active Directory – Azure AD) is used to manage identity and access to Azure resources, Microsoft 365 services, and Dynamics CRM online.
Key features of Microsoft Entra ID include:
- It’s a cloud-based identity solution.
- Designed for web authentication.
- It contains users, groups, applications, and security principles.
- It uses web-based authentication protocols such as OAuth, SAML, and OpenID.
- It supports Microsoft Graph and API management.
- It’s multi-tenant, meaning services are securely shared with other organizations.
- Microsoft Entra ID has a flat architecture, meaning it does not contain Organizational Units (OUs) unlike the on-premises Active Directory Domain Services.
- Microsoft Entra ID is not extendable, meaning that attributes cannot be added.
- There are no group policies.
- Microsoft Entra ID has three licensing options – Free, P1, and P2.
- Microsoft Entra ID is a tenant-based and tied to a subscription.
Microsoft Entra Connect
Microsoft Entra Connect, formerly known as Azure AD Connect Sync, is a service that copies or synchronizes IDs and other attributes from on-premises Active Directory to Microsoft Entra ID.
This service allows us to manage identities in a single location rather than in two separate ones.
Microsoft Entra Connect is an application that operates within an internal network.
Microsoft Entra Domain Services
Microsoft Entra Domain Services (formerly called as Azure Active Directory Domain Services, or Azure ADDS) is a platform as a service (PaaS) that provides services something similar to on-premises Active Directory Domain Services.
Microsoft Azure Domain Services is a cloud-based Platform as a Service (PaaS) offering. It supports LDAP, Kerberos, and NTLM authentication, eliminating the need for server management.
On-premises Active Directory Domain Services replicates to Microsoft Entra ID using Microsoft Entra Connect, and objects in Microsoft Entra ID are then replicated to Microsoft Entra Domain Services.
You may be wondering why an organization would choose to do replicate the objects this way. Here’s a use case.
Consider an organization with a Windows IIS website hosted on-premises, which relies on on-premises Active Directory Domain Services and doesn’t support modern authentication. This organization aims to transition the application to Azure, but doesn’t want to relocate domain controllers to Azure. In this scenario, they can shift the web server to Azure and utilize Microsoft Entra Domain Services for authentication.
Microsoft Entra Domain Services offers two types of forests: a user forest and a resource forest.
User forest
A user forest synchronizes objects from Microsoft Entra ID to Microsoft Entra Domain Services, including any accounts replicated from an on-premises Active Directory domain services to Microsoft Entra ID.
This forest type is effective when using password hash synchronization.
Resource forest
A resource forest, on the other hand, does not synchronize users and other objects from Microsoft Entra ID but utilizes a one-way trust between the resource forest and on-premises AD.
This forest type is beneficial in environments that do not synchronize password hashes or depend on smartcards for authentication.
Regardless of the forest type, Microsoft Entra Domain Services includes the following features:
- Supports LDAP, Kerberos, and NTLM authentication.
- Compatible with on-premises Active Directory Domain Services and integrates with Microsoft Entra ID.
- Microsoft Entra ID manages many Microsoft Entra Domain Services features.
- Microsoft Entra ID is the source for Microsoft Entra Domain Services objects with a user forest type.
- Objects in Microsoft Entra ID replicate to Microsoft Entra Domain Services.
- Microsoft Entra Domain Services is an extension of Microsoft Entra ID.
- Limitations include –
- Lack of domain or enterprise admin accounts, vital for certain application authentications.
- Schema can’t be extended.
- One-way trust can only be established between a resource forest and an on-premises AD domain.
- LDAP is read-only.
The table on the screen compares the features of each service.
| Feature | Active Directory Domain Services | Microsoft Entra ID | Microsoft Entra Domain Services |
| Extensible Schema | Yes | No | No |
| Group Policies | Yes | No | Yes |
| High Availability | Manually created | Yes | Yes |
| Kerberos, LDAP, NTLM | Yes | No | With Managed Domain |
| OAuth, SAML, Open ID | No | Yes | No |
| Dedicated Servers | Yes | No | No |
| Cloud-based | IaaS only | Yes (PaaS) | Yes (PaaS) |
| Domain & Enterprise Admin | Yes | No | No |
| Domain/Forest Trust | Yes | No | Outbound |
