There is a lot of confusion when talking about the following three Microsoft directory technologies: Active Directory (AD), Azure Active Directory (AAD) and Azure Active Directory Domain Services (AAD DS).
In this post, those terms and the related technologies are summarized in an easy-to-understand way.
Differences among those three
One relationship to keep in mind throughout: user accounts, group memberships and credential hashes are synchronized one way, from Azure AD to Azure AD DS. Nothing flows back from the managed domain into Azure AD.
- Active Directory (AD) is a directory database that organizes your company's users and computers. It provides authentication and authorization to applications, file services, printers and other resources on the network. It uses Kerberos and NTLM for authentication, and LDAP to query and modify objects in the directory.
  - Secure object store, including users, computers and groups
  - Object organization: Organizational Units (OUs), domains and forests
  - Common authentication and authorization provider
  - LDAP for directory queries; NTLM and Kerberos for secure authentication between domain-joined devices
  - Group Policy, for fine-grained control and management of PCs and servers in the domain
- Azure Active Directory (AAD) is Microsoft's cloud identity service. There is no domain controller; it is an identity management solution.
  - The tenant name is a subdomain of onmicrosoft.com by default, but a verified custom domain can be added
  - Modern authentication protocols: OAuth 2.0 (with OpenID Connect on top of it), SAML and WS-Federation
  - Cloud authentication, pass-through authentication (PTA) or federation for sign-in; seamless connection to Microsoft online services and thousands of SaaS applications
  - What it cannot do:
    - It does not offer Group Policy, LDAP, NT LAN Manager (NTLM) or Kerberos authentication
    - You can't join a server to it
    - You can't join a PC to it the way you join an AD domain; there is Azure AD Join, for Windows 10 only (see later)
    - It is a flat directory structure: no OUs and no forests
- Azure AD Domain Services (AAD DS) is a Microsoft-managed Active Directory domain; it supports OUs and GPOs.
  - It does not connect to your on-premises AD; the managed domain is its own, separate forest
  - You are not Enterprise Admin, Schema Admin or Domain Admin in it; Microsoft holds those roles and you administer the domain through a delegated administrators group
  - Common use cases:
    - Traditional authentication as a service (Kerberos, NTLM)
    - Cloud solutions that need domain join (e.g. Windows Virtual Desktop, AD authentication for Azure file shares)
Domain Controllers in Cloud
- Install a domain controller on a virtual machine in Azure
- For organizations that use both on-premises and cloud-based resources, connected through a VPN or Azure ExpressRoute
- Full control: you run the domain, the DCs and their patching yourself
Azure AD Connect
Azure AD Connect is the synchronization tool that copies identities from on-premises AD into Azure AD (optionally including password hashes), which is what makes the "synced" scenario below possible.
AD or AAD
Use both AD and AAD (synced):
If you have a traditional on-premises setup with AD and also want to use Azure AD to manage access to cloud applications (e.g. Office 365 or any of thousands of SaaS apps), you can happily use both.
Use both AD and AAD (unsynced):
Use Only AAD:
A more detailed comparison is available at https://www.apps4rent.com/blog/active-directory-domain-services-vs-azure-active-directory/
Securely Manage AAD Join Devices
Azure AD lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own (BYO) model) with Azure AD, which gives the device an identity. Azure AD then authenticates the device when a user signs in to Azure AD and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software such as Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices.
AD vs AADDS
Here are some of the main differences between AD (not AAD) and AAD DS:
Azure AD on its own cannot domain-join servers and does not speak Kerberos, NTLM or LDAP. Microsoft's solution to that gap is Azure AD Domain Services (AAD DS): an Azure product that provides an Active Directory domain, managed by Microsoft, running on two domain controllers. Those domain controllers support LDAP, domain join and authentication via Kerberos and NTLM, and the managed domain also supports organizational units and Group Policy. Unlike an AD domain you run yourself, you never get access to the domain controllers or to the privileged domain roles; in exchange, Microsoft operates them.
With Azure AD DS-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so legacy applications migrated to Azure VMs as part of a lift-and-shift strategy keep working without code changes.
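As an added, worked example (not from the original post), this is the Windows PowerShell a practitioner would run on a Windows Server VM to check the prerequisites, join it to an Azure AD DS managed domain, and then confirm that Kerberos is actually in play. The domain name aaddscontoso.com and the account admin@aaddscontoso.com are placeholders; it assumes the VM's virtual network already uses the managed domain's domain controllers as its DNS servers, that the joining account is a cloud user whose password hash has synced into the managed domain, and that Windows PowerShell 5.1 is used (Add-Computer is not available in PowerShell 7).

```powershell
# Added example: pre-flight checks, domain join and Kerberos sanity check for a
# Windows Server VM joining an Azure AD DS managed domain.
# Placeholders (assumptions): the managed domain name and the joining account.
$ManagedDomain = 'aaddscontoso.com'
$JoinAccount   = "admin@$ManagedDomain"

# 1. DNS: the VM must use the managed domain's DCs as DNS servers, otherwise the
#    SRV records that locate a domain controller cannot be resolved and the join fails.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop
Write-Host "Domain controllers advertised for $ManagedDomain :"
$dcRecords | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 2. Reachability of the protocols the join and later sign-ins depend on:
#    88 = Kerberos, 389 = LDAP, 445 = SMB (Group Policy, SYSVOL).
foreach ($port in 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $ManagedDomain -Port $port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED (check NSG / firewall)' }
    '{0,5}/tcp  {1}' -f $port, $state
}

# 3. Join with a managed-domain account in UPN format. The reboot is mandatory for the
#    join to complete; -Restart does it immediately.
$cred = Get-Credential -UserName $JoinAccount -Message 'Azure AD DS account with join rights'
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart

# --- after the reboot, signed in with a managed-domain account ---
# 4. Verify the secure channel to a DC and that Kerberos tickets were issued. A TGT
#    for krbtgt/AADDSCONTOSO.COM in the klist output is exactly what Azure AD alone
#    cannot give a VM and what lift-and-shift apps rely on.
nltest /sc_verify:$ManagedDomain
klist tickets
```

If step 1 shows the VM still pointing at Azure's default DNS resolver instead of the managed domain's DC addresses, fix the virtual network DNS settings before attempting the join; the join failing at that point is a DNS problem, not an account or permissions problem.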
Create Azure AD Domain Services
Change the SKU from Enterprise to Standard to save some cost. Check the SKU comparison first, though: the SKUs differ in object limits, backup frequency and supported features (for example forest trusts), so Standard fits a lab or small deployment, not every production design.
- Compare Active Directory to Azure Active Directory
- What are the Differences Between Azure Active Directory and Azure Active Directory Domain Services?
- Tutorial: Join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain
- Don’t Use Azure AD Domain Services to Replace Windows Domain Controllers