AD DS vs AD LDS – Active Directory solutions compared

This article describes the differences between Active Directory Domain Services (AD DS) and its lightweight variant, Active Directory Lightweight Directory Services (AD LDS).

It covers the typical use cases of each service as well as their advantages and disadvantages.

Directory Services

AD DS and AD LDS are both directory services. A directory service is essentially a database in which information about objects is stored and managed; objects here are users, groups and devices. Directory services, like the other services configured on Windows Server, are also called server roles.

(Figure: Active Directory in the Select Server Roles dialog)

AD DS

Microsoft Windows 2000 introduced Active Directory Domain Services (AD DS), a hierarchical directory service.

This service offers the following functions:

  • A data and directory store that holds information about AD objects.
  • A rule set, the so-called schema, that defines the object and attribute classes contained in the directory, the constraints on instances of them, and the name formats. For example, a schema extension is necessary when a Windows Server 2012 DC is added to a network that previously only had Windows Server 2003 DCs.
  • The global catalog, which contains almost all information about the objects in the directory, so that administrators and users can search for them regardless of the domain.
  • A query and indexing mechanism that allows properties and objects to be published and searched by network users or applications (IDM Portal).
  • A replication service for distributing directory data across the network. Any change to the directory data is replicated to all domain controllers in the domain.
  • A security system for logging in and for controlling access to directory data.
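The schema and global catalog functions above are the two an administrator checks most often before changing the forest. The following PowerShell is an added example (not code from the article): it reads the forest schema version to decide whether a schema extension is needed before a Windows Server 2012 DC is introduced, and then searches the global catalog on port 3268 so the lookup works regardless of the user's domain. It assumes the RSAT ActiveDirectory module in a domain-joined session; the host name is a placeholder, and the version table comes from Microsoft's published schema version numbers.

```powershell
# Added example, not from the article. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# objectVersion values of the AD DS schema as published by Microsoft.
$schemaVersions = @{
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}

function Get-ForestSchemaVersion {
    # The schema container lives at the schemaNamingContext of the RootDSE.
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    return [int]$schema.objectVersion
}

$version = Get-ForestSchemaVersion
$label   = if ($schemaVersions.ContainsKey($version)) { $schemaVersions[$version] } else { 'unknown' }
"Forest schema objectVersion $version ($label)"

# A Windows Server 2012 DC needs the schema at version 56 or higher; below that,
# the forest must be extended (adprep /forestprep) before promotion succeeds.
if ($version -lt 56) {
    'Schema extension required before a Windows Server 2012 DC can be added.'
}

# Global catalog search: port 3268 answers for every domain in the forest, so the
# query does not depend on which domain holds the account. Only the partial
# attribute set is available through the GC.
Get-ADUser -Filter "Surname -eq 'Doe'" -Server 'dc01.example.com:3268' |
    Select-Object DistinguishedName, UserPrincipalName
```

The version check is the same one the AD DS installation wizard performs internally; running it yourself beforehand lets you plan the schema extension (which is forest-wide and not reversible) as a separate, reviewed change rather than discovering it during a DC promotion.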

AD LDS

Essentially, Active Directory Lightweight Directory Services (AD LDS) provides only a subset of the capabilities of AD DS. This makes it a leaner and more independent directory service that can run as a stand-alone directory without integration into an existing AD.

Prior to Windows Server 2008, AD LDS was called ADAM (Active Directory Application Mode) and was treated as an add-on rather than as a server role.

Common features

Both directory services work with the same core code:

  • As with AD DS, AD LDS instances are based on the Lightweight Directory Access Protocol (LDAP) and provide hierarchical database services.
  • As with AD DS, AD LDS supports sites and replication.

(Figure: AD Delegation)

AD Lightweight Directory Services – Pro and Con

AD LDS Advantages

  • Supports multiple instances, each with its own schema
  • Works like an application and therefore needs neither a domain nor a domain controller, and can be installed without a reboot
  • Can be installed alongside AD DS on the same server, or stand-alone on a client or a member
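Because an AD LDS instance is just a Windows service, it can be created unattended from an answer file. The following PowerShell is an added example (not code from the article or from Microsoft): it installs the AD LDS role and creates one instance with its own partition and schema, without a domain controller and without a reboot. The instance name, ports, partition DN and paths are placeholder values; the answer-file keys are the documented ones read by adaminstall.exe.

```powershell
# Added example, not from the article. Run elevated on the target server.
# Instance name, ports, partition DN and paths below are placeholders.
Install-WindowsFeature -Name ADLDS -IncludeManagementTools

$answerFile = Join-Path $env:TEMP 'adlds-app1.txt'

# Answer file for adaminstall.exe. Each instance gets its own LDAP/LDAPS ports,
# its own application partition and its own schema (here seeded from the
# MS-User and MS-InetOrgPerson LDF files shipped with the role).
@"
[ADAMInstall]
InstallType=Unique
InstanceName=App1
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate="CN=App1,DC=example,DC=com"
DataFilesPath=C:\Program Files\Microsoft ADAM\App1\data
LogFilesPath=C:\Program Files\Microsoft ADAM\App1\data
ImportLDIFFiles="MS-User.LDF" "MS-InetOrgPerson.LDF"
"@ | Set-Content -Path $answerFile -Encoding ASCII

# The installer is placed under %windir%\ADAM when the role is installed.
& "$env:windir\ADAM\adaminstall.exe" /answer:$answerFile

# Every instance runs as its own service named ADAM_<InstanceName>; no reboot
# is needed, and a second instance with different ports and partition can be
# added the same way, next to this one or next to AD DS on the same host.
Get-Service -Name 'ADAM_App1'

# Only the plain LDAP port answers right away. The LDAPS port serves connections
# only once the instance has a server certificate it can read; until then, keep
# clients on the internal network or front the instance with TLS termination.
```

When no ServiceAccount is given in the answer file, the instance runs under the default service account; for a production instance, specify a dedicated account and review which Windows users are placed in the instance's Administrators role, since that role is the equivalent of Domain Admins for the instance.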

AD LDS Disadvantages

  • Does not provide trusts, Group Policies, DNS services or the global catalog
  • Cannot manage workstations and servers; that is, you cannot create a domain and then join workstations to it
  • Has no automatic software distribution

Short Comparison AD DS vs AD LDS

The following overview summarizes some core differences:

(Figure: AD DS vs AD LDS comparison table)

Application areas

  • Support for departmental applications:
    Often, the standard attributes in Active Directory are not sufficient to store the user information an application needs. AD LDS can hold the additional information so that no schema extension of the AD becomes necessary. For this purpose, one would set up a replication relationship between AD DS and AD LDS and use a correspondingly extended schema for user objects in the latter.

  • Optimised storage of employees' thumbnail photos in an AD LDS instance:
    The photos are stored centrally in AD LDS and linked to the user accounts in AD DS. Because they live in AD LDS, they are not replicated together with the rest of the AD DS data, which reduces replication bandwidth requirements.

  • AD LDS can be used to authenticate external users.

In summary, the application areas are:

  • Security: AD LDS as an authentication instance
  • Development environment: AD LDS as a stand-in for Active Directory for developers
  • Flexible information store for AD user accounts
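The two scenarios above (AD LDS as an authentication instance for external users, and AD LDS as the place where user photos are kept) can be shown together. The following PowerShell is an added example, not code from the article: it validates an external user's credentials with an LDAP simple bind against an AD LDS instance, strictly over LDAPS, and then writes the user's thumbnail photo to the AD LDS object with an administrative connection. Host, ports, DNs and the photo path are placeholders; it assumes the thumbnailPhoto attribute exists in the instance schema and that the current Windows account is a member of the instance's Administrators role.

```powershell
# Added example, not from the article. Host, port, DNs and file path are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdsCredential {
    # Returns $true when the AD LDS instance accepts a simple bind for the given DN.
    param(
        [string]$Server,
        [int]$Port,                 # LDAPS port of the instance
        [string]$UserDn,            # DN of the user object inside the AD LDS partition
        [securestring]$Password
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    # A simple bind transmits the password itself, so it is only acceptable under TLS.
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = [System.Net.NetworkCredential]::new($UserDn, $Password)
    try {
        $conn.Bind()
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 = invalidCredentials. Any other code is a connectivity, certificate or
        # configuration problem and must not be reported to the user as a bad password.
        Write-Warning "Bind failed with LDAP result code $($_.Exception.ErrorCode)"
        return $false
    }
    finally { $conn.Dispose() }
}

function Set-AdLdsThumbnailPhoto {
    # Writes a JPEG to thumbnailPhoto on an AD LDS object using the caller's Windows
    # identity (assumed to be in the instance's Administrators role).
    param([string]$Server, [int]$Port, [string]$ObjectDn, [string]$PhotoPath)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    try {
        $photo = [System.IO.File]::ReadAllBytes($PhotoPath)
        $mod = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
        $mod.Name      = 'thumbnailPhoto'
        $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        [void]$mod.Add($photo)
        $req = [System.DirectoryServices.Protocols.ModifyRequest]::new($ObjectDn, $mod)
        $resp = $conn.SendRequest($req)
        return $resp.ResultCode   # Success (0) when the attribute was written
    }
    finally { $conn.Dispose() }
}

# Usage with placeholder values.
$server = 'lds01.example.com'
$port   = 50001
$userDn = 'CN=jane.doe,CN=Users,CN=App1,DC=example,DC=com'
$cred   = Get-Credential -UserName $userDn -Message 'AD LDS user password'

if (Test-AdLdsCredential -Server $server -Port $port -UserDn $userDn -Password $cred.Password) {
    'Credentials accepted by the AD LDS instance.'
    # The photo stays in the AD LDS partition and is never part of AD DS replication.
    Set-AdLdsThumbnailPhoto -Server $server -Port $port -ObjectDn $userDn -PhotoPath 'C:\photos\jane.jpg'
}
```

Two points worth keeping in mind when AD LDS is the authentication instance: the application should bind with the user's own DN and password rather than searching with a shared service account and comparing passwords itself, and the LDAPS certificate must be validated by the client, because disabling certificate checks turns the "secure" simple bind into a plaintext password disclosure to anyone who can answer on that port.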

Conclusion

AD LDS should not be seen as a competitor to AD DS, but rather as a complement to it. It is a fully LDAP-compliant directory service that simply lacks the infrastructure components of AD DS.
