You have a requirement to provide an LDAP directory service to applications, and as part of this there has been a discussion comparing a full Active Directory Domain Services deployment (AD:DS) with Active Directory used purely as an LDAP instance (AD:LDS).
The key differentiators between the two services are:
Active Directory Domain Services
Active Directory was designed and built in the late nineties for release with Windows Server 2000. The system was a direct replacement for Windows NT 4 domains but is based on the X.500 standards. The solution was built as a replacement for file and print management, but it always contained methods to extend the schema and therefore to extend functionality.
Active Directory Lightweight Directory Service
Designed and delivered as a direct competitor to traditional LDAP services such as the iPlanet LDAP server, AD:LDS (released as ADAM in Windows Server 2003) uses the same code base as traditional Active Directory but decouples many of the file-and-print-specific concepts such as Domain Controllers, Domains and Forests. With a traditional Active Directory there is a single instance of the directory per server, whereas AD:LDS can run many different ‘services’ (instances) on the same computer. AD:LDS ships without most schema objects to allow for custom schemas and is ideally suited to multi-million-object, web-facing environments.
Comparing Services
Many of the features are listed below, showing whether each is supported on the two platforms.
| Feature | AD:DS | AD:LDS |
|---|---|---|
| Forest and Domain | Yes | No |
| Sites | Yes | Yes |
| Run as a service | No | Yes |
| Trusts | Yes | No |
| LDAP 2/3 | Yes | Yes |
| Kerberos | Yes | Partial |
| DNS integration (SRV records required) | Yes | No |
| Schema modification | Yes | Yes |
| Computer objects (required) | Yes | No |
| Hosts computers (domain members) | Yes | No |
| Unique names (sAMAccountName) | Yes | Yes |
| Supports iNetOrgPerson | Yes | Yes |
| Static ACL (stamped) | Yes | Yes |
| Global Catalogue | Yes | No |
| Custom indexed objects | Yes | Yes |
| Scale (above 1 billion objects) | Yes | Yes |
| FSMOs | Yes | Yes |
| Trusts – traditional Kerberos | Yes | No |
| SAML support | Yes | Yes |
| ADFS support | Yes | Yes |
| Group Policy support | Yes | Partial |
| GPO-based object rules | Yes | No |
| Active Directory Users and Computers support | Yes | No |
| LDAP tool support | Yes | Yes |
| ADSI Edit | Yes | Yes |
| Server Core support | Yes | Yes |
| Self-managed (via GPO) | Yes | No |
| Event log | Yes | Partial |
| Auditing | Yes | Partial |
| Higher computing power required | Yes | No |
| Built-in Active Directory sync tool | No | Yes |
| Security outside of “Domain Admins” | No | Yes |
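Because both services share a code base and speak LDAP v3, it is not always obvious from the network which one an application has been pointed at. The following PowerShell is an added example (not from the original post) that reads the RootDSE of an LDAP endpoint and classifies it as AD:DS or AD:LDS from the capability OIDs it advertises; the server name and port are placeholders you replace with your own instance.

```powershell
# Added example: tell AD:DS from AD:LDS by reading the RootDSE.
# Assumptions: 'ldap.example.internal' and port 50000 are placeholders for your own
# AD:LDS instance (AD:LDS uses 389 only when no AD:DS is installed on the same host).
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Capability OIDs published in RootDSE supportedCapabilities
$CapActiveDirectory = '1.2.840.113556.1.4.800'   # LDAP_CAP_ACTIVE_DIRECTORY_OID (AD:DS and AD:LDS)
$CapAdam            = '1.2.840.113556.1.4.1851'  # LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID (AD:LDS only)

function Get-DirectoryFlavor {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 389
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()   # bind with the current credentials
        # Base-scope search against the empty DN returns the RootDSE
        $attrs = @('supportedCapabilities', 'defaultNamingContext', 'configurationNamingContext')
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest(
                     '', '(objectClass=*)',
                     [System.DirectoryServices.Protocols.SearchScope]::Base, $attrs)
        $root  = $conn.SendRequest($req).Entries[0]

        $caps = @()
        if ($root.Attributes.Contains('supportedCapabilities')) {
            $caps = $root.Attributes['supportedCapabilities'].GetValues([string])
        }
        # AD:LDS advertises the ADAM OID in addition to the generic AD OID
        $flavor = if ($caps -contains $CapAdam) { 'AD:LDS' }
                  elseif ($caps -contains $CapActiveDirectory) { 'AD:DS' }
                  else { 'Other LDAP server' }

        $ctx = @{}
        foreach ($name in 'defaultNamingContext', 'configurationNamingContext') {
            if ($root.Attributes.Contains($name)) {
                $ctx[$name] = ($root.Attributes[$name].GetValues([string]))[0]
            }
        }
        [pscustomobject]@{ Server = $Server; Port = $Port; Flavor = $flavor; NamingContexts = $ctx }
    }
    finally { $conn.Dispose() }
}

Get-DirectoryFlavor -Server 'ldap.example.internal' -Port 50000 | Format-List
```

An AD:LDS instance that has no default naming context configured will simply omit defaultNamingContext from the result, which is itself a hint that you are not talking to a domain controller.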
High-level comparison
Some of the key aspects of Active Directory versus LDS.
Key: The larger area is best.