AD LDS and AD DS: Differences between Active Directory Lightweight Directory Services and Active Directory Domain Services

Active Directory Lightweight Directory Services (AD LDS) is designed to support applications rather than to run domains, so it is not a replacement for Active Directory Domain Services (AD DS). It can run on a computer that is in a workgroup, does not require DNS, and can also run on client operating systems such as Windows workstations. For these reasons, it is a good choice for application support and for testing. Please see the following link. Simply put, Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying items in a directory service, whereas Active Directory is a directory service provider that, in a Windows environment, also supplies authentication, Group Policy, and other services.

For example, a developer can run their own AD LDS instance on their client operating system and make whatever changes they want, which is not possible on a production domain. AD LDS also supports multiple instances on one machine, so an administrator is free to create as many local copies as they wish.

AD LDS does not support domain features such as Group Policy, the global catalog, or the ability to manage workstations, so it cannot be used as a replacement for domain controllers. Even though these domain features are not available, AD LDS does support sites and replication.

This means that AD LDS instances can replicate data with each other and also with domain controllers; however, trusts are not supported, which limits an AD LDS instance to working with only one domain.
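As an added example (not code from the original post), the PowerShell function below inventories the AD LDS instances on the local machine: it reads each ADAM_* service's ports from the registry and binds to the instance's RootDSE to list the partitions it hosts, which makes the "multiple instances, no DNS, no domain partition" points above visible on a real box. It assumes it runs locally with rights to read HKLM and to bind to each instance; Get-LocalAdLdsInstance is a name chosen for this example.

```powershell
# Added example, not from the original post: list the AD LDS instances on this
# machine and what each one serves, using only built-in Windows tooling.
# Assumes it runs locally with rights to read HKLM and to bind to each RootDSE.
function Get-LocalAdLdsInstance {
    # Every AD LDS instance is installed as a Windows service named ADAM_<InstanceName>.
    foreach ($svc in (Get-Service -Name 'ADAM_*' -ErrorAction SilentlyContinue)) {
        # The instance's listening ports are stored under the service's Parameters key.
        $params   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $ldapPort = $params.'Port LDAP'
        $partitions = @()
        $configSet  = $null

        if ($svc.Status -eq 'Running') {
            # RootDSE needs no DNS and no domain membership: bind to localhost on the instance's port.
            $rootDse = [ADSI]"LDAP://localhost:$ldapPort/RootDSE"
            # namingContexts = the configuration and schema partitions plus each application
            # partition this instance hosts. There is no domain partition and no global catalog.
            $partitions = @($rootDse.namingContexts)
            # Instances that replicate with each other share one configuration partition
            # (one configuration set); a different value here means a separate, unrelated instance.
            $configSet = "$($rootDse.configurationNamingContext)"
        }

        [pscustomobject]@{
            Instance   = $svc.Name -replace '^ADAM_', ''
            Status     = $svc.Status
            LdapPort   = $ldapPort
            LdapsPort  = $params.'Port SSL'
            ConfigSet  = $configSet
            Partitions = $partitions
        }
    }
}

# Example usage: one object per instance; several objects means several local instances.
Get-LocalAdLdsInstance | Format-List
```

Running this on developer workstations is a cheap way to find AD LDS instances that were stood up for testing and then forgotten.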

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
