Windows AD DS:

Provides authentication and authorization to on-premise applications, resources. Access to various resources can be streamlined through Group Policy some examples of implementing GPO for user’s rights assignment are detailed in the article here.

Authentication Protocol: Kerberos and NTLM

AD Database access: Through LDAP query

Creation of Domain Trusts: Allowed

On-Premise Windows Server AD offers 5 core services:

• Active Directory Domain Services (ADDS)
• Active Directory Certificate Services (ADCS)
• Active Directory Rights Management Services (ADRMS)
• Active Directory Lightweight Directory Services (ADLDS)
• Active Directory Federation Services (ADFS)

Windows ADDS provides a hierarchical data storage for various objects in the network users, computers, groups, printers etc. The objects are placed within various Organizational Units (OUs). For example the following screen snap shot demonstrates a way of organizing On-Premises ADDS

Azure Active Directory (Azure AD):

While allowing to create users and groups Azure AD provides a flat structure without Organizational Units (OUs) or Group Policy Objects (GPOs).

• Azure AD does have a domain name
• Provides no trusts between domains
• Supports Web based authentication OAuth 2.0, SAML 2.0 and Open ID Connect
• Use of HTTP/HTTPS to provide identity services
• Querying Azure AD done through REST API end point called AD Graph API

Azure Active Directory Domain Services (Azure AD DS):

Cloud based PaaS offering providing managed domain services, group policy, Kerberos / NTLM authentication that is compatible with on-premises Windows AD DS.  The following will additional features of Azure AD DS:

• Integration with Azure AD
• Cannot extend the schema
• No Domain / Forest trust
• Read-Only LDAP

The following screen snap shots show how identity information is synchronized in cloud-only and hybrid models.

Cloud-Only:

Hybrid Model: