
Massive. AD isn't just LDAP and Policies. There's somewhere around 14 services that are involved, even NetLogin still has its tiny part to play. AD uses LDAP referrals, expects clients to follow them, and use the SRV records to find the DC in the same site (if one exists). AD as it is typically deployed is active/active multimaster with per-record tiebreaking based on edit time, client-based load balancing with proximity awareness, ACLs for every possible field and record, overridable at any point in the tree (389ds can do this, but openldap is a nightmare). There's a full automated PKI in there for managing certs for everything, and that's before we get into the KDC logic, the strange things SYSVOL can do, and various other things that integrate with AD.

Samba, krb5 & co. can handle small cases, but its architecture is still stuck in the NT4 days, and there's limited cohesive integration with LDAP and the other services.
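The site-aware DC discovery the comment refers to (SRV records under `_msdcs`, the site-specific name tried before the domain-wide one, and the client itself ordering the answers by priority and weight), as an added Python example that is not from the comment or from any AD or Samba implementation; the zone contents, the domain `corp.example` and the site names `HQ` and `Branch` are constructed.

```python
import random
from collections import namedtuple

# SRV fields: owner name, priority (lower is preferred), weight (share within one priority), port, target host
SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed zone: dc1/dc2 registered in site HQ, dc3 a low-preference backup; site Branch has no DC of its own.
ZONE = [
    SrvRecord("_ldap._tcp.HQ._sites.dc._msdcs.corp.example", 0, 100, 389, "dc1.corp.example"),
    SrvRecord("_ldap._tcp.HQ._sites.dc._msdcs.corp.example", 0, 100, 389, "dc2.corp.example"),
    SrvRecord("_ldap._tcp.dc._msdcs.corp.example", 0, 100, 389, "dc1.corp.example"),
    SrvRecord("_ldap._tcp.dc._msdcs.corp.example", 0, 100, 389, "dc2.corp.example"),
    SrvRecord("_ldap._tcp.dc._msdcs.corp.example", 10, 0, 389, "dc3.corp.example"),
]

def candidate_names(domain, site=None):
    """Site-specific SRV name first (when the client knows its site), then the domain-wide one."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def order_records(records, rng):
    """RFC 2782 client-side selection: ascending priority, weighted random order within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]  # all weights zero: no preference, take them in zone order
            if total > 0:
                x, acc = rng.randint(1, total), 0
                for r in pool:
                    acc += r.weight
                    if acc >= x:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered

def locate_dcs(zone, domain, site=None, rng=None):
    """Return (SRV name that answered, [(host, port), ...]) in the order a client should try them."""
    rng = rng or random.Random()
    for name in candidate_names(domain, site):
        recs = [r for r in zone if r.name.lower() == name.lower()]
        if recs:
            return name, [(r.target, r.port) for r in order_records(recs, rng)]
    return None, []
```

A client in `Branch` gets no answer for its site name and falls through to the domain-wide list, which is exactly the case where proximity awareness stops helping and the priority/weight ordering is all that steers it.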
