What follows is simplified a bunch. I’m hoping Jinx can use this to come back with more coherent questions.
AD is Microsoft’s implementation of LDAP-style directory services.
An AD domain is NOT the same thing as a DNS domain. The two terms are almost completely unrelated. (more later)
Each Windows AD installation IS a Windows domain. The existence of an AD server (called a “domain controller” or DC for short) is precisely the thing which defines a Windows domain. Each domain must have at least one DC. Usually there are more than one for redundancy or traffic load balancing. Within a single domain all the DCs are equal partners, sharing & cross-updating each other as needed. One DC is slightly “more equal” than the rest, but the details there are real advanced stuff.
A domain is THE boundary for security. The DC(s) IS/ARE the security authority for all computers & users in the domain it controls. All authentication requests within a domain are directed to, and answered by, a DC of that domain.
Multiple unrelated domains can participate in “trust relationships” where one domain trusts the credentials issued by another domain. These trusts can be one way or bi-directional. This involves the DC(s) in each domain passing authentication requests to the other domain’s DC(s) & accepting the results.
Related domains can be grouped together into a structure called a “forest”. Bidirectional trust is implicit between all DCs in the forest. Forests can be arranged in tree-like hierarchies or as just a big collection of child domains. There are special inter-Domain DCs called GCs (global catalog servers) and “forest controllers” to keep track of the structure.
AD Domains can also be partitioned into separate physical locations, called replication zones. The classic example is a HQ & a branch office. A local DC in the branch office will handle all authentication chores for the local branch & have a special synchronization path & schedule with the DCs at HQ. This keeps all the branch office authentication traffic local & therefore quick.
Within a Windows domain, the DCs typically also provide DNS services for the machines in the domain. So there is often a 1-to-1 mapping between Windows authentication domains and corporate internal DNS domains. These are unrelated to public DNS for things like public facing websites & public employee portals.
The network traffic between client computers (whether servers or end-user workstations, commonly called “member computers”) and DCs takes place over a myriad of TCP/IP ports. Port 80 is not involved at all.
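The DNS-to-AD mapping and the DC port list described above, as an added example that is not part of the original post: a script a member computer can run to find its DCs through the SRV records the DCs register in the internal DNS zone, then confirm the AD service ports (including the GC ports) are reachable. The domain name `corp.example.com` is a placeholder, and the script assumes a domain-joined Windows host with `Resolve-DnsName` and `Test-NetConnection` available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original post. Locate the domain controllers
# for an AD domain via DNS SRV records, then check that the ports a member
# computer needs are reachable from this host. Useful for diagnosing
# firewall rules between a branch office and its DCs.
param(
    [string]$Domain = 'corp.example.com'   # placeholder domain name
)

# Well-known AD service ports a member computer talks to on a DC.
# 3268/3269 are the global catalog (GC) ports. Port 80 is deliberately absent.
$AdPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL/NETLOGON)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global catalog (LDAP)' },
    @{ Port = 3269; Service = 'Global catalog (LDAPS)' }
)

# Every DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>;
# the record's NameTarget is the DC host name. Only keep SRV answers, since
# the resolver may also return the A records from the additional section.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

if (-not $srv) {
    Write-Warning "No DC SRV records found for $Domain; check this client's DNS server settings."
    return
}

foreach ($dc in ($srv | Select-Object -ExpandProperty NameTarget -Unique)) {
    Write-Host "Domain controller: $dc"
    foreach ($entry in $AdPorts) {
        # Suppress the per-port warning so the summary line below is the only output.
        $result = Test-NetConnection -ComputerName $dc -Port $entry.Port -WarningAction SilentlyContinue
        $state = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,6} {1,-28} {2}' -f $entry.Port, $entry.Service, $state
    }
}
```

A BLOCKED line for 88 or 389 on the only reachable DC explains logon failures immediately, while a BLOCKED 3268/3269 shows up as slow or failing cross-domain lookups in a forest.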