Glossary
NTDS.dit
The Active Directory database on a domain controller — an ESE/JET database holding every domain account and its encrypted credentials.
NTDS.dit is the on-disk Active Directory database stored on every domain
controller (typically C:\Windows\NTDS\ntds.dit). It is an ESE (Extensible
Storage Engine / JET Blue) database whose datatable holds one row per
directory object — users, machines, groups, and schema alike.
Account password hashes live in tagged columns (unicodePwd, dBCSPwd), encrypted
under the domain's Password Encryption Key (PEK), which is itself encrypted with
the boot key. Because it contains every credential in the domain, NTDS.dit is a
Tier-0 asset; it normally leaves a DC only via backup, volume shadow copy, or
ntdsutil. See Inside NTDS.dit.
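Because the database legitimately leaves a DC only through those few channels, the practical defensive control is to watch for anything else touching it. The following is an added example, not code from this glossary or from any product it refers to: a small detection routine run over constructed process-creation events (shaped loosely like Windows 4688 / Sysmon records; the field names, hostnames, users and the backup-agent allowlist are assumptions) that flags ntdsutil execution and non-backup processes that reference ntds.dit, including reads from a volume shadow copy device path.

```python
import ntpath

# Constructed sample events (not real telemetry). The field layout is an
# assumption; map your SIEM's process-creation schema onto it.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin start systemstatebackup -backupTarget:E: -quiet"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": "ntdsutil.exe"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"
                "\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\n.dit"},
    {"host": "WS07", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

# Hypothetical allowlist: image names of backup software that is expected to
# reference the database on a DC. Populate this from your own backup agent.
EXPECTED_BACKUP_IMAGES = {"wbadmin.exe"}


def detect_ntds_access(events):
    """Return one finding per event that matches an NTDS.dit access pattern.

    Each finding carries the event index, host, user and the list of reasons
    that fired, so the caller can route it to triage with context.
    """
    findings = []
    for idx, ev in enumerate(events):
        image = ntpath.basename(ev["image"]).lower()
        cmd = ev["cmdline"].lower()
        reasons = []

        # ntdsutil is one of the sanctioned ways the database leaves a DC;
        # any execution outside a change window is worth a ticket.
        if image == "ntdsutil.exe":
            reasons.append("ntdsutil.exe executed")

        # A direct reference to the file by anything other than the backup
        # agent is abnormal: no ordinary process has a reason to name it.
        if "ntds.dit" in cmd and image not in EXPECTED_BACKUP_IMAGES:
            reasons.append("ntds.dit referenced by non-backup process")

        # The live file is locked by the directory service, so reads usually
        # go through a shadow copy device path instead.
        if "harddiskvolumeshadowcopy" in cmd and "ntds" in cmd:
            reasons.append("NTDS path read from a volume shadow copy device")

        if reasons:
            findings.append({"index": idx, "host": ev["host"],
                             "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_ntds_access(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {'; '.join(f['reasons'])}")
```

On the constructed input the system-state backup and the workstation event pass silently, while the ntdsutil launch and the shadow-copy read of the database each produce a finding. In production the allowlist should be keyed on more than the image name (signed path, service account, maintenance window), and the string matches should be paired with file-access telemetry on the NTDS directory, since a renamed copy of the file carries no "ntds.dit" on its command line.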