Is the NTDS.DIT is encrypted as a whole (regardless of any internal encryption) using the BootKey stored in the System hive of the registry, and the BootKey is different for every computer, or is it just the PEK (password encryption key) that the BootKey encrypts and not the whole database?


The Hash of the user password as I understand it different hashes are stored for

MD4 for NTLM,

MD5 for Kerberos,

SHA1 for Kerberos 2008


Then this hashed password is encrypted using either RC4/DES or AES (2012 R2 and above) is that correct?


Thanks very much