Is the NTDS.DIT encrypted as a whole (regardless of any internal encryption) using the BootKey stored in the System hive of the registry, and the BootKey is different for every computer, or is it just the PEK (password encryption key) that the BootKey encrypts and not the whole database?
As I understand it, different hashes of the user password are stored:
MD4 for NTLM,
MD5 for Kerberos,
SHA1 for Kerberos 2008
Then this hashed password is encrypted using either RC4/DES or AES (2012 R2 and above). Is that correct?
Thanks very much