AD Physical Structure
Domain controllers, sites, and replication form the physical backbone that keeps the AD database synchronized and available across the network.
While the logical structure describes how AD is organized, the physical structure describes where and how the data actually lives. Domain Controllers (DCs) are special servers that store and manage the Active Directory database. Every DC has a copy of this database, which is a file called NTDS.dit. Sites are groups of well-connected computers, usually matching physical office locations. AD automatically replicates changes between domain controllers so they all stay in sync. If one DC goes down, others can still handle logins and lookups, which makes AD resilient.
Domain controllers are like post offices -- each one holds a complete copy of the address book (the AD database). Sites are geographic regions, like postal zones. Replication is the delivery truck system that ensures every post office has exactly the same, up-to-date address book. The NTDS.dit file is the actual physical book sitting in each post office's vault.
Key Takeaways
- Domain controllers are servers that host a full copy of the AD database.
- NTDS.dit is the database file and contains all AD objects including password hashes.
- Replication keeps all DCs synchronized; intra-site is fast, inter-site is scheduled.
- FSMO roles handle single-master operations like schema changes.
- Extracting NTDS.dit gives an attacker every credential in the domain.
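The following PowerShell script is an added example, not part of the original lesson: it inventories the physical layer described above (every DC and its NTDS.dit copy, sites and site-link schedules, FSMO role holders) and then flags replication partners that have not synced or are failing. It assumes a domain-joined host with the RSAT ActiveDirectory module installed and an account allowed to read the configuration partition.

```powershell
# Added example (not from the page): inventory the physical AD layer.
# Assumes a domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Domain controllers: each one holds a full copy of NTDS.dit
#    (read-only on RODCs, writable elsewhere).
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# 2. Sites and site links: intra-site replication is near-immediate,
#    inter-site replication runs on the link's schedule and frequency.
Get-ADReplicationSite -Filter * | Select-Object Name, Description | Format-Table -AutoSize
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# 3. FSMO role holders: single-master operations live on exactly one DC each.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 4. Replication health: a partner with no recent success or with
#    consecutive failures is a DC whose NTDS.dit copy is drifting.
$staleAfter = [TimeSpan]::FromHours(24)   # constructed threshold; tune to your site links
$dcs |
    ForEach-Object { Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server } |
    ForEach-Object {
        [pscustomobject]@{
            Server      = $_.Server
            Partner     = $_.Partner
            Partition   = $_.Partition
            LastSuccess = $_.LastReplicationSuccess
            Failures    = $_.ConsecutiveReplicationFailures
            Stale       = (((Get-Date) - $_.LastReplicationSuccess) -gt $staleAfter)
        }
    } |
    Where-Object { $_.Stale -or $_.Failures -gt 0 } |
    Format-Table -AutoSize
```

An empty result from step 4 means every inbound partner has replicated within the threshold without failures; anything listed is a DC whose copy of the database is falling behind the others.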
NTDS.dit is one of the most prized targets in any Active Directory attack. Understanding the physical layer helps you grasp why attacks like DCSync and NTDS.dit extraction are so devastating.