
What is NTDS.DIT ?

This is the main AD database.


NTDS stands for NT Directory Services.
The DIT stands for Directory Information Tree.
Stores all objects and their attributes
Located in the %SYSTEMROOT%\NTDS folder on domain controllers
Made up of three tables:
Schema table
Data table
Link table
Schema table
Defines the types of objects that can be created in Active Directory, the relationships between them, and the optional and
mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
Link table
Contains linked attributes, whose values refer to other objects in Active Directory. Take the
memberOf attribute on a user object: its values reference the groups to which the user
belongs. This table is also far smaller than the data table.
Data table
Holds users, groups, application-specific data, and any other data stored in Active Directory. The data table can be
thought of as having rows, where each row represents an instance of an object such as a user, and columns, where
each column represents an attribute defined in the schema, such as Given Name.
What are Active Directory Partitions ?
The AD database is divided into sections called partitions (also called naming contexts).
Partitions are the unit of replication: each one is replicated to its own set of domain controllers.
1. Schema partition:
Stores schema
Contains definitions of all classes and attributes in entire forest
Replicated to all domain controllers in forest
Content is the same throughout forest
2. Domain partition
Contains users, computers, groups, and organizational units created in Windows domain
Replicated to all domain controllers in domain
Large amount of data
Usually partition that changes most frequently
3. Configuration partition
Stores information about replication topology used in forest
Specifies how a domain controller determines which replication partners it replicates with
Found on all domain controllers
Same throughout forest
4. Application partition
Cannot contain security principals
Can be replicated to domain controllers in many different domains of the forest
Without necessarily being hosted on all domain controllers
Used when an application developer wants to store application data in Active Directory
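As an added example that is not part of the original notes, the following PowerShell locates the NTDS.DIT file on a domain controller and then enumerates the partitions defined in the forest, classifying each as schema, configuration, domain or application. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and read access to the configuration partition; the registry value name and the crossRef systemFlags bits (0x1 = FLAG_CR_NTDS_NC, 0x2 = FLAG_CR_NTDS_DOMAIN) are the documented ones, but the output format is this example's own.

```powershell
# Added example (not from the original notes): find the AD database file and list
# the forest's partitions. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# On a DC the database location is recorded under the NTDS service key; it defaults
# to %SYSTEMROOT%\NTDS\ntds.dit. The key does not exist on a member server.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsKey) {
    $dbPath = (Get-ItemProperty -Path $ntdsKey -Name 'DSA Database file').'DSA Database file'
    "NTDS.DIT path: $dbPath"
} else {
    'Not a domain controller: no NTDS.DIT on this host.'
}

# RootDSE of the DC we are bound to exposes the well-known naming contexts.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Every partition in the forest is registered as a crossRef object under
# CN=Partitions in the configuration partition, so this list is forest-wide even
# though the DC we query hosts only some of these partitions.
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
                          -LDAPFilter '(objectClass=crossRef)' `
                          -Properties nCName, systemFlags, dnsRoot

foreach ($cr in $crossRefs) {
    $flags = [int]$cr.systemFlags
    $kind = if (($flags -band 0x1) -eq 0)       { 'External cross-reference' } # not a partition of this forest
            elseif ($cr.nCName -eq $schemaNC)    { 'Schema' }
            elseif ($cr.nCName -eq $configNC)    { 'Configuration' }
            elseif (($flags -band 0x2) -ne 0)    { 'Domain' }        # FLAG_CR_NTDS_DOMAIN
            else                                 { 'Application' }   # e.g. DomainDnsZones, ForestDnsZones

    [pscustomobject]@{
        Kind      = $kind
        Partition = $cr.nCName
        DnsRoot   = $cr.dnsRoot
    }
}
```

In a freshly built forest the output normally shows the schema and configuration partitions, one domain partition per domain, and the two DNS application partitions (DomainDnsZones and ForestDnsZones) that DNS-integrated zones live in; any other Application entries are worth knowing about, since they are replicated to whichever DCs their crossRef names and can be missed by backup and monitoring that only look at domain partitions.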

What are FSMO Roles?


Active Directory extends the single-master model found in earlier versions of Windows to include multiple
roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active
Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.
Currently in Windows there are five FSMO roles:
Schema master
The schema master FSMO role holder is the DC responsible for performing updates to the directory
schema. This DC is the only one that can process updates to the directory schema. Once the Schema update is
complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema
master per directory.
Domain naming master
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide
domain name space of the directory. This DC is the only one that can add or remove a domain from the
directory. It can also add or remove cross references to domains in external directories.
RID master
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all
DCs within a given domain. It is also responsible for removing an object from its domain and putting it in
another domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a domain.
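The domain SID / RID split described above, as an added example that is not part of the original notes. The first part runs anywhere PowerShell is available and uses a constructed sample SID (not a real domain); it decomposes the SID both from its string form and from the raw objectSid bytes as stored in the directory. The second part, guarded so it only runs where the ActiveDirectory module is present, reads the rIDAvailablePool attribute of the RID Manager$ object to show how much of the domain's RID space the RID master has handed out; the 64-bit split (high 32 bits = size of the RID space, low 32 bits = RIDs allocated so far) is the documented layout, the variable names are this example's own.

```powershell
# Added example (not from the original notes). The SID below is constructed.
$sidText = 'S-1-5-21-1004336348-1177238915-682003330-1105'

# String form: everything up to the last sub-authority is the domain SID,
# the last sub-authority is the RID that is unique within that domain.
$sid       = [System.Security.Principal.SecurityIdentifier]::new($sidText)
$domainSid = $sid.AccountDomainSid.Value          # S-1-5-21-1004336348-1177238915-682003330
$rid       = [uint32]($sidText.Split('-')[-1])    # 1105

# Binary form (what objectSid holds in NTDS.DIT):
#   byte 0      revision (1)
#   byte 1      number of sub-authorities
#   bytes 2-7   identifier authority, big-endian (5 = NT Authority)
#   then        4-byte little-endian sub-authorities; the last one is the RID
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)
$subAuthCount = $bytes[1]
# BitConverter reads in host byte order; assumed little-endian (x86/x64), which matches the SID encoding.
$ridFromBytes = [BitConverter]::ToUInt32($bytes, 8 + 4 * ($subAuthCount - 1))

[pscustomobject]@{
    Sid          = $sidText
    DomainSid    = $domainSid
    Rid          = $rid
    RidFromBytes = $ridFromBytes
    SameRid      = ($rid -eq $ridFromBytes)
}

# Well-known RIDs are fixed regardless of domain; they are recognisable by the RID alone.
$wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 512 = 'Domain Admins'; 519 = 'Enterprise Admins' }
if ($wellKnown.ContainsKey([int]$rid)) { "RID $rid is the well-known account '$($wellKnown[[int]$rid])'" }

# Domain part: how much of the RID space the RID master has already allocated.
# Requires the RSAT ActiveDirectory module and a reachable DC.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain  = Get-ADDomain
    $ridMgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $total   = [int64]($pool -shr 32)            # size of the RID space (default 0x3FFFFFFF)
    $issued  = [int64]($pool -band 0xFFFFFFFF)   # RIDs handed out to DCs so far
    [pscustomobject]@{
        RidMaster     = $domain.RIDMaster
        RidSpaceSize  = $total
        RidsAllocated = $issued
        RidsRemaining = $total - $issued
    }
}
```

A steadily shrinking RidsRemaining with no matching growth in the number of principals is a sign that something is burning through RID pools (each DC requests blocks of 500 at a time), which is worth investigating before the space is exhausted and no DC can create new security principals.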
PDC emulator
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the time from an external source.
All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or
earlier PDC performs for Windows NT 4.0-based or earlier clients.
Infrastructure master
When an object in one domain is referenced by another object in another domain, it represents the reference
by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The
infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a
cross-domain object reference.
NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object
information, because a Global Catalog server holds a partial replica of every object in the forest and therefore
never holds references to objects it does not have a copy of. As a result, cross-domain object references in
that domain will not be updated, and a warning to that effect will be logged in that DC's event log.
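As an added example that is not part of the original notes, the following PowerShell lists the five FSMO role holders and then performs the Infrastructure Master placement check the note above calls for: it warns when the IM is a Global Catalog while some other DC in the domain is not. It assumes the RSAT ActiveDirectory module and a reachable DC; the property names (SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster, IsGlobalCatalog) are the module's own, the report layout is this example's.

```powershell
# Added example (not from the original notes): report FSMO holders and check
# Infrastructure Master vs Global Catalog placement. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (held once per forest), three are per domain.
$roles = [ordered]@{
    'Schema master (forest)'        = $forest.SchemaMaster
    'Domain naming master (forest)' = $forest.DomainNamingMaster
    'RID master'                    = $domain.RIDMaster
    'PDC emulator'                  = $domain.PDCEmulator
    'Infrastructure master'         = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

# Infrastructure Master placement. The role only has work to do when the forest has
# more than one domain and not every DC in this domain is a GC: a GC already holds a
# partial copy of every object, so it has no stale cross-domain references to fix.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

if ($forest.Domains.Count -eq 1) {
    'Single-domain forest: Infrastructure Master placement does not matter.'
} elseif ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning ("Infrastructure Master {0} is a Global Catalog while {1} DC(s) in {2} are not; " +
                   "cross-domain references will not be updated. Move the role to a non-GC DC " +
                   "or make every DC in the domain a GC.") -f $im.HostName, $nonGc.Count, $domain.DNSRoot
} elseif ($im.IsGlobalCatalog) {
    "Infrastructure Master $($im.HostName) is a GC, but so is every DC in $($domain.DNSRoot): nothing to fix."
} else {
    "Infrastructure Master $($im.HostName) is not a GC: placement is correct."
}

# PDC emulator sanity check: it should take time from an external source, and the
# rest of the domain follows it. w32tm reports the configured source of a remote host.
w32tm /query /source /computer:$($domain.PDCEmulator)
```

Because the PDC emulator also receives preferential password replication and processes lockouts, its name from this report is the DC whose Security log is the first place to look when investigating lockout storms or password-spray activity across the domain.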
