In every Active Directory penetration test, the domain controller is the ultimate objective. Not because it's the only interesting target — but because compromising it means compromising everything else. Credentials, group policies, authentication for every user and computer in the domain: it all flows through the domain controller.
For IT teams at credit unions and small businesses, understanding what a domain controller actually does — and why it's so valuable to attackers — is the foundation for understanding why the security controls we recommend matter. This article explains it from the ground up.
What Is a Domain Controller?
A domain controller (DC) is a Windows Server that runs Active Directory Domain Services (AD DS). It is the central authority for authentication and authorization in a Windows domain. Every time a user logs in, every time a computer joins the network, every time someone accesses a shared folder — the domain controller is involved.
Specifically, a DC:
- Stores the Active Directory database (NTDS.dit), which contains every user account, computer account, group, and their associated credentials
- Authenticates users and computers using Kerberos (primary) and NTLM (legacy) protocols
- Enforces Group Policy Objects that control security settings across all domain-joined machines
- Replicates the directory database with other domain controllers for redundancy
- Manages the KRBTGT account used to sign all Kerberos tickets in the domain
Every security control in Active Directory — SMB signing policies, audit logging requirements, password policies, account lockout thresholds — is distributed to domain-joined machines through the domain controller.
Why Attackers Target Domain Controllers
Control of a domain controller means control of the entire domain. The specific capabilities an attacker gains upon DC compromise:
Full credential access. The NTDS.dit database on the DC contains the NTLM hash of every user account password in the domain. Via DCSync, an attacker holding directory replication permissions can request every hash from the DC over the normal replication protocol, without running any code on the DC itself. With every hash, they can authenticate as any user — pass-the-hash at domain scale.
Persistent access via Golden Tickets. The KRBTGT hash, stored on the DC and extractable via DCSync, enables Golden Ticket attacks — the ability to forge valid Kerberos tickets for any user indefinitely. Golden Tickets survive password resets and persist until the KRBTGT hash is rotated twice.
Domain-wide policy control. With DC access, an attacker can modify Group Policy Objects to push commands to every domain-joined machine simultaneously. This is how ransomware operators deploy their payload across an entire domain in minutes — a GPO that runs a script on every domain machine at next policy refresh.
Certificate authority control. In environments where ADCS runs on the domain controller or in the same security tier, DC compromise provides access to the certificate infrastructure — enabling certificate-based persistence that survives even credential rotation.
How Attackers Reach the Domain Controller
Attackers rarely attack the DC directly from the outside — it's rarely internet-exposed. Instead, they reach it through a chain of internal steps starting from initial access:
- Initial access via phishing, stolen credentials, or compromised vendor connection
- Lateral movement across workstations using pass-the-hash with shared local admin credentials
- Credential escalation via kerberoasting, AS-REP roasting, or LSASS dumping to recover domain admin credentials
- Or: direct path via ADCS ESC8 — coerce DC authentication, relay to certificate authority, get DC certificate, DCSync
- Domain admin access to the DC
The ESC8 path is particularly notable because it bypasses the lateral movement phase entirely — a standard domain user account can reach DC-equivalent access in 15 minutes on a default Windows Server 2022 environment.
Protecting Domain Controllers: The Essentials
DC protection is the combination of all the controls discussed throughout the ThreatForged AI blog. Specifically:
Prevent the paths to DC access:
- ADCS hardening (ESC1, ESC8) — ADCS guide
- NTLM relay prevention — NTLM relay guide
- LAPS deployment — LAPS guide
- Tiered administration — tiered admin guide
Protect the DC itself:
- Physical and logical isolation — DCs should not be reachable from user workstations on non-essential ports
- No unnecessary services — DCs should run only AD DS and DNS. Not file shares. Not print services. Not ADCS unless specifically required.
- Enable advanced audit logging — Event ID 4662 for DCSync detection, Event ID 4768/4769 for Kerberos anomaly detection
- Microsoft Defender for Identity on all DCs — purpose-built identity threat detection that monitors for DCSync, pass-the-hash, Golden Ticket, and lateral movement patterns
Monitor for DC-targeted attack indicators:
- Unexpected replication requests (Event ID 4662 from non-DC accounts)
- LDAP queries with bulk enumeration patterns
- New admin account creation on DCs
- GPO modification events outside maintenance windows
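The first indicator above, replication requests from accounts that are not domain controllers, is the one most worth turning into a concrete rule. The block below is an added example, not code from the original article: it runs the check over constructed Event ID 4662 records (the DC names, the MSOL_ sync account and the timestamps are hypothetical), using the well-known replication extended-right GUIDs and the Control Access bit of the AccessMask.

```python
# Added example (not from the ThreatForged article): flag DCSync-style replication
# requests in Security Event ID 4662 records whose subject is not a domain
# controller. The event records below are constructed samples, not real logs.
import re

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Well-known AD extended-right GUIDs a DCSync needs on the domain naming context.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit of the 4662 AccessMask
# Assumed allowlist: DC machine accounts plus the directory-sync service account
# (Entra Connect legitimately replicates). Names are hypothetical; tune per domain.
DEFAULT_ALLOWLIST = frozenset({"DC01$", "DC02$", "MSOL_a1b2c3d4"})

def replication_rights(event):
    """Names of the replication rights listed in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def is_dcsync_candidate(event, allowlist=DEFAULT_ALLOWLIST):
    """True when a non-allowlisted principal was granted replication rights."""
    if event.get("EventID") != 4662:
        return False
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return False  # not a control-access check, e.g. an ordinary property read
    if not replication_rights(event):
        return False  # control access, but not for replication
    return event.get("SubjectUserName") not in allowlist

def detect_dcsync(events, allowlist=DEFAULT_ALLOWLIST):
    """One alert dict per suspicious replication request, in log order."""
    return [{"time": e["TimeCreated"], "dc": e["Computer"],
             "subject": e["SubjectUserName"], "rights": replication_rights(e)}
            for e in events if is_dcsync_candidate(e, allowlist)]

def _ev(t, subject, mask, props):  # builds one constructed 4662 record
    return {"EventID": 4662, "TimeCreated": t, "Computer": "DC01.corp.example",
            "SubjectUserName": subject, "AccessMask": mask, "Properties": props}

GET = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    _ev("2025-01-15T03:10:02Z", "DC02$", "0x100", GET + "\n" + ALL),          # DC to DC
    _ev("2025-01-15T03:11:30Z", "MSOL_a1b2c3d4", "0x100", GET + "\n" + ALL),  # sync account
    _ev("2025-01-15T03:12:01Z", "jsmith", "0x10", "{bf967a86-0de6-11d0-a285-00aa003049e2}"),
    _ev("2025-01-15T03:12:44Z", "jsmith", "0x100", GET + "\n" + ALL),         # DCSync by a user
]
```

Only the last record produces an alert; note that 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits control-access rights, so confirm both before relying on this rule.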
How a Penetration Test Validates DC Protection
The only way to know whether your DC protection actually works is to test it. A vulnerability scan doesn't attempt to reach the DC. It doesn't test whether SMB signing is enforced on all machines. It doesn't test whether ADCS ESC8 is exploitable. It scans for known CVEs.
A proper Active Directory penetration test attempts the attack chains that reach domain controllers — relay, certificate abuse, credential escalation — and reports exactly how far an attacker got and what stopped them (or didn't). That's the evidence that your controls are actually working, and the documentation that NCUA examiners and cyber insurance underwriters want to see.
Sources
- Microsoft Security Blog, How Cyberattackers Exploit Domain Controllers Using Ransomware (April 2025) — microsoft.com
- Microsoft, Guidance to Help Mitigate Critical Threats to Active Directory Domain Services (December 2025) — microsoft.com
- ACSC, CISA, NSA & Five Eyes Partners, Detecting and Mitigating Active Directory Compromises (September 2024) — cisa.gov
Stay sharp. Stay prepared. — ThreatForged AI
Written by Ryan Kucher, founder of ThreatForged AI. Book a scoping call.