Below is a checklist to go through when conducting a pentest. Order is irrelevant and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap is in the works for that matter 😉 .
Domain Controllers are patched against ZeroLogon.
MS14-068 is patched, preventing forging of powerful Kerberos tickets.
PrivExchange patches are applied, protecting Exchange servers from authentication coercion attacks relying on the PushSubscription API, and ACE abuse attacks relying on the EXCHANGE WINDOWS PERMISSION group having WriteDacl permissions against the domain object allowing for DCSync.
Patches for NTLM tampering vulnerabilities (e.g. CVE-2019-1040, CVE-2019-1019, CVE-2019-1166) are applied to limit NTLM relay attacks.
Latest security patches are applied (e.g. for ProxyLogon, ProxyShell, PrintNightmare, ...).
Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting credential stuffing (i.e. trying to log in on other resources with that password/hash).
Tier Model is applied (administrative personnel have multiple accounts, one for each tier, with different passwords and security requirements for each one) and a "least requirement" policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set) limiting credential bruteforcing, guessing, stuffing and cracking attacks.
Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leak and other credential-based attacks.
No account is configured with Kerberos Unconstrained Delegation capabilities.
No computer account has admin privileges over another one. This limits NTLM relay attacks.
Caching of domain user credentials is limited on workstations and avoided on servers to prevent credential dumping of LSA secrets from the registry.
Group Policy Preferences Passwords are not used.
LSA protection is enabled to prevent LSASS dumping.
Network shares readable by all domain users don't contain sensitive data like passwords or certificates limiting credential dumping.
The Machine Account Quota domain-level attribute is set to 0, preventing domain users from creating domain-joined computer accounts.
Default special groups are empty, limiting, among other things, out-of-the-box ACE abuses.
SMB signing is required when possible, especially on sensitive servers, preventing NTLM relay attacks.
LDAP signing is required on Domain Controllers, preventing NTLM relay attacks.
Extended Protection for Authentication (EPA) is required, especially for Domain Controllers supporting LDAPS, preventing NTLM relay attacks.
IPv6 is either fully configured and used or disabled, preventing DHCPv6 spoofing with DNS poisoning attacks.
LLMNR, NBT-NS and mDNS are disabled, preventing MITM attacks relying on those multicast/broadcast domain name resolution protocols.
WPAD is disabled, preventing WPAD spoofing.
A wildcard (*) ADIDNS record is created (requirement) with a TXT record set to 127.0.0.1 (optional, example only), preventing powerful ADIDNS poisoning attacks.
The print spooler is disabled on Domain Controllers and sensitive servers to prevent the PrinterBug authentication coercion attack.
The WSUS server (if any) is configured with HTTPS, to prevent ARP poisoning with WSUS spoofing attacks.
Set up VLANs, 802.1X and NAC (Network Access Control) to limit the attacker's progress within the network.
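Several of the items above can be verified from the defender's side in one pass. The following audit helper is an added example, not part of the original checklist; it assumes the RSAT ActiveDirectory and DnsServer modules, WinRM access to the Domain Controllers, and reads the documented registry values for each setting:

```powershell
# Added audit helper (not from the original checklist). Assumes RSAT ActiveDirectory
# and DnsServer modules and WinRM access to every Domain Controller.
Import-Module ActiveDirectory

function Test-AdHardening {
    $domain  = Get-ADDomain
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($check, $pass, $detail) {
        $results.Add([pscustomobject]@{ Check = $check; Pass = $pass; Detail = $detail })
    }

    # Machine Account Quota: domain users should not be able to join computers (expected 0)
    $maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Add-Result 'MachineAccountQuota is 0' ($maq -eq 0) "ms-DS-MachineAccountQuota=$maq"

    # Kerberos Unconstrained Delegation: TRUSTED_FOR_DELEGATION (0x80000) on any non-DC account
    $ucd = Get-ADObject -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
    Add-Result 'No unconstrained delegation (non-DC)' (-not $ucd) (($ucd | ForEach-Object Name) -join ', ')

    # Wildcard ADIDNS record present in the domain zone
    $wild = Get-DnsServerResourceRecord -ComputerName $domain.PDCEmulator -ZoneName $domain.DNSRoot -Name '*' -ErrorAction SilentlyContinue
    Add-Result 'Wildcard (*) ADIDNS record exists' ([bool]$wild) $(if ($wild) { 'present' } else { 'missing' })

    # Per-DC settings: LDAP signing, LDAPS channel binding (EPA), SMB signing, LSA protection, spooler, LLMNR
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $r = Invoke-Command -ComputerName $dc -ScriptBlock {
            $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
            $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
            [pscustomobject]@{
                LdapSign = (Get-ItemProperty $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
                Cbt      = (Get-ItemProperty $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
                SmbSign  = (Get-ItemProperty $lanman -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
                RunAsPPL = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
                Spooler  = (Get-Service Spooler -ErrorAction SilentlyContinue).Status
                Llmnr    = (Get-ItemProperty $dnsPol -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
            }
        }
        Add-Result "$dc LDAP signing required"       ($r.LdapSign -eq 2)         "LDAPServerIntegrity=$($r.LdapSign)"
        Add-Result "$dc LDAPS channel binding (EPA)" ($r.Cbt -eq 2)              "LdapEnforceChannelBinding=$($r.Cbt)"
        Add-Result "$dc SMB signing required"        ($r.SmbSign -eq 1)          "RequireSecuritySignature=$($r.SmbSign)"
        Add-Result "$dc LSA protection (RunAsPPL)"   ($r.RunAsPPL -ge 1)         "RunAsPPL=$($r.RunAsPPL)"
        Add-Result "$dc Print Spooler disabled"      ($r.Spooler -ne 'Running')  "Spooler=$($r.Spooler)"
        Add-Result "$dc LLMNR disabled"              ($r.Llmnr -eq 0)            "EnableMulticast=$($r.Llmnr)"
    }
    return $results
}

Test-AdHardening | Format-Table -AutoSize
```

Missing registry values show up as empty details and a failed check, which is the correct reading: an unset value means the default (weaker) behaviour applies.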
⚒ Things to add
Use of physical tokens (U2F, access cards, ...)
Avoiding the use of plaintext protocols (limit ARP poisoning results)
Forest and domain trusts
SID filtering, SID history, etc.