Below is a checklist to go through when conducting a pentest. Order is irrelevant, and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap covering the latter is in the works.
Obsolete versions of the NTLM protocol (LM, LMv2 and NTLMv1) are disabled, and NTLM (all versions) is disabled where possible. This protects against NTLM relay, NTLM capture-and-cracking and pass-the-hash attacks.
krbtgt's password has been changed in the last 6 months to prevent Golden Ticket persistence attacks. From UNIX-like systems, this can be checked with Impacket's GetADUsers.py script.
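Added example (not from the original checklist): the krbtgt check above reduces to reading the account's pwdLastSet attribute, converting it from Windows FILETIME and comparing its age with the 6-month threshold. The LDAP entry below is constructed; in practice it would come from an LDAP query or from the GetADUsers.py output.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond ticks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=182)  # roughly the checklist's "6 months"
# LDAP filter and attribute you would query on a domain controller
KRBTGT_FILTER = "(&(objectClass=user)(sAMAccountName=krbtgt))"
KRBTGT_ATTRS = ["sAMAccountName", "pwdLastSet"]


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert an AD pwdLastSet value to a UTC datetime (None if never set)."""
    if filetime <= 0:  # 0 means "must change at next logon" / never set
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def check_krbtgt(entry: dict, now: datetime) -> dict:
    """Rate one LDAP entry {'pwdLastSet': '<int as string>'} against MAX_AGE."""
    last_set = filetime_to_datetime(int(entry.get("pwdLastSet", 0)))
    if last_set is None:
        return {"status": "UNKNOWN", "age_days": None, "last_set": None}
    age = now - last_set
    # Note: a Golden Ticket survives one reset; the password must be reset
    # twice (with replication in between) to invalidate existing tickets.
    return {
        "status": "OK" if age <= MAX_AGE else "FAIL",
        "age_days": age.days,
        "last_set": last_set.isoformat(),
    }


# Constructed sample entry: pwdLastSet == 2022-03-01 00:00:00 UTC
SAMPLE_ENTRY = {"sAMAccountName": "krbtgt", "pwdLastSet": "132905664000000000"}

if __name__ == "__main__":
    print(check_krbtgt(SAMPLE_ENTRY, datetime.now(timezone.utc)))
```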
Patches for NTLM tampering vulnerabilities (e.g. CVE-2019-1040, CVE-2019-1019, CVE-2019-1166) are applied to limit NTLM relay attacks.
The latest security patches are applied (e.g. for ProxyLogon, ProxyShell, PrintNightmare, ...).
Access Management (IAM/PAM)
Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting credential stuffing (i.e. trying to log in on other resources with that password/hash).
The Tier Model is applied (administrative personnel have multiple accounts, one per tier, each with different passwords and security requirements) and a "least privilege" policy is followed (i.e. service accounts don't have Domain Admin or equivalent privileges, and ACEs are carefully set), limiting credential bruteforcing, guessing, stuffing and cracking attacks.
Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leaks and other credential-based attacks.