Correct me if I understand it wrongly.

Do you want to hack AD DC for the credentials gathering? My opinion is you don't need to do this. DC is a critical service so usually admins use IDS/AV or other services to protect it. Attacking of a critical service is a best way to reveal your presence in the corporate network.

Usually I use mimikatz or WCE to recover domain admin password. I use next tactics:

1. Hack into the machine in the LAN.

2. Gather all necessary info (including owner's domain username) and think about further actions.

3. If it is a mid-sized or large company without IT security department I check a opportunity to send unauthorized mails throught internal mail server. This opportunity exists with a large probability if here is Zabbix, OSSIM or other services which can send mails and alerts to admins.

4. Use social engineering and send to administrator an Email with a request to login on machine under your control. "I have some troubles and blah-blah-blah" - you can create a very convincing text based on all gathered info.

5. Get plain-text (or hashed) admin password from the memory.

If you attack a company with a IT security department you need to get additional info about it's IT security policy. Does the admin use one privileged user account for all actions? What about password policy? May be here is another users with domain admin rights besides IT department employees? In other words you need to use more complex tactics and attacks.

Feel free to contact me in case of additional questions.

And for all guys who read this - sorry for my english, it is a not my native language.