That it's taken the Pen(etration) Testers a day and a half to get control of my Domain
Usually, they'll be in well within an hour and reading out your Domain Admin password out loud. Ha! These guys got Domain Admin equivalence, which is all but the same ... but it took them a day and a half.
Note to SysAdmins - you're only as strong as your weakest link. In my case, a Windows 2003 member server not under my control but on my domain. Note to self - anything on MY domain is under MY control. If it's not, it's NOT on my domain.
The Pen Testers would get in somehow, but it'd take a lot longer. I might set them on again without that server. Now, time to talk to the Network guys about further mitigation.