t has been increasingly common for organizations to prevent external or outbound connections from their domain controllers. I have seen some use the Windows Firewall, others use non-routable IP addresses and others have installed third-party software to prevent any type of remote access. These are all recommended practices, but some security administrators wrongfully assume that their domain hashes are safe simply because they believe that it is impossible to get a meterpreter shell on any of their DCs.
more here....http://obscuresecurity.blogspot.com/2014/03/ntdsdotdit.html
more here....http://obscuresecurity.blogspot.com/2014/03/ntdsdotdit.html