So here's a fun little tidbit about the Microsoft Active Directory vulns CVE-2020-0761 and CVE-2020-0718 from last week:
If someone tries to exploit it and the attempt fails in the form of a crash, that domain controller will be permanently hosed until you remove some stuff via ADSI Edit. So sort of a perma-DoS for an "unskilled" attacker.
The one thing I haven't checked yet is if the bad records get replicated to other DCs. If so, that's kinda scary since it would imply sending the exploit once to pwn all the DCs. Or make them all inoperable.