
BadSuccessor: Enable domain takeover with Microsoft Active Directory Attack not called

Some related attributes on the dMSA account are `msDS-DelegatedMSAState`, which indicates whether the migration process is unknown, in progress, or completed; `msDS-ManagedAccountPrecededByLink`, which identifies the account being replaced; and `msDS-GroupMSAMembership`, which indicates which principals (users, groups and computers) can authenticate as the account.

Once the migration to the dMSA account is complete, any machine that authenticates as the replaced service account will receive an error from the domain controller indicating that the old account has been disabled. The `KERB-SUPERSEDED-BY-USER` field in that error indicates the dMSA that replaces it. The machine will then retry authentication as the dMSA to obtain authenticated session tickets, allowing it to perform its actions.

This is where the Key Distribution Center (KDC) comes into play. In the Kerberos protocol used by AD, the KDC ensures secure access to network resources by verifying users' identities and granting them access according to their permissions.
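For defenders reviewing the attributes described above, the following added example (not from the original article or from Microsoft) reads an LDIF-style export of dMSA objects and reports each object's migration state and the account it claims to supersede. The sample export, the `SENSITIVE` watch list, the function names and the numeric state values (0, 1, 2) are assumptions made for illustration.

```python
# Constructed sample export (not real data); lines are assumed unwrapped.
SAMPLE_LDIF = """\
dn: CN=svc-web-dmsa,CN=Managed Service Accounts,DC=example,DC=test
objectClass: top
objectClass: msDS-DelegatedManagedServiceAccount
msDS-DelegatedMSAState: 2
msDS-ManagedAccountPrecededByLink: CN=svc-web,OU=Service Accounts,DC=example,DC=test

dn: CN=tmp-dmsa,OU=Lab,DC=example,DC=test
objectClass: msDS-DelegatedManagedServiceAccount
msDS-DelegatedMSAState: 2
msDS-ManagedAccountPrecededByLink: CN=Administrator,CN=Users,DC=example,DC=test

dn: CN=svc-db-dmsa,CN=Managed Service Accounts,DC=example,DC=test
objectClass: msDS-DelegatedManagedServiceAccount
msDS-DelegatedMSAState: 1
msDS-ManagedAccountPrecededByLink: CN=svc-db,OU=Service Accounts,DC=example,DC=test
"""
# Hypothetical watch list: accounts that no dMSA should supersede.
SENSITIVE = ["CN=Administrator,CN=Users,DC=example,DC=test"]
# Assumed numeric encoding of msDS-DelegatedMSAState.
STATE = {0: "unknown", 1: "in progress", 2: "completed"}
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"

def parse_ldif(text):
    """Split an LDIF export into one {attribute: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skips base64 ("::") and malformed lines
                entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def audit(text, sensitive_dns):
    """Return (dn, state, superseded_dn, flagged) for every dMSA entry."""
    sensitive = {dn.lower() for dn in sensitive_dns}
    report = []
    for e in parse_ldif(text):
        if DMSA_CLASS not in e.get("objectClass", []):
            continue
        code = int(e.get("msDS-DelegatedMSAState", ["0"])[0])
        link = e.get("msDS-ManagedAccountPrecededByLink", [""])[0]
        # Flag a completed migration whose superseded account is on the watch list.
        flagged = code == 2 and link.lower() in sensitive
        report.append((e["dn"][0], STATE.get(code, f"other({code})"), link, flagged))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF, SENSITIVE):
        print(row)
```
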
