Microsoft released an out of band patch today for all supported versions of Windows. The patch fixes a privately reported bug in the Kerberos Key Distribution Center (KDC) protoccol. If unpatched, it would allow an unauthorized user to execute an elevation of privilege attack.
“The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged,”
Microsoft says that limited attacks on Windows servers are already in the wild – hence the very unusual situation of releasing a patch out of band.
Assuming that the domain is infected, the only solution is to rebuild the domain from scratch.