DCSync doesn't require a foothold on a domain controller, just one account with the right to replicate directory data. Here's how to find who has those rights in your environment, remove what doesn't belong, and detect whether someone is already using this technique against you.