This video shows the compromise of four machines (including a domain controller) within a demonstration Windows domain environment.
MS08-067 is used to compromise a web server within the domain. The web server has cached a domain administrator's access token (from a previous interactive logon session). This cached token is leveraged to add a new domain administrator account to the domain controller as well as local administrator accounts on the three machines which are members of the domain.
Metasploit's psexec module is used along with the newly created credentials to gain SYSTEM-level access to all of the machines. Finally, we use the persistence module to establish a foothold on the compromised systems that survives reboot. We demonstrate how this method can be used to cause meterpreter sessions to call back to the attacker every 45 seconds.
Domain privilege escalation using the abused domain administrator token is possible because access tokens are cached (in case communication with the DC is severed). More details about Microsoft's implementation of token-based access control, with a slant towards penetration testing, can be found in this whitepaper:
labs.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
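
A fixed-interval callback like the 45-second one described above leaves evenly spaced outbound connections in flow logs. The following Python sketch is an added example, not part of the video or of Metasploit; the record layout, thresholds, addresses and port are constructed assumptions. It flags channels whose connection gaps cluster around one period, tolerating a missed callback.

```python
from collections import defaultdict
from statistics import median


def find_beacons(flows, min_events=6, max_jitter=0.10):
    """flows: iterable of (epoch_seconds, src, dst, dport) connection starts.

    Returns sorted [(src, dst, dport, period_seconds, jitter)] for channels
    whose connections are evenly spaced. Thresholds are assumed defaults.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_channel[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in by_channel.items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        # Median absolute deviation relative to the period: one skipped
        # callback (a double-length gap) does not hide the pattern.
        jitter = median(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            findings.append((src, dst, dport, period, round(jitter, 3)))
    return sorted(findings)


# Constructed sample data (documentation address ranges, made-up port).
_BEACON = [1000, 1045, 1091, 1135, 1180, 1270, 1315, 1360]   # one callback missed
_BROWSING = [1003, 1010, 1100, 1130, 1400, 1410, 1900]       # irregular traffic
_SHORT = [1000, 1045, 1090]                                  # periodic but too few

SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", 8443) for t in _BEACON]
    + [(t, "10.0.0.7", "198.51.100.20", 443) for t in _BROWSING]
    + [(t, "10.0.0.9", "203.0.113.10", 8443) for t in _SHORT]
)

if __name__ == "__main__":
    for src, dst, dport, period, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} every ~{period}s (jitter {jitter})")
```

Legitimate software such as update checkers and monitoring agents also polls on fixed timers, so findings need an allowlist before they are treated as alerts.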