If my understanding is right, to this day on-prem AD does not salt its passwords, and MS is not doing anything to address that weakness. That should make everyone tear out their on-prem AD.
AES keys are salted. Moreover, if you use public-key authentication (e.g. smartcard, FIDO), it's not a requirement that any keys are provisioned on the user. I'm not sure if you can disable the generation of the NTLM key when using passwords, though (and it's true, that one is unsalted).
AD exists as it does today because they were able to meet the USG's definition of a distinct crypto module in the 90s, and it's too popular to break by policy.