set up a sniffer box on the domains and sniff for passwords being transmited. filter them by traffic from the domain controllers that way you can get rid of all the crap going through.

run a user enumeration against theservers and see what LOCAL accounts you have to work with. local accounts are easier to crack.