Hello, and thanks for reading this.
My basic understanding of the process of promoting a server to a domain controller includes "hiding" or removing the local SAM database. Some articles say it gets deleted and accounts move into the Domain SAM; other articles say the local SAM database is still there and accessible if the server is put into Directory Services Restore Mode (DSRM).
Here's my question, and I'd like to ask it in the context of a bad actor gaining access to a domain controller which is also a file share server. (I know this will draw comments; all I can say is I inherited it.)
If the SAM is hidden, then can a bad actor run PowerShell scripts to add local users? Could these local users access the files on the local server (which again is a DC and a file share)? The files are local, but they are owned and created by domain users.
I would like to learn about ways a bad actor could exploit a DC being a File Share with a local account. Is it possible? Is it then plausible?
My monitoring tool can pick up any "domain" activity. It may have a blind spot because the machine SIDs on DCs all look the same to it. So, if the machine SID is the same for 2 machines (except the last 5 digits), my security platform is not looking at the whole SID and claims there is a duplicate. This duplicate does NOT MATTER for domain accounts because of other correlation. It may matter if any local account was used on this Frankenstein DC/File Server.
Server1 = 366431-13683
Server2 = 366431-13178
Security software only sees 366431
If the SAM is deleted, then I don't think I have a question.
Thank you in advance.