A few guidelines from your original question:
SMB - look for missing patches and public exploits. You can also dictionary attack SMB for credentials. I'd start with username "administrator".
You can also capture hashes for SMB creds and use these in pass-the-hash techniques. There are a number of ways to do this.
LDAP - if anonymous LDAP sessions are allowed you can enumerate this service for lots of juicy info.
MS SQL - look for missing patches. Better yet, if you can get creds for SA then more than likely they have xp_cmdshell functioning and you can get root, easy. You can get creds by dictionary attack, SE, or existing ODBC connections.
SNMP - again, dictionary attack. If you can find out the community string, you can likely read/write entire server configurations. This is a very powerful, yet often overlooked security issue on corporate LANs.
I would recommend getting a copy of MSDN and installing your own AD environment so you can see all the moving parts of an AD environment. This is paramount to successful pentesting since most orgs use AD in one fashion or another.
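
For the defender's side of the SNMP point in the post above, the following added example (not part of the original post) audits a net-snmp `snmpd.conf` for guessable or writable v1/v2c community strings. The weak-string list, the 8-character threshold and the sample configuration are assumptions constructed for illustration.

```python
# Added example: audit net-snmp snmpd.conf community lines (defensive check).
WEAK = {"public", "private", "community", "snmp", "admin", "default"}  # constructed list
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}  # sources that match any client
DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# snmpd.conf (constructed)
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity Xk9-vTq2mLw7 192.0.2.10
rwcommunity6 Zp4_hRe8uYc1 default
"""


def audit_snmpd_conf(text):
    """Return (line_no, severity, message) findings for v1/v2c community lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive not in DIRECTIVES:
            continue
        community = tokens[1]
        # With no SOURCE argument net-snmp accepts requests from any address.
        source = tokens[2] if len(tokens) > 2 else "default"
        if directive.startswith("rw"):
            findings.append((no, "high", "write access: holder can change device configuration"))
        if community.lower() in WEAK or len(community) < 8:
            findings.append((no, "high", "guessable community string"))
        if source.lower() in OPEN_SOURCES:
            findings.append((no, "medium", "no source restriction on this community"))
    return findings


if __name__ == "__main__":
    # The community string itself is never printed, only the line it sits on.
    for no, severity, message in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: [{severity}] {message}")
```
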