It can be pretty enlightening to read the few postmortems of big hacks that do get published.
Another seemingly common scenario (aside from a direct attack on the server) is to spear-phish someone else inside the company, not necessarily an admin or anyone technical, into clicking on some flash applet or trojan'd excel doc or something that owns their machine, then install keyloggers, proxies, etc., and work from there until you snag a credential that lets you into the server you actually want.
Another seemingly common scenario (aside from a direct attack on the server) is to spear-phish someone else inside the company, not necessarily an admin or anyone technical, into clicking on some flash applet or trojan'd excel doc or something that owns their machine, then install keyloggers, proxies, etc., and work from there until you snag a credential that lets you into the server you actually want.