Comment on Anybody here running AD on-prem in your homelab?

Kid_Thunder@kbin.social 9 months ago

The SSH keys don't help me if I get locked out of a Domain Controller unless you're using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via command line because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this in the enterprise, not because I may get locked out but because it is just convenient. Granted, you'll have to execute PowerShell on the command line once in to use the AD cmdlets.

On the other hand, when you create a DC nowadays (Server 2019... I don't remember if this is asked in the wizard in Server 2016) you can create a "Directory Services Restore Mode" which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You'll be asked to create it when you promote your DC.

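An added example, not part of the comment above: one way to turn on the built-in OpenSSH server on Windows Server 2019 and register a public key for key-based logon. It assumes the logon account is a member of Administrators, for which the default Windows `sshd_config` reads keys from `administrators_authorized_keys`; the public key string is a constructed placeholder.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
# Constructed placeholder: replace with the real public key line.
$pubKey = 'ssh-ed25519 <PLACEHOLDER-PUBLIC-KEY> admin@workstation'

# Install the OpenSSH Server capability only if it is not already present.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# Start sshd now and on every boot (first start creates %ProgramData%\ssh).
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# Members of Administrators use this shared file, not ~\.ssh\authorized_keys.
$keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
if (-not (Test-Path $keyFile)) {
    New-Item -ItemType File -Path $keyFile -Force | Out-Null
}

# Append the key only once so reruns do not duplicate the entry.
if (-not (Select-String -Path $keyFile -SimpleMatch $pubKey -Quiet)) {
    Add-Content -Path $keyFile -Value $pubKey -Encoding ascii
}

# Restrict the file to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
# With the default StrictModes, sshd rejects the file if other accounts
# have access to it.
icacls.exe $keyFile /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null

# Show the resulting service state and ACL for review.
Get-Service -Name sshd | Select-Object Name, Status, StartType
icacls.exe $keyFile
```

Anyone who can write to this file can log on as any Administrators member over SSH, so it belongs in the same change-monitoring scope as other privileged credentials on the server.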