I'm in!
I was able to use the "UtilMan trick" as suggested. I'd used it on a Windows 7 machine years ago. I didn't expect it to still work on 2016R2, but it does.
Once I had a command prompt, I was able to use that to add a new local user and make them an administrator. Then I logged in as that new user and was able to rejoin the domain and reset the trust relationship.
The original administrator account still has an unknown password, and the vendor's services are still using it, but the server is up and running, and I have full control again. We will get with the vendor and get them to change their shit to use a proper account for their services and not the local administrator. Then we can reset the local admin password.
Thanks everyone for all the suggestions! I'll file them away for possible future use.