I always want to know what other domains and alternate host names are being hosted and specifically what web apps are running within those additional domain/host names. This is because I tend to get more mileage from web application vulnerabilities than I do from classic network vulnerabilities.
There are myriad ways of finding out this information. You might start with attempting zone transfers on the domains you do know to dump all host names. This rarely works so you might use a tool to identify host names based on a dictionary of potential values. This will work somewhat but those DNS records must be in your dictionary and you'll invariably miss some. For additional domain names, you might start performing reverse DNS lookups on the IP address space that's in scope for the assessment. Accurate reverse DNS zones are often not available so you might use a tool like Maltego which uses other information sources to identify those other domain names.
Yet another way of identifying straggling domain/host names is to grab SSL certificates on the network and look at the "commonName" attributes. Then you can take any new domain names identified and run them through the same process you already went through for the names you already knew. This may seem arcane but I've personally been in situations where I was unaware of a domain, obtained it through an SSL certificate, performed dictionary-based enumeration of the domain, and identified a hostname for a vulnerable web application listening on a site with host headers. The point is that I would have never known the app existed by just connecting to the web server's IP address without a name. Thorough coverage is the name of the game.
NMAP has a nice script built in to do just this:
nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open A.B.C.D/XY
