WINDOWS 2000 SERVER
Domain controllers have a special offline SAM that stores the Administrator account used in the Directory Services Restore mode. Admins use this mode to recover Windows 2000 domain controllers. Since this account is very powerful, you must protect it.
Some tips for protecting this account:
* Use a strong password, and change it regularly, in accordance with your password policy.
* Enable auditing for the SAM file located in %systemroot%\System32\Config.
* Physically secure the computer. Since the account isn't accessible when Active Directory is online, physical security is important.
backups, and don't let them get into the wrong hands.
If you used Server Wizard to set up your domain controller, make sure you read Microsoft Knowledge Base article Q271641. This article discusses security issues related to using the Server Wizard.