When a Windows Server 2003 or Windows 2000 machine is promoted to a domain controller (DC), its local user database (i.e., its SAM) is reset and a new local Administrator account is created. During the promotion process, you're required to set the password for this new account. This password will be used in two rare, but extremely useful cases: when Active Directory (AD) isn't working and you must use the local Administrator account in the recovery console or in Directory Services Restore Mode. If you forget the local Administrator password, you can't use the recovery console nor restore the AD database. (The AD database is a part of the system state, and the system state in DCs can only be restored in Directory Services Restore Mode.)
In Windows 2003, the Ntdsutil utility has a nice solution to a forgotten local Administrator password: the Set DSRM Password command. However, the Ntdsutil utility in Windows 2000 doesn't offer this command. As a result, the system state backup in Windows 2000 might be rendered useless if you forget the local Administrator password.
One solution to this problem in Windows 2000 is to use a third-party utility, such as the Locksmith utility in Winternals Software's ERD Commander 2005. However, although this utility is good, it isn't free.
A free and simple solution is to verify that you've backed up the system state, then demote the DC. In the demotion process, the local user database is reset once again and you're asked to set the password of the new local Administrator account. After the demotion, you can log on to the machine using this password. Then, without going to Directory Service Restore Mode, you can restore the system state backup. (For standalone servers and member servers, you don't need to switch to the Directory Service Restore Mode when the system state backup will be restored.) That's all you need to do.
—Murat Yildirimoglu and Hayriye Ceyhan