Export and store the DRA file recovery private key as soon as possible after promoting the first domain controller in a domain. Burn copies of the certificate, and keep it secure. Don't forget the password you used when creating the certificatethere is no way of recovering the key if you forget the password.
Remember that the users' private keys are in their user profiles. Avoid roaming profiles that contain encryption keys. If you need to use roaming profiles, set a Group Policy to remove the local copy at logoff.
If you have a workgroup with Windows 2000 pro desktops and laptops with no domain controller, then your best alternative for securing DRA private keys is to immediately export and remove the Admin File Recovery key from each machine, burn the certificates to a few CDs, and keep the CDs under lock and key.