A few more things to look at are:

Services: stop and disable any service that you don't have to have.
IP filtering: Turn on an use IP filtering. Only allow the ports that you absolutely have to.

You may not be able to down load a firewall but that doesn't mean that you can't reduce your attack surface.

Have you changed the NTFS permissions on your hard drives? By default the everyone group has full access to your computer. Just be careful not to be to restrictive here, Since you are a domain controller you will have to leave somethings a little more open. ie replace everyone full with authenticated users read/execute/list

Disable the Guest account.

Rename the administrator account

Disable Anonamous access

Setup account lock out policies

Just to help you know when he has been comming at you setup a dummy Administrator account, remove it from all groups and turn on auditing for this account. That way you can see any attempts to use that account in you logs.

You might try applying the HISECDC.inf in the local security policy. If that one breaks to much then try the SECUREDC.inf and then the BASICDC.inf. Remember that you can alwas go back to the original local security policy by using the "setup security.inf"

Disable the remote registry service!

Just remember that if configured properly a Windows server can be just as secure as any other OS.

Good luck!