from the doc: "/ to make this exploit work remotely you must use sbaaNetapi.dll witch modifies the DsRoleUpgradeDownlevelServer API, this will allow the remote host to be specified as explained on eeye advisory... http://www.eeye.com/html/Research/Advisories/AD20040413C.html"
rlsasrv.exe