Reduce the number of Domain Admins in your environment.

Do not allow or limit login of DAs to any other machine other than the Domain Controllers. If logins to some servers is necessary, do not allow other administrators to login to that machine.

(Try to) Never run a service with a DA. Many credential theft protections which we are going to discuss soon are rendered useless in case of a service account.

Set "Account is sensitive and cannot be delegated" for Domain Admins: