One of the best ways to ensure secure domain controllers is to install them securely configured to start and to deploy them in a secure manner. The DC is secured before it is placed into production. Many of these security steps can be incorporated into an automated installation process.
Best Practices for DC Deployment
Five distinct sets of steps must be completed to bring up a DC securely:
Before a domain controller is established on the network, prepare for its installation. ...