The growth and improper use of domain administrator accounts is one of the major security threats to systems in Windows Active Directory (AD) domains.
In order to avoid potential issues arising from these troubles, here's an article about restricting the use of domain admin accounts to domain controllers in Windows Server 2012 R2 domains by enabling support for additional Kerberos features.
The author also explains how to create a new authentication policy and silo. You can have a look at the tutorial here
You must authenticate to review this post