
What is a secure way to log onto the domain controller?

Çağlar Arlı


On a pentest we found that a Kerberos ticket under the account name administrator was cached on one of the SQL database servers, which allowed us to steal the ticket, pass-the-ticket and log onto the domain controller. The logon type was RemoteInteractive, which suggests that a user from SQLDB01 made an RDP session to DC01. In terms of recommendations, I believe Restricted Admin mode does not protect against this attack, as this protection just forces the Kerberos ticket to default.

  1. What other recommendations are there?
  2. Use Credential Guard to protect against dumping of Kerberos tickets (?)
  3. What is the correct/secure way to log onto the DC? I assume a jumpbox?
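Two logon-hygiene checks that follow from the scenario above, as an added example rather than code from the original post: it reviews constructed Windows Security 4624 (successful logon) records and flags a Tier-0 account logging on to a lower-tier server (which is how the ticket came to be cached on SQLDB01) and an RDP session to a domain controller from anything other than an approved jump host. The jump host JUMP01, the account and host tier lists, and the sample records are assumptions.

```python
# Added example, not from the original post. Host names, account names and
# the tier lists below are assumptions; the records are constructed.
from dataclasses import dataclass

REMOTE_INTERACTIVE = 10             # 4624 logon type 10 = RDP / Terminal Services
TIER0_HOSTS = {"DC01"}              # domain controllers
ADMIN_JUMP_HOSTS = {"JUMP01"}       # hardened admin workstations / jump boxes
TIER0_ACCOUNTS = {"administrator"}  # accounts that may only log on to Tier-0 hosts


@dataclass(frozen=True)
class Logon:
    computer: str     # host that recorded the 4624 event
    account: str      # TargetUserName
    logon_type: int   # LogonType
    workstation: str  # WorkstationName: where the session originated


def check_logon(ev: Logon) -> list[str]:
    """Return the names of the rules this logon violates (empty if none)."""
    findings = []
    if (ev.account.lower() in TIER0_ACCOUNTS
            and ev.computer not in (TIER0_HOSTS | ADMIN_JUMP_HOSTS)):
        # A Tier-0 account touched a lower-tier server: its TGT now sits in
        # that server's LSASS, where anyone who owns the box can take it.
        findings.append("tier0-account-on-lower-tier-host")
    if (ev.computer in TIER0_HOSTS and ev.logon_type == REMOTE_INTERACTIVE
            and ev.workstation not in ADMIN_JUMP_HOSTS):
        # RDP into a DC from anything but an approved jump host.
        findings.append("rdp-to-dc-from-unapproved-host")
    return findings


def triage(events):
    """Flatten (computer, account, workstation, rule) tuples for every hit."""
    return [(ev.computer, ev.account, ev.workstation, rule)
            for ev in events for rule in check_logon(ev)]


# Constructed sample: the pass-the-ticket RDP, a legitimate jump-host RDP,
# the admin logon that seeded the cached ticket, and a benign service logon.
SAMPLE_EVENTS = [
    Logon("DC01", "administrator", REMOTE_INTERACTIVE, "SQLDB01"),
    Logon("DC01", "administrator", REMOTE_INTERACTIVE, "JUMP01"),
    Logon("SQLDB01", "Administrator", REMOTE_INTERACTIVE, "ADMIN-PC"),
    Logon("SQLDB01", "svc_sql", 3, "APP01"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```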