You can follow along here.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
--please don't forget to upvote
and Accept as answer
if the reply is helpful--