2FA with ActiveDirectory

What is the easiest way if the administrator of an active directory should use 2FA?

If it is about authenticating at a windows server, then you would need the privacyIDEA Credential Provider which is provided by the company NetKnights or available as source code at github.

The credential provider is installed on the machines, where 2FA is supposed to be performed.
You can not simply switch on 2FA for the admin in the whole domain.
note: Offline authentication is not supported.