In many cases the AD CS roles are not installed on the DCs, and domain admin rights are not needed to manage them. If a CA machine account is compromised, certificates can be forged to maintain persistence and escalate to domain admin.
Use SharpDPAPI to enumerate CA private keys:
Save the keys into .pem and use openssl to convert to .pfx.
Create a forged certificate using ForgeCert.
Request a TGT with the certificate:
NOTE
It is also possible to forge machine certificates and abuse S4U2Self to access any domain-joined machine or service.
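A certificate forged with a stolen CA key validates on the DC because the real CA signed it, but it never passed through the CA, so it has no row in the CA's issued-certificate database. Below is an added detection example (not part of the original page or of the tools named above) that compares the certificate serial numbers DCs log in Event ID 4768 for PKINIT logons against the serials the CA actually issued; both data sets, the certutil-style output and the event records, are constructed sample values.

```python
"""Flag PKINIT TGT requests whose certificate the CA never issued."""
from __future__ import annotations
import re

# Constructed sample of the CA database, shaped like the output of
# `certutil -view -out SerialNumber,RequesterName` (hypothetical values).
CA_ISSUED = """\
Row 1:
  Serial Number: "1a0000000be3f7c2"
  Requester Name: "CORP\\alice"
Row 2:
  Serial Number: "1a0000000c41a9d0"
  Requester Name: "CORP\\WS01$"
"""

# Constructed sample 4768 events, reduced to the fields a DC records in the
# "Certificate Information" block when a certificate authenticated the request.
EVENTS_4768 = [
    {"account": "alice", "issuer": "CORP-CA", "serial": "1a0000000be3f7c2"},
    {"account": "WS01$", "issuer": "CORP-CA", "serial": "1a0000000c41a9d0"},
    # Forged certificate: chains to CORP-CA but is absent from the CA database.
    {"account": "administrator", "issuer": "CORP-CA", "serial": "7f31c9e2a4d0b11f"},
    # Password-based TGT request: no certificate fields at all.
    {"account": "bob", "issuer": "", "serial": ""},
]


def norm(serial: str) -> str:
    """Normalise a serial so certutil and event-log spellings compare equal."""
    return serial.replace(" ", "").lower()


def parse_issued_serials(certutil_output: str) -> set[str]:
    """Return the set of serial numbers the CA database records as issued."""
    found = re.findall(r'Serial Number:\s*"([0-9a-fA-F ]+)"', certutil_output)
    return {norm(s) for s in found}


def find_unissued_pkinit(events: list[dict], issued: set[str], ca_name: str) -> list[dict]:
    """PKINIT logons that name our CA as issuer but carry a serial it never issued."""
    hits = []
    for ev in events:
        if not ev["serial"] or ev["issuer"] != ca_name:
            continue  # password logon, or a certificate from another issuer
        if norm(ev["serial"]) not in issued:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_unissued_pkinit(EVENTS_4768, parse_issued_serials(CA_ISSUED), "CORP-CA"):
        print(f"ALERT: {ev['account']} authenticated with serial {ev['serial']} not in CA database")
```

The same check covers forged machine certificates, since a machine account's PKINIT logon is logged in 4768 with the same certificate fields.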