
Not sure what you meant by lower level mechanisms, but you can protect console logins and RDP with 2FA: https://duo.com/docs/rdp

https://help.duo.com/s/article/1084?language=en_US

net commands, Kerberos tickets, etc. You can really only 2FA web interfaces, VPNs, RDP and interactive console logons. You can 2FA LDAP, but it's a real pain to do so (I've seen it done).

Just think of any backend protocol that the system uses. The vast majority of those can't be 2FA'ed. This is not Windows specific either. The same is true for almost all protocols.

This is why most companies buy firewalls and VPNs and only 2FA the VPN. That meets most compliance requirements and is simple to do. Is it secure? Probably not, but it checks the box (makes audit happy), so buy compromise insurance and move on.

You can firewall the backend services and use 2FA to temporarily open them for a specific workstation.

Those don't apply to "SMB and ldap", nor Kerberos. The only way to get 2FA on an Active Directory domain is with PKI.