Can I lock all Domain Admin roles using Active Roles?

Is it possible to completely lock out all domain admin roles using Active Roles? We need to lock our AD so that no one can connect to or access the AD other than via QAR.

  • You shouldn't block native DA permissions but you definitely should control access to the DA group. Have you seen the Just In Time Privilege Elevation integration with Safeguard? This will allow admins to have accounts that can be DAs but aren't in the group until needed. They would just check out their account, then the integration uses a combination of a virtual attribute and a dynamic group to make sure they get the right access. When they're done they check their priv account back in and group membership is stripped, password is changed, and the account is disabled when not in use. Here's a video link of the process.

    https://youtu.be/3U4S7inJvs0?si=4MEYCy2Z9JyU_Zwe
