If you expand and what's next is not clear.
Generally the general meaning. There is a central VPN server and many VPN clients that are depleted into one network.
1. Central office PPTP/IPSEC/OVPN and so on as a central server.
2. Install a router in mini offices and connect to the central office via VPN.
You can build everything on Mikrotiks, there is eoip + IPSec, it will perfectly connect everything into one network, but it has its own pitfalls in the form of unnecessary broadcasters and other things.

Here the task is divided into two parts (well, at least I didn’t solve it completely in one go)
Part 1 - one big microtic is installed in the office, which will drag the VPN on itself. It must have a white IP. Take a model with hardware encryption such as RB1100AHx2 (if it is already outdated, then take what is recommended instead)
- connecting constantly working mini-offices to AD. Using Mikrotik to the office and setting up a permanent VPN on IPSec - this will give a permanent connection to the office network as if it were in a neighboring subnet.
- Linux, Android tablets, Apple products - via IPSec in roadwarrior mode. There is a lot of documentation on the strongswan website, Mikrotik is also Linux and there is also either a shwan or an older rakun, so the documentation will do for setting up, well, Mikrotik has its own.
Part 2
- Windows - I still don't know how to hook it up to IPSec, but it can be connected to PPTP by forwarding it to some Windows server.

Depends on the country and possible regulatory requirements. In general, AD does not trivially fall on mixed infrastructures, there are many pitfalls and difficulties with various services.
If your AD is only for authorization and you are not in the Russian Federation (or the risks of disabling all this stuff are not too great for you), I would look towards azure ad and office 365.
The second option is to build a vpn network. Here you get like a virtual office.
The third option, public AD, is theoretically feasible, but I have not come across this, probably from a security point of view, this is extremely non-trivial.
There is also a hybrid of the second and third options based on ipv6, but here you need a person who is very well versed in this.

Obvious ovpn as service centered in DC. Or windows direct access (essentially the same)

MS has RRAS on which you can implement DirectAccess or VPN AnyWhere
VPN AnyWhere - supported by MS clients "out of the box" ... this is stupid SSTP or IKEv2 VPN
The client tries to raise the connection if it understands that it is not in the domain network.
It is possible for a remote client to make an off-line join to the domain, send the VPN connection config and it is in your domain.
DirectAccess - Required Windows7,8,10 Enterprise is configured only by group policies. Works over HTTPS. IPv6 over HTTPS
PKI required.
If you like OVPN, then both technologies are absolutely comparable with it in terms of speed, so you won’t notice the difference.
Linux and Mac users don't really fit in here, but you can get them via SSTP. DirectAccess and VPN can co-exist on the server.
Another option is Terminal Server + VPN. Users connect remotely via VPN, and then RDP to TS. There are RDP clients for almost any OS.
In general, everything has its own nuances: requirements for data availability, downtime, security. For example, should a person with a domain computer and an unencrypted disk roam anywhere, or is VPN and RDP still the right solution. Or, if you encrypt, then what to do when he turns it into a "brick". How to distribute settings on Linux and Mac - you can’t pull the screw GP on them. And if they can without a domain, then why should they bring the rest to the domain?