I did this during the COVID lockdown in NZ last year. There are some things to keep in mind:
Your DNS servers need at least one member of the domain to be available on Zerotier; this is usually AD integrated, so that gives you an AD on the Zerotier network.
If you are using an external DNS provider, then you can set the names of all of the internal servers, including the AD and other file servers, to be the Zerotier addresses for them.
This way, when a user is in the outside world, their DNS lookups will point at your internal servers, including the AD.
So, if your systems can cache credentials and other bits, the user can log in and find themselves looking at something that looks the same as being at work. Some bits, like group policy and password changes, can be a little hit and miss as they need to be connected via ZT for it to work.
Make sure your AD DNS servers do not broadcast the ZT network locally to your local clients, with the exception of the one which must. This means you must make all non-ZT DNS ADs [still using ZT] not respond or listen to DNS requests on the ZT interface. You also need to remove the ZT entries from AD DNS. For the system which is the master, let it talk via DNS on ZT.
If you’re careful, you will have a network talking over ZT, and local clients will be kept away, for the most part, from addresses that cannot respond to them.
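The per-server part of the above (non-master AD DNS servers must neither listen on nor advertise their ZT address), as an added example that is not from the original post. It assumes Windows Server with the DnsServer module, a ZeroTier adapter whose alias or description starts with "ZeroTier", and that the AD zone name equals the host's DNS domain ($env:USERDNSDOMAIN); it is meant for the non-master DCs only.

```powershell
# Added example, not from the original post. Run on each NON-master AD DNS server that is
# also a ZeroTier member, so it stops answering and advertising DNS on the ZT interface.
# Assumptions: ZT adapter alias/description starts with "ZeroTier"; zone = $env:USERDNSDOMAIN.
$ztAdapters = @(Get-NetAdapter | Where-Object { $_.Name -like 'ZeroTier*' -or $_.InterfaceDescription -like 'ZeroTier*' })
if ($ztAdapters.Count -eq 0) { throw 'No ZeroTier adapter found; nothing to do.' }

# IPv4 addresses currently assigned to the ZT adapter(s)
$ztIps = @(Get-NetIPAddress -InterfaceIndex $ztAdapters.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty IPAddress)

# 1. Stop the DNS client re-registering the ZT address into AD DNS after we delete it.
foreach ($a in $ztAdapters) {
    Set-DnsClient -InterfaceIndex $a.ifIndex -RegisterThisConnectionsAddress $false
}

# 2. Restrict the DNS service to the non-ZT addresses. An empty list means "listen on all
#    interfaces" (which would re-expose ZT), so the list is always built explicitly.
$listen = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notin $ztIps -and $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress)
if ($listen.Count -eq 0) { throw 'Refusing to leave the DNS server with no listen addresses.' }
& dnscmd.exe . /ResetListenAddresses @listen   # dnscmd reports whether a DNS service restart is needed

# 3. Remove A records in the AD zone that point at this server's own ZT address(es).
$zone = $env:USERDNSDOMAIN
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -in $ztIps } |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force

# Verify: the listen list must not contain a ZT address any more.
$leak = @((Get-DnsServerSetting -All).ListeningIPAddress | Where-Object { $_ -in $ztIps })
if ($leak.Count) { Write-Warning "DNS still listening on ZT address(es): $($leak -join ', ')" }
else { Write-Host "OK: DNS is not listening on ZT; ZT A records for this host removed from $zone" }
```

The master DC is deliberately left untouched: per the post it is the one server that keeps answering DNS over ZT, so do not run this on it.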