You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.
Open the Control Panel on a domain controller.
Open the Add or Remove Programs applet.
Click on Add/Remove Windows Components.
Check the box beside Certificate Services and click Yes to verify.
Select the type of authority you want the domain controller to be (select Enterprise root CA if you are unsure) and click Next.
Type the common name for the CA, select a validity period, and click Next.
Enter the location for certificate database and logs and click Next.
After the installation completes, click Finish.
Now open the Domain Controller Security Policy GPO.
Navigate to Computer Configuration → Windows Settings → Security Settings → Public Key Policies.
Right-click on Automatic Certificate Request Settings and select New → Automatic Certificate Request.
Under Certificate Templates, click on Domain Controller and click Next.
Right-click on Automatic Certificate Request Settings select New → Automatic Certificate Request.
Under Certificate Templates, click on Computer and click Next.
After domain controllers obtain certificates, they open up ports 636 and 3289. Port 636 is for LDAP over SSL/TLS and port 3289 is used for the global catalog over SSL/TLS. See Recipe 14.2 for more information on how to query a domain controller using SSL/TLS.