I'm trying to enable LDAP over SSL for some LDAP binds from applications and have some questions after reading some information online (some say that the MS article is wrong - https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx - and I also checked this: https://www.trustzone.com/microsoft-ad-ldap-2012/).

So I had used LDAPS some time ago and just wanted to brush up on things! Hope someone can check if I'm thinking clearly :-)

So first I created the template as described in the article, duplicating the Kerberos one and making the appropriate changes.

Then, before going on, I checked all the information and wanted to make sure that I'm thinking correctly. In my other work, when I used LDAPS I never imported to the NTDS/Personal store, and if I remember correctly I was calling the domain controller by name, not the domain per se, for example dc1.domain.local and not domain.local.

As for the article, my understanding is that using the NTDS/Personal store I will import all the certificates I request on each domain controller, and then when I make the LDAP connection to the domain name, as in the example domain.local, the domain controller that answers it will have the certificate (it was requested there), and also the NTDS store for the domain contains all the certificates for each domain. Is my understanding correct?

When I need to renew them (and I think they will renew automatically because I requested them from the Certificate Store, or manually), I will re-import them to the NTDS/Personal store.

Is the theory correct? :-)
Thank you in advance for the help!
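The question above hinges on two things that can be verified from the client side rather than reasoned about: which certificate a given domain controller actually presents on port 636, and whether that certificate carries the name the application will connect to (the DC's own FQDN, the domain name, or both), the Server Authentication EKU, and a chain the client trusts. The following PowerShell probe is an added example and is not part of the original post or of the linked articles. It assumes a reachable DC, and the host names `dc1.domain.local` and `domain.local` in the usage lines are taken from the post as placeholders; the SAN parsing relies on the `DNS Name=` labels that Windows uses when formatting the extension, which is an assumption about the platform.

```powershell
# Added example (not from the original post): open a TLS session to a DC's LDAPS
# port and report the certificate it presents, so the NTDS/Personal store choice
# can be checked against what clients really see.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # name the application will use, e.g. dc1.domain.local
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to ${Server}:${Port}"
        }
        $client.EndConnect($async)

        # Accept whatever the server sends during the handshake; trust and name
        # checks are done explicitly below so a misconfigured DC still yields its
        # certificate for inspection instead of an opaque handshake failure.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17): the names clients may connect with.
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $dnsNames = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }

        # Extended Key Usage: LDAPS requires Server Authentication (1.3.6.1.5.5.7.3.1).
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

        # Build the chain against this machine's trust store, including revocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Server            = $Server
            Protocol          = $ssl.SslProtocol
            Subject           = $cert.Subject
            Issuer            = $cert.Issuer
            NotBefore         = $cert.NotBefore
            NotAfter          = $cert.NotAfter
            Thumbprint        = $cert.Thumbprint
            SubjectAltNames   = $dnsNames
            NameMatches       = ($dnsNames -contains $Server)
            HasServerAuthEKU  = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
            ChainTrusted      = $chainOk
            ChainStatus       = if ($chainStatus) { $chainStatus } else { 'OK' }
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

# Usage: probe the DC by its own name and by the domain name (placeholders from the post).
# Run the domain-name probe several times; DNS round-robin may hand you different DCs,
# each of which must present a valid certificate of its own.
Test-LdapsCertificate -Server 'dc1.domain.local' | Format-List
1..3 | ForEach-Object { Test-LdapsCertificate -Server 'domain.local' } | Format-Table Server, Subject, NameMatches, ChainTrusted, NotAfter
```

Run against each DC, `NameMatches` and `HasServerAuthEKU` should both be `True`, and `ChainTrusted` should be `True` with `ChainStatus` of `OK`; a `False` in `NameMatches` when connecting by the bare domain name is exactly the symptom of a certificate that was issued for the DC FQDN only. Re-running the probe after a renewal also shows whether the DC has picked up the new certificate (compare `Thumbprint` and `NotAfter`) or is still serving the old one from whichever store it selected.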