Enable Role as AD Certification Authority, what can go wrong?

Solution 1:

Installing a full-fledged certificate authority in order to sign a single certificate for your domain controller seems like a lot of effort for not a lot of gain. If all you need is LDAPS on a single domain controller, your time may be better spent just purchasing a 3rd-party certificate (there are CAs that offer free certificates as well), assuming your domain name is one that you actually own and not something like corp.local. Here are a couple of docs that can help:

  • Requirements for domain controller certificates from a third-party CA
  • Enable LDAP over SSL with a third-party certification authority

If you can't use a public CA for whatever reason, I'd still probably opt for something like New-SelfSignedCertificate rather than installing ADCS for a single cert.

To answer your questions:

  • No, AD will not stop accepting unencrypted connections after adding a certificate. The TLS encrypted services run on different ports.
  • I'm not sure what you mean exactly by "established certificates". But generally no, installing ADCS doesn't mess with existing cert stores other than to add the new root CA certificate as trusted.
  • Other servers will fail to connect if they have been configured to use TLS and have not been configured to trust the CA root certificate (unless they've also been configured to disable certificate validation, which is generally a bad idea). (This is another benefit of a public certificate: it will already be trusted by clients.)
  • Your VPN is unlikely to start using LDAPS for authentication unless you configure it to do so. But once you do, yes, VPN authentication will be dependent on properly functioning TLS.
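As an added example (not part of the answer above, and not Microsoft's own script), here is the New-SelfSignedCertificate route for a single DC, followed by a check that shows the two points in the answer: port 389 keeps answering in the clear, and a client that has not imported the self-signed certificate into its Trusted Root store fails TLS validation on 636. The DC name dc01.corp.example.com, the 2-year lifetime and the export path are assumptions; change them for your environment. Run it in an elevated PowerShell session on the DC.

```powershell
# Added example, not from the original Q&A. Assumptions: the DC's FQDN below,
# a 2-year lifetime, and %TEMP% as the export location.
$DcFqdn = 'dc01.corp.example.com'   # assumption: your domain controller's FQDN

# 1. Self-signed cert that meets the DC LDAPS requirements from the linked docs:
#    - issued to the DC FQDN (subject and SAN)
#    - Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
#    - private key in the Local Computer "Personal" (My) store
$cert = New-SelfSignedCertificate -DnsName $DcFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2)

# 2. Export the public part only (no private key). This .cer is what each
#    client imports into Trusted Root; until it does, TLS validation fails.
$cerPath = Join-Path $env:TEMP "$DcFqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
# On each client (not the DC):
#   Import-Certificate -FilePath '.\dc01.corp.example.com.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'

# 3. Verification. The DC picks a suitable certificate from the Local Computer
#    Personal store; if 636 still does not answer, a restart of the DC is the
#    usual fix. The SslStream default validation callback enforces chain and
#    hostname checks, so it fails exactly where an untrusting client would.
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Trusted    = $true
            Subject    = $remote.Subject
            NotAfter   = $remote.NotAfter
            Thumbprint = $remote.Thumbprint
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Chain or hostname validation failed: the client does not trust this cert.
        [pscustomobject]@{ Server = $Server; Trusted = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Dispose()
    }
}

# Plain LDAP is still reachable after adding the certificate (different port).
Test-NetConnection -ComputerName $DcFqdn -Port 389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# LDAPS: Trusted=$true on the DC itself (the cert is in its own store);
# Trusted=$false on any machine that has not imported the .cer yet.
Test-Ldaps -Server $DcFqdn
```

Running Test-Ldaps from the VPN appliance's point of view (or from any server that will talk LDAPS to this DC) before switching it over is the cheapest way to find the trust failures the answer describes, and the NotAfter column is what to put on a calendar, since a self-signed certificate has no CA to renew it for you.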