find the client responsible for the schannel ldap error
Built-in you can't find easily the source of the message.
You need tcpdump, microsoft network monitor or wireshark to find the machine causing the error. (many thread told the same, there, there or there (See in the comment the answer to George about tcpdump))
If you are able to capture the traffic flowing to DC for analysis then you can use Wireshark's packet search to find certificates being presented.
This wireshark filter looks for certificate exchange and filters out anything issued by "LDAP SSL test", this would allow you to find certs not issued by your domain.
(ssl.handshake.type == 11) && !(x509sat.uTF8String == "LDAP SSL test")
I don't have an AD example to work on so that is using a standard LDAP over TLS pcap from the wireshark samples page.