Active Directory TLS
The certificate will enable LDAPS on port 636. Active Directory uses sign and seal and is already secure when using port 389. Yes, they can coexist at the same time.
This article should help explain LDAPS. http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
This article explains how to use a third-party certificate to enable LDAPS: https://support.microsoft.com/en-us/kb/321051
According to this article, the certificate must be issued to the FQDN of the server, so a wildcard certificate might not work: https://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx
You don't need a commercial certificate to secure LDAP in Active Directory; all computers accessing it will by definition be domain members (*), thus you can use Windows' own Certificate Services to build an AD-integrated certification authority, which will be automatically trusted by all users and computers in the domain.
(*) Should you need to perform LDAP queries from a non-domain-joined device, you'll simply need to import the root certificate of your CA into its store of trusted certificates.
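A small client-side check that ties the two answers together, added here as an example and not code from either answer or from Microsoft: it connects to a domain controller on port 636 with hostname verification against a CA file (the imported root certificate mentioned above), and then classifies whether the presented certificate names the DC's FQDN exactly or only through a wildcard, the distinction the TechNet article makes. The `fetch_ldaps_cert` function needs network access; the sample certificate dictionaries are constructed for illustration, in the shape Python's `getpeercert()` returns, and the hostnames in them are made up.

```python
"""Check a domain controller's LDAPS certificate (port 636) for the two
requirements discussed above: it must chain to a CA the client trusts, and it
must be issued to the DC's FQDN rather than only to a wildcard name."""
import socket
import ssl
import sys
from typing import Dict, List, Optional

LDAPS_PORT = 636


def cert_dns_names(cert: Dict) -> List[str]:
    """Collect DNS names from a certificate dict in the shape returned by
    ssl.SSLSocket.getpeercert(): SAN dNSName entries plus the subject CN."""
    names: List[str] = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower().rstrip("."))
    # subject is a tuple of RDNs, each RDN a tuple of (type, value) pairs
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower().rstrip("."))
    return names


def classify_name_match(cert: Dict, fqdn: str) -> str:
    """Return 'exact' if the DC's FQDN appears literally in the certificate,
    'wildcard-only' if it is covered only by a *.parent-domain name (which
    the TechNet article suggests AD may not accept), or 'none'."""
    fqdn = fqdn.lower().rstrip(".")
    names = cert_dns_names(cert)
    if fqdn in names:
        return "exact"
    parent = fqdn.split(".", 1)[1] if "." in fqdn else ""
    for name in names:
        if name.startswith("*.") and name[2:] == parent:
            return "wildcard-only"
    return "none"


def fetch_ldaps_cert(fqdn: str, cafile: Optional[str] = None,
                     timeout: float = 5.0) -> Dict:
    """Open a TLS connection to fqdn:636 and return the peer certificate.
    cafile is the exported root certificate of the AD-integrated CA (or None
    to use the system trust store). Hostname checking stays on, so a
    certificate issued to the wrong name or an untrusted issuer raises
    ssl.SSLCertVerificationError instead of silently succeeding."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((fqdn, LDAPS_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def check_dc(fqdn: str, cafile: Optional[str] = None) -> str:
    """Live check: fetch the DC's certificate and classify its name match."""
    return classify_name_match(fetch_ldaps_cert(fqdn, cafile), fqdn)


# Constructed sample peer-certificate dicts (not captured from a real DC),
# in the shape getpeercert() returns; hostnames are made up.
SAMPLE_FQDN_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
}
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.corp.example"),),),
    "subjectAltName": (("DNS", "*.corp.example"),),
}


if __name__ == "__main__":
    # usage: python ldaps_check.py dc01.corp.example [root-ca.pem]
    host = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"{host}: name match = {check_dc(host, ca)}")
```

Run it from a non-domain-joined machine with the exported root certificate as the second argument; a verification failure there means the client does not yet trust the CA, while a `wildcard-only` result means the certificate was not issued to the DC's own FQDN.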