LDAPS is automatically enabled when you install an Enterprise Root CA on a Domain Controller. If you install the AD-CS role and specify the type of setup as “Enterprise” on a DC, all DCs in the forest will automatically be configured to accept LDAPS.
If you want to secure the connection, you may consider configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Policies for your reference:
Policy Setting: "Domain controller: LDAP server channel binding token requirements"
Policy Setting: "Domain controller: LDAP server signing requirements"