On Sat, Feb 23, 2019 at 5:33 PM Ondra Machacek <omachace@redhat.com> wrote:
Hi,

Sorry, but this seems to be an Active Directory-specific issue. I would
suggest asking on a Microsoft AD-specific forum about such an issue.


I'm far from being an AD expert, but digging a bit, it seems that the question is actually wider.
In the sense that deploying a certificate and opening LDAP services for bind and authentication is an optional thing on a Windows domain.
And in my case the domain I have to join doesn't have them deployed.
I found an interesting blog here:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Some extract about LDAP activation notes:
"

By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials.
. . .
Note:
Only LDAP data transfers are exposed. Other authentication or authorization data using Kerberos, SASL, and even NTLM have their own encryption systems. The Microsoft Management Console (mmc) snap-ins, since Windows 2000 SP4, have used LDAP sign and seal or Simple Authentication and Security Layer (SASL), and replication between domain controllers is encrypted using Kerberos.
"

So the situation is that oVirt/RHV can currently interact with AD only through an LDAP bind that travels in the clear by default on AD, hence the need to enroll a certificate on AD and enable LDAPS or StartTLS.
It could be interesting to enable other means of AD integration, like vSphere already does: joining the AD domain and so using natively encrypted SSO communication.
An interesting article here from Nakivo:
https://www.nakivo.com/blog/vmware-vsphere-active-directory-integration/

Any ongoing effort to go in this direction? Samba could join a Windows domain with minimal effort, I think...
Thanks,
Gianluca
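The message above boils down to one question a practitioner has to answer before pointing oVirt's LDAP provider at a domain controller: does this DC offer encrypted LDAP at all (LDAPS on 636, or the StartTLS extended operation on 389), and with a certificate the engine host trusts? The following script is an added example written for this page; it is not code from the thread, from oVirt/RHV, or from the Microsoft article. It uses only the Python standard library, hand-encodes the one LDAP request it needs (RFC 4511 StartTLS, OID 1.3.6.1.4.1.1466.20037), and never performs a bind, so no credentials are sent while probing. The host name `dc1.example.test` is hypothetical, and the two sample responses (`SAMPLE_OK`, `SAMPLE_REFUSED`) are constructed bytes for offline checking, not captures from a real DC; the resultCode and text in the refusal are illustrative, and real DCs vary.

```python
"""Probe an AD domain controller for encrypted LDAP before configuring oVirt's
LDAP provider: TLS on 636 (LDAPS) and the StartTLS extended operation on 389.
Standard library only; no bind is attempted, so no credentials leave this host.
Sample responses below are constructed, not captured from a real DC."""
import socket
import ssl
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


# --- minimal BER encoding/decoding for the single LDAP exchange we need ------

def ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    """INTEGER in minimal two's-complement form (room kept for the sign bit)."""
    return ber_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = ber_tlv(0x80, STARTTLS_OID.encode("ascii"))  # context tag 0, primitive
    ext_req = ber_tlv(0x77, request_name)                         # 0x40|0x20|23, constructed
    return ber_tlv(0x30, ber_int(msg_id) + ext_req)               # outer SEQUENCE


def ber_read(data, pos=0):
    """Read one TLV at pos -> (tag, body, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def parse_starttls_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse.
    resultCode 0 means the DC accepted StartTLS and a TLS handshake may follow."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x78:                       # ExtendedResponse is [APPLICATION 24]
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = ber_read(op)           # ENUMERATED resultCode
    _, _matched, pos = ber_read(op, pos)  # matchedDN (unused)
    _, diag, _ = ber_read(op, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real DC): a success, and a
# refusal of the shape a DC with no usable server certificate might return.
# The resultCode 2 (protocolError) and the text are illustrative only.
SAMPLE_OK = bytes.fromhex("300c020101" "7807" "0a0100" "0400" "0400")
SAMPLE_REFUSED = bytes.fromhex("3017020102" "7812" "0a0102" "0400" "040b") + b"unsupported"


# --- live probes (only run from the command line) -----------------------------

def probe_ldaps(host, port=636, timeout=5.0):
    """TLS handshake on the LDAPS port with default certificate verification,
    the same check the oVirt engine host will have to pass. Returns a verdict."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"LDAPS ok, certificate subject {tls.getpeercert().get('subject')}"
    except ssl.SSLCertVerificationError as exc:
        return f"LDAPS answers but its certificate is not trusted here: {exc.verify_message}"
    except OSError as exc:
        return f"LDAPS unavailable on {host}:{port}: {exc}"


def probe_starttls(host, port=389, timeout=5.0):
    """Send StartTLS on the cleartext port and report the DC's resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        data = sock.recv(4096)            # the ExtendedResponse is a few dozen bytes
    _, code, diag = parse_starttls_response(data)
    return code, diag


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.test"  # hypothetical DC
    print(probe_ldaps(dc))
    code, diag = probe_starttls(dc)
    print("StartTLS", "accepted" if code == 0 else f"refused (resultCode {code}): {diag}")
```

Run it as `python3 probe_dc.py dc1.example.test` from the engine host. A DC that has never been issued a server certificate typically has nothing listening on 636 and answers StartTLS with a non-zero resultCode; a DC that has one but from a CA the engine host does not trust shows up as the "not trusted here" branch, which is the case the LDAP provider setup would also stumble on until that CA is imported. Either way the diagnosis is made without ever sending the bind password in the clear.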