
Well, startTLS is always preferred before ldaps, not only in AD. So maybe you can open a documentation bug, so we will properly describe how this DNS SRV server set works and what needs to be done to get it working properly.
Ok, I'll do that. I counted: that will be my 18th bug in my list (counting also the RFE and docs bugs, not only the software bugs; I didn't report all of them yet) for RHEV/ovirt... I should be paid by the Red Hat team ;) (by the way, I hope the stability of RHEV will increase)
Unfortunately no, I can only see that something's wrong with SSL.
That's also the only thing I saw.
'ovirt-engine-extensions-tool' logs would be more helpful.
Here it is: https://bpaste.net/show/a166df875909
Btw, did you install it via 'ovirt-engine-extension-aaa-ldap-setup'? There you can choose startTLS, so you can avoid typos in the configuration.
Yes that's what I did, I made a different profile for all cases, using the tool.