graberj
Yes, that was my understanding and I have just confirmed it with ldp.exe. If you use LDAPS (TCP/636) then your traffic is considered as already signed and your environment will not be affected. Just remember that there's also LDAP Global Catalogue 3268 and LDAP GC SSL 3269. If you are using port 3268, it will be affected the same as LDAP on port 389. So I would recommend enabling diagnostic logging and making sure you get no events 2889.
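An added example, not part of graberj's comment: one way to turn on the diagnostic logging recommended above and list which clients still trigger event 2889. The registry value name and the order of the event fields are not given on this page; they are assumptions taken from Microsoft's LDAP signing guidance and should be confirmed on your own domain controllers.

```powershell
# Added example; run in an elevated PowerShell session on a domain controller.
# Assumption: registry value name and event 2889 field order follow
# Microsoft's LDAP signing guidance (neither is stated on this page).
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '16 LDAP Interface Events'

# Level 2 makes the DC log one event 2889 per unsigned or cleartext bind.
Set-ItemProperty -Path $diagKey -Name $diagName -Value 2 -Type DWord

# Collect event 2889 from the Directory Service log for the last 24 hours.
$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Properties: [0] client "IP:port", [1] bind identity, [2] bind type
    $client = [string]$e.Properties[0].Value
    [pscustomobject]@{
        # Strip the trailing source port; also works for bracketed IPv6.
        ClientIP = $client -replace ':\d+$', ''
        Identity = [string]$e.Properties[1].Value
        BindType = switch ([string]$e.Properties[2].Value) {
            '0'     { 'SASL bind without signing' }
            '1'     { 'Simple bind without TLS' }
            default { "Unknown ($_)" }
        }
    }
}

# One row per client/identity/bind-type combination, busiest first.
$report |
    Group-Object ClientIP, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty result after a representative period (including monthly or batch jobs) is the condition the comment describes; set the value back to 0 afterwards to stop the extra logging.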
knppdmnq
Yes, that is correct. Based on what Alan has written in this article, the operating system will change the interpretation of the "ldapserverintegrity"="None" value. Today it is "Negotiate", but it will become "Require signing".
DDCP, if you mean the Default Domain Controllers policy, will not be changed.
This setting is a part of Security Settings, so it cannot come as an update in an ADMX template. It should be possible to create a custom ADMX template for this setting, but I would rather use GP Preferences and a registry key. No need to do it manually.