If you get the error "Cannot connect to a domain controller on the specified domain" when trying to vault a target account using the Windows Domain Service, check that the domain controller is running with a valid SSL certificate:
1. Launch Active Directory Administration Tool (Ldp.exe) from the domain controller.
2. Click Connection, then Connect.
3. Enter the IP/FQDN of the DC, set Port to 636, and select SSL.
4. Click OK.
If you get the "Can not open connection" error message, the domain controller has no SSL certificate.
A successful connection shows:
ld = ldap_sslinit("domain1", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
remaining output truncated...
followed by information about the SSL certificate on the domain controller.
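The Ldp.exe check above can also be scripted from a client so the result can be captured and compared across domain controllers. The following PowerShell script is an added example, not part of the original article or of any vendor tool: it opens TCP 636 to the host you name, completes the TLS handshake, and reports the protocol, cipher strength (the figure Ldp prints as "SSL cipher strength = N bits"), and whether the presented certificate is trusted, matches the name you connected to, is unexpired, and carries the Server Authentication EKU that an LDAPS certificate must have. The parameter names and the hostname you pass in are assumptions; nothing domain-specific is built in.

```powershell
# Added example (not from the original article): probe a domain controller's LDAPS
# endpoint and report what the TLS handshake reveals, roughly what Ldp.exe shows on a
# good connection. $DomainController and $Port are supplied by the caller (assumption).
param(
    [Parameter(Mandatory = $true)][string]$DomainController,
    [int]$Port = 636
)

# Server Authentication EKU; LDAPS clients reject DC certificates without it.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
    }
    catch {
        Write-Warning "TCP connect to ${HostName}:${Port} failed: $($_.Exception.Message)"
        Write-Warning 'Nothing is listening on the LDAPS port, or a firewall is blocking it.'
        return $null
    }

    # Accept the certificate during the handshake but record the policy errors Schannel
    # found, so the reason for a bad certificate is reported instead of hidden in an exception.
    $script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = { param($sender, $cert, $chain, $errors) $script:PolicyErrors = $errors; $true }
    $ssl = New-Object System.Net.Security.SslStream(
        $client.GetStream(), $false,
        ($callback -as [System.Net.Security.RemoteCertificateValidationCallback]))
    try {
        $ssl.AuthenticateAsClient($HostName)
    }
    catch {
        Write-Warning "TLS handshake with ${HostName}:${Port} failed: $($_.Exception.Message)"
        Write-Warning 'The DC accepted the TCP connection but has no usable certificate (Ldp.exe reports "Can not open connection").'
        $client.Close()
        return $null
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Does the certificate chain to a CA this client trusts?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    # Does it carry the Server Authentication EKU?
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }

    # Did the subject/SAN match the name we connected with? (Connecting by IP usually fails this.)
    $nameMismatch = ($script:PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0

    $result = [pscustomobject]@{
        Host           = $HostName
        Port           = $Port
        Protocol       = $ssl.SslProtocol
        CipherStrength = $ssl.CipherStrength
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        Expired        = ($cert.NotAfter -lt (Get-Date))
        NameMatches    = -not $nameMismatch
        ServerAuthEku  = $hasServerAuth
        ChainTrusted   = $chainOk
        ChainStatus    = $chainStatus
    }
    $ssl.Close()
    $client.Close()
    return $result
}

$probe = Test-LdapsEndpoint -HostName $DomainController -Port $Port
if ($probe) {
    $probe | Format-List
    if (-not $probe.ServerAuthEku) { Write-Warning 'Certificate lacks the Server Authentication EKU; LDAPS clients will reject it.' }
    if (-not $probe.ChainTrusted)  { Write-Warning "Certificate does not chain to a CA trusted on this host: $($probe.ChainStatus)" }
    if (-not $probe.NameMatches)   { Write-Warning "Certificate name does not match '$DomainController'; connect with the DC's FQDN." }
    if ($probe.Expired)            { Write-Warning 'Certificate has expired.' }
}
```

Save it as, for example, Test-Ldaps.ps1 and run `.\Test-Ldaps.ps1 -DomainController dc01.corp.example` (a placeholder name) from the machine that hosts the vault, since the chain and name checks depend on that machine's trusted roots and on the name it will use. A TCP failure points at the listener or a firewall rather than the certificate; a handshake failure is the "Can not open connection" case above, and on the DC itself you can confirm it by looking for a certificate in Cert:\LocalMachine\My that has a private key, the Server Authentication EKU, and the DC's FQDN in its subject or SAN.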