In some situations the domain controller used will not present a valid certificate (for example when tunnelling).
In 2.13 of the plugin this would produce a warning but would still work (the TLS channel was established and left open).
In 2.20 this is no longer the case and it is not possible to use an AD controller whose hostname does not match.
Ideally there should be an advanced option to either supply the expected hostname or to trust all hosts.
This is exceptionally useful for tests, as I notice the AD tests in the plugin disable all TLS in Samba and as such this is not exercising the code that will be used in the wild (as both Samba and AD require TLS).
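
A sketch of the "supply the expected hostname" option using the standard JSSE API. This is an added example, not the plugin's code: it opens the TCP connection to one address (such as the local end of a tunnel) and validates the certificate against a separately supplied name, so the trust chain and hostname checks stay on. The class name, method name, address, port and hostname are assumptions made up for illustration.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.List;

public class ExpectedHostTls {

    /**
     * Connects to connectHost:connectPort but verifies the server certificate
     * against expectedHost instead of the address actually dialled.
     */
    static SSLSocket connect(String connectHost, int connectPort,
                             String expectedHost, int timeoutMs) throws IOException {
        Socket raw = new Socket();
        try {
            raw.connect(new InetSocketAddress(connectHost, connectPort), timeoutMs);
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            // The host passed here names the TLS peer; it is what endpoint
            // identification compares against the certificate.
            SSLSocket tls = (SSLSocket) factory.createSocket(raw, expectedHost, connectPort, true);
            SSLParameters params = tls.getSSLParameters();
            // Enable RFC 2830 style hostname checking in the trust manager.
            params.setEndpointIdentificationAlgorithm("LDAPS");
            // Send the expected name as SNI so the server can pick the right certificate.
            params.setServerNames(List.<SNIServerName>of(new SNIHostName(expectedHost)));
            tls.setSSLParameters(params);
            // Throws SSLHandshakeException if the chain is untrusted or the name does not match.
            tls.startHandshake();
            return tls;
        } catch (IOException e) {
            raw.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed values: tunnel listening locally, certificate issued to the real DC name.
        try (SSLSocket s = connect("127.0.0.1", 1636, "dc01.corp.example", 5000)) {
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The default trust store still has to contain the CA that issued the controller's certificate; only the name being compared changes.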