Okay, first off --- the full Distinguished Name:
CN=NAME_XXXX,OU=XX,OU=XXXX,OU=XXXXXXXXXXX,DC=XXX,DC=local
Also, you have to specify the Base DNs to search --- if you do not do this, or use the default
DC=XXXX,DC=LOCAL
it will run too deep, it will STOP searching and fail.
SO, under the area for your LDAP Directories, set your Base DNs to search as close as possible to where it can find your users the fastest.
Do this as many times as needed to isolate, as closely as possible, the users that will be encrypted via LDAP enrollment:
OU=XXXXXXXXXXX,DC=XXX,DC=local
Do the very last one as DC=XXXX,DC=LOCAL as a catch-all.
Also ensure that the user for the LDAP lookups is a service account with adequate permissions to read from the LDAP servers.
Also, make sure you are using the correct protocol for your LDAP servers --- most Microsoft servers were switched from 389 (unsecure) to 636 (LDAPS); by default 2012 DCs do not allow unsecure LDAP.
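The post above recommends configuring several Base DNs, narrowest first, with the domain root as the last catch-all. The following Python is an added example (not from the original post or from any particular LDAP product) that derives that ordered list of search bases from a user's Distinguished Name and checks which configured base would cover a given user. The DNs it uses are constructed sample values; it does not contact a directory, so the bind over LDAPS on 636 with the service account is left to the product being configured.

```python
"""Derive ordered LDAP search bases from a user DN and check base coverage.

Added example: the DNs below are constructed sample values, not real directory
entries. RDN splitting honours backslash-escaped commas (RFC 4514), so a name
such as "Doe\, John" is not broken into two RDNs.
"""


def split_dn(dn):
    """Split a DN string into its RDN strings, respecting escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep escape + escaped char together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":                            # unescaped comma separates RDNs
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn):
    """Canonical form for comparison: AD DN matching is case-insensitive."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().upper()}={value.strip().lower()}"


def candidate_bases(user_dn):
    """Search bases from the user's own container up to the domain root.

    Narrowest base first (fastest lookup), domain root last (the catch-all),
    mirroring the recommended Base DN order.
    """
    rdns = split_dn(user_dn)
    bases = []
    for i in range(1, len(rdns)):
        suffix = rdns[i:]
        bases.append(",".join(suffix))
        if suffix[0].upper().startswith("DC="):   # reached the domain root
            break
    return bases


def is_under(dn, base):
    """True if `dn` lies strictly below `base` in the tree."""
    d = [normalize_rdn(r) for r in split_dn(dn)]
    b = [normalize_rdn(r) for r in split_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b


def covering_base(user_dn, configured_bases):
    """The deepest configured base that contains the user, or None.

    A None result means the user would never be found by a search limited to
    the configured bases, regardless of how many of them are listed.
    """
    hits = [b for b in configured_bases if is_under(user_dn, b)]
    if not hits:
        return None
    return max(hits, key=lambda b: len(split_dn(b)))


if __name__ == "__main__":
    # Constructed sample values.
    user = "CN=Jane Doe,OU=Staff,OU=Sales,OU=Users_Encrypt,DC=corp,DC=local"
    for base in candidate_bases(user):
        print(base)
    configured = ["OU=Users_Encrypt,DC=corp,DC=local", "DC=corp,DC=local"]
    print(covering_base(user, configured))
```

Run the script as-is to see the ordered Base DN list for the sample user; `covering_base` returns `None` for a user from a different domain, which is the case where the product's search would fail no matter how many bases are listed.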