As an aside, if you use DNS validation for the Let’s Encrypt certificates, you don’t need to have a public A/CNAME record for your hostname. I’ve posted some other information here on implementing DNS validation:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
This way, you could get a cert for ad.yourdomain.tld (or whatever), without having that domain resolve, on the public Internet, to your domain controller. Since I moved my DNS hosting to Cloudflare, I’ve used the technique I posted in the wiki for most of my internal resources. But now that I’ve put acme-dns onto my Neth box (as described in the first link), I think I’m going to move that way, so I don’t need to have as many copies of my Cloudflare API key floating around.