In Active Directory Certificate Services it is possible to configure certificates to autorenew prior to certificate expiration. This functionality (which is shipped with every Windows box) is called certificate autoenrollment.
Here is the link that describes how to enable autoenrollment functionality (which is disabled by default): https://technet.microsoft.com/en-us/library/cc770546.aspx
in your case, it is sufficient to use a certificate based on Kerberos Authentication certificate template (which is compatible with LDAPS) and enable autoenrollment GPO. Certificate template already contains Autoenroll permissions for Enterprise Domain Controllers global group. If GPO is configured properly, domain controllers will renew their LDAPS certificates after 80% of existing certificate's lifespan.
and here is a link that describes what is autoenrollment and how it works in details (for reference): https://technet.microsoft.com/en-us/library/cc778954(v=ws.10).aspx