No, you should not. LDAP is fundamental to many processes in Active Directory. For example:
- When you perform an interactive logon on a client, the client performs a series of DNS lookups to determine the best domain controller, then performs a series of tests on tcp/389.
- The Active Directory schema is downloaded to the client using LDAP on tcp/389.
- The Group Policy Client uses LDAP to retrieve the policy information component which is stored in Active Directory.
- Many of the command line tools and system-integrated management tools use LDAP (Active Directory Users and Computers, Active Directory Sites and Services, etc.).
- A TON of other stuff.
It's fairly easy to perform a network packet capture to confirm this.
It sounds like you may be confusing NTLM with Kerberos. It may be possible to use Kerberos in place of NTLM/2, although the client will attempt to fall back to NTLM/2 if Kerberos authentication is not possible.
Additionally, it is not possible to use only LDAPS tcp/636 in place of tcp/389 if you have certificates installed on your domain controllers. This would not provide any useful benefit, as LDAPS is primarily intended for applications that authenticate using a simple bind (username+password).
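The points in this answer (DC location via DNS, the tcp/389 checks, and the processes that depend on plain LDAP) can be observed from a domain-joined Windows client. The following PowerShell script is an added example, not code from the original answer; it assumes the `$Domain` value (defaulting to the client's own domain), a domain-joined client with the built-in DnsClient and NetTCPIP modules, and an elevated session so `Get-NetTCPConnection` can map sockets to owning processes.

```powershell
# Added example (not from the original answer): observe the client-side LDAP
# dependence described above. Run in an elevated PowerShell session on a
# domain-joined Windows client. $Domain is an assumption; override it with your
# own domain name. Uses only built-in cmdlets (DnsClient, NetTCPIP).

param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: the client's own domain
)

# 1. The DNS lookups a client performs to locate a domain controller:
#    SRV records under _msdcs advertise the DCs offering LDAP.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }

"Domain controllers advertised for LDAP in $Domain`:"
$srv | Format-Table NameTarget, Port, Priority, Weight -AutoSize

# 2. The tcp/389 (and, for comparison, tcp/636) reachability tests against each DC.
$results = foreach ($rec in $srv) {
    foreach ($port in 389, 636) {
        $t = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $rec.NameTarget
            Port             = $port
            Reachable        = $t.TcpTestSucceeded
        }
    }
}
"Port reachability:"
$results | Format-Table -AutoSize

# 3. Which local processes currently hold LDAP sessions. On a typical client you
#    will see lsass.exe (logon) and svchost.exe (hosting the Group Policy Client)
#    holding tcp/389 sessions, regardless of whether anything uses LDAPS.
$sessions = Get-NetTCPConnection -State Established -RemotePort 389, 636 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = $proc.ProcessName
            PID           = $_.OwningProcess
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    }
"Established LDAP/LDAPS sessions from this host:"
$sessions | Format-Table -AutoSize

# 4. Summary check: a DC reachable on 636 but not on 389 is the situation the
#    answer warns about (logon, schema download and Group Policy depend on 389).
$broken = $results | Group-Object DomainController | Where-Object {
    ($_.Group | Where-Object Port -eq 636).Reachable -and
    -not ($_.Group | Where-Object Port -eq 389).Reachable
}
if ($broken) {
    Write-Warning ("tcp/389 blocked but tcp/636 open on: " + ($broken.Name -join ', ') +
                   " - domain logon, schema download and Group Policy will fail or degrade.")
}
```

Run the script while a Group Policy refresh (`gpupdate /force`) or a fresh logon is in progress and step 3 will show the tcp/389 sessions those operations open; a packet capture filtered on port 389, as the answer suggests, will show the same traffic on the wire.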