I know my AD server host&port, and I want to install on my Ubuntu machine the CA certificate for the AD server.
How can I retrieve the CA certificate from the server?
It's really no different than getting a certificate from a website, since the initial SSL handshake is exactly the same. You can use the answer from here, but use the domain name and port 636 (the default port for LDAPS):
openssl s_client -connect example.com:636 -showcerts
Replace "example.com" with your domain name.
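The same retrieval as a script, added here as an example and not part of the original answer: it splits the `-showcerts` output into one file per certificate so issuer and fingerprint can be checked before anything is installed. The function names, the output directory and the `ad-ca.crt` file name are assumptions.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the original answer).

# split_chain OUTDIR: read `openssl s_client -showcerts` output on stdin and
# write OUTDIR/cert-1.pem, cert-2.pem, ... in the order the server sent them
# (leaf first). Prints the number of certificates found.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    rm -f "$outdir"/cert-*.pem          # drop files left by an earlier run
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside                        { print > file }
        /-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END                           { print n + 0 }
    '
}

# fetch_chain HOST PORT OUTDIR: connect once and split what the server presents.
# stdin is /dev/null so s_client exits after the handshake.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | split_chain "$3"
}

# describe_cert FILE: subject, issuer and SHA-256 fingerprint, to compare with
# a value obtained from the AD administrators over a separate channel. The
# handshake above is not authenticated, so the fingerprint check is what makes
# the certificate trustworthy.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Typical use on Ubuntu (example.com as in the answer above):
#   n=$(fetch_chain example.com 636 ./chain)
#   describe_cert "./chain/cert-$n.pem"     # last certificate the server sent
# If subject and issuer differ, the server did not send its root CA and the
# root has to be obtained from the CA itself. Once verified:
#   sudo cp "./chain/cert-$n.pem" /usr/local/share/ca-certificates/ad-ca.crt
#   sudo update-ca-certificates
```

`update-ca-certificates` only picks up files ending in `.crt` under `/usr/local/share/ca-certificates`.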