Reading the full help for Add-BitLockerKeyProtector:
"Active Directory Domain Services (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector."
It seems that the AD DS account is not compatible with the operating system, but the error with Enable-BitLocker seems to indicate something else.
Is there a way to implement TPM + AD DS account authentication to unlock OS volumes?