... No changes were made by anyone. I tracked the problem down to SSSD's not being happy with TLS when talking to AD.
After more research $BOSS discovered the AD hosts had issued themselves new certs, disabling the signed ones we were using. We had a two hour outage because of this. Thanks-no-thanks #MSFT! 😡
Generalistic and moderated instance.