@dmellor,
I tested copying the same service and then I changed the authorization source to a copy of my original (but using AD over SSL, port 636).
Before I got to where I am now, I had a problem close to yours, but that was because I was using port 636 with no security. Then I had the problem attached. It was solved by also using AD over SSL.
You also need to check whether your AD is listening for 636 requests, and check the Windows firewall.
In my case, everything related to authentication seems to work fine, but the roles are not retrieved. I can even browse the AD subtree from the authentication source primary tab.