Klaus Hartnegg
2016-Jun-12 17:25 UTC
[Samba] Hardened UNC Paths, Badlock, encryption defaults?
Hi,

Microsoft some time ago introduced Hardened UNC Paths, and in April published the Badlock security fixes, which seem to be related to that. Samba at the same time published versions 4.4.1 (and 4.4.2).

Even after reading the release notes of Samba 4.4.1 several times, I still do not know whether I must manually adjust smb.conf to be protected from these vulnerabilities.

What I do know is that Windows 10 cannot access the Netlogon share of samba-4.4.3 running as NT4-DC, unless I disable RequireMutualAuthentication and RequireIntegrity on the clients.

Is this the way it is intended to work, or should Samba with activated Badlock patches provide Authentication and Integrity? Would this configuration also work with older Windows clients (mostly Win7, but one has to be XP for a few more weeks)?

Is there a difference in UNC hardening and Badlock patches when Samba runs as NT4-PDC compared with running as AD-DC?

And probably related: can the connection from Windows to Samba be fully encrypted? I suspect this requires at least Windows 8 and Samba 4.4.2, right? Must Samba be running as AD-DC? Is full encryption default in that combination? If not, what must be done to activate it? Same as for activating Badlock protection?

Klaus