You will first need to create a registered LDAP server in ePO under Actions | Configuration | Registered Servers. Point it at the domain (the domain DNS name) rather than at a specific domain controller, so the lookup does not depend on a single DC being up and is not broken when that DC is decommissioned. The ePO server itself does not need to be a member of the domain it queries.
You can then use Encryption Users to assign users to systems just as you have done before. In the upper left of the LDAP picker there is a "Look in:" drop-down that lets you choose whether to select users from the domain you have registered or from the MDE user directory.
You can also use the Add Local Domain Users option in the product policy. This automatically assigns any Active Directory user who has previously logged in to that specific system. Do not assign more than 5000 users to any one system, because the Pre-Boot File System (PBFS) can run out of space; ideally user assignments are a one-to-one match of user to system, so a shared or kiosk machine does not accumulate every user who has ever logged in to it.
Password changes are captured only on a client system on which MDE is installed and where the user changing the password is the same user that authenticated at preboot; a password reset performed anywhere else (by a help desk, or on a system without MDE) is not captured. Specific information can be found in KB79339.
There is an option in the product policy under SSO that enables MDE to compare the password-last-set timestamp for the current user in AD (the pwdLastSet attribute) against the timestamp of the password stored for the preboot user. If they are out of sync, the user is prompted to lock and unlock the system so that MDE can capture the new password.
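The two checks above (the 5000-users-per-system limit and the AD pwdLastSet versus preboot-capture comparison) can be run proactively from the ePO side rather than waiting for the preboot prompt. The following PowerShell script is an added example and is not McAfee or ePO code. It assumes the RSAT ActiveDirectory module is installed, and it assumes a hypothetical CSV export of preboot user assignments named preboot-users.csv with the columns SystemName, SamAccountName and PrebootPasswordSet (the UTC time MDE last captured that user's password, in ISO 8601); the file name, column names and domain name are all illustrative.

```powershell
<#
Added example, not McAfee / ePO code.
1. Warns about any system with more than 5000 assigned users (PBFS space).
2. Compares AD pwdLastSet with the time MDE last captured each user's
   preboot password and reports users who are out of sync.
Assumed inputs: RSAT ActiveDirectory module; CSV columns
SystemName,SamAccountName,PrebootPasswordSet (UTC, ISO 8601).
#>
[CmdletBinding()]
param(
    [string]$ExportPath        = '.\preboot-users.csv',   # assumed export file name
    [string]$Domain            = 'corp.example.com',      # assumed; query the domain, not one DC
    [int]   $MaxUsersPerSystem = 5000
)

Import-Module ActiveDirectory -ErrorAction Stop
$inv = [System.Globalization.CultureInfo]::InvariantCulture
$utc = [System.Globalization.DateTimeStyles]::AdjustToUniversal

$rows = Import-Csv -Path $ExportPath

# 1. Over-assignment check: flag systems that exceed the per-system limit.
$rows | Group-Object SystemName | Where-Object { $_.Count -gt $MaxUsersPerSystem } |
    ForEach-Object {
        Write-Warning ("{0}: {1} users assigned (limit {2})" -f $_.Name, $_.Count, $MaxUsersPerSystem)
    }

# 2. Password-sync check, with one AD lookup per distinct user.
$cache = @{}
foreach ($row in $rows) {
    $sam = $row.SamAccountName
    if (-not $cache.ContainsKey($sam)) {
        $cache[$sam] = Get-ADUser -Identity $sam -Server $Domain `
                                  -Properties pwdLastSet -ErrorAction SilentlyContinue
    }
    $user = $cache[$sam]
    if (-not $user) {
        [pscustomobject]@{ SystemName = $row.SystemName; User = $sam; Status = 'NotFoundInAD'
                           ADPwdLastSet = $null; PrebootCaptured = $null }
        continue
    }

    # pwdLastSet is a Windows FILETIME; 0 means "must change password at next logon".
    $adSet = if ([int64]$user.pwdLastSet -eq 0) { $null }
             else { [DateTime]::FromFileTimeUtc([int64]$user.pwdLastSet) }
    $pbSet = [DateTime]::Parse($row.PrebootPasswordSet, $inv, $utc)

    $status = if ($null -eq $adSet)      { 'MustChangeAtNextLogon' }
              elseif ($adSet -gt $pbSet) { 'OutOfSync' }   # AD password newer than the preboot copy
              else                       { 'InSync' }

    [pscustomobject]@{ SystemName = $row.SystemName; User = $sam; Status = $status
                       ADPwdLastSet = $adSet; PrebootCaptured = $pbSet }
}
```

Run it as .\Check-PrebootSync.ps1 | Where-Object Status -eq OutOfSync to get the list of users who will be prompted to lock and unlock at their next login; those users can be told in advance, and systems flagged by the warning should have their assignments trimmed before the PBFS fills up. Comparing timestamps is the same signal the SSO option uses, so a user who shows InSync here should not be prompted.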