You want to understand how the Symantec Protection Engine (SPE) handles Active Directory (AD) authentication when multiple Domain Controllers (DCs) are configured in domaindnszones.
SPE uses the operating system's network stack to make LDAP connections to AD for authentication. If a DNS query, such as an nslookup, on domaindnszones.example.local returns the address of a DC that the OS is unable to connect to, then SPE will be unable to connect as well.
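
To find out which DC addresses the OS cannot reach, the following added example (not Symantec code) resolves the name through the OS resolver and attempts a TCP connection to every returned address. The port (389, the LDAP default), the timeout and all function names are assumptions made for this illustration.

```python
import socket

LDAP_PORT = 389  # Assumption: default LDAP port; use 636 if SPE is set up for LDAPS

def resolve_all(name, port=LDAP_PORT):
    """Return every unique (family, address) the OS resolver gives for name."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            name, port, type=socket.SOCK_STREAM):
        if (family, sockaddr[0]) not in seen:
            seen.append((family, sockaddr[0]))
    return seen

def can_connect(family, addr, port=LDAP_PORT, timeout=3.0):
    """TCP connect through the OS network stack, the same path SPE relies on."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)  # assumed timeout, tune for your network
            s.connect((addr, port))
        return True, ""
    except OSError as exc:  # refused, timed out, no route, ...
        return False, str(exc)

def check_dcs(name, port=LDAP_PORT, resolve=resolve_all, probe=can_connect):
    """Map each resolved DC address to (reachable, error_text)."""
    return {addr: probe(family, addr, port)
            for family, addr in resolve(name, port)}

def unreachable(results):
    """Addresses the resolver returned but the OS could not connect to."""
    return sorted(a for a, (ok, _) in results.items() if not ok)

if __name__ == "__main__":
    import sys
    # The default name is the example name used in the article.
    name = sys.argv[1] if len(sys.argv) > 1 else "domaindnszones.example.local"
    try:
        res = check_dcs(name)
    except socket.gaierror as exc:
        sys.exit(f"{name}: resolution failed: {exc}")
    for addr, (ok, err) in res.items():
        print(f"{addr}: {'reachable' if ok else 'UNREACHABLE (' + err + ')'}")
    sys.exit(1 if unreachable(res) else 0)
```

Run it on the SPE host itself, since the result depends on that machine's resolver, routing and firewall rules. A non-zero exit status means at least one returned DC address is one SPE may fail against.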