IF you have SEP's NTP installed on the DCs, can you do a test for me?
On a computer that's on the same subnet as the client computers that have problems seeing the DCs, open a comand prompt and run
ping -t dcipaddress
and let it run.
See if there are gaps in the pings..........
I have discovered that SEP will see itself as being attacked at times, and literally block all pings to and from everything for roughly 20 seconds or so. This is only with NTP installed. (other options settings like DOS, etc do not matter, this happens if NTP is installed and enabled under certain conditions)
If a workstation cannot ping a DC, it will not use it, and other side-effects such as scripts not running, policies not being applied and so on can result.
It's rare, so I don't expect it, but if it's happening, you will see gaps of about 5 or 6 ping "drops" while you run a ping -t to the DC and let it run all day.
Make sure ALL of your network drivers are current, and SEP is fully current (RU5) on ALL machines, servers, DCs, clients, etc.
Are there any "unusual" software packages installed on anything? Do the DCs do anything other than function as domain controllers?