Update on this,
We enabled BESRelay verbose logging on the root server, and we are now seeing a bind on 636 to the FQDN of the domain and not the DC, i.e. costco.local:636 vs dc1.costco.local:636.
We were never seeing an actual connection attempt/denial on the DC configured in BigFix; we were seeing traffic on port 3269.
At this point we will chuck it to being an issue on the infra and not much we can do with Bigfix at this point.
The “crazy part” though is that it’s sporadic… so coinflip on each connection attempt and you sometimes hit the same DC and are happy I guess?
Fun times!