
This is kinda weird. I have the Group Policy Management console installed on my Windows 7 workstation and I configure policies from there. Sometimes I do it directly on a domain controller, but most of the time I work with my management console. The thing is, the networking team detected that many random client computers are establishing connections to my computer at port 445 and also detected something running from my PC trying to change registry values on the clients. I recently created a GPO with a login script that copies some jpgs to a local folder on each client and changes the screensaver.
Is it even possible that somehow the GPO is pointing the script at my computer? I triple checked the GPO configuration and the login script is located at the GPO folder on SYSVOL. Any way to check that? DC is Windows Server 2008 R2.

Thanks a lot.

Black Lion

1 Answer


Check DNS. For now it looks like it is messed up.

The as-domain ("@") A resource record should always point to the nearest domain controllers, and should not point anywhere else. I.e. in the AD domain "example.com" there should be a DNS record "example.com. A dc.ad.dre.ss" for each domain controller, and there shouldn't be any other "example.com." A entries.

These records should be added automatically when you add a domain controller.

This is the way redundancy and distributed filesystem for SYSVOL is implemented. Clients connect to domain's sysvol via "\\example.com\SYSVOL", i.e. use domain FQDN to access it, and if everything is configured properly they'll end up talking with some domain controller.

Windows keeps sysvol files on different domain controllers in sync, so you could update GPOs on any controller, and they'll end up distributed to other DCs automatically. However, this is not done in realtime, and this is one of the reasons why GPOs might not work immediately after an update.

I want to mention some Samba4 AD controller behaviour here. Samba4 has no integrated provision for syncing files in SYSVOL, and you have to do this externally (usually this is done via rsync, maybe lsyncd). There are also problems syncing from a Samba4 DC to a Windows DC. For example, Zentyal DC (which is based on Samba4 and Debian) only supports syncing of SYSVOL from Windows to Zentyal or from Zentyal to Zentyal.

In any case, if you own a registered domain name "example.com", do not create an Active Directory with the same name, else you will not be able to use the naked "example.com" name for, say, a web site. This is a known MS AD drawback. Microsoft also doesn't recommend this; they recommend creating some subdomain and starting the AD tree from there.

Nikita Kipriyanov
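The two checks the answer describes (apex A records must belong only to domain controllers; the logon script must really be served from SYSVOL) can be scripted from the management workstation. The following PowerShell is an added example, not part of the original question or answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account can read SYSVOL, and that the GPO display name "Screensaver GPO" is a placeholder to replace with your own.

```powershell
# Added example (not from the original post). Assumes RSAT modules
# ActiveDirectory and GroupPolicy; "Screensaver GPO" is a placeholder name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$fqdn   = $domain.DNSRoot
$dcs    = Get-ADDomainController -Filter *
$dcIPs  = $dcs | ForEach-Object { $_.IPv4Address }
$dcNames = $dcs | ForEach-Object { $_.HostName }

# 1. Every A record on the domain apex ("@") must be a domain controller.
#    [System.Net.Dns] is used instead of Resolve-DnsName so this also runs
#    on Windows 7 / Server 2008 R2.
$apexIPs = [System.Net.Dns]::GetHostAddresses($fqdn) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           ForEach-Object { $_.IPAddressToString }

foreach ($ip in $apexIPs) {
    if ($dcIPs -contains $ip) {
        Write-Host "OK      $fqdn -> $ip is a domain controller"
    } else {
        Write-Warning "$fqdn -> $ip is NOT a domain controller; clients resolving the apex may reach the wrong host for \\$fqdn\SYSVOL"
    }
}
foreach ($ip in $dcIPs) {
    if ($apexIPs -notcontains $ip) {
        Write-Warning "DC $ip has no A record on the apex $fqdn"
    }
}

# 2. Confirm where the GPO's logon script actually lives. Logon scripts are
#    listed in User\Scripts\scripts.ini inside the GPO folder on SYSVOL as
#    lines of the form "<n>CmdLine=<path>" under [Logon].
$gpoName = 'Screensaver GPO'   # placeholder: your GPO's display name
$gpo     = Get-GPO -Name $gpoName
$iniPath = "\\$fqdn\SYSVOL\$fqdn\Policies\{$($gpo.Id)}\User\Scripts\scripts.ini"

if (-not (Test-Path $iniPath)) {
    Write-Warning "No logon scripts.ini found at $iniPath"
} else {
    foreach ($line in Get-Content $iniPath) {
        if ($line -match '^\d+CmdLine=(.+)$') {
            $cmd = $Matches[1].Trim()
            if ($cmd -match '^\\\\([^\\]+)\\') {
                # UNC path: the server part should be the domain FQDN or a DC.
                $server = $Matches[1]
                if (($server -ieq $fqdn) -or ($dcNames -contains $server)) {
                    Write-Host "OK      script $cmd is served from SYSVOL"
                } else {
                    Write-Warning "script $cmd points at '$server', which is not the domain or a DC"
                }
            } else {
                # Relative path: resolved inside the GPO's Scripts\Logon folder.
                Write-Host "OK      script $cmd is relative to the GPO folder"
            }
        }
    }
}
```

If both checks come back clean, the clients' SMB connections to the workstation are not explained by the GPO itself, and the next thing to look at is what the copied script does at run time (e.g. a hard-coded source path for the jpgs).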