You can achieve this by configuring the SRV records registered by the domain controller.
The NetLogon service of the domain controller registers two "types" of SRV records:
1. The site-specific records that allow clients on the same site to locate the domain controller.
2. The generic records that allow clients which do not know which site they are in, or have an IP address that doesn't belong to any subnet or site.
If you want the DC to be used only by clients which are in the same site as the DC (point 1), then you can instruct your domain controller NOT to register its generic records (point 2). In order to do that, follow these steps:
- Edit the group policy and find the following parameter: Computer Configuration > Policies > Administrative Templates > System > Net logon > DC Locator DNS record > Specify DC Locator DNS records not registered by the DCs.
- Enable this parameter and, in the field, type all the records that you don't want to see in the DNS (those keywords are explained here). So type the following (the separator is a space character): LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd.
- Do not delete DsaCname; this is used for replication.
- Restart the NetLogon service.
At this point your DC is invisible to clients outside of the site. But it is possible that clients picked up that DC before your changes. In that case you can just be patient: clients re-discover DCs every 12 hours, so after 12 hours you should only see clients from the same site.
Also, if applications have hardcoded this DC, they might still continue to use it (you can have a look here if that's a concern: https://learn.microsoft.com/en-us/archive/blogs/pie/how-to-detect-applications-using-hardcoded-dc-name-or-ip). But if that's a new DC, then the problem doesn't exist, since the applications will not have had the time to hardcode that DC yet.
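The following PowerShell script is an added verification example, not part of the answer above: it queries DNS for the generic and the site-specific SRV records and reports whether the DC is absent from the former and still present in the latter, which is the state the procedure is meant to produce. The domain name `contoso.com`, the site name `Site-A` and the DC name `DC01` are placeholders to be replaced with your own values; the policy-backed registry location read at the end is an assumption about where the GPO setting lands and is only consulted when the script can reach the DC.

```powershell
# Added example: check that a DC no longer registers generic DC Locator SRV records
# but still registers its site-specific ones. Not from the original answer.
# Requires the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later).
param(
    [string]$Domain = 'contoso.com',   # placeholder: AD DNS domain name
    [string]$Site   = 'Site-A',        # placeholder: AD site the DC belongs to
    [string]$DcName = 'DC01'           # placeholder: hostname of the DC being hidden
)

$dcFqdn = "$DcName.$Domain"

# Generic (site-less) records: after the GPO change, the DC must NOT appear here.
$genericRecords = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

# Site-specific records: the DC MUST still appear here so clients in its site can find it.
$siteRecords = @(
    "_ldap._tcp.$Site._sites.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.$Domain",
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
)

# Returns the SRV targets (host FQDNs) registered under a DNS name, or an empty array.
function Get-SrvTargets([string]$Name) {
    try {
        $answer = Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop
        # A SRV query also returns the A records of the targets; keep only the SRV entries.
        @($answer | Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.') })
    } catch {
        @()   # NXDOMAIN or unreachable resolver: treat as "no targets"
    }
}

$findings = @()

foreach ($rec in $genericRecords) {
    if ((Get-SrvTargets $rec) -contains $dcFqdn) {
        $findings += "STILL GENERIC : $dcFqdn is registered in $rec"
    }
}

foreach ($rec in $siteRecords) {
    if ((Get-SrvTargets $rec) -notcontains $dcFqdn) {
        $findings += "MISSING SITE  : $dcFqdn is not registered in $rec"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $dcFqdn is hidden from generic records and present in site '$Site' records."
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output "Note: after changing the GPO, run 'gpupdate /force' and restart Netlogon on the DC, then wait for DNS replication before re-checking."
}

# Optional: show the policy-backed setting as seen on the DC itself.
# Assumption: the GPO writes DnsAvoidRegisterRecords under this Policies key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
try {
    $value = Invoke-Command -ComputerName $dcFqdn -ErrorAction Stop -ScriptBlock {
        param($key)
        (Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction Stop).DnsAvoidRegisterRecords
    } -ArgumentList $policyKey
    Write-Output "DnsAvoidRegisterRecords on $dcFqdn : $value"
} catch {
    Write-Output "Could not read $policyKey on $dcFqdn (remoting unavailable or value not set)."
}
```

Run it from any domain-joined machine; the DNS side of the check needs no special rights. Keep in mind that a DC that still shows up in the generic records immediately after the change is usually just the old dynamic registration waiting to be scavenged or overwritten by the next Netlogon registration cycle, and that clients keep their cached DC for the 12-hour interval mentioned above unless forced to re-discover (for example with `nltest /dsgetdc:<domain> /force` on the client).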