The use of AD in SEPM is clumsy and opaque. It is easy to get stuck.
For instance, the option to Sync a client group with an AD group does not really do that. You can ADD an AD group to your client tree, but once that is done then it will only show those clients who had Symantec installed at the time the AD group was added, which means you will end up with an out-of-date, useless client group list as computers are added to and deleted from the AD group on the DC.
In addition, the Remote Push setup wizard makes you select a group, but it is not clear at all why. The next page allows you to select an AD group or workgroup, but it seems to not get the information about the computers in the group from AD. Instead it does some kind of port scan, which for me does not find all of the computers whether they are offline or not.
Then if you try to add the missing computers by searching for a hostname, the result will be an IP address (i.e. NOT a hostname) added to the remote push list. You do know why we use hostnames for managing network clients rather than static IPs, right?
The client list under an AD group in SEPD should list ALL members of the corresponding AD group, with status adornments/notations etc. to indicate online/offline/SEP installed. Sync, if it is even needed, should reload that list from AD. If in doing that one of the managed computers is going to drop off the list, that is a special case the user needs to resolve, either by moving the client to another group (which probably already happened if the groups really are synced to AD) or removing it from the list.
And the remote push setup similarly should use the AD list as the starting point, rather than some port scan (for which the timeout setting is displayed too late to have any effect).