To limit the discovery to a single domain shouldn’t be a problem, but how about the IP subnets?
I’m still not sure how this would be done. The thing is, all we get from the ActiveDirectory (or domain) query is domain and computer name (Netbios name). Now we can do a DNS lookup for that host name - this should theoretically return its IP address (assuming the DNS names and NetBIOS names match - not always the case).

But what else? How should we recognize the hosts by subnets?