For the domain join, you can set the password servers to be used for each appliance in the service manager:
The default is that ClearPass will pick the fastest responding server, but if you want to better control it and for example prevent ClearPass in the datacenter to query a domain controller in a branch, this is how you do it.
For the Authentication Source, it might be that you need to create an Authentication source per ClearPass subscriber and create different services with those sources (same content like role-mapping and enforcement policies).
For these type of designs, please involve a qualified ClearPass partner or professional services as this should be considered an advanced configuration.