In Active Directory, identity sources that are not Global Catalogs are used for administrative operations, such as enabling users for on-demand authentication and risk-based authentication. If you are not using a Global Catalog, this type of identity source is also used for finding and authenticating users. This type of identity source also maps to a domain controller.
If you want to administer Active Directory domain users in Authentication Manager, you must add an identity source for each domain that contains users who will authenticate with Authentication Manager.
For example, if an Active Directory forest has three domains and one Global Catalog, and you want to authenticate users in two of the domains, you must add an identity source for each of the two domains.
Note: Authentication Manager supports up to 30 identity sources that are not Global Catalogs per deployment. This limit does not include using the internal database as an identity source.
An identity source that is not a Global Catalog can use group membership data from all three types of Active Directory security groups: Universal Security, Global, and Domain Local. Authentication Manager does not support distribution groups of any kind for restricted agent access.
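The group-type rule above can be checked before groups are assigned to restricted agents. The following is an added example, not part of the product documentation: it decodes the Active Directory `groupType` attribute and flags distribution groups. It assumes the groups were exported over LDAP as dictionaries with `cn` and `groupType` keys; the function names and sample entries are hypothetical.

```python
# Added example: decode AD groupType values and flag distribution groups,
# which cannot be used for restricted agent access.
SECURITY_ENABLED = 0x80000000          # set on security groups, clear on distribution groups
SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}


def classify_group(group_type):
    """Return (scope, is_security) for a raw groupType value.

    LDAP returns groupType as a signed 32-bit integer (often as a string),
    so security groups appear as negative numbers. Mask to 32 bits first.
    """
    value = int(group_type) & 0xFFFFFFFF
    scope = next((name for bit, name in SCOPES.items() if value & bit), None)
    if scope is None:
        raise ValueError(f"groupType {group_type!r} has no recognised scope bit")
    return scope, bool(value & SECURITY_ENABLED)


def unsupported_for_restricted_agents(entries):
    """Return (cn, description) for every distribution group in entries."""
    flagged = []
    for entry in entries:
        scope, is_security = classify_group(entry["groupType"])
        if not is_security:
            flagged.append((entry["cn"], f"{scope} distribution group"))
    return flagged


# Constructed sample data (hypothetical group names, values as LDAP returns them).
SAMPLE_ENTRIES = [
    {"cn": "VPN-Users", "groupType": "-2147483646"},      # Global security
    {"cn": "Server-Admins", "groupType": "-2147483644"},  # Domain Local security
    {"cn": "All-Staff", "groupType": "-2147483640"},      # Universal security
    {"cn": "Newsletter", "groupType": "8"},               # Universal distribution
    {"cn": "Team-Mail", "groupType": "2"},                # Global distribution
]

if __name__ == "__main__":
    for cn, reason in unsupported_for_restricted_agents(SAMPLE_ENTRIES):
        print(f"{cn}: {reason}, not usable for restricted agent access")
```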