In Active Directory, identity sources that are not Global Catalogs are used for administrative operations, such as enabling users for on-demand authentication and risk-based authentication. If you are not using a Global Catalog, this type of identity source is also used for finding and authenticating users. This type of identity source also maps to a domain controller.
If you want to administer Active Directory domain users in Authentication Manager, you must add an identity source for each domain that contains users who will authenticate with Authentication Manager.
For example, if an Active Directory forest has three domains and one Global Catalog, and you want to authenticate users in two of the domains, you must add an identity source for each of the two domains.
Note: Authentication Manager supports up to 30 identity sources that are not Global Catalogs per deployment. This limit does not include using the internal database as an identity source.
An identity source that is not a Global Catalog can use group membership data from all three types of Active Directory security groups: Universal Security, Global, and Domain Local. Authentication Manager does not support distribution groups of any kind for restricted agent access.
To support group-to-group membership in Active Directory, you must set the domain functional level to Windows 2003 or 2008. For more information about how to raise the domain functional level, go to http://support.microsoft.com/kb/322692.
Note: The default organizational unit “Groups” does not exist in the default Active Directory installation. Make sure you specify a valid container for the User Group Base DN when adding the identity source.