BJ,
Options include;
1. Export users and tokens in the Security Console - Administration.
Download your AM server's key first, then export the encrypted file destined for the same server because if will be encrypted with public key. When AD changes are done, and you have either repaired or re-created the AD external Identity source, you can import your users and tokens back in. At the time you perform the Tokens/User export, the file will contain assigned tokens and PINs if created, so changes after that won't be captured in the file.
2. Wait to perform any scheduled or Right Now External Identity Source clean-ups until after AD changes are made. A clean-up can often find and fix changes that only affect 1 critical field at a time, e.g. if the User last name changes, but other things remain same, this will be fixed immediately, or if User DN changes, but samaccountname, first and last names remain the same, we can fix that too. If multiple things change we might not be able to find and reconcile the users. So first option might be best, or at least used as a backup. You could remove your Identity sources, make AD changes, then add them back and see if AM can reconcile, and if not, import the Tokens/Users which should find the users because they will essentially be the same, and preserve the token assignments.
Refer to attached PowerPoint, which I do not believe is available in RSA Link, to gain some extra understanding of how the AM database uses a pointer called EXUID to something in the external Identity Source (typically ObjectGUID in AD) to find the user everytime an Admin looks them up, assigns them a token, as well as everytime they logon.
