AM looks to AD in real time.
The AM Operations Console configures External LDAP Identity Sources, up to 29 of them, each of which point to a User and a Group Base DN. A top level scope would see every UserID in a Domain, and possibly every item in AD. However it is scoped, when an AM Admin uses the Security console it is searching LDAP whenever it is displaying UserIDs from an external Identity Source.
When a user from AD authenticates to AM, AM looks up that user in real time. If the user does not exist in AD or the internal database you would see a logon failure due to 'failed to resolve user'. However if your connection from AM to AD breaks (you should configure a failover URL to another Domain Controller) every UserID in that Identity Source will fail with 'failed to resolve user'.
For sites with 10s of thousands of users, or more, it could be beneficial to configure a Global Catalog connection in addition to your Administrative Identity Source. GCs are used just for Authentication user lookups, not Admin work in the Security Console.
