I have many domains with many DCs and want to use this as external source for searching users and assign tokens.
Best solution would be using the global catalog.
I found the following information about admin sources.
In Active Directory, identity sources that are not Global Catalogs are used for administrative operations. Basically this presentation has been discussing Administrative Identity Sources so far. When you assign tokens, enable ODA or RBA within Authentication Manager, you are using an Administrative Identity Source.
An Admin Identity Source is required. If you do not have a Global Catalog Identity Source, then AM will also use the Admin Identity Source when users log in to authenticate with SecurID.
If you want to administer Active Directory domain users in Authentication Manager, you must add an identity source for each domain that contains users who will authenticate with Authentication Manager.
For example, if an Active Directory forest has three domains and one Global Catalog, and you want to authenticate users in two of the domains, you must add an identity source for each of the two domains.
If you have an Active Directory forest, and you configure multiple identity sources within it, you can optionally configure an Active Directory Global Catalog as an identity source that the other Active Directory identity sources can use for finding and authenticating users, and resolving group membership within the forest.
You must create the Admin Identity Source(s) first.
The GC is searched only during Authentication.
When using the AM Security console to do Administration work on a User, you would be using an Admin Source Identity Source. Optionally you can add a Global Catalog, which is only used to speed up Authentication lookups when users log in with SecurID. If you do not have a Global Catalog, authentications are done against the Admin source external Identity Source.
So is it not possible to search users and assign tokens with global catalog? There is a limit of 30 admin identity stores, right? What is the solution for more than 30 identity stores?
A GC can look up and respond to a userid lookup request faster than the Admin connection on busy systems, and is only needed if you have so much authentication work going on (thousands and thousands of logins per unit time) that adding GCs can save a user some wait cycles to process a login. If you truly have a large number of domains and unique DCs each with unique top level domains (they do not share the same forest) and that exceeds 30, you can add a new RSA Authentication Manager realm (a new primary with its own set of replicas, and its own license) and set up Trusted Realm authentication between them. All users are logging in seamlessly from anywhere, but they are managed on two separate RSA environments that can send authentications over to the other realm. This is one example of how RSA Authentication Manager can be scaled up massively.
Another way is: some customers who have well over 100,000 users in multiple domains have used 3rd party tools to create all their AD users as internal database users in RSA, and they do not use RSA LDAP connections at all. The 3rd party tool handles getting huge lists of users in and out of the RSA Auth Manager database about as seamlessly as if they did have LDAP connections. Logins with large numbers of users are as fast as possible since all lookups are internal. IBM Security Identity Manager is one example that can use the Admin SDK to build a connector to RSA, and creates/manages all internal database users you can assign authenticators to.