The question is when does RSA AM does the LDAP query/fetch to an Windows AD identity source? and is it a preset interval
AM looks to AD in real time.
The AM Operations Console configures External LDAP Identity Sources, up to 29 of them, each of which point to a User and a Group Base DN. A top level scope would see every UserID in a Domain, and possibly every item in AD. However it is scoped, when an AM Admin uses the Security console it is searching LDAP whenever it is displaying UserIDs from an external Identity Source.
When a user from AD authenticates to AM, AM looks up that user in real time. If the user does not exist in AD or the internal database you would see a logon failure due to 'failed to resolve user'. However if your connection from AM to AD breaks (you should configure a failover URL to another Domain Controller) every UserID in that Identity Source will fail with 'failed to resolve user'.
For sites with 10s of thousands of users, or more, it could be beneficial to configure a Global Catalog connection in addition to your Administrative Identity Source. GCs are used just for Authentication user lookups, not Admin work in the Security Console.
There is a PowerPoint overview of LDAP external Identity Sources, which you can download from the following Knowledge Base article
000033238 - How to create an external LDAP identity source in RSA Authentication Manager 8.1 SP1 or later
I can't attach files here, otherwise I would have.
Retrieving data ...