If your AD setup involves a multi-domain forest, you should specify one functioning credential as the
"bind DN/password", which is used to connect to AD to determine the full identity of the user being authenticated.
This allows them to just type in "joe" or "annie" as the user name, and have the system automatically figure out
that they are "joe@europe.contoso.com" and "annie@japan.contoso.com" respectively.
Without this value, users will have to type "joe@europe" and "annie@japan" (or "europe\joe") by themselves.
This field must be the full user principal name with domain name, like "joe@europe.contoso.com", or
a LDAP-style distinguished name, such as "CN=Joe Chin,OU=europe,DC=contoso,DC=com".