If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.
When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination are sent to the DC for both the user account and the computer account that are logging in. This is important, because if something happens to the computer account in AD, like someone resets the account or deletes it, you may get an error that say that a trust relationship doesn't exist between the computer and the domain.
In most cases, a Domain Controller will hold a copy of the Global Catalog.
A Global Catalog (GC) is a partial set of objects in domains in a forest.
If one fails, then the others will continue to offer authentication services without having to make one "primary" like you would have had to do in the NT4 days. These are also called Operations Master roles as well. If the server holding this role is offline, you won't be able to make changes to the AD namespace, which includes things like adding new child domains.