Recently did some digging for a customer and here are some of the questions and answers that I came up with, as well as info and articles to give more background.
Can we prove that setting the MaxConcurrentAPI to 10 is enough for long term performance? What can we monitor to insure we are not surprised or can be proactive in resolution?
I would take this as a 2 step approach, and the first is to figure what the theoretical value should be for each server and you can do this by following the steps in this article http://support.microsoft.com/kb/2688798 , you will first have to gather the performance counter information and then calculate the optimal value for each server. Then using the performance counters Semaphore Holders and Semaphore Hold Time monitor them while the server is underload (Probably be best if you monitor them for a couple of days on regular basis). If they are blank then you have configured settings correctly, if they have a value to them then you need to troubleshoot Netlogon and review the Architecture/Servers
What other servers should we add the MaxConcurrentAPI to?
Using the NetLogon Performance counters listed in this article http://support.microsoft.com/kb/2688798 review all SharePoint Servers and all Domain Controllers for domains that are used for authentication in SharePoint, any server where the counters Semaphore Holders and Semaphore Hold Time have a value greater than 0 you will want to find the optimal value using the same article and then set MaxConcurrentAPI
Should we bring the setting to the same across the board or can we have different settings on the servers?
No you should not set the same value to each server, this value should be optimized per server.
" One size does not fit all. The MaxConcurrentApi value may have to be a different value for each server. This situation can be caused by multiple application servers gaining authentication from a single domain controller or by similar scenarios in which multiple servers provide a larger volume of load with which the domain controller must deal. "
Specifies the maximum number of simultaneous, logon-related, application programming interface (API) calls that can be transmitted across a secure channel at any one time. API calls can be transmitted concurrently only on secure channels that are digitally signed or encrypted. The default value is optimal for most installations, but you can add this entry to the registry to increase its value. Increasing this value can improve efficiency. However, larger values can exhaust the resources of the domain controller communicating on the secure channel.
0 = One call at a time on member workstations and domain controllers, and two concurrent calls on member servers.
1 - 10 = Number of concurrent calls. This limit applies to workstations, domain controllers, and servers of Windows 2003 family.
1 – 150 = Number of concurrent calls. This limit applies to workstations, domain controllers, and servers of Windows 2008 family.