We got it all finished up finally!
Turns out that using the aforementioned "ad" backend for idmap in the smb.conf file is bad juju. I found someone mention (in the deep recesses of Google) that the "ad" backend will automatically use Domain Users as the primary gid unless you specify otherwise in the Unix Attributes in Active Directory.
Given that we don't have Domain Admin access, we opted to stray away from that and go back to the default backend. Once we did that, our groups came back up no problem.
We also found that if we disable Winbind, we lose our group maps for some reason. My guess is it's related to nsswitch.conf somewhere, but I'm good with leaving it enabled. I'm just happy to have something functional.
Thanks again for the advice.
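For readers hitting the same thing, here is an smb.conf excerpt contrasting the two idmap setups described in the post. This is an added illustration, not the poster's own config; the domain name EXAMPLE, the realm, and the ID ranges are made-up placeholders.

```ini
# Added illustration, not the poster's smb.conf.
# Assumptions: NetBIOS domain EXAMPLE, realm EXAMPLE.LOCAL, ID ranges made up.
[global]
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL

   # Default (tdb) backend, as the post ended up using: winbind allocates
   # uids/gids locally, so group mappings do not depend on anyone having
   # populated Unix attributes in AD (no Domain Admin rights needed).
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The "ad" backend the post moved away from: it reads uidNumber/gidNumber
   # from the rfc2307 attributes in AD. Unless unix_primary_group is set, the
   # primary group comes from primaryGroupID, i.e. Domain Users for most
   # accounts. Left disabled here because the attributes were not maintained.
   ;idmap config EXAMPLE : backend = ad
   ;idmap config EXAMPLE : schema_mode = rfc2307
   ;idmap config EXAMPLE : range = 10000-999999
   ;idmap config EXAMPLE : unix_primary_group = yes
```

After changing the backend, check the result with `wbinfo -g` and `getent group`, and remember winbind has to stay running for the mappings to resolve through nsswitch.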