I suggest:
- Leave the Administrator account in the 'default' provider.
- Set the AD/Internal Hybrid to soft-failover to the default.
This way you can always log in to the Ignition gateway if the AD link fails or you mess up a setting and break the AD functionality (which would otherwise lock you out).
Make sure that 'Administrator' username and role in your AD setup is spelt exactly the same as in the default.
This is probably the only user you'll need in the default user source unless you want to create an account for someone outside of your organisation.