I'm wondering:
Dave,
Why are you hacking my brain?
One commonly thinks, when the word "hybrid" is used, of an infrastructure that combines on-premise (or at least private data centre) and public cloud. But "hybrid" also works in the other direction - across the heterogeneous systems within a particular location. It is rare for an organisation to base itself entirely on one …
It seems to me that the best hybrid setup would be to use Linux/BSD servers with Windows (and other) workstations, well firewalled behind the Linux/BSD servers for intarweb access, with Windows running ONLY on those workstations where the business software MUST run Windows.
Properly administered, this kind of configuration has potential for high reliability. A private cloud for 'shared things' can help with that as well.
The biggest problem has been how Micro-shaft (particularly with Win-10-nic) is changing the authentication methods (again) on the network in ways that are ahead of Samba's supported features. When Samba is _BARELY_ able to act as an Active Directory domain controller, Micro-shaft moves the target again with their "Micro-shaft Login", one login to rule them all etc.
Some would say "one word: Kerberos" and they're probably right, but Kerberos has its own issues with timeouts etc. and from what I read about it, can be very irritating.
I'd think that RHEL or CentOS would've come up with a one-size solution for this kind of thing by now...
(go with that, get support)