In my deployment, I use Universal distro groups and I point to the GC; this way I can span domains within my forest. To LDAP there is no difference between distro and security groups, so Wildfire/Openfire can leverage either one. Microsoft, on the other hand, does do things differently with the groups.
Also keep in mind not to nest groups.
The purpose of AD groups is to show them in the roster of your client, like Spark. This way your users can be predefined in AD and show up in Spark. In the Admin Console you will have to “publish” the group, but once complete, it does work well.