Pihole as Primary DNS with Active Directory

Putting your AD server before Pi-hole in your DNS resolution chain will make your AD server the only client of Pi-hole. Without further measures, you won't be able to attribute DNS requests to individual clients that way.

I think your intended original configuration was correct:

Clients -->  Pi-hole -------> public DNS resolvers
               |                                 ^
               +-- via CF --> Windows AD Server -+

But your actual CF configuration looks wrong:

I guess that's your router on 192.168.1.1?
In your case, that should be your AD's IP address.

If for some reason you would still need your router to also answer some of the DNS requests relating to local names, you could create a custom dnsmasq configuration file for a distinct second target (i.e. an additional Conditional Forwarding).

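As an added example (not part of the reply above, and not a configuration the poster or the Pi-hole project published), here is what such a custom dnsmasq file could look like for the intended layout: clients talk only to Pi-hole, Pi-hole forwards the AD domain and the LAN's reverse zone to the AD server, and a second forwarding target hands a separate suffix to the router. The AD domain name ad.example.local, the AD server address 192.168.1.10, the .lan suffix and the file name are assumptions; the router address 192.168.1.1 is the one mentioned in the thread. It assumes Pi-hole reads drop-in files from /etc/dnsmasq.d/.

```conf
# /etc/dnsmasq.d/02-ad-forward.conf   (hypothetical file name)
# Added example, not from the original post. Assumed values:
#   AD domain:      ad.example.local   (hypothetical)
#   AD DNS server:  192.168.1.10       (hypothetical)
#   Router:         192.168.1.1        (from the thread), assumed to answer names under .lan

# Send the AD domain and everything below it (this includes the _msdcs.* SRV
# records domain-joined clients look up) to the AD server only. Clients still
# query Pi-hole directly, so per-client attribution in the query log is kept.
server=/ad.example.local/192.168.1.10

# Reverse lookups for the LAN subnet also go to the AD server, so Pi-hole can
# show hostnames instead of bare IPs. rev-server is shorthand for
# server=/1.168.192.in-addr.arpa/192.168.1.10 and needs dnsmasq 2.80 or newer.
rev-server=192.168.1.0/24,192.168.1.10

# Optional second Conditional Forwarding target: names only the router knows.
# Everything not matched by a server=/.../ line still goes to the upstreams
# configured in Pi-hole's own settings.
server=/lan/192.168.1.1
```

After saving the file, reload the resolver with `pihole restartdns` and check each path from a client, e.g. `dig @<pihole-ip> dc01.ad.example.local` should come back from the AD server, while a lookup of a public name should still go to the public upstreams. Because the AD domain is answered authoritatively by the AD server, pointing the AD server's own forwarders at Pi-hole does not create a loop, but the simplest arrangement is the one in the diagram above, with the AD server forwarding to the public resolvers directly.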