I tried something like this back in 2017. I was working with 39 sites throughout the US; 2 locations had Domain Controllers (for AD integration), and we had 200+ users.
We ran into issues as we continued to add 10+ sites. We began to see that the AD integration wouldn't work, or would work sporadically. That meant the content filtering would work... sometimes.
We opened up a case with Meraki and they said it was "working as designed" and we needed to have more domain controllers, or we couldn't use AD integration. They recommended one DC per site because of how the MX constantly polls the DCs for related logon events. We were told the DCs weren't responding in time to the requests from 39 sites. The whole design was overloading the domain controllers, which would break the AD integration and content filtering.
Anyone know if the technology has improved?
I just re-read through the related articles, and they don't seem to have changed.
Bonus: We were coming from a SONICWALL deployment that was able to perform the task above without issue because of their hub-spoke design.
There have been no changes in this area. I can see why this would be an issue as well. Each MX has to monitor the security log of each AD controller to watch for the login events happening. You end up with a lot of MXs requesting all the same data.
You could consider using Cisco Umbrella either with an Umbrella agent on each machine or the virtual appliance. With this the AD groups and users get synced into the Umbrella cloud, so the agents work against the cloud rather than against the AD controllers.
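To put a number on the load described above, here is an added example (not from either post, and not Meraki's or Cisco's code) that reads the same logon-event stream from one domain controller that every AD-integrated MX would be pulling. It assumes, as the thread does not say explicitly, that the integration works from successful logon events (Event ID 4624) in the Security log and builds a user-to-client-IP map from them; the script name, parameters and filter are my own choices. Run it on a DC or point it at one with an account that can read the Security log.

```powershell
# Added example: measure how many logon events a single DC emits per minute,
# and how many usable user -> IP mappings they yield.
# Assumption (not stated in the thread): the MX consumes Security log event 4624.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # run locally on a DC, or name one
    [int]$Minutes = 60                              # window to sample
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Get-WinEvent throws "No events were found" on an empty result; treat that as zero.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

# Read named fields from the event XML instead of relying on positional indexes,
# which shift between Windows versions.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$map = @{}
foreach ($e in $events) {
    $user = Get-EventField -Event $e -Name 'TargetUserName'
    $dom  = Get-EventField -Event $e -Name 'TargetDomainName'
    $ip   = Get-EventField -Event $e -Name 'IpAddress'
    $type = Get-EventField -Event $e -Name 'LogonType'

    # Machine accounts and logons with no real source address cannot be
    # attributed to a client, so they add polling load without adding a mapping.
    if ($user.EndsWith('$') -or $ip -in @('-', '::1', '127.0.0.1')) { continue }

    # Latest logon wins, which is what a user -> IP identity map needs.
    $map["$dom\$user"] = [pscustomobject]@{
        Ip        = $ip
        LogonType = $type
        Time      = $e.TimeCreated
    }
}

$perMinute = [math]::Round($events.Count / $Minutes, 1)
"{0}: {1} logon events in the last {2} min ({3}/min), {4} distinct user->IP entries" -f $DomainController, $events.Count, $Minutes, $perMinute, $map.Count
$map.GetEnumerator() | Sort-Object { $_.Value.Time } -Descending | Select-Object -First 10
```

The events-per-minute figure is what one poller sees; with the design in the thread, each MX pulls that same stream independently, so the DC is serving roughly that rate multiplied by the number of MXs. The account used needs to be in Event Log Readers (or local admin) on the DC, and the remote event log firewall rules must be open, which is the same access any appliance reading the Security log would need.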