Hello Nick,
First we can cover the potential for replicating a hosted feature service to an enterprise geodatabase:
While it could be possible to replicate a hosted feature service to your enterprise geodatabase, there is not currently a supported/documented workflow. It may be possible through a script and use of the sync workflow. The createReplica operation can be used to generate JSON of the data, which could then be dumped into the enterprise geodatabase. The replica will persist on the hosted feature service, so edits on both ends can continue to be synced. This would be quite an undertaking in Python, but it is definitely something to consider if you must go that way. If you're interested in going down this rabbit hole we can definitely talk about this in more detail.
The second topic would be the recording of "Esri_Anonymous" as the identity for editor tracking:
"Esri_Anonymous" is the identity that is used when a service is unsecured. If the service is secured, then users will be prompted for credentials when accessing the service, and the credentials provided (in your case Active Directory) will be used as the identity.
Another caveat about this workflow is Collector and it's use of the identity. The authentication tier for your ArcGIS Server should be GIS-tier (as opposed to web-tier) so Collector can interact properly with your ArcGIS Server and pass the identity of field workers. GIS-tier authentication is token based, and Active Directory can still be used as the user store and role store. With GIS-tier, ArcGIS Server will check the credentials and issue a token for valid users. Web-tier authentication is handled by the web server (IIS or Java), so it acts as more of a gatekeeper. This configuration may be ideal for Single Sign-On workflows in web browsers and other clients, but isn't the best option when looking at editor tracking in Collector.
When you configure GIS-tier authentication and secure these services for use through Collector, you will see two credential prompts in the app. The first is to ArcGIS Online, the user needs to verify they are a part of your organization so they can view the web maps you've set up. The second prompt will be when they open the web map. This will verify they are allowed to view the secure feature service, but most importantly, they are providing that identity to be recorded for editor tracking. If they are using these maps offline, they should only have to provide the ArcGIS Server credentials when they first download the map and when they sync, because those will be the only times they are interacting with the service (and needing a token to prove they are who they say they are).
If any of this information is unclear, let me know! There's a lot of moving parts when it comes to Web GIS and I'd like to make sure everyone that comes across this issue is able to get what they need out of this conversation.
Thanks,
Scott