According to Realm Configuration HOW-TO,

The directory realm supports two approaches to the representation of roles in the directory:

• Roles as explicit directory entries
  Roles may be represented by explicit directory entries. A role entry is usually an LDAP group entry with one attribute containing the name of the role and another whose values are the distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:

• roleBase – the base entry for the role search. If not specified, the search base is the top-level directory context.
• roleSubtree – the search scope. Set to true if you wish to search the entire subtree rooted at the roleBase entry. The default value of false requests a single-level search including the top level only.
• roleSearch – the LDAP search filter for selecting role entries. It optionally includes pattern replacements "{0}" for the distinguished name and/or "{1}" for the username of the authenticated user.
• roleName – the attribute in a role entry containing the name of that role

• Roles as an attribute of the user entry
  Role names may also be held as the values of an attribute in the user’s directory entry. Use userRoleName to specify the name of this attribute.

A combination of both approaches to role representation may be used.

So one way is to use an attribute if you have something appropriate. There are tools out there that can do "mass update" or "bulk modify" of AD attributes. If you don’t want to contaminate the AD is to wrap it around with ADAM. You can create proxy objects in ADAM that points to AD users and either add attributes in ADAM. See Understanding ADAM bind redirection for more info.