This has probably been answered all over the place, but to be honest I'm pretty overwhelmed by how many topics and replies there are. I'm not sure exactly what the term is that refers to what I'm looking for either, so I can't exactly search it.. Anyhow, the question I have is this..

What is the order of authentication when using SmartCards over the network?

A little bit of background info to make my question a little bit more understandable:

In our network we have 2 domains, admin and school (school having dc1 and dc2). DC1 and DC2 can talk to each other just fine; generally dc1 is teachers and aides, etc.. and DC2 is student stuff.. Before we made the switch to an Active Directory setup, we had "everyone" full control on the admin server (W2K). Now the admin server at this time was its own separate domain, and we were using NT on the student domain controllers. On NT, trust relations were only existent if you added and actively (no pun intended) set them up. Summer hit and we ordered 3 (2 for dc1 and dc2 and 1 for the webserver) pretty "juiced" (for what we need them for) servers.. They came in with Server 2003 (and the proper licensing of course). We didn't need to upgrade our admin server so we left it as Windows 2000. Having all this Active Directory stuff around, we decided to merge them all into one forest.. Well, as you can imagine, Everyone on the admin server included the dc1 and dc2 servers as well because they were all on the same tier (I know this isn't the proper term. I apologize..).. Well, because moving from Windows NT 4 to Windows 2003 is such a major ordeal, with making sure all the applications needed were installed and re-setup, folders were all moved over properly, kixtart scripts working, etc., we never even saw the issue with Everyone on the admin server including other domains on the same tier.. Major blunder on our behalf, but noted for the future..

The question we have is regarding the order of precedence.. Basically my question is analogous to how Windows NT determined browse masters.. Let's say for a moment we never moved the admin server into the forest, and that we had a SmartCard reader installed on the admin workstations, and had told the admin server to require smartcard authentication. If we then moved it into the Active Directory forest, would doing this bypass the security of the smartcard? In other words, does Active Directory security supersede SmartCard, or does Windows always check SmartCard stuff before it checks access control lists? What level/layer does SmartCard work on? Our idea is that the damage is already done; we accept that and we're looking to move forward, but put in place something that will always supersede whatever happens on the "forest" end of things, and of course if "that system" passes, then move on to the other authentication stuff. Like, we don't want someone sitting down at dc1 or 2, firing up mmc, going into manage users, saying remote computer, typing in the admin server and totally bypassing the smartcard stuff..

Sorry for the really long post, I just hope it helped explain our dilemma and question. Thanks in advance, I really appreciate any assistance.
-- StakFallT