There are two parts here.

1. ipaExternalGroup is only handled for trust to AD configurations. The compat tree configuration for that is only set up when you run ipa-adtrust-install --enable-compat on the specific master (turning the master into a trust controller). When you have no external group members configured for some external groups (this is a concept in IPA, 'ipa group-add --external' and 'ipa group-add-member --external'), and these groups aren't included into some POSIX groups, you should not see any of AD groups pulled in.

2. Second part is actual addition of the 'objectclass: ipaExternalGroup' into the entries under cn=groups,cn=compat,$BASEDN. This happens after /usr/share/ipa/updates/50-externalmembers.update file is automatically imported on IPA upgrade. The file content is:

$ cat install/updates/50-externalmembers.update
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup

The upgrade should happen during replica deployment as one of last steps before enabling optional services. You can see that in the replica installation log with 'Applying LDAP updates'. But I think there might be an ordering discrepancy because the base compat tree configuration is in install/updates/80-schema_compat.update so it is ran after 50-externalmembers.update. And since at that point cn=groups,cn=Schema ... does not exist yet, it is not applied.