There are a couple scenarios for this process. Say a AD user is logging into the site, assume their username is not stored in the Kentico db at all. When they authenticate, it goes to AD and authenticates them and creates a user in Kentico. If you choose to have the AD roles auto imported, it will also create and assign the user to those roles if the roles don't exist.
Now assume you have a user who already authenticated but used Forms, so their username was created manually in Kentico. Directly from Kentico documentation:
If an existing forms user has the same user name as a domain user that is logging in, the system signs in the forms user. As a result, the system cannot create an account for the domain user. You can avoid this behavior by renaming the existing forms user.
The purpose of the import tool will allow a one-time dump of users from AD (unless you use a command line and automate it later) into Kentico. So when the user authenticates from AD, they will use this imported user. So long story short is, if mixed mode authentication is setup, AD is tried first, then Forms.