I want to get User-ID going but can't get an agent installed on our AD. How do I go about doing that?
There are two things you can do here.
First, if you want to go pure agentless, you can use the on-box User-ID agent on the Palo Alto firewall. Basically this involves creating a domain service account and letting the firewall use it to dig into the user mapping logs of the AD. Here is a detailed explanation from Palo Alto regarding how to properly set up the service account, as well as how to configure the firewall to use it with its on-box agent.
A word of caution, however: I've tried deploying this in our environment, but it had negative effects on the AD, eating up a whole lot of resources originating from the activities of the service account. Although Palo Alto said they fixed this in version 7.1 and above (I was using 6.0 when I tested), you might be better off testing this first on non-production systems just to be on the safe side.
The second option, if the concern is just installing an agent on the AD server itself, is to install the agent on a separate Windows machine. Run the agent from there, connecting to the AD and communicating the mappings to all your firewalls.
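To make concrete what "digging into the user mapping logs" means, here is an added illustration (my own example, not Palo Alto's code or a description of their implementation) of the core job either agent does: read successful-logon events from the domain controller's Security log and turn them into IP-to-user mappings that expire after a timeout. The one-line event layout, the sample records, the 45-minute timeout and the set of logon types considered worth mapping are all constructed assumptions for the example; real event exports look different and the firewall's own defaults may differ.

```python
"""Toy reconstruction of the IP-to-user mapping step a User-ID agent performs
over AD security logs (added example; not Palo Alto's implementation)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed sample of Security log entries (Event ID 4624 = successful logon,
# 4625 = failed logon), flattened to one line each. These are not real logs.
SAMPLE_EVENTS = [
    "2024-05-01T08:00:00 EventID=4624 LogonType=3 TargetUserName=alice TargetDomainName=CORP IpAddress=10.1.1.10",
    "2024-05-01T08:00:05 EventID=4624 LogonType=3 TargetUserName=WS01$ TargetDomainName=CORP IpAddress=10.1.1.10",
    "2024-05-01T08:02:00 EventID=4624 LogonType=10 TargetUserName=bob TargetDomainName=CORP IpAddress=10.1.1.20",
    "2024-05-01T08:03:00 EventID=4625 LogonType=3 TargetUserName=mallory TargetDomainName=CORP IpAddress=10.1.1.30",
    "2024-05-01T08:05:00 EventID=4624 LogonType=5 TargetUserName=svc_userid TargetDomainName=CORP IpAddress=-",
    "2024-05-01T08:10:00 EventID=4624 LogonType=3 TargetUserName=carol TargetDomainName=CORP IpAddress=10.1.1.10",
]

# Layout of the constructed sample above (assumption; real exports differ).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) TargetDomainName=(?P<domain>\S+) "
    r"IpAddress=(?P<ip>\S+)$"
)

# Logon types treated as evidence that a person is at that address
# (assumption: interactive, network, remote interactive, cached interactive).
# Service and batch logons, such as the User-ID service account itself, are skipped.
MAPPABLE_LOGON_TYPES = {2, 3, 10, 11}
LOCAL_ADDRESSES = {"-", "::1", "127.0.0.1"}


@dataclass
class Mapping:
    user: str
    seen: datetime
    expires: datetime


def parse_event(line: str) -> Optional[dict]:
    """Parse one flattened event line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "event_id": int(d["eid"]),
        "logon_type": int(d["ltype"]),
        "user": d["user"],
        "domain": d["domain"],
        "ip": d["ip"],
    }


def is_mappable(ev: dict) -> bool:
    """Decide whether an event should produce an IP-to-user mapping."""
    if ev["event_id"] != 4624:                    # only successful logons count
        return False
    if ev["logon_type"] not in MAPPABLE_LOGON_TYPES:
        return False
    if ev["user"].endswith("$"):                  # computer accounts are not users
        return False
    if ev["ip"] in LOCAL_ADDRESSES:               # no usable source address
        return False
    return True


def build_mappings(lines: Iterable[str],
                   timeout: timedelta = timedelta(minutes=45)) -> Dict[str, Mapping]:
    """Build an IP -> Mapping table; the newest logon from an address wins."""
    table: Dict[str, Mapping] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_mappable(ev):
            continue
        user = f"{ev['domain']}\\{ev['user']}"
        table[ev["ip"]] = Mapping(user=user, seen=ev["ts"], expires=ev["ts"] + timeout)
    return table


def lookup(table: Dict[str, Mapping], ip: str, now: datetime) -> Optional[str]:
    """Resolve an address to a user, or None once the mapping has timed out."""
    m = table.get(ip)
    if m is None or now >= m.expires:
        return None
    return m.user


if __name__ == "__main__":
    table = build_mappings(SAMPLE_EVENTS)
    for ip, m in sorted(table.items()):
        print(f"{ip:<12} {m.user:<14} seen={m.seen:%H:%M} expires={m.expires:%H:%M}")
```

The filters are where the security value sits: a computer-account logon must not be mapped to a person, a failed logon must never create a mapping, and the service account's own logon type 5 events should be ignored so the account you created for the agent does not show up as the "user" behind the domain controller. The timeout is what keeps a stale mapping from granting a later occupant of that IP the previous user's policy.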