I've not had that issue. If you get a green tick you are usually away.
Anything appearing in the Windows event log on the AD controllers? Specifically errors when the MXs attempt to retrieve the groups?
Is the account being used a domain admin?
If you use ldapsearch, are you able to run a query like the below to manually retrieve the list of groups?