Aha! This (from the domain log) shed some light: (Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x0400): Processing user slymedia@grinnell.edu (Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x1000): Mapping user [slymedia@grinnell.edu] objectSID [S-1-5-21-71189414-1642862984-1097818727-518801] to unix ID (Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_idmap_sid_to_unix] (0x0040): Object SID [S-1-5-21-71189414-1642862984-1097818727-518801] has a RID that is larger than the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an explanation of how to resolve this issue. (Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-71189414-1642862984-1097818727-518801] to a UNIX ID (Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x0020): Failed to save user [slymedia@grinnell.edu] (Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
So it looks as though I have an incorrect ID Range for these AD accounts. I increased the number of IDs in the range for the AD domain and - low and behold, the accounts are now resolving.
Thank you for your help!