Regarding my previous issues, dyndns_update = True, combined with changing idmap settings
resolved both issues for sudo and groups losing members from the cache.
I will use stap (and likely perf etc.) to go further into the performance issues tomorrow.
Thanks again for your assistance.