Regarding my previous issues, dyndns_update = True, combined with changing idmap settings resolved both issues for sudo and groups losing members from the cache.
I will use stap (and likely perf etc.) to go further into the performance issues tomorrow. Thanks again for your assistance.