Since our install of IDM we have synchronized our Vault and AD in only one
direction (Vault to AD).

We are moving forward with some projects that require bi-directional
synchronization with the AD.

All is well except for Groups behavior. I notice that when an update from
the Vault is applied to AD then I am receiving a modify action back from AD
for the group, replacing the total group contents with what is now in AD.
The driver is consuming the action that it just performed to the AD, sort
of. Vault performs an ADD and AD pushes back with a replace.

Also if the group is very large I notice that AD only seems to be sending
the first 5000 members. If I do an update of one of these groups then AD
pushes back with the first 5000 and destroys the group in the Vault.

Are there any guidelines or best practices for AD group synchronization?