[...]
Here is the reason:
> (Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
> [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
> setting GID=0!
So the group was found and saved, but SSSD decided the group is not
eligible to be returned for the OS. This could be because SSSD filtered
the group type (domain-local groups from trusted domains are filtered)
or because the sssd is configured to use POSIX attributes, but the
object doesn't have them.
Increasing the debug_level some more would show more messages,