There is a case where, if you have your AD connection configured correctly, you will not see groups. Users will appear, but not groups, and the group cache won't work.
This appears to be the case where the base/root OU is missing. Once it's added as an empty value, the mappings can occur properly.
It's very strange because the test shows both users and groups. So it passes, of course.
About the only "trick" I can think of is this: When you add the first OU, actually add two, where the first is blank for the "root" lookup, and maybe special-case grey text it to show as "root base lookup". Users can still delete it accidentally or intentionally, but it seems better to do that than nothing at all.