Hello,
following the application of Microsoft's Security Update for Windows Server of October 2018, we have encountered an issue for AD connections where parent domain group members are not removed from Universal groups in child domains, because the LDAP Modify request using the SID silently fails in this scenario.
Our development team is working with Microsoft. You can find more information regarding this issue here:
support.oneidentity.com/.../263513
We will update the KB as we learn more.