see in your ebox.log what ldap is doing, sometimes it complains about an user or group name too long, special characters etc, try to sync again...
give more details, are you trying to synchronize a tree, an entire forest (hate the ms slang), maybe forcing the directives with "gpupdate /force" then trying to synchronize again, anyway give us more details