Active Directory authentication with subdomains

Just posting a brief note on how I got AD authentication to work in a forest with subdomains. Apparently if you search via regular LDAP the sync process bombs because it tries to automatically query the subdomain active directory servers (clever!) without first performing a bind operation on them (not clever!). This appears to be a PHP defaults thing and not necessarily a FreePBX thing, but regardless it is a thing that was affecting me.

The workaround is to use the Active Directory Global Catalog search port (3268, or 3269 if you want to patch and use TLS). The downside is that I then get a very large result set… looks like I will have to patch in some filtering.
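As an added illustration (not code from this post or from FreePBX), here is a PHP sketch of a Global Catalog search on port 3268 that narrows the result set with a filter and pages through it. The host name, base DN, bind account, attribute list and filter are constructed placeholders, and it assumes PHP 7.3 or later with the ldap extension.

```php
<?php
// Added example, not FreePBX code. Host, base DN and bind account are
// constructed placeholders; requires PHP >= 7.3 with ext-ldap.
const GC_URI  = 'ldap://dc01.corp.example.com:3268'; // Global Catalog; 3269 is the TLS port
const BASE_DN = 'DC=corp,DC=example,DC=com';         // forest root (assumed single-tree forest)

// Enabled user accounts only: the bitwise-AND matching rule tests the
// ACCOUNTDISABLE bit (2) of userAccountControl. $prefix is escaped so
// caller input cannot change the structure of the filter.
function build_user_filter(string $prefix = ''): string
{
    $name = ldap_escape($prefix, '', LDAP_ESCAPE_FILTER) . '*';
    return '(&(objectCategory=person)(objectClass=user)'
         . '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
         . "(sAMAccountName=$name))";
}

function gc_search(string $bindDn, string $password, string $filter, int $pageSize = 500): array
{
    $ldap = ldap_connect(GC_URI);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Standard PHP option: do not chase referrals to other servers.
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ldap, $bindDn, $password)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    $attrs  = ['sAMAccountName', 'displayName', 'mail']; // fetch only what is needed
    $users  = [];
    $cookie = '';
    do { // paged search keeps each response within the server's size limit
        $controls = [['oid' => LDAP_CONTROL_PAGEDRESULTS,
                      'value' => ['size' => $pageSize, 'cookie' => $cookie]]];
        $result = ldap_search($ldap, BASE_DN, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls);
        if ($result === false) {
            throw new RuntimeException('search failed: ' . ldap_error($ldap));
        }
        ldap_parse_result($ldap, $result, $errcode, $matchedDn, $errmsg, $referrals, $controls);
        $entries = ldap_get_entries($ldap, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $users[] = $entries[$i]['samaccountname'][0] ?? $entries[$i]['dn'];
        }
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
    ldap_unbind($ldap);
    return $users;
}

// Usage with a constructed service account:
// print_r(gc_search('svc-pbx@corp.example.com', getenv('LDAP_PW'), build_user_filter()));
```

On port 3268 the bind password crosses the network in clear text, so a deployment that cares about the service account would point `GC_URI` at the TLS port instead.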

