Best practice is a discussion you should have with McAfee Prof Services, but the connector should be quite happy with thousands of users - if it's taking a long time, be sure that you have performance-tuned your db - name index is turned on and working etc.
Re how to make it work though, the answers are very different depending on what portion of your AD you need to sync - if it's 80% plus, it's easier to use group mapping logic to skip the users you don't care about and get the connector to look at them all. If it's 20%, then you need to use some search limitations, either a base search, or search groups.
You can get the connector to see all users just by leaving search groups empty, and using a vanilla base search.
AD design reflects here.
You do not have to list every minor branch of your AD tree. Just focus on major trunks.
So have users grouped by major criteria, like country, or major department or operation company or geographic location.
You should not have too many trunks in that tree.
But for performance it is not how many filters (search groups) you have, it's the total number of accounts that need to be synced that matters.
Both EEPC users and AD users. Those two populations might get vastly different if you do not clean up frequently enough.