LDAP and delete users

Re: LDAP and delete users

by Leon Stringer -

The sync task is documented here. Once you've configured LDAP authentication you can optionally enable this so that the LDAP users are pulled into Moodle. If you don't enable this then LDAP users get created in Moodle the first time they successfully authenticate. Check that your Contexts (auth_ldap | contexts) setting is what you want. If it's too high up the hierarchy then you might end up with users in Moodle that you don't actually want, e.g. domain administrator or service accounts.

When the sync task runs any AD users that have been deleted are not returned. The Removed ext user (auth_ldap | removeuser) setting controls what Moodle will do: "Keep internal" - leave the user untouched, "Suspend internal" - suspend the user in Moodle, "Full delete internal" - delete the user in Moodle. This will depend on the way you manage users in AD and what your teachers/trainers expect to happen to users in Moodle. I normally don't delete users in AD, just suspend them so I wouldn't use "Full delete internal". I might move suspended AD users to another OU in which case they also may not be returned by the sync task (depending on the LDAP context) in which case this setting also applies: keep, suspend or delete. Moodle will unsuspend users if they re-appear in LDAP but cannot undelete them.

This is from memory as I don't have an AD to test with currently: I think if you've selected "MS ActiveDirectory" for the User type (auth_ldap | user_type) Moodle knows to read the userAccountControl attribute in AD to get the suspended status. So you should just need to change Synchronise local user suspension status (auth_ldap | sync_suspended) to "Yes" to get corresponding Moodle users suspended.

Even if you don't enable the sync task, if you suspend or delete an AD user then they won't be able to log into Moodle as the AD server won't authenticate them.
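A small Python model of the sync decisions described in the post above: an added example, not Moodle's own code (the real auth_ldap plugin is PHP and does much more). It assumes the LDAP side is reduced to a username-to-userAccountControl map of the accounts returned within the configured contexts, so an account deleted in AD or moved to an OU outside the contexts is simply absent; the ACCOUNTDISABLE bit (0x0002) is the standard AD flag for a disabled account.

```python
# Model of auth_ldap sync decisions: constructed example, not Moodle's own code.
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts


@dataclass
class MoodleUser:
    username: str
    suspended: bool = False
    deleted: bool = False


def sync_users(moodle_users, ldap_entries, removeuser="suspend", sync_suspended=True):
    """Apply one sync run and return a report of what changed.

    ldap_entries: {username: userAccountControl} for accounts inside the
    configured contexts. removeuser: "keep", "suspend" or "delete", i.e. the
    Removed ext user options. sync_suspended mirrors the sync_suspended setting.
    """
    assert removeuser in ("keep", "suspend", "delete")
    report = {"created": [], "suspended": [], "unsuspended": [], "deleted": []}
    # Deleted Moodle users are never revived; a matching LDAP account becomes a new user.
    known = {u.username: u for u in moodle_users if not u.deleted}
    for name, uac in ldap_entries.items():
        if name not in known:
            # Anything the contexts return gets pulled in, service accounts included.
            user = MoodleUser(name, suspended=sync_suspended and bool(uac & ACCOUNTDISABLE))
            moodle_users.append(user)
            report["created"].append(name)
    for user in known.values():
        uac = ldap_entries.get(user.username)
        if uac is None:
            # Not returned by LDAP: deleted in AD or moved outside the contexts.
            if removeuser == "suspend" and not user.suspended:
                user.suspended = True
                report["suspended"].append(user.username)
            elif removeuser == "delete":
                user.deleted = True
                report["deleted"].append(user.username)
            continue
        # Present in LDAP: follow the AD disabled flag, or just revive the user.
        want_suspended = sync_suspended and bool(uac & ACCOUNTDISABLE)
        if user.suspended != want_suspended:
            user.suspended = want_suspended
            report["suspended" if want_suspended else "unsuspended"].append(user.username)
    return report
```

Running it with a constructed user set shows the three removeuser outcomes side by side and why a context that is too broad quietly creates accounts you did not intend.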