We started seeing a strange problem this past Tuesday afternoon. Some of the servers in our AD domain started to show bad passwords in AD (the computer object's bad password time keeps incrementing).
I tried to manually reset the password using both netdom and PowerShell's Reset-ComputerMachinePassword command, and both seem to be successful (the pwdLastSet attribute updates to the current date/time), and I rebooted the computer, yet the bad password time attribute keeps incrementing.
I wouldn't be concerned, except that any service on these servers that uses a non-Local System/Network Service account (i.e. an explicit service account in AD) locks out the service account in question and the service fails.
Currently our SharePoint and SQL environments are all down because of this.
I have a case open with Microsoft but am not getting anywhere with them. Their solution is to keep increasing the password lockout count in group policy to a larger number. (We had it at 3 for the last 6 years; they increased it to 8, and now they want us to increase it to 999 or remove the value altogether, which is not safe.)
One of the techs at MS said he saw something similar a few months ago with another customer, and he escalated it and it was solved, but he doesn't know how it was resolved. He tried to escalate my case, but the escalated tech was clueless.
This started very suddenly on Tuesday. The only thing we changed was removing Forefront Client Security (for which MS ended support on 7/14) and installing the SCCM agent along with SCCM Endpoint Protection. We've since removed both of those and the problem has not gone away.
Would appreciate any feedback!
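To see which DC is recording the failures and where the stale credential is coming from, here is an added PowerShell example (not part of the original post). It assumes the RSAT ActiveDirectory module is installed, the caller can read the DCs' Security logs, and a placeholder server name SERVER01.

```powershell
# Added example, not from the original post. badPwdCount and badPasswordTime
# are NOT replicated, so each DC keeps its own copy; the PDC emulator also
# receives forwarded failures. Query every DC instead of trusting one.
param(
    [string]$ComputerName = 'SERVER01',   # placeholder: affected server's name
    [int]$Hours = 24                      # how far back to search the logs
)
Import-Module ActiveDirectory
$sam   = "$ComputerName`$"                # computer accounts are SERVER$
$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter *

# 1. Per-DC view of the bad-password counters on the computer account.
foreach ($dc in $dcs) {
    $c = Get-ADComputer -Identity $sam -Server $dc.HostName `
            -Properties badPwdCount, badPasswordTime, pwdLastSet
    [pscustomobject]@{
        DC              = $dc.HostName
        BadPwdCount     = $c.badPwdCount
        LastBadPassword = [DateTime]::FromFileTime($c.badPasswordTime)
        PwdLastSet      = [DateTime]::FromFileTime($c.pwdLastSet)
    }
}

# Pull one named EventData field out of an event record via its XML form.
function Get-EventField($e, [string]$name) {
    ([xml]$e.ToXml()).Event.EventData.Data |
        Where-Object Name -eq $name | Select-Object -ExpandProperty '#text'
}

# 2. Who is presenting the stale credential? 4771 = Kerberos pre-auth failure
#    (IpAddress, may be ::ffff:x.x.x.x); 4776 = NTLM validation (Workstation).
foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since }
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter `
                 -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -like "$ComputerName*" } |
        ForEach-Object {
            [pscustomobject]@{
                DC     = $dc.HostName
                Time   = $_.TimeCreated
                Id     = $_.Id
                Source = if ($_.Id -eq 4771) { Get-EventField $_ 'IpAddress' }
                         else                { Get-EventField $_ 'Workstation' }
                Status = Get-EventField $_ 'Status'   # 0x18 / 0xC000006A = bad password
            }
        }
}
```

Run the same search with the locked-out service account's name in place of the computer name to find which host is submitting its old password; event 4740 on the PDC emulator also names the caller computer.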