we have just modified our gpo to include a lockout policy. we have set this to 0 which permanently locks an account down till released by the admin after 9 failed login attempts.
my question is, if a brute force attack is aimed at the administrator account, how do we release the account if it is locked out?
any advice appreciated.
Windows Server 2016, Windows 10, Azure
Last comment: McKnife, 8/22/2022 (Mon)
Daryl Ponting
The default Administrator account won't get locked out. Manually created admins (users given admin rights by you such as adding a user to the domain admins account) will be locked out. Make sure you know the password to the administrator account.
nigelbeatson
ASKER
Thanks for your reply.
How do we protect the administrator account from brute force attack if the lock down policy does not lock out after the set number of failed login attempts?
Any advice appreciated.
Daryl Ponting
Set a very secure password for the account. On client computers, the administrator account is disabled as a security precaution. You could disable the domain administrator account, but you would need to make sure you have admins available to unlock locked accounts in the event of an attack. If you have multiple admins, it's unlikely they would all be compromised at the same time so there should always be an available admin to unlock accounts.
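The checks the answer above implies (verify what the GPO actually applied, find out which accounts are locked, make sure enough admins are still able to unlock, and release an account) can be scripted. The following PowerShell is an added example for this thread, not code posted by either participant; it assumes the RSAT ActiveDirectory module is installed and the session has rights to read and unlock accounts, and the account name `jdoe` is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory module
# is present and the caller has rights to read and unlock accounts in the domain.
Import-Module ActiveDirectory

# 1. Confirm the lockout settings the GPO applied at the domain level, rather than
#    assuming. LockoutDuration of 0 means "locked until an admin unlocks it".
$policy = Get-ADDefaultDomainPasswordPolicy
"Lockout threshold: {0} failed logons; duration: {1} (0 = until unlocked by an admin)" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration

# 2. Find the built-in Administrator by its well-known RID (500), whatever it has been
#    renamed to, and report whether it is enabled and currently locked. This lets you
#    observe the account's real lockout state during an attack instead of relying on
#    the default behaviour described in the answer.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" `
                    -Properties Enabled, LockedOut, BadPwdCount, LastBadPasswordAttempt
$builtinAdmin | Select-Object SamAccountName, Enabled, LockedOut, BadPwdCount, LastBadPasswordAttempt

# 3. List every account that is locked out right now, with the failed-logon counter and
#    the time of the last bad password. A burst of bad passwords against many accounts
#    in a short window is the pattern you would expect from a brute-force attempt.
Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties BadPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, BadPwdCount, LastBadPasswordAttempt |
    Sort-Object LastBadPasswordAttempt -Descending

# 4. Check that the admins who are supposed to release locked accounts are themselves
#    enabled and not locked out (the "always have an available admin" point above).
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Enabled, LockedOut |
    Select-Object SamAccountName, Enabled, LockedOut

# 5. Release one account once you have confirmed the lockout was caused by an attack
#    and not by the user. 'jdoe' is a placeholder.
Unlock-ADAccount -Identity 'jdoe'
Get-ADUser -Identity 'jdoe' -Properties LockedOut | Select-Object SamAccountName, LockedOut
```

Run steps 1 to 4 read-only from any admin workstation with RSAT to see what is actually happening before unlocking anything; step 5 is the only change it makes. Looking the built-in account up by RID 500 rather than by the name "Administrator" is deliberate, since the name is what a brute-force attempt guesses and what the asker is considering changing.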
OK thanks. I think the idea of disabling the administrator account is probably the best solution (after creating a clone) as no doubt everyone knows there will be a user called administrator and therefore making it susceptible to brute force attacks. Does that sound reasonable?