An excellent post. Easy and to the point. Wish I had discovered this much before. The upshot is:
- Enable debugging on a domain controller:
nltest /dbflag:0x2080ffff
- Disable debugging after a bit:
nltest /dbflag:0x0
- Check the logs at %windir%\debug\netlogon.log to find out where/what is locking the account.
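
To pick the lockout source out of a busy netlogon.log, the sketch below (an added example, not from the post referred to above) tallies failed logons by account and source machine. The function name `Get-NetlogonLockoutSource` is hypothetical, the sample lines are constructed, and the "logon of ... from ... Returns 0x..." line shape is an assumption to check against your own log.

```powershell
# Added example. Tallies failed logons in netlogon.log by account and source.
# NTSTATUS values: 0xC000006A = wrong password, 0xC0000234 = account locked out
function Get-NetlogonLockoutSource {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        # Assumed line shape (source field may be blank):
        #   ... logon of DOMAIN\user from HOST [(via HOST2)] Returns 0x...
        $pattern = 'logon of (?<account>\S+) from (?<source>\S*)' +
                   '(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
        $wanted  = '0xC000006A', '0xC0000234'
        $hits    = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern -and $wanted -contains $Matches.status) {
                $hits.Add([pscustomobject]@{
                    Account = $Matches.account
                    Source  = $Matches.source
                    Via     = $Matches.via      # $null when no "(via ...)" part
                    Status  = $Matches.status
                })
            }
        }
    }
    end {
        # Most frequent account/source combinations first
        $hits | Group-Object Account, Source, Via, Status |
            Sort-Object Count -Descending |
            Select-Object Count, Name
    }
}

# Constructed sample lines (not real log data)
$sample = @'
12/19 10:15:23 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Entered
12/19 10:15:23 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Returns 0xC000006A
12/19 10:15:41 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Returns 0xC000006A
12/19 10:16:02 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from PHONE-GW Returns 0xC0000234
12/19 10:16:30 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKSTN07 Returns 0x0
'@ -split "`r?`n"

$sample | Get-NetlogonLockoutSource
# On a domain controller:
# Get-Content "$env:windir\debug\netlogon.log" | Get-NetlogonLockoutSource
```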