If the Agent was not installed on a Domain Controller, everything worked fine. As soon as the Agent was installed on a DC member server, lockouts would occur.
We tried uninstalling / reinstalling the agent thinking something was corrupted in the Agent on Domain Controller servers, but that didn't help.
Mismatched NTLM settings between client and AD servers.
Some NTLM settings were different for the Domain controllers from the rest of our clients. Making these match resolved this issue.