If the Sym Agent was not installed on a Domain Controller, everything worked fine.  As soon as the Sym Agent was installed on a DC member server, lockouts would occur. 

We tried uninstalling / reinstalling the agent thinking something was corrupted in the Agent on Domain Controller servers, but that didn't help.

After upgrade to ITMS 8.6 RU2 w/ all v2 point fixes installed.

Mismatched NTLM settings between client and AD servers.

Some NTLM settings were different for the Domain controllers from the rest of the clients.  Making these match resolved this issue.