I came across this issue, which is “supposed” to be fixed in Exchange 2010 SP1+ and the latest Exchange 2010 SP1 management pack for SCOM.
As soon as SCOM starts monitoring the Exchange boxes, the extest_guid account which it uses gets locked out. You can unlock the account, but it will get locked out soon. If SCOM is not in the picture, everything works fine.
Having had PSS looking into the issue for a while, nothing worthwhile came out. Their explanation was that the issue is fixed in 2010 SP1. But I was having the issue even with SP1 and latest management pack.
This KB article explains the exact issue and gives a resolution. Then it goes onto say “don’t do it in production”. I don’t know why MS release these kind of KBs if they don’t want it to be applied
The workaround for me was the one they used for Exchange 2010 RTM deployments.
Select the properties of the extest_guid account and check “Do not require Kerberos pre-authentication”.
I have seen in various forums that this “fix” doesn’t work for some!