Can you post either a run down of your NoMAD Configuration Profile or a plist (with any sensitive items redacted) so we can look at it? There are a number of settings you need to apply to get the keychain to sync properly. It's not "configured" as such out of the box.
You can look at all the settings available for the free NoMAD application here in case you didn't already have that link.
Edit: Actually, in reading your post again, I think you're seeing expected behavior. NoMAD can only sync items while a user is logged in. So if someone is logged out of the device, and their password changes in AD, it's not going to sync until after the next login. They will still need to log in using their older password and then NoMAD should prompt them to enter the new account password once it realizes they don't match up.
If that's basically what you're seeing, then I'm afraid there isn't anything misconfigured. It's not magic. NoMAD can't read an AD account password, it really only just verifies that the password it has stored, or what you enter, is correct against the directory. If it's not able to authenticate successfully, then you get prompted to enter the correct password, and it then stores that password for future use. Make sense?
