I'm trying to figure out if something is wrong with my configuration. If I change an account's AD password while the user is logged in, they get prompted to update. If the user is logged off, they get the keychain error and can only create a new keychain or enter the old keychain password. I was under the assumption that NoMAD would be able to sync the keychain with the new AD password and avoid that mess. Is there something else I need to do to make it work that way?
Can you post either a rundown of your NoMAD Configuration Profile or a plist (with any sensitive items redacted) so we can look at it? There are a number of settings you need to apply to get the keychain to sync properly. It's not "configured" as such out of the box.
You can look at all the settings available for the free NoMAD application here in case you didn't already have that link.
Edit: Actually, in reading your post again, I think you're seeing expected behavior. NoMAD can only sync items while a user is logged in. So if someone is logged out of the device, and their password changes in AD, it's not going to sync until after the next login. They will still need to log in using their older password and then NoMAD should prompt them to enter the new account password once it realizes they don't match up.
If that's basically what you're seeing, then I'm afraid there isn't anything misconfigured. It's not magic. NoMAD can't read an AD account password, it really only just verifies that the password it has stored, or what you enter, is correct against the directory. If it's not able to authenticate successfully, then you get prompted to enter the correct password, and it then stores that password for future use. Make sense?
It does make sense after thinking about it last night. If the NoMAD client isn't running and the password is changed, there's not much it can do. I did not get a ton of pop-up windows for apps trying to get my keychain password, so that is a plus.