Windows

>do we need to upgrade to Windows Advance Server 2003

Nope. It would be nice, but you don't NEED to.

You need to figure out what is running on the XP boxes that is locking out the user accounts. I've dealt with this myself, so I have some suggestions on where to look.

1) Check out the Scheduled Tasks on the XP boxes. Jobs in Scheduled Tasks all now can run under any account, including a user account (used to be in the NT times with the AT command, all jobs ran as SYSTEM). If you set up a Scheduled Task to run under your user account, you have to type in the password for the user account. THEN later on, if the password for that user account is changed on your domain controllers, the saved password for the Task is NOT changed. Scheduled Tasks keep the password as typed in; those passwords do not change when a password is changed on a DC. Therefore, when the Task tries to run, it starts up and tries to run as the user account with the wrong password. This will fail authentication, since the password is different. When the Tasks fails a few times (depending on what your Account Lockout is set for), then the user account is locked out.

I had this experience before but both in Win2K environment. I have search to MS kbase(i forgot the link already) and they advice to upgrade the server and client to at least sp3. I did work. Maybe your problem is related.

Our DC controllers are running under SP4 already and all patches were updated from the internet.

One more thing, I've seized all the master role from a defective server using the NTDSUTILS command, im trying to remove the defective DC controller which previously holds all the operations master role, the message is "DSA object cannot be deleted". I want to delete the server but it wont allow me. THe DOmain Naming Master also cannto be contacted. Oh boy, this is what we called "DISASTER"