Ran into the same issue, but this time it is a little bit different. Since you can only have 1 domain controller on an APM AAA AD Authentication profile, the workaround is to set up a VS and a pool of Domain Controllers, so we have the VS:0 and poolmembers:0, and under the APM policy we say Authenticate using the AD Virtual Server we created. This is working great for Authentication, but when a user needs to change its password because of an expired AD password credential, APM prompts the user to change the password but it fails, and the user is stuck in that loop where it enters the credentials and the new password does not get changed.
So the situation is the same as above but we are using a VS to be able to authenticate to multiple AD servers by load balancing. Any ideas?