I'll give you my understanding of what happens, but if it's critical, you should contact ServiceNow and get an authoritative answer.
My understanding is that the first time S/N attempts to discover a server, it tries the credentials one at a time. If the first one fails, it tries the second. If that fails, it tries the third. And so on.
The problem comes into play when a credential locks out after a number of failed logons is attempted. If your credentials are validated through LDAP, then a failure on multiple systems can lead to the lock-up of that account.
When a credential succeeds, an entry is made in the credentials affinity table and that credential is used thereafter.
MY ADVICE FOR YOU: change the userid portion of each credential to make it unique. If you're using "servicenow", in 3 domains ( dev, test & prod ), rename it to servicenowdev, servicenowtest and servicenowprod. Even though you are keeping the domains. That way one domain can't lock out a userid for another.
EXPERIMENT: Here's a thought for you. Can you put all discovery on hold long enough to "boot strap" the credentials?
1. Turn off all discovery.
2.Setup a discovery to scan just one domain, say dev.
3. Disable all credentials except for the credentials for the dev domain.
4. Run the discovery job. Everything should run and the credential affinity table should be populated with the credentials for that dev domain.
5. Now repeat steps 2,3&4 for each of the domains.
Once the experiment is over, turn your regular discovery jobs back on and see if things work better.
