Error on creating/editing AD account on different domain but same forest

We get strange problem on IDM 5.5 for AD account. we have two group users on different domains. One is in ou=users, dc=abc, dc=ad, the other is ou=users, ou=subcomp, dc=defg, dc=internal. They both are in same forest. When we create two AD resource adapters with same host name and port number but different container, assign/unassign user account on the first has no any problem. But same operation via second adapter most time give us error. Unable to set user info:

'SetInfo(): 0X80070005: , 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 , Access is denied.

or

no error but the account is not created in AD, idm does not give error.

or

sometimes it works.

The gaveway logs saying error to get attribute.

Does anyone know what is going on?

[824 byte] By [janexa] at [2007-11-27 1:00:37]