After attempting to add an AD user to the AD LDS readers group we received the following error:
Operation failed. Error code: 0x2095
A directory service error has occurred.00002095: SvcErr: DSID-032A08CB, problem 5012 (DIR_ERROR), data 6
We set the logging level to 4 for:
- Security Events
- Name Resolution
- Directory Access
at which point we get the following error
Log Name: ADAM (PDirectory)
Source: ADAM [PDirectory] General
Date: 18/09/2012 11:41:38 AM
Event ID: 1175
Task Category: Directory Access
Level: Information
Keywords: Classic
User: PNET\SVC-ADLDS
Computer: WEB1.p.net
Description: Internal event: A privileged operation (rights required = 0x) on object CN=Readers,CN=Roles,O=P,C=Directory failed because a non-security related error occurred.
Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ADAM [PDirectory] General" />
        <EventID Qualifiers="16384">1175</EventID>
        <Level>4</Level>
        <Task>8</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-09-18T01:41:38.000000000Z" />
        <EventRecordID>625</EventRecordID>
        <Channel>ADAM (PDirectory)</Channel>
        <Computer>WEB1.p.net</Computer>
        <Security UserID="S-1-5-21-1469259761-726080277-10498456-67182" />
      </System>
      <EventData>
        <Data> </Data>
        <Data>CN=Readers,CN=Roles,O=Parl,C=Directory</Data>
      </EventData>
    </Event>
We've looked, and a document described this error for AD controllers running versions earlier than AD 2003 SP1. While this isn't a domain controller, we did check, and all the DCs are later versions.
The server hosting AD LDS is a Windows Server 2K8 R2 box. The errors above occur when trying to add domain users to other roles such as Administrators as well, regardless of which user is being added. We can add AD LDS user objects to these groups, however. Notably, this is the first attempt to update these roles' membership since deployment; up until now we've just had the default admins we set at install using the service. Also, as far as I'm aware no special config was performed; the install was more or less a next -> next scenario. Post-install we updated the schema for one object class, but the same configuration in test didn't exhibit any issues.
We've also checked the DNS and that appears to be resolving fine.
If anyone has any ideas it'll be greatly appreciated.
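The following PowerShell is an added diagnostic example and is not part of the original post. It binds to the AD LDS role named in the question over ADSI, lists what each existing member resolves to (AD LDS user objects versus foreignSecurityPrincipal objects that stand in for domain accounts), and then attempts the same membership change the poster describes while capturing the extended LDAP error text. The instance port (389), the use of the current Windows credentials, and the member SID placeholder are assumptions; the DN and host name are taken from the event log in the post.

```powershell
# Added example (not the original poster's code). Assumptions: AD LDS listens on 389 on WEB1.p.net
# and the current user has rights to read and modify the role; replace <SID-OF-DOMAIN-USER>.
$server = 'WEB1.p.net:389'                            # assumption: default LDAP port of the instance
$roleDn = 'CN=Readers,CN=Roles,O=P,C=Directory'       # DN taken from the event in the post

$role = [ADSI]"LDAP://$server/$roleDn"
if (-not $role.distinguishedName) { throw "Could not bind to $roleDn on $server" }

# 1. Show how each current member resolves; domain accounts should appear as
#    foreignSecurityPrincipal objects under CN=ForeignSecurityPrincipals of the partition.
foreach ($dn in @($role.member)) {
    $entry = [ADSI]"LDAP://$server/$dn"
    $sid = $null
    if ($entry.objectSid) {
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($entry.objectSid[0], 0)).Value
    }
    [pscustomobject]@{
        Member      = $dn
        ObjectClass = ($entry.objectClass | Select-Object -Last 1)
        ObjectSid   = $sid
    }
}

# 2. Reproduce the failing add with the extended error surfaced. For AD LDS, a Windows
#    principal is added by its SID in <SID=...> form; the directory then creates (or reuses)
#    the matching foreignSecurityPrincipal. The SID below is a placeholder.
$memberSid = 'S-1-5-21-<SID-OF-DOMAIN-USER>'
try {
    $role.Properties['member'].Add("<SID=$memberSid>") | Out-Null
    $role.CommitChanges()
    Write-Host "Added <SID=$memberSid> to $roleDn"
}
catch {
    # DirectoryServicesCOMException carries the DSID/problem text seen in the question
    $inner = $_.Exception.InnerException
    if ($inner -and $inner.ExtendedErrorMessage) {
        Write-Warning ("LDAP extended error: " + $inner.ExtendedErrorMessage)
    } else {
        Write-Warning $_.Exception.Message
    }
}
```

Running step 1 alone is safe on a production instance; it only reads. If step 2 fails, compare the `ExtendedErrorMessage` text with the `DSID-032A08CB, problem 5012` string from the question to confirm it is the same failure, and check that the partition actually contains a `CN=ForeignSecurityPrincipals` container, since that is where the SID-based member object would be created.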