Ok need some help here.

Environment: IDM 301, running on Netware 6.5 sp4 edir8.7.0.8, 2 IDVaults,
one is an old legacy tree that synchronizes all users to the new tree.
We then have an Active Directory (w2k3) shim in place to synchronize only
certain users depending on resource access.

We have universal password set up in the New Tree. This is all temporary
until we get the old tree shut down. then it will just be the new tree
synching with AD. We log into the old tree and new tree for mappings and
resource access, and yes this has been very fun.

Issue: We have been running like this since IDM 2.0 and worked very
well. After we upgraded to IDM301 I upgraded all the drivers and we seem
to have a speradic password mis-match. We get calls that the user can
not access resources in the AD domain. They have not changed their
passwords or anything else. They just can't access the
mappings "password not correct" We reset their UP and then it works
fine. This has been going on for about 2 months and is not ever the same
user. It seems as though some event gets triggered and it sends bad
information to the AD and sets the password to something else in AD until
we go back and reset it ??

I am at whit's end with this, can not figure out why or how. I can not
duplicate the error, therefore can not get a trace on the event that
causes this.

Has anyone experienced this and how did you fix it ?