The link below lists the permissions set for the Directory services account and the Active Directory containers these rights are assigned to:
http://ciscounitytools.com/HelpFiles/PW501/PWHelpPermissionsSet_ENU.htm#ExchangeDirService
You use the Active Directory Users and Computers Microsoft Management Console to view and check the rights on the containers in the child domains by right-clicking, selecting properties, and selecting the Security tab. Find the Directory services account, highlight it, and then click the "Advanced" tab. Ensure the permissions are set. Also, ensure these is a check in the box which precedes "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here."