KB - Self Service Password Reset write-back problem – error hr=80230818

Table of Contents

This is a knowledgebase item. Hope it helps you out someday, as I seen this on my job when a customer have the same issues.

Now, since you landed on this page, I assume you’ve got the following issue:

1. Azure AD SelfService Password Reset worked like a charm for quite some time.
2. All of the sudden it stopped working, and you have no idea why. You have checked the permissions on the service account, and all looks good.
3. You are in a hybrid setup, and use password write back. All checkmarks are green.
4. Azure AD audit logs contain OnPremisesAdminActionRequired or ADAdminActionRequired as failure.

Your users are prompted with this error when trying to do a password reset using Azure AD Self Service Password Reset Portal.

On your ADConnect server, you will find this event:

Synchronization Engine returned an error hr=80230818, message=The management agent run was terminated because a domain controller could not be contacted.

Event ID: 33001
Source: PasswordResetService

TrackingId: xxxxxxxxxxxxxxxxxxxxxxxxxx, Reason: Synchronization Engine returned an error hr=80230818, message=The management agent run was terminated because a domain controller could not be contacted., Context: cloudAnchor:xxxxxxxxxxxxxxxxxxxxxxxxxx, SourceAnchorValue: xxxxxxxxxxxxxxxxxxx, UserPrincipalName: xxxxxxxxxxxxxxxxxxxxxxxx, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230818, message=The management agent run was terminated because a domain controller could not be contacted.

   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)

   at AADPasswordReset.SynchronizationEngineManagedHandle.ChangePassword(String cloudAnchor, String sourceAnchor, String oldPassword, String newPassword)

   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ChangePassword(String changePasswordXMLRequestString)

How to fix

The fix is to use an FQDN format, instead of the NETBIOS name in your AD-Connect configuration for your Domain Controllers.

Open the Synchronization Service Manager -> Connectors -> open the Active Directory Domain Services window -> Configure Directory Partitions -> and click under “Domain controller connection settings” then click configure.

Here you’ll see the list of DCs that Azure AD Connect connects to and in which order. Make sure that your DC’s are formatted in a Fully Qualified Domain Name like “DC01.domain.com“.

IMPORTENT:

Change only settings here if you know what to do