The last days I have been troubleshooting Azure AD password writeback error in customer environment.

The environment has two on-premises forest and one Azure AD tenant. On-premises forests doesn’t have trust relationship between them but all required network ports were opened between the forests.



Port list from



When user from forest A tries to reset password via “Self-Service Password Reset” service it works like a charm. Worth to mention is that password change via cloud works and AAD Connect server has been installed to forest A.

When user from forest B tries to reset password from Self-Service Password Reset service reset fails with “hr=80004005, unspecified error” code with event ID 6329 & 33001. Password change works as expected.

EventId 6329.png

Event ID 33001.png

Yesterday we found the reason for this error. For some reason AAD Connect server wants to communicate with TCP 445 (SMB) port with Forest B domain controllers during password reset interaction. Port is not mentioned in official documentation but it’s definitely needed, at least in multi-forest environment. After TCP 445 was added to firewall configuration password resets started to work immediately to Forest B also, event IDs 31001 & 31002 reporting password reset successful.



Hope this helps 🙂