How to ensure AD passwords are set from IDC

This article is a good method of setting the passwords in Active Directory when the IDC user profile password is updated:

Sync password updates from ForgeRock Identity Cloud to a remote LDAP directory - Setup - ForgeRock Community

The problem is that this method is a one-time attempt. If it fails for any reason, the AD password is not updated until another update in IDC is performed. Is there a better method for keeping IDC passwords in sync with AD that also accounts for retries in the event of an initial failure to update?

The update call will fail, so the end user will get an error message and can try again. As the update fails, the password history is not affected and the same new password could be submitted again.

The update script could also include a retry. This will only really help if there is a very short-term connection issue to AD.

If throwing an error to the user in this situation is not what you want, you could also store the password as an encrypted field in IDM and update AD using a regular sync mapping.
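The following is an added example of the bounded retry mentioned in the answer above; it is not code from the community post or from ForgeRock. It is written in the JavaScript style used by IDM/IDC scripts, but the actual push to AD is passed in as a function so the block runs offline: in IDC that function would wrap `openidm.patch` on the AD connector account (shown only in a comment, as an assumption), and `sleep` is injected because the IDM script engine and a plain Node runtime differ. A constructed "flaky connector" stands in for AD so the two outcomes the answer describes can be seen: a short-lived outage is absorbed by the retry, while a persistent failure (or a non-transient one such as a policy rejection) is surfaced to the caller so the user gets the error and can submit the same password again.

```javascript
// Added example, not from the original post. Bounded retry for pushing a new
// password to AD from an IDC managed-user update script.

// Decide whether an error is worth retrying. Heuristic (assumption): 5xx-style
// codes or connection/timeout messages are transient; anything else (e.g. a
// 4xx policy rejection of the password) will fail again with the same input.
function isRetryable(err) {
  var code = err && err.code;
  if (typeof code === "number" && code >= 500 && code <= 599) return true;
  return /connect|timeout|unavailable/i.test(String(err && err.message));
}

// pushFn: zero-argument function performing the AD update. In IDC this would be
// something like (assumed API usage, not verified against a live tenant):
//   function () {
//     openidm.patch("system/ad/account/" + targetId, null,
//       [{ operation: "replace", field: "__PASSWORD__", value: newPassword }]);
//   }
// options.sleep: blocking delay in ms (in IDM scripts java.lang.Thread.sleep
// could be used; a no-op here). options.log: message sink; the password value
// itself is deliberately never logged.
function pushPasswordWithRetry(pushFn, options) {
  var opts = options || {};
  var maxAttempts = opts.maxAttempts || 3;
  var baseDelayMs = opts.baseDelayMs || 200;
  var sleep = opts.sleep || function () {};
  var log = opts.log || function () {};
  var lastErr = null;

  for (var attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      pushFn();
      log("AD password push succeeded on attempt " + attempt);
      return { ok: true, attempts: attempt };
    } catch (err) {
      lastErr = err;
      log("AD password push attempt " + attempt + " failed: " + err.message);
      if (attempt < maxAttempts && isRetryable(err)) {
        // Exponential backoff only helps for very short outages; a longer AD
        // outage should fall through and surface the error to the user.
        sleep(baseDelayMs * Math.pow(2, attempt - 1));
      } else {
        break;
      }
    }
  }
  // Re-throw so the managed-object update fails: password history is untouched
  // and the user can resubmit the same new password.
  throw lastErr;
}

// Constructed stand-in for the AD connector: fails `failures` times with the
// given error code, then succeeds. Used only to exercise the wrapper offline.
function makeFlakyConnector(failures, code) {
  var calls = 0;
  return {
    push: function () {
      calls++;
      if (calls <= failures) {
        var e = new Error(code >= 500 ? "connection refused" : "password policy violation");
        e.code = code;
        throw e;
      }
    },
    calls: function () { return calls; }
  };
}

// Demo: returns { ok, attempts } on success or { ok: false, error, attempts }
// after the wrapper gives up.
function demo(failures, code, maxAttempts) {
  var ad = makeFlakyConnector(failures, code);
  try {
    var r = pushPasswordWithRetry(ad.push, { maxAttempts: maxAttempts });
    return { ok: true, attempts: ad.calls() };
  } catch (err) {
    return { ok: false, error: err.message, attempts: ad.calls() };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo(2, 503, 3)); // transient blip: succeeds on attempt 3
  console.log(demo(5, 503, 3)); // AD down: gives up after 3, error surfaces
  console.log(demo(1, 400, 3)); // policy rejection: no retry, error surfaces
}
```

In an onUpdate or postUpdate script the wrapper would be invoked only when the password field actually changed; with `maxAttempts` of 3 and the default delays the whole update request still completes within roughly a second, which is what keeps this usable inline. Anything needing longer than that is better handled by the answer's other suggestion, persisting the (encrypted) value and letting a regular sync mapping reconcile it.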