A few things to keep in mind:
1. AD uses a proprietary hashing algorithm. Thus we cannot sync passwords from AD to OpenDJ, because OpenDJ would not be able to validate them. This is why we recommend sending the BIND request to AD for validation.
2. It depends on how end users update their password. If they use a web page, you can write the password to both OpenDJ and AD. In this case, you could certainly implement an authentication workflow that checks two servers. See an example of this [here](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/basic.multi_auth_conf). And other workflows can be implemented, as long as you can show a sequence diagram or flow chart of what you expect.
3. If end users use Ctrl-Alt-Del to update their Windows password, you may need some kind of Windows server plugin to catch the password before it's hashed, and propagate it to OpenDJ. Gluu does not offer this kind of product, but there are certainly third-party vendors who specialize in password management.
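
The two-server check from points 1 and 2, as an added example that is not part of the original reply and is not Gluu's script: each backend is tried in order with a simple bind, and empty passwords are rejected first because RFC 4513 treats a bind with an empty password as unauthenticated and a server may answer success to it. The `Backend` type, the `fake_directory` helper and the sample accounts are constructed stand-ins for real LDAP connections.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence


class DirectoryUnavailable(Exception):
    """Raised by a binder when its server cannot be reached."""


@dataclass
class Backend:
    name: str
    # Performs an LDAP simple bind: True = accepted, False = invalid credentials.
    bind: Callable[[str, str], bool]


def authenticate(user: str, password: str, backends: Sequence[Backend]) -> Optional[str]:
    """Return the name of the first backend that accepts the bind, else None."""
    # RFC 4513 5.1.2: a simple bind with an empty password is an unauthenticated
    # bind and may succeed, so it must never be forwarded as a password check.
    if not user or not password:
        return None
    for backend in backends:
        try:
            if backend.bind(user, password):
                return backend.name
        except DirectoryUnavailable:
            continue  # an outage is not a success; try the next server
    return None  # fail closed when no server accepted the credentials


def fake_directory(users: Dict[str, str], accepts_empty: bool = False, up: bool = True):
    """Constructed in-memory stand-in for a real LDAP bind (assumption)."""
    def bind(user: str, password: str) -> bool:
        if not up:
            raise DirectoryUnavailable(user)
        if password == "" and accepts_empty:
            return True  # models a server that accepts unauthenticated binds
        return user in users and users[user] == password
    return bind


# Constructed sample data: alice changed her password on the web page (written
# to both servers); bob changed his on Windows, so only AD can validate it.
OPENDJ = Backend("opendj", fake_directory({"alice": "pw-web-1"}))
AD = Backend("ad", fake_directory({"alice": "pw-web-1", "bob": "pw-ad-2"}, accepts_empty=True))

if __name__ == "__main__":
    for user, pw in [("alice", "pw-web-1"), ("bob", "pw-ad-2"), ("bob", "")]:
        print(user, repr(pw), "->", authenticate(user, pw, [OPENDJ, AD]))
```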