3.1.1.5.1.3 Uniqueness Constraints

During an originating update of the Add, Modify, and Undelete operations on a DC with functional level DS_BEHAVIOR_WIN2012R2 or greater, the server enforces the following constraint for the servicePrincipalName and userPrincipalName attributes if present on the object.

  • In AD DS, if the DC functional level is DS_BEHAVIOR_WIN2012R2 or greater, then the new attribute value must be unique within the entire forest. If the DC is not a GC, then the DC must issue an LDAP search against a GC to determine uniqueness. The following additional considerations for uniqueness checking are relevant for Windows Server 2012 R2 operating system with [MSKB-3070083] and Windows Server 2016 operating system:

    • userPrincipalName uniqueness is not checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute (see section 6.1.1.2.4.1.2) is set to "1".

    • servicePrincipalName uniqueness is not checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute is set to "2".

    • Neither userPrincipalName nor servicePrincipalName uniqueness is checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute is set to "3".

    • userPrincipalName and servicePrincipalName uniqueness is checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute is set to any value other than "1", "2", or "3".

  • In AD LDS, if the DC functional level is DS_BEHAVIOR_WIN2012R2 or greater, then the new attribute value must be unique within its own partition.

If another object exists with a duplicate userPrincipalName value, the operation fails with an extended error of ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST. If another object exists with a duplicate servicePrincipalName value, the operation fails with an extended error of ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST.

Uniqueness constraints are not enforced for replicated updates.
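The decision described above (functional level gate, the AD DS forest-wide versus AD LDS per-partition scope, the DoNotVerifyUPNAndOrSPNUniqueness switch, and the two extended errors) can be modelled as a small function that an administrator can use to reason about an originating update before it is attempted. The following is an added example, not code from MS-ADTS or from Windows; it assumes that the DoNotVerifyUPNAndOrSPNUniqueness character is character 21 of dsHeuristics, that a missing or too-short dsHeuristics value behaves as "0" for that character, that UPN and SPN comparison is case-insensitive, and that the server honours the dsHeuristics switch (i.e. it is Windows Server 2012 R2 with the referenced update, or later). The `gc_uniqueness_filter` helper builds the kind of LDAP search filter a non-GC DC would send to a global catalog to test for duplicates; the directory contents are constructed sample data.

```python
"""Model of the MS-ADTS 3.1.1.5.1.3 UPN/SPN uniqueness constraint (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

DS_BEHAVIOR_WIN2012R2 = 6          # functional level value from MS-ADTS
DO_NOT_VERIFY_CHAR_POS = 21        # assumed 1-based position of DoNotVerifyUPNAndOrSPNUniqueness


def ds_heuristics_char(ds_heuristics: Optional[str], pos: int) -> str:
    """Return 1-based character `pos` of dsHeuristics; absent characters count as "0" (assumption)."""
    if ds_heuristics is None or len(ds_heuristics) < pos:
        return "0"
    return ds_heuristics[pos - 1]


def uniqueness_checks(ds_heuristics: Optional[str]) -> Dict[str, bool]:
    """Which attributes are still checked, given the DoNotVerifyUPNAndOrSPNUniqueness character."""
    c = ds_heuristics_char(ds_heuristics, DO_NOT_VERIFY_CHAR_POS)
    return {
        "userPrincipalName": c not in ("1", "3"),      # "1" or "3" disables the UPN check
        "servicePrincipalName": c not in ("2", "3"),   # "2" or "3" disables the SPN check
    }


@dataclass
class DirectoryObject:
    dn: str
    partition: str
    userPrincipalName: Optional[str] = None
    servicePrincipalName: List[str] = field(default_factory=list)


@dataclass
class Directory:
    ad_lds: bool                  # True for AD LDS, False for AD DS
    functional_level: int
    ds_heuristics: Optional[str]
    objects: List[DirectoryObject]


def _scope(directory: Directory, partition: str) -> List[DirectoryObject]:
    """AD LDS checks within the object's own partition; AD DS checks the whole forest (GC search)."""
    if directory.ad_lds:
        return [o for o in directory.objects if o.partition == partition]
    return directory.objects


def check_uniqueness(directory: Directory, target_dn: str, partition: str,
                     upn: Optional[str] = None, spns: Iterable[str] = ()) -> Optional[str]:
    """Return None if the originating update may proceed, otherwise the extended error name.

    The object being updated (target_dn) is excluded, so re-asserting its own values is allowed.
    """
    if directory.functional_level < DS_BEHAVIOR_WIN2012R2:
        return None                                    # constraint only applies at 2012R2+
    enabled = uniqueness_checks(directory.ds_heuristics)
    others = [o for o in _scope(directory, partition) if o.dn.lower() != target_dn.lower()]

    if upn is not None and enabled["userPrincipalName"]:
        for o in others:
            if o.userPrincipalName and o.userPrincipalName.lower() == upn.lower():
                return "ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST"

    if enabled["servicePrincipalName"]:
        wanted = {s.lower() for s in spns}
        for o in others:
            if wanted & {s.lower() for s in o.servicePrincipalName}:
                return "ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST"
    return None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def gc_uniqueness_filter(attribute: str, values: List[str]) -> str:
    """Filter a non-GC DC could send to a GC (port 3268) to look for existing holders of the values."""
    parts = "".join(f"({attribute}={ldap_escape(v)})" for v in values)
    return parts if len(values) == 1 else f"(|{parts})"


# Constructed sample forest with two domain partitions.
SAMPLE_OBJECTS = [
    DirectoryObject("CN=svc1,DC=a,DC=example", "DC=a,DC=example",
                    "svc1@a.example", ["HTTP/web.a.example"]),
    DirectoryObject("CN=bob,DC=b,DC=example", "DC=b,DC=example", "bob@b.example"),
]

if __name__ == "__main__":
    forest = Directory(ad_lds=False, functional_level=DS_BEHAVIOR_WIN2012R2,
                       ds_heuristics=None, objects=SAMPLE_OBJECTS)
    print(check_uniqueness(forest, "CN=new,DC=b,DC=example", "DC=b,DC=example",
                           spns=["http/WEB.a.example"]))
    print(gc_uniqueness_filter("servicePrincipalName", ["HTTP/web.a.example"]))
```

Beyond the single case in the text, the model covers the AD LDS partition scope, a functional level below DS_BEHAVIOR_WIN2012R2 (no check at all), and each value of the dsHeuristics character. The last point is the one worth auditing: a dsHeuristics value whose 21st character is "1", "2" or "3" silently turns the duplicate-UPN or duplicate-SPN protection off forest-wide, so `uniqueness_checks()` applied to the live attribute value is a cheap configuration check.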