3.1.1.5.1.3 Uniqueness Constraints

  • Article
  • 2 minutes to read

During an originating update of the Add, Modify, and Undelete operations on a DC with functional level DS_BEHAVIOR_WIN2012R2 or greater, the server enforces the following constraint for the servicePrincipalName and userPrincipalName attributes if present on the object.

  • In AD DS, if the DC functional level is DS_BEHAVIOR_WIN2012R2 or greater, then the new attribute value must be unique within the entire forest. If the DC is not a GC, then the DC must issue an LDAP search against a GC to determine uniqueness. The following additional considerations for uniqueness checking are relevant:

    • userPrincipalName (UPN) uniqueness is checked only if bit 0 of the DoNotVerifyUPNAndOrSPNUniqueness dsHeuristic attribute (section 6.1.1.2.4.1.2) is set to 1.

    • servicePrincipalName (SPN (2)) uniqueness is checked only if bit 1 of the DoNotVerifyUPNAndOrSPNUniqueness dsHeuristic attribute value (section 6.1.1.2.4.1.2) is set to 1.

    • servicePrincipalName alias uniqueness is checked only if bit 2 of the DoNotVerifyUPNAndOrSPNUniqueness dsHeuristic attribute value (section 6.1.1.2.4.1.2) is set to 1 and if the current user is not admin or local system.

      Note: sPNMappings are defined in [MS-ADA3] section 2.276.

      The format of an entry is x=a,b,c. In this context, a, b, and c are all aliases of x.

      The first part of a servicePrincipalName is the SERVICE, for example SERVICE/foo. When the servicePrincipalName alias uniqueness feature is on the new value SERVICE, the name must be unique, including its aliases. For example if CIFS is an alias of HOST, then setting the servicePrincipalName to CIFS/foo will actually check uniqueness for both CIFS/foo and HOST/foo.

      Note: The uniqueness checking additions for userPrincipalName and servicePrincipalName described earlier are relevant to Windows Server 2012 R2 operating system with [MSKB-3070083] installed and to the operating systems specified in [MSFT-CVE-2021-42282], each with its related MSKB article download installed. These features are also supported in Windows 11, version 22H2 operating system and later.

  • In AD LDS, if the DC functional level is DS_BEHAVIOR_WIN2012R2 or greater, then the new attribute value must be unique within its own partition.

If another object exists with a duplicate userPrincipalName value, the operation fails with an extended error of ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST. If another object exists with a duplicate servicePrincipalName value, the operation fails with an extended error of ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST.

Uniqueness constraints are not enforced for replicated updates.