3.1.1.5.1.3 Uniqueness Constraints
During an originating update of the Add, Modify, and Undelete operations on a DC with functional level DS_BEHAVIOR_WIN2012R2 or greater, the server enforces the following constraint for the servicePrincipalName and userPrincipalName attributes if present on the object.
In AD DS, if the DC functional level is DS_BEHAVIOR_WIN2012R2 or greater, then the new attribute value must be unique within the entire forest. If the DC is not a GC, then the DC must issue an LDAP search against a GC to determine uniqueness. The following additional considerations for uniqueness checking are relevant for Windows Server 2012 R2 operating system with [MSKB-3070083] and Windows Server 2016 operating system and later:
- userPrincipalName uniqueness is not checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute (see section 6.1.1.2.4.1.2) is set to "1".
- servicePrincipalName uniqueness is not checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute is set to "2".
- Neither userPrincipalName nor servicePrincipalName uniqueness is checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute is set to "3".
- userPrincipalName and servicePrincipalName uniqueness is checked if the DoNotVerifyUPNAndOrSPNUniqueness character of the dsHeuristics attribute is set to any value other than "1", "2", or "3".
In AD LDS, if the DC functional level is DS_BEHAVIOR_WIN2012R2 or greater, then the new attribute value must be unique within its own partition.
If another object exists with a duplicate userPrincipalName value, the operation fails with an extended error of ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST. If another object exists with a duplicate servicePrincipalName value, the operation fails with an extended error of ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST.
Uniqueness constraints are not enforced for replicated updates.
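The following Python model of the decision logic in this section is an added example, not code from the specification or from any DC implementation. It assumes a numeric value for DS_BEHAVIOR_WIN2012R2, that the DoNotVerifyUPNAndOrSPNUniqueness flag is the 21st character of dsHeuristics (per section 6.1.1.2.4.1.2, which this section cites but does not reproduce), that UPN/SPN values compare case-insensitively, and a constructed two-partition forest as input.

```python
"""Model of the UPN/SPN uniqueness constraint in MS-ADTS 3.1.1.5.1.3 (added example)."""

DS_BEHAVIOR_WIN2012R2 = 6  # numeric level is an assumption for this model only
UPN_ERR = "ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST"
SPN_ERR = "ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST"
# Assumption: DoNotVerifyUPNAndOrSPNUniqueness is the 21st character of
# dsHeuristics (section 6.1.1.2.4.1.2); a shorter or absent string reads as "0".
HEURISTIC_INDEX = 20


def heuristic_char(ds_heuristics):
    """Return the DoNotVerifyUPNAndOrSPNUniqueness character ("0" if absent)."""
    return ds_heuristics[HEURISTIC_INDEX] if len(ds_heuristics) > HEURISTIC_INDEX else "0"


def _lower_set(value):
    """Normalise one value or a collection to a lower-cased set (case-insensitive syntax)."""
    if value is None:
        return set()
    return {value.lower()} if isinstance(value, str) else {v.lower() for v in value}


def check_uniqueness(directory, target_dn, partition, new_attrs, *, functional_level,
                     ds_heuristics="", is_ad_lds=False, originating=True):
    """Return None if the update may proceed, else the extended error name.

    directory maps DN -> {"partition", "userPrincipalName", "servicePrincipalName"}.
    AD DS searches the whole forest (via a GC); AD LDS only the target's own partition.
    """
    if not originating or functional_level < DS_BEHAVIOR_WIN2012R2:
        return None  # replicated updates and pre-2012R2 levels are not constrained
    flag = heuristic_char(ds_heuristics)
    check_upn, check_spn = flag not in ("1", "3"), flag not in ("2", "3")
    others = [obj for dn, obj in directory.items()  # "another object": exclude self
              if dn != target_dn and (not is_ad_lds or obj["partition"] == partition)]
    upn = _lower_set(new_attrs.get("userPrincipalName"))
    if check_upn and upn and any(upn & _lower_set(o.get("userPrincipalName")) for o in others):
        return UPN_ERR
    spn = _lower_set(new_attrs.get("servicePrincipalName"))
    if check_spn and spn and any(spn & _lower_set(o.get("servicePrincipalName")) for o in others):
        return SPN_ERR
    return None


# Constructed sample forest: two objects in two domain partitions.
FOREST = {
    "CN=svc1,DC=corp,DC=example": {"partition": "DC=corp,DC=example",
        "userPrincipalName": "svc1@corp.example",
        "servicePrincipalName": {"HTTP/web.corp.example"}},
    "CN=svc2,DC=child,DC=corp,DC=example": {"partition": "DC=child,DC=corp,DC=example",
        "userPrincipalName": "svc2@child.corp.example",
        "servicePrincipalName": {"MSSQLSvc/db.child.corp.example:1433"}},
}
```

Because the AD DS check spans the forest, an Add in DC=corp that reuses svc2's UPN from the child domain is rejected, while the same Add under AD LDS rules passes because the duplicate lives in a different partition.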