Hello,
Thank you for posting your question on the Microsoft Windows forum!
Based on the error message in the provided screenshot, "The operation failed because SPN value provided for addition/modification is not unique forest-wide", which occurs when attempting to join a Windows 11 laptop to an Active Directory domain: it is probable that Active Directory is still aware of the old hostname's SPN, preventing a new computer account with that same hostname from being created and registered with its default SPNs. This often happens if the computer account wasn't fully purged, or if there's an orphaned SPN. You can try the following potential troubleshooting steps.
1. Verify Computer Account Deletion:
- Double-check Active Directory Users and Computers (ADUC): Even if you think it's deleted, thoroughly search for the computer object in all OUs, including the "Computers" container and any custom OUs you might have.
- Check "Deleted Objects" container (if enabled): If your forest functional level supports the AD Recycle Bin, check the "Deleted Objects" container to ensure it's not merely in a soft-deleted state.
2. Check for Orphaned SPNs:
- Use setspn to query for the SPN: This is the most direct way to find the offending SPN. Open an elevated Command Prompt or PowerShell on a Domain Controller and run the following command, which performs a duplicate SPN check across the entire forest:
- setspn -X
- If the environment has multiple domains, the SPN might exist elsewhere.
- setspn -L hostname
- Once you've identified the object, use setspn -D to delete the specific SPN. Be extremely careful with this command, as deleting the wrong SPN can cause service disruptions.
- setspn -D <SPN> hostname
- More information on the setspn command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setspn
3. Check for Stale DNS Records:
- While you mentioned DNS was deleted, it's worth a quick recheck, especially for any lingering PTR records if you use reverse DNS.
- Open DNS Management: On a Domain Controller, open DNS Manager.
- Check Forward Lookup Zones: Verify that there are no A records for the hostname.
- Check Reverse Lookup Zones: If you use reverse lookup, ensure there are no PTR records for the IP address the laptop would acquire.
- Force DNS Replication: If you have multiple DNS servers, force replication to ensure all servers are up to date.
4. Replication Status:
- Ensure that Active Directory replication is healthy across all Domain Controllers. If replication is not working correctly, a deletion on one DC might not have propagated to others, leading to the SPN still existing on a different DC.
- Use repadmin /showrepl: Run this command on a Domain Controller to check replication status. Address any replication errors.
5. Try Joining Again:
- After performing the above steps, especially after successfully deleting any orphaned SPNs, attempt to join the Windows 11 laptop to the domain again with its original hostname.
Hope the above information is helpful!
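The steps in the answer above, scripted as one PowerShell check. This is an added example, not code from the original answer or from Microsoft: it assumes the RSAT ActiveDirectory module, Resolve-DnsName and repadmin are available on a domain-joined admin workstation or DC, that you run it with Domain Admin rights, and that the hostname (LAPTOP01 in the usage line) and the DNS zone are placeholders for your own values. Run it without -Remove first; in that mode it only reports what it finds.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not part of the original answer). Assumptions: RSAT AD module,
# Resolve-DnsName and repadmin present; Domain Admin rights; hostname/zone are
# placeholders. Usage:  .\Find-OrphanedSpn.ps1 -ComputerName LAPTOP01
#                       .\Find-OrphanedSpn.ps1 -ComputerName LAPTOP01 -Remove
param(
    [Parameter(Mandatory)] [string] $ComputerName,     # short hostname, e.g. LAPTOP01
    [string] $DnsZone = (Get-ADDomain).DNSRoot,        # forward zone the laptop registers in
    [switch] $Remove                                   # strip the conflicting SPNs that are found
)

# Matches any SPN that belongs to this host: <svc>/<host>, <svc>/<host>.<dns>, <svc>/<host>:<port>
$spnRegex = "^[^/]+/$([regex]::Escape($ComputerName))(\.|:|$)"

# --- 1. Soft-deleted computer account (AD Recycle Bin / tombstone) -------------------
# A deleted object keeps its name with "<LF>DEL:<guid>" appended, so match on the prefix.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties isDeleted, lastKnownParent, whenChanged `
    -LDAPFilter "(&(objectClass=computer)(isDeleted=TRUE)(name=$ComputerName*))" |
    Where-Object { $_.Name -match "^$([regex]::Escape($ComputerName))\nDEL:" }
foreach ($d in $deleted) {
    Write-Host "Deleted computer object: $($d.DistinguishedName) (was in $($d.lastKnownParent), changed $($d.whenChanged))"
}

# --- 2. Orphaned SPNs, forest-wide ---------------------------------------------------
# Query a Global Catalog (port 3268) with an empty search base so every domain in the
# forest is covered; servicePrincipalName is in the GC's partial attribute set.
# (Assumption: an empty -SearchBase is accepted only against a GC port.)
$gc = "$((Get-ADForest).GlobalCatalogs | Select-Object -First 1):3268"
$holders = @(Get-ADObject -Server $gc -SearchBase "" -SearchScope Subtree `
    -LDAPFilter "(servicePrincipalName=*/$ComputerName*)" `
    -Properties servicePrincipalName, objectClass |
    Where-Object { @($_.servicePrincipalName) -match $spnRegex })

foreach ($h in $holders) {
    $conflicting = @(@($h.servicePrincipalName) -match $spnRegex)
    Write-Host "SPN holder: $($h.DistinguishedName) [$($h.objectClass)]"
    $conflicting | ForEach-Object { Write-Host "    $_" }

    if ($Remove) {
        # A holder that IS a computer object with this name is the account the join
        # wants to reuse: handle the account itself instead of stripping its SPNs.
        if ($h.objectClass -eq 'computer' -and $h.Name -ieq $ComputerName) {
            Write-Warning "Computer account $($h.DistinguishedName) still exists; not touching its SPNs."
            continue
        }
        # Write through a DC in the object's own domain (derived from the DN), not the GC port.
        $domainFqdn = ((($h.DistinguishedName -split ',') -match '^DC=') -replace '^DC=', '') -join '.'
        # -Remove strips only the listed values from the multi-valued attribute; -Confirm
        # prompts per object because removing the wrong SPN breaks Kerberos for that service.
        Set-ADObject -Identity $h.DistinguishedName -Server $domainFqdn `
            -Remove @{ servicePrincipalName = $conflicting } -Confirm
    }
}
if ($holders.Count -eq 0) { Write-Host "No SPN for $ComputerName found anywhere in the forest." }

# --- 3. Stale DNS records (A record and matching PTR) --------------------------------
$fqdn = "$ComputerName.$DnsZone"
$aRecords = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' })
foreach ($rec in $aRecords) {
    $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue
    $ptrName = if ($ptr) { $ptr.NameHost } else { 'none' }
    Write-Host "Stale A record: $fqdn -> $($rec.IPAddress); PTR: $ptrName"
}
if ($aRecords.Count -eq 0) { Write-Host "No A record for $fqdn." }

# --- 4. Replication health: a deletion that has not replicated looks "orphaned" from
#        another DC, so check for errors before retrying the join.
repadmin /showrepl
```

Read the SPN holder list carefully before using -Remove: a service account or cluster object legitimately holding a host-style SPN for this name is a naming collision to resolve with the service owner, not an orphan to delete.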