Impact of removing SPN "HOST/<Computer-name>.<domain>" from computer object "<Computer-name>"

ShamsElDin, Tamer 5 Reputation points
2025-05-09T00:00:06.4+00:00

Hello,

During a migration from one Windows server "windows-server.lab" to a NAS storage, what will be the impact of removing the SPN "HOST/windows-server.lab" from the computer object "CN=Windows-Server,CN=Computers,DC=lab" and creating the SPN under the NAS storage's computer object?

Assuming that post switchover, the FQDN of "windows-server.lab" will change its DNS record to point to the NAS storage, and I will create a new FQDN for the Windows server so it can be used for access for some time.

I know that moving the SPN from one computer object to another is critical for Kerberos authentication; otherwise, tickets will be encrypted using the computer object's password, different from the password of the desired computer object.

I am wondering if the SPN "which is based on HOST/<Computer-name>.<domain>" is special and can't be removed from the original computer object "<Computer-name>".

Thank you
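
A read-only check that can be run before and after the SPN move described in the question, to confirm the SPN is held by exactly one computer object. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, and the `sAMAccountName` values `WINDOWS-SERVER$` and `NAS-STORAGE$` are hypothetical.

```powershell
# Added example: report which AD account(s) currently hold an SPN.
# Read-only: it queries the directory and changes nothing.
Import-Module ActiveDirectory

function Get-SpnHolder {
    param([Parameter(Mandatory)][string]$Spn)
    # Assumes $Spn contains no LDAP filter metacharacters ( * ( ) \ ).
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Properties sAMAccountName, servicePrincipalName
}

function Test-SpnOwnership {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$ExpectedAccount
    )
    $holders = @(Get-SpnHolder -Spn $Spn)
    $status = switch ($holders.Count) {
        0 { 'Unregistered' }          # no account holds the SPN
        1 {
            if ($holders[0].sAMAccountName -eq $ExpectedAccount) { 'OK' }
            else { 'HeldByOtherAccount' }
        }
        default { 'Duplicate' }       # more than one account holds the SPN
    }
    [pscustomobject]@{
        Spn      = $Spn
        Expected = $ExpectedAccount
        Holders  = ($holders.sAMAccountName -join ', ')
        Status   = $status
    }
}

# SPN taken from the question; account names are hypothetical placeholders.
$spn = 'HOST/windows-server.lab'

# Before the switchover: the Windows server's computer object should hold it.
Test-SpnOwnership -Spn $spn -ExpectedAccount 'WINDOWS-SERVER$'

# After the move: the NAS computer object should be the only holder.
Test-SpnOwnership -Spn $spn -ExpectedAccount 'NAS-STORAGE$'
```

Running the second check again after the Windows server has rebooted shows whether the SPN is still held only by the NAS object.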
