Score:0

multiple LDAP and krbtgt tickets generated


I was doing some testing to understand Kerberos behavior. I have a user Alice logged into a machine that is part of the lab.local domain. After signing in, I ran net user \\dc\sysvol to trigger a service ticket request for the cifs service. As per my understanding, the client should now have two tickets in the cache: the first is the TGT and the other is the TGS for the cifs service. By running klist, I found that there are two TGT tickets identified by the krbtgt account, two LDAP TGS tickets and one cifs ticket. I want to know why there are two TGTs, not only one, and why the LDAP tickets exist. I added an image of the klist command output.

user1686
The term you're looking for is a "service ticket" (as opposed to a TGT being a "ticket-granting ticket"). "TGS" is not the term for a ticket – it's the component of the KDC that _issues_ tickets.
Score:0

The two krbtgt/* tickets are issued with different flags. Ticket #1 is the normal TGT that you received during login, while ticket #0 is a copy that the KDC issued with the forwarded flag for unconstrained delegation. It's not entirely clear whether it was received by this machine from elsewhere or whether it's about to be forwarded to another machine from yours, though I suspect it's the latter. (Note how the service tickets have the ok_as_delegate flag, indicating that those services are marked to allow unconstrained delegation to them.)

The two ldap/* tickets are issued for different principal names – notice that ticket #2 has a two-component principal while ticket #4 has a three-component one. While typical Kerberos uses only the basic two-component service/fqdn service principal format, certain Active Directory services extend this to a three-component service/fqdn/instance (which is not unlike how traditional Kerberos has user/instance). In this case the 3rd component is the AD domain name that the LDAP server (the DC) is responsible for; I'm not entirely clear on the purpose, although I believe it was documented somewhere in MS docs.
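To make the answer's two distinctions checkable, here is an added example (not from the question or the answer) that parses Windows klist output and reports which TGT carries the forwarded flag, which services are marked ok_as_delegate, and the ldap principals grouped by component count. The klist text is constructed to mirror the cache in the question, and the host name dc.lab.local is an assumption.

```python
import re
from collections import namedtuple

# Constructed Windows klist output modelled on the cache described in the question.
SAMPLE_KLIST = """\
#0>     Client: Alice @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
#1>     Client: Alice @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
#2>     Client: Alice @ LAB.LOCAL
        Server: ldap/dc.lab.local @ LAB.LOCAL
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
#3>     Client: Alice @ LAB.LOCAL
        Server: cifs/dc.lab.local @ LAB.LOCAL
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
#4>     Client: Alice @ LAB.LOCAL
        Server: ldap/dc.lab.local/lab.local @ LAB.LOCAL
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
"""

Ticket = namedtuple("Ticket", "index server components flags")

def parse_klist(text):
    """Split klist output into Ticket records: index, SPN, SPN components, flag names."""
    tickets = []
    for block in re.split(r"(?m)^#(?=\d+>)", text)[1:]:  # each block begins at "#N>"
        index = int(block.split(">", 1)[0])
        server = re.search(r"Server:\s*(\S+)\s*@", block).group(1)
        m = re.search(r"Ticket Flags\s+0x[0-9a-fA-F]+\s*->\s*(.*)", block)
        flags = frozenset(m.group(1).split()) if m else frozenset()
        tickets.append(Ticket(index, server, tuple(server.split("/")), flags))
    return tickets

def is_tgt(t):
    return t.components[0] == "krbtgt"

def delegation_review(tickets):
    """Pull out what the answer points at: the forwarded TGT copy, the login TGT,
    services flagged ok_as_delegate, and ldap SPNs grouped by component count."""
    return {
        "forwarded_tgts": [t.index for t in tickets if is_tgt(t) and "forwarded" in t.flags],
        "login_tgts": [t.index for t in tickets if is_tgt(t) and "initial" in t.flags],
        "ok_as_delegate": [t.server for t in tickets if not is_tgt(t) and "ok_as_delegate" in t.flags],
        "ldap_by_arity": {n: [t.server for t in tickets if t.components[0] == "ldap" and len(t.components) == n]
                          for n in {len(t.components) for t in tickets if t.components[0] == "ldap"}},
    }
```

Feeding real `klist` output into parse_klist lets you audit a host's cache for forwarded TGT copies and ok_as_delegate services, which is where unconstrained delegation exposure shows up.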
