I got a few questions about Kerberos with Active Directory, specifically about the ktpass tool.
The example AD I'm using (everything is on 2012R2 level):
Active Directory Domain Name: ad.example.com
Domain Controller: dc.ad.example.com
Service Server Name: server.ad.example.com
Service User Name: [email protected]
I use this as reference invocation of ktpass command:
ktpass /princ SERVICE-NAME/[email protected]
/mapuser [email protected]
/pass * /ptype KRB5_NT_PRINCIPAL /crypto AES128-SHA1
Output on my Test System:
Targeting domain controller: dc.ad.example.com
Using legacy password setting method
Successfully mapped SERVICE-NAME/server.ad.example.com to [email protected].
Type the password for SERVICE-NAME/server.ad.example.com:
Type the password again to confirm:
Key created.
Now the questions:
- The /mapuser parameter maps the Kerberos principal to the user; is this the same as doing it with
setspn -U -S SERVICE-NAME/server.ad.example.com test-service-user
? Or is there some other mapping done too? If so, how do I undo that mapping?
- If I look up the test-service-user using the "Active Directory Users and Computers" tool, I see that the "User logon name" has been replaced with "SERVICE-NAME/server.ad.example.com". Does that mean only one Kerberos principal per user is possible?
- I have not specified the /out parameter, yet it states "Key created." Does this mean it has updated the password of the test-service-user, or has a key been stored somewhere else (where?)?
- What does "legacy password setting method" mean?
0 Answers
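As an added example (not part of the original post), the following PowerShell script records the attributes of the service account that ktpass and setspn operate on (UPN, SPNs, supported encryption types, password-change timestamp), and on a second run diffs them against the saved snapshot, so one can see exactly which attributes the ktpass invocation above modified. The account name test-service-user comes from the post; the snapshot file path and the ActiveDirectory RSAT module being installed are assumptions.

```powershell
# Added example: snapshot the attributes of the service account that ktpass
# and setspn operate on, save it, and diff it against a second snapshot taken
# after the command has been run. Needs the ActiveDirectory RSAT module.
# Account name from the post; the snapshot file path is an assumption.
Import-Module ActiveDirectory

$Account      = 'test-service-user'
$SnapshotFile = "$env:TEMP\$Account-before.xml"

function Get-ServiceAccountSnapshot {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName,
         servicePrincipalName, 'msDS-SupportedEncryptionTypes', pwdLastSet, whenChanged
    [pscustomobject]@{
        userPrincipalName               = $u.userPrincipalName
        servicePrincipalName            = (@($u.servicePrincipalName) | Sort-Object) -join ';'
        'msDS-SupportedEncryptionTypes' = $u.'msDS-SupportedEncryptionTypes'
        # pwdLastSet is a FILETIME; convert it so a password reset is visible
        pwdLastSet                      = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        whenChanged                     = $u.whenChanged
    }
}

function Compare-ServiceAccountSnapshot {
    param($Before, $After)
    foreach ($name in $Before.PSObject.Properties.Name) {
        if ("$($Before.$name)" -ne "$($After.$name)") {
            [pscustomobject]@{ Attribute = $name; Before = $Before.$name; After = $After.$name }
        }
    }
}

if (-not (Test-Path $SnapshotFile)) {
    # First run: record the state before ktpass/setspn is executed.
    Get-ServiceAccountSnapshot -SamAccountName $Account | Export-Clixml $SnapshotFile
    "Snapshot saved to $SnapshotFile; now run ktpass, then run this script again."
} else {
    # Second run: compare against the saved snapshot, then discard it.
    $before = Import-Clixml $SnapshotFile
    $after  = Get-ServiceAccountSnapshot -SamAccountName $Account
    Compare-ServiceAccountSnapshot -Before $before -After $after | Format-Table -AutoSize
    Remove-Item $SnapshotFile
}
```

Run it once before and once after the ktpass command; any attribute that differs is listed with its old and new value, which directly shows whether the UPN, the SPN list, the encryption types or the password were touched.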