I have an Active Directory domain ad.example.com and I configured a UPN alias example.com.
When a user tries to log on as user@example.com, how does it know the domain is actually ad.example.com?
Don't I need an SRV record or something in the parent zone to hint to the AD?
The account's UPN is unique within the forest and is replicated to all DCs in the forest. When the authenticating DC locates the account, it locates the domain.
From what I've read elsewhere:

As a domain member, Windows doesn't try to figure out what realm you're in – it always talks to the KDCs for its default realm (the one that it was joined to), and the initial Kerberos AS-REQ sends the whole UPN as an enterprise name, allowing the KDC to do that job instead.

So the Kerberos principal in the AS-REQ looks like user\@example.com@AD.EXAMPLE.COM, and it becomes your KDC's job to figure out where that user actually is (I assume by searching the forest's Global Catalog for a user with a matching userPrincipalName attribute). But as a standalone (workgroup) client connecting to an AD-member server, Windows wouldn't have a "default realm" yet – in that situation it would indeed make queries for AD-specific _msdcs SRV records at the UPN suffix.
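As an added illustration (not part of either answer above), this is how the client name in that AS-REQ differs on the wire: a minimal DER encoder/decoder for the Kerberos PrincipalName structure (RFC 4120), showing an NT-ENTERPRISE name (type 10, RFC 6806) that carries the whole UPN as one component while the realm field stays the client's default realm. The names user@example.com and AD.EXAMPLE.COM are taken from the question; the helper names are my own.

```python
# PrincipalName ::= SEQUENCE {
#     name-type   [0] Int32,
#     name-string [1] SEQUENCE OF KerberosString (GeneralString, tag 0x1B) }
NT_PRINCIPAL = 1     # plain name, e.g. "user"; client picks the realm itself
NT_ENTERPRISE = 10   # whole UPN "user@example.com" in a single component

def _tlv(tag, body):
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_principal_name(name_type, components):
    nt = _tlv(0x02, name_type.to_bytes(1, "big"))      # Int32 (small values)
    seq = _tlv(0x30, b"".join(_tlv(0x1B, c.encode()) for c in components))
    return _tlv(0x30, _tlv(0xA0, nt) + _tlv(0xA1, seq))  # [0] and [1] are constructed

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def decode_principal_name(der):
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "PrincipalName must be a SEQUENCE"
    tag0, nt_body, pos = _read_tlv(body, 0)
    tag1, ns_body, _ = _read_tlv(body, pos)
    assert tag0 == 0xA0 and tag1 == 0xA1, "unexpected context tags"
    _, nt_int, _ = _read_tlv(nt_body, 0)
    _, seq, _ = _read_tlv(ns_body, 0)
    comps, p = [], 0
    while p < len(seq):
        _, s, p = _read_tlv(seq, p)
        comps.append(s.decode())
    return int.from_bytes(nt_int, "big", signed=True), comps

def describe_cname(der, realm):
    """How a KDC (or an analyst reading a capture) should read cname + realm."""
    nt, comps = decode_principal_name(der)
    if nt == NT_ENTERPRISE:
        return f"enterprise name {comps[0]}: KDC for {realm} resolves the UPN via the GC"
    return f"principal {'/'.join(comps)}@{realm}: looked up directly in realm {realm}"

if __name__ == "__main__":
    upn = encode_principal_name(NT_ENTERPRISE, ["user@example.com"])  # constructed sample
    print(upn.hex())
    print(describe_cname(upn, "AD.EXAMPLE.COM"))
```

In a capture the name-type value is what distinguishes a domain-joined client sending an enterprise name from a client that already resolved the realm itself.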