I have a domain name. Let's call it example.com. There's a server - server A - which has hosting set up on it, and example.com configured as its domain name. Meaning, resolving example.com will get server A's IP.
I have another server - server B - which is a different server. It is configured as sub.example.com.
I want sub.example.com to hold subversion, using LDAP as the user directory.
When configuring LDAP and Kerberos, what parts of the domain do I use in which cases?
Meaning, what is the realm of Kerberos? example.com or sub.example.com?
What do I configure in the LDAP dc parts? Is it dc=example,dc=com or dc=sub,dc=example,dc=com?
For a bit more explanation about what I'm trying to do in detail, see How do I configure an LDAP server on Ubuntu 11.04? (for use with Subversion and Trac)
First off, LDAP != Kerberos. If you want to use Kerberos to communicate with an Active Directory domain, which is what I assume you want to do, the clues are here or by Googling how to configure a Kerberos client to authenticate against AD. LDAP is different, and you really need to give a hell of a lot more detail to know what it is you want configured on what platform. I assume it is Unix or Linux, but a very specific version and what kind of authentication (console, GUI, Squid web proxy) are in order.
The Kerberos realm you want to use should be example.com in your case. You could even go so far as to create kerb.example.com for your realm and alias example.com to it on the servers you wish to use Kerberos on. The sub-domain would contain any Kerberos-related SRV records you might create.
For your hosting server, I would strongly recommend creating another A-record for your hosting server (host1.example.com for example) and configure the server's network services to consider that its primary address. "example.com" would still point to it, but only for web-hosting reasons. Otherwise you'd have to alias ".COM" as a realm of "EXAMPLE.COM" for network services hosted on the hosting server, and that could have bad side-effects.
The reason for this is because of how Kerberos figures out realms. A DNS name is decoded into a realm by taking the first label of the DNS name as the hostname, and any labels after that as the realm. So, "sub.example.com" would belong in the EXAMPLE.COM realm, and "example.com" would belong in the ".COM" realm. By naming the server for Kerberos purposes something with three DNS labels instead of two you can avoid placing large parts of the internet in your Kerberos realm.
Aliases are set in the /etc/krb5.conf file.
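The host-to-realm mapping the answer describes, written out as an /etc/krb5.conf fragment (an added example, not from the answer); the KDC hostname kdc.example.com is assumed, and DNS realm lookup is turned off so only the explicit [domain_realm] rules apply:

```ini
# Added example /etc/krb5.conf; assumes a KDC at the hypothetical host kdc.example.com,
# host1.example.com as the extra A-record for the web host, and sub.example.com
# as the Subversion server.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Rely on the explicit mappings below rather than DNS TXT/SRV guessing.
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    # Any host under example.com (host1.example.com, sub.example.com, ...)
    # maps to EXAMPLE.COM; this matches the default "drop the first label" rule.
    .example.com = EXAMPLE.COM
    # The bare name example.com would otherwise decode as host "example" in
    # realm "COM". Map it explicitly instead of aliasing all of ".com".
    example.com = EXAMPLE.COM
```

With this in place a service principal such as svn/sub.example.com@EXAMPLE.COM is resolved without the web host's bare domain name dragging ".COM" into the realm.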