From what I've read elsewhere:
As a domain member Windows doesn't try to figure out what realm you're in – it always talks to the KDCs for its default realm (the one that it was joined to), and the initial Kerberos AS-REQ sends the whole UPN as an enterprise name, allowing the KDC to do that job instead.
So the Kerberos principal in AS-REQ looks like user@example.com@AD.EXAMPLE.COM, and it becomes your KDC's job to figure out where that user actually is (I assume by searching the forest's Global Catalog for a user with matching userPrincipalName attribute).
But as a standalone (workgroup) client connecting to an AD-member server, however, Windows wouldn't have a "default realm" yet – in that situation it would indeed make queries for AD-specific _msdcs SRV records at the UPN suffix.
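As an added illustration (not part of the answer above), the following Python models the two client behaviours it describes: a domain member sends the whole UPN to its own realm as an NT-ENTERPRISE name (RFC 6806), while a workgroup client derives the realm from the UPN suffix and would look for KDCs via the _msdcs SRV record. The DER encoder is a minimal hand-rolled one for the RFC 4120 PrincipalName, and the workgroup branch's use of an ordinary NT-PRINCIPAL name for the user part is my assumption, not something the answer states.

```python
from typing import List, Optional, Tuple

# Added example, not from the original answer.
NT_PRINCIPAL = 1     # ordinary user name; realm carried separately in the AS-REQ
NT_ENTERPRISE = 10   # whole UPN as one name component (RFC 6806), KDC resolves it


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV; short-form length suffices for names this size."""
    assert len(body) < 128, "long-form lengths not needed for this example"
    return bytes([tag, len(body)]) + body


def encode_principal_name(name_type: int, components: List[str]) -> bytes:
    """DER-encode a Kerberos PrincipalName (RFC 4120 section 5.2.2)."""
    name_type_tlv = _der(0xA0, _der(0x02, bytes([name_type])))        # [0] Int32
    strings = b"".join(_der(0x1B, c.encode("ascii")) for c in components)  # GeneralString
    name_string_tlv = _der(0xA1, _der(0x30, strings))                 # [1] SEQUENCE OF
    return _der(0x30, name_type_tlv + name_string_tlv)


def as_req_cname(upn: str, default_realm: Optional[str]) -> Tuple[str, bytes]:
    """Return (realm the AS-REQ goes to, DER cname) for a UPN such as user@example.com."""
    user, suffix = upn.split("@", 1)
    if default_realm:
        # Domain member: always talk to the joined realm, pass the full UPN as
        # an enterprise name and let that KDC locate the account (e.g. via the GC).
        return default_realm, encode_principal_name(NT_ENTERPRISE, [upn])
    # Workgroup client: no default realm, so the UPN suffix is taken as the realm.
    # Assumption: the user part is then sent as a plain NT-PRINCIPAL name.
    return suffix.upper(), encode_principal_name(NT_PRINCIPAL, [user])


def kdc_srv_record(upn: str) -> str:
    """SRV name a workgroup client would query to find KDCs for the UPN suffix."""
    return f"_kerberos._tcp.dc._msdcs.{upn.split('@', 1)[1].lower()}"
```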