
I have an Active Directory domain ad.example.com and I configured a UPN alias example.com

When a user tries to log on as user@example.com, how does it know the domain is actually ad.example.com?

Don't I need a SRV record or something in the parent zone to hint to the AD?

Virsacer

2 Answers


The account's UPN is unique within the forest and is replicated to all DCs in the forest. When the authenticating DC locates the account, it locates the domain.

Greg Askew

From what I've read elsewhere:

As a domain member Windows doesn't try to figure out what realm you're in – it always talks to the KDCs for its default realm (the one that it was joined to), and the initial Kerberos AS-REQ sends the whole UPN as an enterprise name, allowing the KDC to do that job instead.

So the Kerberos principal in the AS-REQ looks like `user@example.com@AD.EXAMPLE.COM`, and it becomes your KDC's job to figure out where that user actually is (I assume by searching the forest's Global Catalog for a user with a matching userPrincipalName attribute).

But as a standalone (workgroup) client connecting to an AD-member server, Windows wouldn't have a "default realm" yet – in that situation it would indeed make queries for AD-specific _msdcs SRV records at the UPN suffix.

user1686
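The two-sided flow the answers describe (client sends the whole UPN as an enterprise name to its own realm, KDC canonicalises it through the forest GC, workgroup client falls back to the _msdcs SRV lookup) as an added model in Python; this is illustration written for this page, not code from either answer, and the `GLOBAL_CATALOG` table, user names and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

NT_PRINCIPAL = 1    # RFC 4120 name-type for a plain account name
NT_ENTERPRISE = 10  # RFC 4120 / RFC 6806 name-type for a UPN-style enterprise name
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6  # RFC 4120 error code the KDC returns for an unknown client


@dataclass
class AsReq:
    realm: str       # realm the client addresses the AS-REQ to
    name_type: int   # NT_PRINCIPAL or NT_ENTERPRISE
    cname: str       # principal name string carried in the request


def build_as_req(logon_name: str, joined_realm: Optional[str]) -> Union[AsReq, str, None]:
    """Client side. A domain-joined client never guesses the realm from the UPN
    suffix: it targets its own realm and marks the name NT-ENTERPRISE so the
    KDC resolves it. A workgroup client has no default realm, so for a UPN it
    must first locate a DC via the _msdcs SRV records under the UPN suffix."""
    if "@" not in logon_name:
        # Plain account name: only meaningful when a default realm exists.
        return AsReq(joined_realm, NT_PRINCIPAL, logon_name) if joined_realm else None
    suffix = logon_name.split("@", 1)[1].lower()
    if joined_realm is None:
        return f"_kerberos._tcp.dc._msdcs.{suffix}"  # SRV name the client would query
    return AsReq(joined_realm, NT_ENTERPRISE, logon_name)


# Constructed stand-in for the forest Global Catalog:
# userPrincipalName (lower-cased) -> (account's real realm, sAMAccountName)
GLOBAL_CATALOG = {
    "alice@example.com": ("AD.EXAMPLE.COM", "alice"),   # alias suffix example.com
    "bob@ad.example.com": ("AD.EXAMPLE.COM", "bob"),    # default suffix
}


def kdc_resolve(req: AsReq, gc=GLOBAL_CATALOG) -> Union[Tuple[str, str], int]:
    """KDC side. An NT-ENTERPRISE name is looked up by userPrincipalName across
    the forest; a UPN with no match is rejected with KDC_ERR_C_PRINCIPAL_UNKNOWN
    instead of being guessed from its suffix."""
    if req.name_type == NT_ENTERPRISE:
        hit = gc.get(req.cname.lower())
        return hit if hit is not None else KDC_ERR_C_PRINCIPAL_UNKNOWN
    return (req.realm, req.cname)
```

The unknown-UPN branch is the case to watch on a real DC: a logon with an unregistered suffix fails at the KDC, not at DNS, so a missing UPN suffix shows up as a Kerberos pre-authentication failure rather than a name-resolution error.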