What is the difference between a domain and a realm

4

I couldn't get any clear-cut answer, hence asking on this forum. I want to know the difference between domain and realm. I tried looking for it at several places on the internet. Are they the same, different, related, or is one a subset of the other?

RBT

Posted 2018-11-27T10:34:32.820

Reputation: 324

Answers

8

Individually, the terms 'domain' and 'realm' mean nearly the same thing, but for different systems. Realms and realm names come from the Kerberos authentication protocol, where they serve practically the same purpose as domains and domain names. They have no direct relation, strictly speaking, but in practice nearly all Kerberos realms are named after the corresponding DNS domain.

Within Active Directory, AD 'domains' are an integrated system of DNS, LDAP, Kerberos, and various other components. An AD domain uses a DNS domain for server lookups, and the DNS domain name acts as a namespace for user accounts. Generally, an AD domain controller also acts as a DNS server for the corresponding DNS domain.

For example, user accounts have UPNs such as fred@ad.example.com, which are made from the plain username suffixed with the case-insensitive DNS domain name (or a choice of several custom "UPN suffixes"). Service SPNs are formed in the same way.

But internally these names are converted to the equivalent "Kerberos principal name", which has a similar format and looks like fred@AD.EXAMPLE.COM. The Kerberos realm name is always case-sensitive and by convention always uppercase. Each Active Directory domain acts as a Kerberos realm, and has exactly one realm name (even if multiple UPN suffixes are configured). Every AD domain controller also acts as a Kerberos KDC for the corresponding Kerberos realm.

(Normally, the only time you'll directly see Kerberos realms is when working with user authentication, e.g. configuring SSO for a Linux server.)

Accounts also have legacy NT4-style names, such as EXAMPLE\fred, prefixed with the NT4 domain name which is also uppercase but without any dots in it. Don't confuse this with a Kerberos realm name.

So what's the relation between AD domains, DNS domains, and Kerberos realms?

  • Each AD domain is a Kerberos realm, and each AD account is a Kerberos principal. So the Kerberos realm is a subset of the AD domain. (However, Kerberos can also be used standalone without AD.)
  • Each AD domain relies on a DNS domain, but neither is a subset of the other (DNS may exist outside AD).
  • Kerberos uses (but does not require) DNS. Kerberos realms are usually named according to DNS domains, but otherwise neither is a subset of the other.

user1686

Posted 2018-11-27T10:34:32.820

Reputation: 283 655
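As an added worked example (not part of the original question or answer, and not code from any AD or Kerberos implementation), the following Python script models the three name forms the answer describes for one AD account: the UPN fred@ad.example.com, the Kerberos principal fred@AD.EXAMPLE.COM, and the NT4-style EXAMPLE\fred. The forest configuration in DOMAINS is constructed for the example; it assumes, as the answer states, that one AD domain has exactly one realm and one NetBIOS name but may carry several UPN suffixes. The realm lookup is deliberately case-sensitive while the DNS and NetBIOS lookups are not, and the SPN mapping picks the realm from the host's DNS domain, the same way a krb5 domain_realm mapping does by default.

```python
"""Added example: mapping one AD account between UPN, Kerberos principal
and NT4-style names. All domain data here is constructed for illustration."""
from dataclasses import dataclass

# Constructed forest configuration (an assumption for this example, not from the post).
# One AD domain = one Kerberos realm = one NetBIOS name, possibly several UPN suffixes.
DOMAINS = [
    {
        "dns": "ad.example.com",
        "realm": "AD.EXAMPLE.COM",      # case-sensitive, uppercase by convention
        "netbios": "EXAMPLE",           # NT4 domain name: uppercase, no dots
        "upn_suffixes": ["ad.example.com", "example.com"],  # second is a custom suffix
    },
    {
        "dns": "corp.example.net",
        "realm": "CORP.EXAMPLE.NET",
        "netbios": "CORP",
        "upn_suffixes": ["corp.example.net"],
    },
]


@dataclass(frozen=True)
class Principal:
    name: str    # "fred", or a service name such as "HTTP/web.ad.example.com"
    realm: str   # Kerberos realm; compared exactly, never case-folded

    def krb5(self) -> str:
        return f"{self.name}@{self.realm}"


def domain_for_realm(realm):
    # Realm names are case-sensitive: "ad.example.com" is NOT the realm AD.EXAMPLE.COM.
    return next((d for d in DOMAINS if d["realm"] == realm), None)


def domain_for_upn_suffix(suffix):
    # DNS names are case-insensitive, and custom UPN suffixes also resolve to the domain.
    s = suffix.lower()
    return next((d for d in DOMAINS if s in (x.lower() for x in d["upn_suffixes"])), None)


def domain_for_netbios(nt):
    return next((d for d in DOMAINS if d["netbios"].upper() == nt.upper()), None)


def domain_for_host(fqdn):
    # Longest DNS domain that is a suffix of the host name decides the realm.
    h = fqdn.lower().rstrip(".")
    matches = [d for d in DOMAINS if h == d["dns"] or h.endswith("." + d["dns"])]
    return max(matches, key=lambda d: len(d["dns"]), default=None)


def parse_account(text) -> Principal:
    """Accept a UPN, a Kerberos principal or an NT4 name; return the canonical principal."""
    if "\\" in text:
        nt, _, user = text.partition("\\")
        dom = domain_for_netbios(nt)
        if dom is None:
            raise ValueError(f"unknown NT4 domain: {nt}")
        return Principal(user, dom["realm"])
    if "@" in text:
        user, _, qualifier = text.rpartition("@")
        # Exact realm match first, then case-insensitive UPN-suffix match.
        dom = domain_for_realm(qualifier) or domain_for_upn_suffix(qualifier)
        if dom is None:
            raise ValueError(f"unknown realm or UPN suffix: {qualifier}")
        return Principal(user, dom["realm"])
    raise ValueError("name carries no domain or realm qualifier")


def spn_to_principal(spn) -> Principal:
    """HTTP/web.ad.example.com -> HTTP/web.ad.example.com@AD.EXAMPLE.COM."""
    _service, _, host = spn.partition("/")
    dom = domain_for_host(host.split(":")[0])   # drop an optional :port
    if dom is None:
        raise ValueError(f"no realm known for host {host}")
    return Principal(spn, dom["realm"])


def to_nt4(p: Principal) -> str:
    return f"{domain_for_realm(p.realm)['netbios']}\\{p.name}"


def to_upn(p: Principal) -> str:
    return f"{p.name}@{domain_for_realm(p.realm)['dns']}"


if __name__ == "__main__":
    for n in ["fred@ad.example.com", "fred@example.com", "fred@AD.EXAMPLE.COM", "EXAMPLE\\fred"]:
        p = parse_account(n)
        print(f"{n:24} -> {p.krb5():24} {to_nt4(p):14} {to_upn(p)}")
    print(spn_to_principal("HTTP/web.ad.example.com").krb5())
```

Running the script shows that all four input spellings collapse to the single principal fred@AD.EXAMPLE.COM, while domain_for_realm("ad.example.com") returns nothing, which is the practical difference between a DNS domain name and a realm name that the answer describes.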