I have a question about Kerberos that I hope you guys can help me with. In our environment, our client base (servers and workstations) has a different DNS name than the domain where their authenticating DCs reside. They are members of the same Active Directory domain, but due to decisions made a long time ago, their DNS information does not match the AD domain where they reside. As an example:

DC1 is in CHILD.DOMAIN.COM but all application servers are listed (in DNS only) as being in DOMAIN.COM even though their computer objects are in CHILD.DOMAIN.COM.  This is for ease of lookup, I'm told.  Additionally, workstations have a location code added so that they show up as LOCATION.DOMAIN.COM.

Both the servicePrincipalName and the dNSHostName report the server and workstation objects as being in the domain mentioned above.  I have checked, and the primary DNS suffix for each machine maps to the dNSHostName.

So, my workstation has the following SPN:

HOST/<workstationname>.LOCATION.DOMAIN.COM

HOST//<workstationname>

And one of our Exchange Servers has the following SPN:

SMTPSVC/<servername>

SMTPSVC/<servername>.DOMAIN.COM

HOST/<servername>

HOST/<servername>.DOMAIN.COM

Now the problem: We are getting floods of Audit Failures (Event IDs 675 and 676) and also NETLOGON failures (5722, 5723, and 5790) on a regular basis on all of our DCs. In some cases, a single computer will log literally thousands of these events and still not get locked out (which I would expect if they are attempting to authenticate and failing). It has been hinted to me multiple times that one of the reasons we are experiencing this is due to the way our servers/workstations are set up in DNS.

Can someone confirm or deny this for me?  If there is any published literature that I can look at or show my management, that would also be very helpful.

Thanks!

Scott Rachui
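An added example, not part of the original post: a PowerShell check that lists, for each computer object, whether its dNSHostName suffix matches the AD domain's DNS name and whether the HOST/ SPNs the poster describes are present. The sample objects and names (WS01, EXCH01, DC1, child.domain.com) are constructed to mirror the post's layout; in a real domain the objects would come from `Get-ADComputer`, and a mismatch reported here is something to correlate with the hosts logging the failures, not a diagnosis by itself.

```powershell
# Added example (not from the original post). Checks dNSHostName suffix and
# HOST/ SPNs of computer objects against the AD domain's DNS name.
# $Computers must carry Name, dNSHostName and servicePrincipalName, e.g. from:
#   Get-ADComputer -Filter * -Properties dNSHostName,servicePrincipalName
function Test-SpnDnsConsistency {
    param(
        [Parameter(Mandatory)] [object[]] $Computers,
        [Parameter(Mandatory)] [string]   $AdDomainDns   # e.g. (Get-ADDomain).DNSRoot
    )
    foreach ($c in $Computers) {
        $fqdn = [string]$c.dNSHostName
        $spns = @($c.servicePrincipalName)
        # DNS suffix = everything after the first dot of the FQDN
        $suffix = if ($fqdn.Contains('.')) { $fqdn.Substring($fqdn.IndexOf('.') + 1) } else { '' }
        $issues = @()
        # -ne and -contains are case-insensitive in PowerShell, which suits DNS names and SPNs
        if ($suffix -ne $AdDomainDns) {
            $issues += "dNSHostName suffix '$suffix' differs from AD domain '$AdDomainDns'"
        }
        if ($spns -notcontains "HOST/$fqdn")      { $issues += "missing SPN HOST/$fqdn" }
        if ($spns -notcontains "HOST/$($c.Name)") { $issues += "missing SPN HOST/$($c.Name)" }
        [pscustomobject]@{
            Name   = $c.Name
            Suffix = $suffix
            Issues = if ($issues) { $issues -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample data mirroring the post (hypothetical names, not real objects).
$sample = @(
    [pscustomobject]@{ Name = 'WS01';   dNSHostName = 'ws01.location.domain.com'
                       servicePrincipalName = @('HOST/ws01.location.domain.com', 'HOST/ws01') },
    [pscustomobject]@{ Name = 'EXCH01'; dNSHostName = 'exch01.domain.com'
                       servicePrincipalName = @('SMTPSVC/exch01', 'SMTPSVC/exch01.domain.com',
                                                'HOST/exch01', 'HOST/exch01.domain.com') },
    [pscustomobject]@{ Name = 'DC1';    dNSHostName = 'dc1.child.domain.com'
                       servicePrincipalName = @('HOST/dc1', 'HOST/dc1.child.domain.com') }
)

# WS01 and EXCH01 are reported with a suffix mismatch; DC1 comes back 'ok'.
Test-SpnDnsConsistency -Computers $sample -AdDomainDns 'child.domain.com' | Format-Table -AutoSize
```

To run it against the live domain, replace `$sample` with the `Get-ADComputer` call from the comment and pass `(Get-ADDomain).DNSRoot` as `-AdDomainDns`.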
