Active Directory System Discovery fails suddenly with 0x8007202B

ISSUE

Active Directory System Discovery fails suddenly with 0x8007202B

LOGS

adsysdis.log:

ERROR: Failed to bind to 'LDAP://CN=COMPUTERS,DC=DIRCONTOSO,DC=INT' (0x8007202B)~
ERROR: Failed to bind to 'LDAP://CN=COMPUTERS,DC=ROOTCONTOSO,DC=CORP' (0x8007202B)~
ERROR: Failed to bind to 'LDAP://OU=DOMAIN CONTROLLERS,DC=ROOTCONTOSO,DC=CORP' (0x8007202B)~
ERROR: Failed to bind to 'LDAP://OU=SCCMTEST,DC=DIRCONTOSO,DC=INT' (0x8007202B)~
ERROR: Failed to bind to 'LDAP://OU=SERVERS,DC=DIRCONTOSO,DC=INT' (0x8007202B)~
ERROR: Failed to bind to 'LDAP://OU=WINDOWS 2019 - GPO2019 L2,OU=SERVERS,DC=UATHWLROOT,DC=CORP' (0x8007202B)~

0x8007202B means:

Error Code: 0x202B (8235)
Error Name: ERROR_DS_REFERRAL
Error Source: Windows
Error Message: A referral was returned from the server.

REASON

The cause is that when the SCCM primary site server binds to LDAP, Kerberos authentication fails for reasons that were not identified. The client then falls back to NTLM, and that NTLM authentication is rejected because the 3-part SPN hardening patch (the protections for CVE-2022-21920) has been applied on the domain controllers.

For details, refer to this article – https://support.microsoft.com/en-us/topic/kb5011233-protections-in-cve-2022-21920-may-block-ntlm-authentication-if-kerberos-authentication-is-not-successful-dd415f99-a30c-4664-ba37-83d33fb071f4
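To tell a Kerberos failure apart from a blocked NTLM fallback before opening the ticket, the following PowerShell script (added here, not part of the original post) binds to the containers named in adsysdis.log with Kerberos forced and then with NTLM forced, so each path's failure mode is visible on its own; the domain controller name is a placeholder to replace.

```powershell
# Added diagnostic (not from the original post): bind with Kerberos and NTLM
# separately against each container the SCCM log failed on, so a Kerberos
# failure can be told apart from an NTLM fallback blocked by KB5011233.
Add-Type -AssemblyName System.DirectoryServices.Protocols
# ASSUMPTION: replace with a DC of the domain that holds each container.
$DomainController = 'dc01.dircontoso.int'
# Containers taken from the adsysdis.log lines above.
$Containers = @(
    'CN=COMPUTERS,DC=DIRCONTOSO,DC=INT',
    'OU=SCCMTEST,DC=DIRCONTOSO,DC=INT',
    'OU=SERVERS,DC=DIRCONTOSO,DC=INT'
)
function Test-LdapBind {
    param(
        [string]$Server, [string]$BaseDn,
        [System.DirectoryServices.Protocols.AuthType]$AuthType
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true      # match LDAP signing hardening on the DCs
    $conn.SessionOptions.Sealing = $true
    # Do not chase referrals: a referral must surface as an error, as it does in adsysdis.log.
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.AuthType = $AuthType                # Kerberos or Ntlm only, no Negotiate fallback
    try {
        $conn.Bind()
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, 'distinguishedName')
        $null = $conn.SendRequest($req)
        [pscustomobject]@{ BaseDn = $BaseDn; Auth = $AuthType; Result = 'OK'; Detail = '' }
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # e.g. ResultCode 'Referral' when this server does not hold the naming context
        [pscustomobject]@{ BaseDn = $BaseDn; Auth = $AuthType; Result = 'FAIL'; Detail = $_.Exception.Response.ResultCode }
    }
    catch {
        # LdapException covers bind failures (bad ticket, server down, NTLM rejected)
        [pscustomobject]@{ BaseDn = $BaseDn; Auth = $AuthType; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
    finally { $conn.Dispose() }
}
foreach ($dn in $Containers) {
    foreach ($auth in 'Kerberos', 'Ntlm') {
        Test-LdapBind -Server $DomainController -BaseDn $dn -AuthType $auth
    }
}
```

Run it as the site server's computer account (or the discovery account) from the primary site server; a path that fails with Kerberos but succeeds with NTLM against a DC without the patch points to the Kerberos side, which is the detail Microsoft support will ask for.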

SOLUTION

Log a ticket to Microsoft
