ISSUE
Active Directory System Discovery fails suddenly with 0x8007202B
LOGS
adsysdis.log:
ERROR: Failed to bind to 'LDAP://CN=COMPUTERS,DC=DIRCONTOSO,DC=INT' (0x8007202B)
ERROR: Failed to bind to 'LDAP://CN=COMPUTERS,DC=ROOTCONTOSO,DC=CORP' (0x8007202B)
ERROR: Failed to bind to 'LDAP://OU=DOMAIN CONTROLLERS,DC=ROOTCONTOSO,DC=CORP' (0x8007202B)
ERROR: Failed to bind to 'LDAP://OU=SCCMTEST,DC=DIRCONTOSO,DC=INT' (0x8007202B)
ERROR: Failed to bind to 'LDAP://OU=SERVERS,DC=DIRCONTOSO,DC=INT' (0x8007202B)
ERROR: Failed to bind to 'LDAP://OU=WINDOWS 2019 - GPO2019 L2,OU=SERVERS,DC=UATHWLROOT,DC=CORP' (0x8007202B)
0x8007202B means:
Error Code: 0x202B (8235)
Error Name: ERROR_DS_REFERRAL
Error Source: Windows
Error Message: A referral was returned from the server.
REASON
The cause is that when the SCCM primary site server binds to LDAP on the domain controllers, Kerberos authentication fails for a reason that was not identified. The client then falls back to NTLM, and that NTLM fallback is blocked by the 3-part SPN hardening (the CVE-2022-21920 protections from the January 2022 updates, described in KB5011233) installed on the DCs. The bind therefore fails outright and AD System Discovery reports 0x8007202B for every configured container.
For details, see KB5011233: https://support.microsoft.com/en-us/topic/kb5011233-protections-in-cve-2022-21920-may-block-ntlm-authentication-if-kerberos-authentication-is-not-successful-dd415f99-a30c-4664-ba37-83d33fb071f4
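Before opening a case it is worth confirming the diagnosis above, because a Kerberos failure masked by an NTLM fallback block looks the same in adsysdis.log as any other bind failure. The script below is an added example, not part of the original note or of SCCM. It binds to one of the failing containers twice, once forcing Kerberos and once forcing NTLM, so the two halves of the explanation can be checked separately. The DC hostname and the discovery account are assumptions: replace them with a DC for the failing domain, and run the script as the account AD System Discovery actually uses (the site server computer account by default, or the discovery account configured in the console).

```powershell
# Added diagnostic (not from the original note). Isolates "Kerberos to the DC fails"
# from "NTLM fallback is blocked" by binding with each AuthType explicitly.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainController = 'dc01.dircontoso.int'                # assumption: a DC of the failing domain
$BaseDn           = 'CN=COMPUTERS,DC=DIRCONTOSO,DC=INT'   # one of the DNs from adsysdis.log

function Test-LdapBind {
    param(
        [string]$Server,
        [string]$BaseDn,
        [System.DirectoryServices.Protocols.AuthType]$AuthType
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true     # match what hardened DCs require
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = $AuthType               # Kerberos or Ntlm, no Negotiate fallback
    try {
        $conn.Bind()                         # binds as the current process identity
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, '(objectClass=computer)', 'OneLevel', @('cn'))
        $req.SizeLimit = 1
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{ AuthType = $AuthType; Result = 'OK'; Entries = $resp.Entries.Count }
    } catch {
        [pscustomobject]@{ AuthType = $AuthType; Result = $_.Exception.Message; Entries = 0 }
    } finally {
        $conn.Dispose()
    }
}

# 1. Is the LDAP SPN for this DC registered at all? A missing or duplicate SPN
#    is one reason a Kerberos ticket request for it fails.
setspn -Q "ldap/$DomainController"

# 2. Try to obtain a service ticket for the DC's LDAP SPN and show what the
#    current logon session holds. A KDC error here confirms the Kerberos half.
klist get "ldap/$DomainController"
klist | Select-String -Pattern 'ldap/', 'krbtgt'

# 3. Bind with each mechanism explicitly. With the KB5011233 protections in
#    place, a failed Kerberos bind followed by a failed NTLM bind matches the
#    explanation in the REASON section; a successful Kerberos bind means the
#    root cause is elsewhere.
foreach ($auth in 'Kerberos', 'Ntlm') {
    Test-LdapBind -Server $DomainController -BaseDn $BaseDn -AuthType $auth
}
```

Repeat the run for a DC in each of the other domains named in the log (ROOTCONTOSO.CORP and UATHWLROOT.CORP), since the discovery account is binding across domains and each one may fail for a different Kerberos reason. The exception message from the Kerberos attempt (for example a KDC or SPN error) is the detail to include when opening the support case.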
SOLUTION
Open a support case with Microsoft.