If NTLM is disabled, RMAD will automatically use Kerberos. RMAD will work in an environment where NTLM is disabled, provided the RMAD server is joined to the domain, it will then use Kerberos for authentication. However, our best practice is to install RMAD on a standalone server, not joined to the domain. It is in this scenario that RMAD still relies on NTLM for authentication.