If NTLM is disabled, RMAD will automatically use Kerberos. RMAD will work in an environment where NTLM is disabled, provided the RMAD server is joined to the domain, it will then use Kerberos for authentication. However, our best practice is to install RMAD on a standalone server, not joined to the domain. It is in this scenario that RMAD still relies on NTLM for authentication.
解决办法
We tested In a Windows Server 2019 not joined to the domain and we were able to get the backups to succeed by using preinstalled backup agents and setting the account used to access the backup agents on the Agent tab of the collection as username@FQDN (the UPN for the account). We configured the RMAD server to use the same DNS servers as the Domain uses.
By using the UPN for the account, it tells windows the domain portion which then allows it to query DNS for the Kerberos SRV record. For this to work Windows has to be able to find the SRV records for the DCs.