Active Directory replication failed with logon failure: the target account name is incorrect
Logon Failure: The target account name is incorrect.
The destination domain controller cannot authenticate to the source DC using Kerberos because the service principal name (SPN) required for the replication operation cannot be resolved correctly by the KDC. The KDC either cannot find the SPN in the global catalog, the SPN exists on the wrong account, or the account holding the SPN has been deleted or become inconsistent. This is distinct from error -2146893022 (target principal name incorrect), which indicates the KDC found the SPN but the source DC could not decrypt the service ticket.
Why it happens
The SPN required for the replication operation (E3514235-4B06-11D1-AB04-00C04FC2DCD2/<NTDS Settings GUID>/<domain>) does not exist in the global catalog searched by the KDC.
The source domain controller's computer account has been deleted from the directory, so the SPN that should be registered on it is absent.
The SPN has been registered on the wrong computer account — for example, after a DC was forcibly demoted, reinstalled, or its metadata was cleaned up incorrectly.
The destination DC's system time is significantly skewed relative to the source DC or domain, causing Kerberos ticket validation to fail.
On an RODC, the KDC service failed to start after a restore of the krbtgt account (or the krbtgt account for the RODC was deleted), producing error 1396 alongside Event ID 1645.
How to fix it
Check the Directory Services event log on the destination DC for Event ID 1645. This event records the three-part SPN being looked up and the KDC that was contacted. Note the SPN and the KDC name.
From the KDC identified in Event 1645, run: `nltest /dsgetdc:<forest root domain> /gc` to confirm GC availability, then search the GC for the SPN: `ldifde -f spn_search.ldf -s <GC> -t 3268 -d "" -r "(servicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2/<NTDS Settings GUID>*)"`. If the SPN is absent, it needs to be recreated.
If the source DC computer account has been deleted: restore the account from the AD Recycle Bin (if enabled) or from a backup, then verify the SPN registers correctly. If the account cannot be restored, the DC must be force-demoted and the metadata cleaned up with `ntdsutil`.
If the SPN is on the wrong account (e.g., from an incomplete metadata cleanup): remove the stale SPN with `setspn -D <SPN> <WrongAccount>` and allow Active Directory to recreate it correctly on the source DC's computer account, or run `netdom computername <SourceDC> /makeprimary:<SourceDC FQDN>` to correct the primary computer name association.
Check for time skew: run `w32tm /query /status` on both source and destination DCs. Kerberos requires clocks to be within 5 minutes. Correct any skew by ensuring both DCs sync from the PDC Emulator or a reliable NTP source.
For RODC scenarios with a deleted krbtgt account: restore the krbtgt account from backup or use `repadmin /rodcpwdrepl <RODC> <SourceDC> <krbtgt_NNNNN account>` to force password replication after the account is recreated, then restart the KDC service on the RODC.
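As an added example (not part of the original article), the following PowerShell script automates the SPN check from the steps above: it derives the expected replication SPN from the source DC's NTDS Settings GUID, searches the global catalog for it, and reports whether the SPN is missing or registered on the wrong account, then samples the clock offset. It assumes the ActiveDirectory module is installed; `$SourceDc` and `$Gc` are placeholders for the names found in Event 1645.

```powershell
# Added example: verify the replication SPN for a source DC in the global catalog.
# Assumes the ActiveDirectory PowerShell module and read access to the GC.
param(
    [string]$SourceDc = 'SOURCEDC',   # placeholder: source DC whose SPN fails to resolve
    [string]$Gc       = 'GCDC'        # placeholder: the KDC / GC named in Event ID 1645
)
Import-Module ActiveDirectory

# Fixed first component of every AD replication SPN.
$replPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

# The middle component is the GUID of the source DC's NTDS Settings object.
$dc     = Get-ADDomainController -Identity $SourceDc
$ntds   = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
$filter = "(servicePrincipalName=$replPrefix/$($ntds.ObjectGUID)/*)"
Write-Host "Searching global catalog $Gc for $filter"

# Query through the GC:// provider (port 3268) so every domain in the forest is covered,
# matching what the KDC itself searches.
$root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$Gc")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))
$holders  = @($searcher.FindAll())

if ($holders.Count -eq 0) {
    # No object holds the SPN: the computer account is gone or never re-registered.
    Write-Warning ("SPN not found in the GC. Check whether {0} still exists " +
                   "(AD Recycle Bin / backup) and let the DC re-register it." -f $dc.ComputerObjectDN)
} else {
    foreach ($h in $holders) {
        $dn = [string]$h.Properties['distinguishedname'][0]
        if ($dn -eq $dc.ComputerObjectDN) {
            Write-Host "OK: SPN is registered on the source DC's computer account ($dn)."
        } else {
            # SPN present but on another object: the stale-SPN case from incomplete cleanup.
            $stale = ($h.Properties['serviceprincipalname'] |
                      Where-Object { $_ -like "$replPrefix/*" }) -join ', '
            Write-Warning "SPN is on the WRONG account: $dn`n  stale SPN(s): $stale`n  remove with setspn -D <SPN> <that account>, then let the source DC re-register."
        }
    }
}

# Kerberos tolerates 5 minutes of skew by default; sample the offset to the source DC.
Write-Host "Clock offset from $SourceDc (w32tm stripchart):"
w32tm /stripchart /computer:$SourceDc /samples:3 /dataonly
```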