"Logon failure: the target account name is incorrect" error when promoting domain controllers or creating replicas

This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.

Symptoms

When you try to promote domain controllers in new child domains or create replicas, you may receive the following error message:
Logon Failure: The target account name is incorrect
This error may occur when you are promoting a large number of domain controllers for newly created subordinate domains or new trees in the forest while you are logged on with administrative credentials from a different domain.

You may also receive one of the following error messages when you run the Active Directory Installation Wizard (Dcpromo.exe):
The operation failed because the Directory Service failed to create the object CN=NewDomainName,CN=Partitions,CN=Configuration, DC=2467_19L03ROOT1,DC=ForestRootDomain,DC=com Check the event log for possible system errors.

The directory cannot validate the proposed naming context (or partition) name because it does not hold a replica nor can it contact a replica of the naming context above the proposed naming context. Please ensure that the parent naming context is properly registered in DNS, and at least one replica of this naming context is reachable by the Domain Naming master.
-or-
The directory service failed to create the server object for CN=NTDS Settings,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo,DC=com on server dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com. Please ensure the network credentials provided have sufficient access to add a replica. "Logon Failure: The target account name is incorrect."

Cause

This issue may occur if the Service Principle Name (SPN) for the domain that is hosting the replica has not been propagated to the domain that contains the account that you use when you run Dcpromo.exe. This propagation may have been delayed because of replication latencies.

Resolution

To resolve this issue, wait for replication to complete before you create Active Directory directory service replicas.

If you cannot wait for replication to complete, use the domain administrator account from the domain that will contain the new replicas. Alternatively, make sure that all domain controllers in the root domain have replicated, and then create the replicas by using the root domain administrator account. To force replication, use tools such as Replmon.exe or Repadmin.exe. Replmon.exe and Repadmin.exe are included in the Windows 2000 Support Tools. For additional information about these tools, click the following article numbers to view the articles in the Microsoft Knowledge Base:
301423 HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
229896 Using Repadmin.exe to Troubleshoot Active Directory Replication

More Information

This issue can also occur while you are logged on as an administrator from the root domain, because a referral ticket must be issued to the child domain before the service ticket can be passed to the child domain. If the referral is requested from a replica in the root that may not have information about the new domain controllers in the child domains, use an administrative account from the child domain. This will allow you to use a service ticket issued by the child domain.

When you review the Dcpromo.log file on grand child domain controllers, it may contain entries similar to the following:
mm/dd hh:mm:ss [INFO] Replicating CN=Configuration,DC=rootdomaindc1,
DC1,DC=companyname,DC=com: received 1325 out of 1472 objects.
mm/dd hh:mm:ss [INFO] Replicating CN=Configuration,DC=rooddomaindc1,
DC=dcpromo,DC=com: received 1472 out of 1472 objects.
mm/dd hh:mm:ss [INFO] Replicated the configuration container.
mm/dd hh:mm:ss [INFO] Error - The Directory Service failed to create
the object CN=2467_19L03GRND1,CN=Partitions,CN=Configuration,
DC=2467_19L03ROOT1,DC=dcpromo,DC=com. Please check the event
log for possible system errors. (8586)
mm/dd hh:mm:ss [INFO] NtdsInstall for
2467_19L03GRND1.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com returned 8586
mm/dd hh:mm:ss [INFO] DsRolepInstallDs returned 8586
mm/dd hh:mm:ss [ERROR] Failed to install the directory service (8586)
mm/dd hh:mm:ss [INFO] The attempted domain controller operation has completed
mm/dd hh:mm:ss [INFO] DsRolepSetOperationDone returned 0
Note This sample ticket and the other entries have been wrapped for readability.

When you review the Dcpromoui.log file on grand child domain controllers, it may contain entries similar to the following:
dcpromoui 188.4FC 0355       Calling DsRoleGetDcOperationResults
dcpromoui 188.4FC 0356 Error 0x0 (!0 => error)
dcpromoui 188.4FC 0357 Operation results:
dcpromoui 188.4FC 0358 OperationStatus : 0x218A !0 =>
error
dcpromoui 188.4FC 0359 DisplayString : The Directory
Service failed to create the object CN=2467_19L03GRND1,CN=Partitions
,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo,DC=com.
Please check the event log for possible system errors.
dcpromoui 188.4FC 035A ServerInstalledSite : (null)
dcpromoui 188.4FC 035B OperationResultsFlags: 0x0
dcpromoui 188.4FC 035C Enter ProgressDialog::UpdateText The
Directory Service failed to create the object CN=2467_19L03GRND1
,CN=Partitions,CN=Configuration,DC=2467_19L03ROOT1
,DC=dcpromo,DC=com. Please check the event
log for possible system errors.
dcpromoui 188.4FC 035D Enter State::SetOperationResults
Message The Directory Service failed to create the object
CN=2467_19L03GRND1,CN=Partitions,CN=Configuration,DC=2467_19L03ROOT1
,DC=dcpromo,DC=com. Please check the event
log for possible system errors.
dcpromoui 188.4FC 035E Enter State::SetOperationResultsFlags 0x0
dcpromoui 188.4FC 035F Exception caught
dcpromoui 188.4FC 0360 catch completed
dcpromoui 188.4FC 0361 handling exception
dcpromoui 188.4FC 0362 Enter State::ClearHiddenWhileUnattended
dcpromoui 188.4FC 0363 Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 188.4FC 0364 Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 188.4FC 0365 Enter EnableConsoleLocking
dcpromoui 188.4FC 0366 Enter RegistryKey::Create SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
dcpromoui 188.4FC 0367 Enter RegistryKey::SetValue-DWORD
DisableLockWorkstation
dcpromoui 188.4FC 0368 Enter State::SetOperationResults result FAILURE
dcpromoui 188.4FC 0369 Enter ProgressDialog::UpdateText
dcpromoui 188.4FC 036A Enter State::IsOperationRetryAllowed
dcpromoui 188.4FC 036B true
dcpromoui 188.4FC 036C Enter ComposeFailureMessage
dcpromoui 188.4FC 036D Enter GetErrorMessage 8007218A
dcpromoui 188.4FC 036E Enter State::GetOperationResults
Message The Directory Service failed to create the object
CN=2467_19L03GRND1,CN=Partitions,CN=Configuration,DC=2467_19L03ROOT1
,DC=dcpromo,DC=com. Please check the event log for possible system errors.
dcpromoui 188.4FC 036F Enter State::GetOperationResultsFlags 0x0
dcpromoui 188.4FC 0370 Enter State::SetFailureMessage The
operation failed because:

The Directory Service failed to create the object CN=2467_19L03GRND1
,CN=Partitions,CN=Configuration,DC=2467_19L03ROOT1
,DC=dcpromo,DC=com. Please check the event
log for possible system errors.

"The directory cannot validate the proposed naming context (or
partition) name because it does not hold a replica nor can it
contact a replica of the naming context above the proposed naming
context. Please ensure that the parent naming context is properly
registered in DNS, and at least one replica of this naming context
is reachable by the Domain Naming master."
dcpromoui 188.4FC 0371 Enter State::GetFailureMessage
The operation failed because:

The Directory Service failed to create the object CN=2467_19L03GRND1
,CN=Partitions,CN=Configuration,DC=2467_19L03ROOT1
,DC=dcpromo,DC=com. Please check the event
log for possible system errors.

"The directory cannot validate the proposed naming context (or
partition) name because it does not hold a replica nor can it
contact a replica of the naming context above the proposed naming
context. Please ensure that the parent naming context is properly
registered in DNS, and at least one replica of this naming context
is reachable by the Domain Naming master."
dcpromoui 188.4FC 0372 MessageBox: Active Directory Installation
Failed : The operation failed because:

The Directory Service failed to create the object CN=2467_19L03GRND1
,CN=Partitions,CN=Configuration,DC=2467_19L03ROOT1
,DC=dcpromo,DC=com. Please check the event
log for possible system errors.

"The directory cannot validate the proposed naming context (or
partition) name because it does not hold a replica nor can it
contact a replica of the naming context above the proposed naming
context. Please ensure that the parent naming context is properly
registered in DNS, and at least one replica of this naming context
is reachable by the Domain Naming master."
When you review the Dcpromo.log file on the replica in the child domain, it may contain entries similar to the following:
mm/dd hh:mm:ss [INFO] Configuring the local server to host 
the Directory Service
mm/dd hh:mm:ss [INFO] Creating the ntdsa object for this server
on dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com.
mm/dd hh:mm:ss [INFO] Error - The Directory Service failed to
create the server object for CN=NTDS Settings,CN=DCPXADS02
,CN=Servers,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo
,DC=com on server dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1
.dcpromo.com. Please ensure the network credentials provided have
sufficient access to add a replica. (1396)
mm/dd hh:mm:ss [INFO] NtdsInstall for
2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com returned 1396
mm/dd hh:mm:ss [INFO] NtdsInstall parameters:
mm/dd hh:mm:ss [INFO] Flags: 4
mm/dd hh:mm:ss [INFO] DitPath: D:\WINDOWS\NTDS
mm/dd hh:mm:ss [INFO] LogPath: D:\WINDOWS\NTDS
mm/dd hh:mm:ss [INFO] SiteName: Default-First-Site-Name
mm/dd hh:mm:ss [INFO] DnsDomainName:
2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com
mm/dd hh:mm:ss [INFO] FlatDomainName:
mm/dd hh:mm:ss [INFO] DnsTreeRoot: (NULL)
mm/dd hh:mm:ss [INFO] ReplServerName:
dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com
mm/dd hh:mm:ss [INFO] Credentials: 00904130
mm/dd hh:mm:ss [INFO] pfnUpdateStatus: 748C13D7
mm/dd hh:mm:ss [INFO] AdminPassword: 00000000
mm/dd hh:mm:ss [INFO] DsRolepInstallDs returned 1396
mm/dd hh:mm:ss [ERROR] Failed to install to Directory Service (1396)
When you review the Dcpromoui.log file on the replica in the domain, it may contain entries similar to the following:
dcpromoui 198.768 0331       Calling DsRoleGetDcOperationResults
dcpromoui 198.768 0332 Error 0x0 (!0 => error)
dcpromoui 198.768 0333 Operation results:
dcpromoui 198.768 0334 OperationStatus : 0x574 !0 => error
dcpromoui 198.768 0335 DisplayString : The Directory Service
failed to create the server object for CN=NTDS Settings,CN=DCPXADS02
,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration
,DC=2467_19L03ROOT1,DC=dcpromo,DC=com on server dcpxads01
.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com. Please ensure
the network credentials provided have sufficient access to add a replica.
dcpromoui 198.768 0336 ServerInstalledSite : (null)
dcpromoui 198.768 0337 OperationResultsFlags: 0x0
dcpromoui 198.768 0338 Enter ProgressDialog::UpdateText The
Directory Service failed to create the server object for CN=NTDS Settings
,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo
,DC=com on server dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1
.dcpromo.com. Please ensure
the network credentials provided have sufficient access to add a replica.
dcpromoui 198.768 0339 Enter State::SetOperationResultsMessage
The Directory Service failed to create the server object for CN=NTDS Settings
,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo
,DC=com on server dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1
.dcpromo.com. Please ensure the network credentials provided have
sufficient access to add a replica.
dcpromoui 198.768 033A Enter State::SetOperationResultsFlags 0x0
dcpromoui 198.768 033B Exception caught
dcpromoui 198.768 033C catch completed
dcpromoui 198.768 033D handling exception
dcpromoui 198.768 033E Enter State::ClearHiddenWhileUnattended
dcpromoui 198.768 033F Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 198.768 0340 Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 198.768 0341 Enter EnableConsoleLocking
dcpromoui 198.768 0342 Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 198.768 0343 Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 198.768 0344 Enter RegistryKey::Create SOFTWARE\Microsoft
\Windows NT\CurrentVersion\Winlogon
dcpromoui 198.768 0345 Enter RegistryKey::SetValue-DWORD
DisableLockWorkstation
dcpromoui 198.768 0346 Enter State::SetOperationResults result FAILURE
dcpromoui 198.768 0347 Enter ProgressDialog::UpdateText
dcpromoui 198.768 0348 Enter State::IsOperationRetryAllowed
dcpromoui 198.768 0349 true
dcpromoui 198.768 034A Enter ComposeFailureMessage
dcpromoui 198.768 034B Enter GetErrorMessage 80070574
dcpromoui 198.768 034C Enter State::GetOperationResultsMessage The
Directory Service failed to create the server object for CN=NTDS Settings
,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo,DC=com on server
dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com. Please ensure
the network credentials provided have sufficient access to add a replica.
dcpromoui 198.768 034D Enter State::GetOperationResultsFlags 0x0
dcpromoui 198.768 034E Enter State::SetFailureMessage The
operation failed because:

The Directory Service failed to create the server object for CN=NTDS Settings
,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo,DC=com on server
dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com. Please ensure
the network credentials provided have sufficient access to add a replica.

"Logon Failure: The target account name is incorrect."
dcpromoui 198.768 034F Enter State::GetFailureMessage The operation
failed because:

The Directory Service failed to create the server object for CN=NTDS Settings
,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo,DC=com on server
dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com. Please ensure
the network credentials provided have sufficient access to add a replica.

"Logon Failure: The target account name is incorrect."
dcpromoui 198.768 0350 MessageBox: Active Directory Installation
Failed : The operation failed because:

The Directory Service failed to create the server object for CN=NTDS Settings
,CN=DCPXADS02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=2467_19L03ROOT1,DC=dcpromo,DC=com on server
dcpxads01.2467_19L03CHLD1.2467_19L03ROOT1.dcpromo.com. Please ensure
the network credentials provided have sufficient access to add a replica.

"Logon Failure: The target account name is incorrect."
Properties

Article ID: 296993 - Last Review: Dec 16, 2009 - Revision: 1

Feedback