cloughs (United Kingdom)

asked on

DC Promo Error target principal name incorrect

I am trying to demote a 2008 domain controller to a member server.  When I try I get the error attached.  Any ideas?

Thanks
dcpromo-error-2.gif
Randy Downs

Try this
http://technet.microsoft.com/en-us/library/replication-error-2146893022-the-target-principal-name-is-incorrect(v=ws.10).aspx#BKMK_Causes

Resolutions
Run dcdiag /test:checksecurityerror on the source DC

SPNs may be missing, invalid or duplicated due to simple replication latency, especially following promotion, or replication failures.

Duplicate SPNs may cause bad SPN to name mappings.

DCDIAG /TEST:CheckSecurityError can check for missing or duplicate SPNs and other errors.

Run this command on the console of all source DCs that fail "outbound" replication with the SEC_E_WRONG_PRINCIPAL error.

You can check SPN registration against a specific location using the syntax:

dcdiag /test:checksecurityerror replsource:<remote dc>
Verify that Kerberos encrypted network traffic reached the intended Kerberos target (name-to-IP mapping).

When inbound replicating Active Directory, destination DCs search their local copy of Active Directory for the objectGUID of the source DC's NTDS Settings object, then query the active DNS Server for a matching DC GUIDed CNAME record, which is then mapped to a host "A" / "AAAA" record containing the source DC's IP address. Active Directory performs name resolution fallback that includes queries for fully qualified computer names in DNS or single-label hostnames in WINS (note: DNS servers can also perform WINS lookups in fallback scenarios).

Stale NTDS Settings objects, bad name-to-IP mappings in DNS and WINS host records, stale entries in HOST files can all cause a destination DC to submit Kerberos-encrypted traffic to the wrong Kerberos target.

There are two methods to check for this condition:

Take a network trace.

Or

Manually verify that DNS / NetBIOS name queries resolve to the intended target computer.
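An added example (not part of this answer or the TechNet article) that scripts the two checks above for every DC in the forest: it follows the objectGUID -> _msdcs CNAME -> A record chain and compares the result with each DC's actual address, lists duplicate SPNs with setspn -X, and runs the dcdiag check with /replsource against each DC. It assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT, Windows 8 / Server 2012 or later) on a domain-joined machine whose DNS client points at a DC.

```powershell
# Added example: verify the name-to-IP mapping that replication relies on,
# then check SPNs and run dcdiag /test:checksecurityerror per source DC.
# Assumes the ActiveDirectory and DnsClient modules are available.
Import-Module ActiveDirectory

$forest  = (Get-ADForest).RootDomain          # the _msdcs zone hangs off the forest root
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # 1. objectGUID of the DC's NTDS Settings object (what a destination DC looks up)
    $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $cname = "$($ntds.ObjectGUID)._msdcs.$forest"

    # 2. the GUID CNAME record in DNS and the host name it points at
    $cnameRec = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
    $target   = ($cnameRec | Where-Object QueryType -eq 'CNAME').NameHost

    # 3. the A record(s) behind that host name
    $ips = @()
    if ($target) {
        $ips = (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
                Where-Object QueryType -eq 'A').IPAddress
    }

    [pscustomobject]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        GuidCname   = $cname
        CnameTarget = $target
        ResolvedIPs = ($ips -join ',')
        ExpectedIP  = $dc.IPv4Address
        # False here is the "Kerberos traffic sent to the wrong target" condition
        MappingOK   = [bool]($ips -contains $dc.IPv4Address)
    }
}
$results | Format-Table -AutoSize

# Duplicate SPNs cause bad SPN-to-name mappings; setspn -X reports them forest-wide.
setspn -X

# Run the dcdiag check once per source DC and surface only the interesting lines.
foreach ($dc in Get-ADDomainController -Filter *) {
    $out = & dcdiag /test:checksecurityerror "/replsource:$($dc.HostName)" 2>&1
    if ($out -match 'failed test') {
        Write-Warning "CheckSecurityError failed with /replsource:$($dc.HostName)"
        $out | Where-Object { $_ -match 'failed test|No KDC|SPN' }
    }
}
```

A row with MappingOK = False, or a dcdiag warning for a particular /replsource, points at the DC whose DNS registration or KDC needs attention before demotion is retried.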
cloughs (asker)

The first command gave this result:

C:\Users\administrator> dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Goole
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Goole\GOOLE
      Starting test: Connectivity
         ......................... GOOLE passed test Connectivity

Doing primary tests

   Testing server: Goole\GOOLE
      Starting test: CheckSecurityError
         No KDC found for domain client.local in site Goole (1355, NULL)
         [GOOLE] Unable to contact a KDC for the destination domain in it's own
         site.  This means either there are no available KDC's for this domain
         in the site, *including* the destination DC itself, or we're having
         network or packet fragmentation issues connecting to it.  We'll check
         packet fragmentation connection to the destination DC, make
         recommendations, and continue.
          The KDC on GOOLE isn't responsive, please verify that it's running
         and advertising.
         [GOOLE] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... GOOLE passed test CheckSecurityError


   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : client

   Running enterprise tests on : client.local

C:\Users\administrator>
cloughs (asker)

The other DC gives this response

C:\Users\administrator> dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Halifax\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Halifax\DC1
      Starting test: CheckSecurityError
         [DC1] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... DC1 passed test CheckSecurityError


   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : client

   Running enterprise tests on : client.local

C:\Users\administrator>
It looks like the 1st server hiccuped but passed the test. You could force removal

http://technet.microsoft.com/en-us/library/cc731871(v=ws.10).aspx


To force the removal of a domain controller by using the Windows interface
At a command prompt, type the following command, and then press ENTER:
dcpromo /forceremoval

If the domain controller hosts any operations master (also known as flexible single master operations or FSMO) roles, or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. If you want to suppress the warnings in advance of the removal operation, you must force the removal of Active Directory Domain Services (AD DS) by using an answer file. In the answer file, specify the parameter demotefsmo=yes.

On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

On the Force the Removal of Active Directory Domain Services page, review the information about forcing the removal of AD DS and metadata cleanup requirements, and then click Next.

On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.

On the Summary page, review your selections. Click Back to change any selections, if necessary.

To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

When you are sure that your selections are accurate, click Next to remove AD DS.
You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the removal of AD DS when you are prompted to do so.

Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

In Roles Summary, click Remove Roles.

If necessary, review the information on the Before You Begin page, and then click Next.

On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.

On the Confirm Removal Selections page, click Remove.

On the Removal Results page, click Close, and then click Yes to restart the server.
cloughs (asker)

If you force removal via dcpromo to demote it, can I re-promote it with the same name at a later date?

The DC which won't demote right now holds no FSMO roles, so it should be safe to do it.
ASKER CERTIFIED SOLUTION
Randy Downs
