MichaelBalack

asked on

Unable to demote a Windows 2008 DC, why?

This is using an MS Windows Server 2008 based AD domain. There are 2 DCs, and the first one is the primary DNS server for all the member servers and client PCs. However, I found that the 2nd DC (DC02) wasn't replicating with the 1st one, so I decided to demote it to a member server.

I ran DCPROMO, and when the process was about to start, an error message occurred - Operation failed because: Managing the network session with DC01 failed. "Logon failure: the target account name is incorrect". In DNS Manager, the DC01 DNS is working, but an attempt to open DC02 DNS shows "no access".

An application event was logged as follows:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          24/06/2015 4:35:17 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC02.abc.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cdifs2$. The target name used was ldap/CDI-cdifs.abc.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ABC.COM) is different from the client domain (ABC.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I would appreciate any suggestions and a resolution.
ASKER CERTIFIED SOLUTION
Will Szymkowski
ASKER

Hi Will,

Thanks for your prompt suggestion. Should I conduct a "metadata cleanup" using ntdsutil after the forceremoval?
Yes, you should at least check to make sure that there are no other metadata remnants, and also check your DNS SRV records in the _msdcs.domain.com folder in the DNS console.

Will.
Hi Will,

Okay, I will do it tomorrow and update you about the results.
Thanks to Will for pointing out the use of "dcpromo /forceremoval"; the DC was eventually demoted successfully. Of course, after that I needed to make sure that the demoted DC's object/metadata was removed by using ntdsutil > metadata cleanup; I also used ADSI Edit to connect to the configuration NC to make sure no related object still existed.
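The checks Will recommends (metadata remnants in the configuration NC and stale SRV records under _msdcs) and the ADSI Edit verification in the closing post can be scripted. The following is an added example, not code from the thread; it assumes a management host with the RSAT ActiveDirectory and DnsServer modules, and the DC, domain and DNS host names are placeholders:

```powershell
# Added example: audit for leftovers of a forcibly demoted DC after "dcpromo /forceremoval".
# Assumes RSAT ActiveDirectory + DnsServer modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$DemotedDc  = 'DC02'      # NetBIOS name of the demoted DC (placeholder)
$DomainFqdn = 'abc.com'   # AD DNS domain name (placeholder)
$DnsHost    = 'DC01'      # surviving DC hosting the AD-integrated zones (placeholder)

$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. Server object and its NTDS Settings under CN=Sites in the configuration NC.
#    This is what "ntdsutil > metadata cleanup > remove selected server <DN>" deletes;
#    while it persists, the stale DC is still advertised as a replication partner.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$DemotedDc))"
if ($serverObj) {
    $findings += "Server object still present: $($serverObj.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
    if ($ntds) { $findings += "NTDS Settings still present: $($ntds.DistinguishedName)" }
}

# 2. Computer account: a forced removal does not delete it, and it keeps the
#    SERVER_TRUST_ACCOUNT flag (8192) in userAccountControl until cleaned up.
$computer = Get-ADComputer -Filter "Name -eq '$DemotedDc'" `
    -Properties userAccountControl -ErrorAction SilentlyContinue
if ($computer) {
    $findings += "Computer account still exists: $($computer.DistinguishedName) " +
                 "(userAccountControl=$($computer.userAccountControl))"
}

# 3. SRV records in _msdcs and the domain zone that still point at the demoted host.
#    Clients that follow such a record to a host whose machine password no longer
#    matches the KDC get the KRB_AP_ERR_MODIFIED symptom seen in the question.
$target = "$DemotedDc.$DomainFqdn".ToLower()
foreach ($zone in @("_msdcs.$DomainFqdn", $DomainFqdn)) {
    $srv = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone `
               -RRType Srv -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.DomainName.TrimEnd('.').ToLower() -eq $target }
    foreach ($r in $srv) {
        $findings += "Stale SRV in ${zone}: $($r.HostName) -> $($r.RecordData.DomainName)"
    }
}

if ($findings.Count -eq 0) { 'No remnants of the demoted DC found.' } else { $findings }
```

Run it only after the forced removal and metadata cleanup have completed; any line it prints is an object or record that still needs to be deleted before a replacement DC with the same name is promoted.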