Error Message: The Parameter Is Incorrect. 0x80070057 (WIN32: 87)

If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message: If you use the Certutil.exe tool to parse this error message, you receive the following information:

When you install an Enterprise CA, a security check is performed to determine one of two things:

• Make sure that the user who is installing the CA has the required permissions and user rights to add or merge security descriptors in the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com Active Directory node.
• Make sure that the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com node already exist in Active Directory. If it does not, create it.

You must be a member of the Enterprise Administrators group to add or merge security descriptors in the node. Also, your token must have the must have the SeRestorePrivilege user right. If your token does not have this right, the security descriptor add or merge process does not succeed and generates the following Lightweight Directory Access Protocol (LDAP) error message:

Grant the SeRestorePrivilege user right directly to the user account that is performing the Enterprise CA installation. Or, assign this right to the Enterprise Administrators group.

This behavior is by design.