Error Message: The Parameter Is Incorrect. 0x80070057 (WIN32: 87)

Article translations Article translations
Article ID: 305193 - View products that this article applies to.
This article was previously published under Q305193
Expand all | Collapse all

SYMPTOMS

If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message:
An error was detected while configuring Certificate Services. The Certificate Services Wizard will need to be rerun to complete the configuration. Certificate Services Setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)
If you use the Certutil.exe tool to parse this error message, you receive the following information:
0x80070057 (WIN32: 87) -- 2147942487 (-2147024809)
Error message text: The parameter is incorrect.

CAUSE

When you install an Enterprise CA, a security check is performed to determine one of two things:
  • Make sure that the user who is installing the CA has the required permissions and user rights to add or merge security descriptors in the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com Active Directory node.
  • Make sure that the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com node already exist in Active Directory. If it does not, create it.
You must be a member of the Enterprise Administrators group to add or merge security descriptors in the node. Also, your token must have the must have the SeRestorePrivilege user right. If your token does not have this right, the security descriptor add or merge process does not succeed and generates the following Lightweight Directory Access Protocol (LDAP) error message:
Error code: LDAP_CONSTRAINT_VIOLATION
Value: 0x13
Descriptions: There was a constraint violation.

RESOLUTION

Grant the SeRestorePrivilege user right directly to the user account that is performing the Enterprise CA installation. Or, assign this right to the Enterprise Administrators group.

STATUS

This behavior is by design.

Properties

Article ID: 305193 - Last Review: March 1, 2007 - Revision: 2.2
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kberrmsg kbprb KB305193

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com