You are currently offline, waiting for your internet to reconnect

Error "The parameter is incorrect" Attempting to Import LDF File for Authoritative Restore

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.

When Active Directory objects on a domain controller are deleted or become corrupted, you may have to restore them using a system state backup that contains the Active Directory database. You may then have to use the Ntdsutil.exe tool to mark the restored versions of these objects as authoritative.

On a domain controller that is running at least Windows Server 2003 with Service Pack 1 or later Windows versions, the Ntdsutil tool writes back links for the objects that are restored authoritatively into LDF files.

 If you have enabled credential roaming for some users which need to be restored, following error may occur:

ldifde -i -k -f ar_xxxx.ldf
Connecting to ""
Logging in as current user using SSPI
Importing directory from file ""
Loading entries...............................
Add error on line <xxx>: Invalid Syntax
The server side error is "The parameter is incorrect."
28 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please specify the log file path via the -j option.


The problem is caused by an incorrect format of the LDF file created when doing the authoritative restore in the Ntdsutil tool. 

The LDF file contains a syntax error in line modifying following attributes:

  • msPKIDPAPIMasterKeys
  • msPKIAccountCredentials
  • msPKIRoamingTimeStamp

 These attributes can be found on user objects, where credential roaming is enabled.


You can use the following script to remove the msPKI attributes that are causing the problem from the LDF file. 

---- remove_msPKI_entries.vbs ----

Const forReading = 1
Const forWriting = 2
Const insideEntry = 0
Const foundNewEntry = 1
Dim  deleteEntry
Dim  strNextLine
Dim  state
Dim state1
Dim  strPath
Dim  strLdifdeFileName
Dim  strLdifdeFileFullPath
Dim  strNewLdifdeFileName
Dim strNewLdifdeFileFullPath
Dim  strtempFileName
Dim strtempFileFullPath
If wscript.Arguments.Count <> 2 Then
 wscript.echo( "=======================================================================================" )
 wscript.echo( "Usage: cscript remove-msPKI-attrs.vbs <old_ldifde_back_links_file> <new_ldifde_back_links_file>" )
 wscript.echo( "" )
 wscript.echo( "Example: cscript remove-msPKI-attrs.vbs")
 wscript.echo( "" )
 wscript.echo( "msPKIDPAPIMasterKeys, msPKIAccountCredentials, msPKIRoamingTimeStamp back links will be deleted from")
 wscript.echo( "<old_ldifde_back_links_file> and remaining entries will be written into <new_ldifde_back_links_file>" )
 wscript.echo( "" )
 wscript.echo( "NOTE: If <new_ldifde_back_links_file> is already existing in current directory... its contents will be overwritten" )
 wscript.echo( "=======================================================================================" )
 wscript.Quit -1
End If 
Set objFSO    =  CreateObject("Scripting.FileSystemObject")
'All the files assumed to be in current directory
strPath    = "."
strLdifdeFileName   = wscript.Arguments(0)
strLdifdeFileFullPath  = objFSO.BuildPath(strPath, strLdifdeFileName)

strNewLdifdeFileName   = wscript.Arguments(1)
strNewLdifdeFileFullPath = objFSO.BuildPath(strPath, strNewLdifdeFileName)
strtempFileName    = objFSO.GetTempName
strtempFileFullPath  = objFSO.BuildPath(strPath, strtempFileName) 
'Open the given ldifde file for reading
Set objLdifdeFile  = objFSO.OpenTextFile( strLdifdeFileFullPath, forReading )
'Open a temporary file for writing
Set objNewLdifdeFile  = objFSO.OpenTextFile( strNewLdifdeFileFullPath, forWriting, true ) 
state =   foundNewEntry
Do Until objLdifdeFile.AtEndOfStream
 strNextLine  = objLdifdeFile.Readline
 If state = foundNewEntry Then
  state   = insideEntry
  set objtempFile  =  objFSO.OpenTextFile( strtempFileFullPath, forWriting, true)
 End If
 objtempFile.WriteLine( strNextLine ) 
 If StrComp( strNextLine, "-" ) = 0 Then
  state   = foundNewEntry
  set objtempFile =  objFSO.OpenTextFile( strtempFileFullPath, forReading )
  state1    = foundNewEntry
  deleteEntry  = 0
  Do Until objtempFile.AtEndOfStream
   strNextLine = objtempFile.ReadLine
   If state1 = insideEntry Then
    state1  = foundNewEntry
    If Instr( strNextLine, "msPKIDPAPIMasterKeys") <> 0 Then
     deleteEntry  = 1
    ElseIf Instr( strNextLine, "msPKIAccountCredentials" ) <> 0 Then
     deleteEntry  = 1
    ElseIf Instr( strNextLine, "msPKIRoamingTimeStamp" ) <> 0 Then
     deleteEntry  = 1
    End If
   ElseIf InStr( strNextLine, "ChangeType:" ) = 0 Then
    state1  = insideEntry
   End If
  set objtempFile  =  objFSO.OpenTextFile( strtempFileFullPath, forReading )
  If deleteEntry = 0 Then
   Do Until objtempFile.AtEndOfStream
    StrNextLine   =  objtempFile.ReadLine
    objNewLdifdeFile.WriteLine( strNextLine )
  End If
  objFSO.DeleteFile( strtempFileFullPath )
 End If


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2014074 - Last Review: 12/12/2015 05:44:35 - Revision: 5.0

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Windows Server 2008 Enterprise, Windows Server 2008 R2 Enterprise

  • kbnosurvey kbarchive KB2014074