This article was previously published under Q305193
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message:
An error was detected while configuring Certificate Services. The Certificate Services Wizard will need to be rerun to complete the configuration. Certificate Services Setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)
If you use the Certutil.exe tool to parse this error message, you receive the following information:
0x80070057 (WIN32: 87) -- 2147942487 (-2147024809) Error message text: The parameter is incorrect.
When you install an Enterprise CA, a security check is performed to determine one of two things:
Make sure that the user who is installing the CA has the required permissions and user rights to add or merge security descriptors in the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com Active Directory node.
Make sure that the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com node already exist in Active Directory. If it does not, create it.
You must be a member of the Enterprise Administrators group to add or merge security descriptors in the node. Also, your token must have the must have the SeRestorePrivilege user right. If your token does not have this right, the security descriptor add or merge process does not succeed and generates the following Lightweight Directory Access Protocol (LDAP) error message:
Error code: LDAP_CONSTRAINT_VIOLATION Value: 0x13 Descriptions: There was a constraint violation.
Grant the SeRestorePrivilege user right directly to the user account that is performing the Enterprise CA installation. Or, assign this right to the Enterprise Administrators group.