Microsoft KB Archive/305193

= Error Message: The Parameter Is Incorrect. 0x80070057 (WIN32: 87) =

Article ID: 305193

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q305193



SYMPTOMS
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message:

An error was detected while configuring Certificate Services. The Certificate Services Wizard will need to be rerun to complete the configuration. Certificate Services Setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)

If you use the Certutil.exe tool to parse this error message, you receive the following information:

0x80070057 (WIN32: 87) -- 2147942487 (-2147024809)

Error message text: The parameter is incorrect.



CAUSE
When you install an Enterprise CA, a security check is performed to determine one of two things:
 * Make sure that the user who is installing the CA has the required permissions and user rights to add or merge security descriptors in the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com Active Directory node.
 * Make sure that the CN=Public Key Services, CN=Services, CN=Configuration, DC=domainname,DC=com node already exist in Active Directory. If it does not, create it.

You must be a member of the Enterprise Administrators group to add or merge security descriptors in the node. Also, your token must have the must have the SeRestorePrivilege user right. If your token does not have this right, the security descriptor add or merge process does not succeed and generates the following Lightweight Directory Access Protocol (LDAP) error message:

Error code: LDAP_CONSTRAINT_VIOLATION

Value: 0x13

Descriptions: There was a constraint violation.



RESOLUTION
Grant the SeRestorePrivilege user right directly to the user account that is performing the Enterprise CA installation. Or, assign this right to the Enterprise Administrators group.



STATUS
This behavior is by design.

Keywords: kberrmsg kbprb KB305193

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.