I used this to migrate a certificate authority my root CA from a Win2003 AD server oldserver to a Win2008R2 member server newserver (with different name). After completing this task, I wanted to install the web enrollment role service on newserver, but that fails with (translated from German)
The certification authority web enrollment cannot be installed.
Active Directory Certificate services setup failed with the following error code: The parameter is incorrect. 0x80070057 (WIN32: 87)
I verified that
oldserver does not appear anywhere under
In server manager under AD Certificate Services/Enterprise PKI/my root CA all entries are either http with newserver or ldap with my root CA instead of a specific server name.
In Active Directory Sites and Services, under Services/Public Key Services/AIA/ there newserver$ has full access on my root CA. Under Services/Public Key Services/CDP/ there are folders newserver and each contains my root CA and my root CA(1) and my root CA(3). For all of these, newserver$ has full access rights.
All this looks to me as if I had done everything right - so what could be wrong?
This was a consequence of exactly following the procedure suggested by Microsoft:
As a consequence, I did not directly install the Web Enrollment. However, as I meanwhile found out, the registry contains a setting that states that Web Enrollment is already installed. Changing the setupstatus from 0x6003 to 0x6001 as suggested solved the problem.
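An added example, not part of the original post: a PowerShell script that reads the setup status value, shows which bits are set, and clears only the web enrollment bit (0x6003 becomes 0x6001) after exporting a backup. The registry path, the flag names (taken from the Windows SDK's certsrv.h as far as known) and the `-Apply` switch are assumptions; the page gives only the value name and the two numbers.

```powershell
# Added example. Run elevated on the CA server. Without -Apply it only reports.
param([switch]$Apply)

# Assumed location of the value the answer calls "setupstatus".
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$key     = "Registry::$regPath"
$name    = 'SetupStatus'

# Only the bits that occur in the page's values 0x6003 / 0x6001.
# Flag names are assumptions, not stated on the page.
$flags = @(
    @{ Bit = 0x0001; Name = 'SETUP_SERVER_FLAG (CA role installed)' },
    @{ Bit = 0x0002; Name = 'SETUP_CLIENT_FLAG (web enrollment installed)' },
    @{ Bit = 0x2000; Name = 'SETUP_DCOM_SECURITY_UPDATED_FLAG' },
    @{ Bit = 0x4000; Name = 'SETUP_SERVER_IS_UP_TO_DATE_FLAG' }
)

$current = [int](Get-ItemProperty -Path $key -Name $name).$name
'{0} = 0x{1:X4}' -f $name, $current

$known = 0
foreach ($f in $flags) {
    $known = $known -bor $f.Bit
    $state = if ($current -band $f.Bit) { 'set' } else { 'clear' }
    '  0x{0:X4}  {1,-5}  {2}' -f $f.Bit, $state, $f.Name
}
$other = $current -band (-bnot $known)
if ($other) { '  bits not decoded here: 0x{0:X4}' -f $other }

$webBit = 0x0002
if (-not ($current -band $webBit)) {
    'Web enrollment bit is already clear; nothing to change.'
    return
}

# Clear only the one bit so any other state recorded in the value survives.
$new = $current -band (-bnot $webBit)
'Proposed value: 0x{0:X4}' -f $new

if ($Apply) {
    # Export the key first so the change can be rolled back with "reg import".
    $backup = Join-Path $env:TEMP ('CertSvc-Configuration-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export $regPath $backup /y | Out-Null
    # An Int32 value is written as REG_DWORD by the registry provider.
    Set-ItemProperty -Path $key -Name $name -Value ([int]$new)
    "Written 0x{0:X4}; backup saved to {1}" -f $new, $backup
}
```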