Certification Authority migration - cannot install Web Enrollment role

0

I used this to migrate a certificate authority my root CA from a Win2003 AD server oldserver to a Win2008R2 member server newserver (with different name). After completing this task, I wanted to install the web enrollment role service on newserver, but that fails with (translated from German):

The certification authority web enrollment cannot be installed.

Active Directory Certificate services setup failed with the following error code: The parameter is incorrect. 0x80070057 (WIN32: 87)

I verified that oldserver does not appear anywhere under HKLM\SYSTEM\CurrentControlSet\CertServ.

In server manager under AD Certificate Services/Enterprise PKI/my root CA all entries are either http with newserver or ldap with my root CA instead of a specific server name.

In Active Directory Sites and Services, under Services/Public Key Services/AIA/ there newserver$ has full access on my root CA. Under Services/Public Key Services/CDP/ there are folders oldserver and newserver and each contains my root CA and my root CA(1) and my root CA(3). For all of these, newserver$ has full access rights.

All this looks to me as if I had done everything right - so what could be wrong?

windows-server-2008-r2
certificate
migration
pki
windows-server-2003
asked on Super User May 5, 2015 by Hagen von Eitzen • edited Jun 12, 2020 by Community

1 Answer

0

This was a consequence of exactly following the procedure suggested by Microsoft:

  • They suggest to first install only the CA without additional role services
  • They suggest to edit the registry settings exported/imported only regarding server names

As a consequence, I did not directly install the Web Enrollment. However, as I meanwhile found out, the registry contains a setting that states that Web Enrollment is already installed. Changing the setupstatus from 0x6003 to 0x6001 as suggested solved the problem.

answered on Super User May 6, 2015 by Hagen von Eitzen
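
The check described in the answer above, as an added example that is not part of the original post: it decodes SetupStatus into its flag bits, compares the Web Enrollment bit with the role services actually installed, and clears the stale bit only when `$Apply` is set. Assumptions not stated on the page: the value is read from the `Services\CertSvc\Configuration` key, the bit names are the `SETUP_*` constants from the Windows SDK header certsrv.h, and the backup path is a placeholder.

```powershell
# Added example. Assumed: key path and SETUP_* names (certsrv.h); not taken from the page.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$Apply     = $false   # set to $true only after reviewing the output
$ClientBit = 0x0002   # SETUP_CLIENT_FLAG: Web Enrollment marked as installed

$SetupFlags = @{
    0x0001 = 'SETUP_SERVER_FLAG';          0x0002 = 'SETUP_CLIENT_FLAG'
    0x0004 = 'SETUP_SUSPEND_FLAG';         0x0008 = 'SETUP_REQUEST_FLAG'
    0x0010 = 'SETUP_ONLINE_FLAG';          0x0020 = 'SETUP_DENIED_FLAG'
    0x0040 = 'SETUP_CREATEDB_FLAG';        0x0080 = 'SETUP_ATTEMPT_VROOT_CREATE'
    0x0100 = 'SETUP_FORCECRL_FLAG';        0x0200 = 'SETUP_UPDATE_CAOBJECT_SVRTYPE'
    0x0400 = 'SETUP_SERVER_UPGRADED_FLAG'; 0x0800 = 'SETUP_W2K_SECURITY_NOT_UPGRADED_FLAG'
    0x1000 = 'SETUP_SECURITY_CHANGED';     0x2000 = 'SETUP_DCOM_SECURITY_UPDATED_FLAG'
    0x4000 = 'SETUP_SERVER_IS_UP_TO_DATE_FLAG'
}

function ConvertFrom-SetupStatus([int]$Value) {
    # Return the name of every bit that is set in $Value, lowest bit first.
    foreach ($bit in ($SetupFlags.Keys | Sort-Object)) {
        if ($Value -band $bit) { '{0} (0x{1:X4})' -f $SetupFlags[$bit], $bit }
    }
}

# The two values quoted in the answer differ only in SETUP_CLIENT_FLAG.
foreach ($v in 0x6003, 0x6001) {
    '0x{0:X4}: {1}' -f $v, ((ConvertFrom-SetupStatus $v) -join ', ')
}

# Compare the registry flag with the role services that are really installed.
Import-Module ServerManager
$current   = (Get-ItemProperty -Path $ConfigKey -Name SetupStatus).SetupStatus
$flagSet   = [bool]($current -band $ClientBit)
$installed = (Get-WindowsFeature -Name ADCS-Web-Enrollment).Installed
'Current SetupStatus 0x{0:X4}; flag set: {1}; role service installed: {2}' -f $current, $flagSet, $installed

if ($flagSet -and -not $installed) {
    $fixed = $current -band (-bnot $ClientBit)
    'Stale SETUP_CLIENT_FLAG; corrected value would be 0x{0:X4}' -f $fixed
    if ($Apply) {
        # Keep a copy of the key before changing it (placeholder backup path).
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$env:TEMP\certsvc-config-backup.reg" /y
        Set-ItemProperty -Path $ConfigKey -Name SetupStatus -Value $fixed -Type DWord
    }
}
```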

User contributions licensed under CC BY-SA 3.0