Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message "A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)".

Assume the following scenario:

  • A certification authority (Enterprise CA) integrated into Active Directory is installed using Windows PowerShell (Install-AdcsCertificationAuthority).
  • The role configuration fails with the following error message:
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)

When installing via the graphical interface using the server manager, you don't even get that far because the option to install an Enterprise CA is grayed out and not selectable.

Cause and solution


The error code "ERROR_DS_RANGE_CONSTRAINT" means that the selected option to install an enterprise certificate authority is not available because a dependency on Active Directory is not met.

The specific reason is recorded in the file certocm.log in the Windows installation directory (usually C:\Windows).

Among others, the following reasons can be considered for the error:

  • The machine is not a member of a domain, which generates the error code ENUM_ENTERPRISE_UNAVAIL_REASON_DOMAIN_NOT_JOINED.
  • The logged-in user does not have permissions to install a certificate authority (Enterprise CA) integrated into Active Directory, which generates the error code ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS. By default, only members of the Enterprise Administrators group can install such certificate authorities; however, the right may be delegated.
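
The following PowerShell snippet is an added example, not part of the original article. It pulls the ENUM_ENTERPRISE_UNAVAIL_REASON_* codes out of certocm.log and cross-checks the two causes listed above. It assumes the log is in the Windows directory and identifies the Enterprise Admins group by its well-known RID 519; the variable names are illustrative.

```powershell
# Added example: find out why the Enterprise CA option is unavailable.
# Assumption: certocm.log is in the Windows directory, as the article states.
$logPath = Join-Path $env:windir 'certocm.log'

$reasons = @()
if (Test-Path -LiteralPath $logPath) {
    # Collect every distinct reason code that setup wrote to the log.
    $reasons = @(
        Select-String -LiteralPath $logPath -AllMatches `
                      -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON_\w+' |
            ForEach-Object { $_.Matches.Value } |
            Select-Object -Unique
    )
} else {
    Write-Warning "$logPath not found; run the role configuration on this machine first."
}

# Cause 1 (DOMAIN_NOT_JOINED): is the machine a domain member at all?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Cause 2 (NO_INSTALL_RIGHTS): does the current logon token contain the
# Enterprise Admins group (forest root domain SID ending in RID 519)?
# A value of $false is not conclusive, because the right may have been
# delegated to another principal.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inEnterpriseAdmins = [bool]($identity.Groups |
    Where-Object { $_.Value -match '^S-1-5-21-.+-519$' })

# One summary object so the result can be read or exported in one piece.
[pscustomobject]@{
    LoggedReasons           = $reasons -join ', '
    Computer                = $cs.Name
    PartOfDomain            = $cs.PartOfDomain
    Domain                  = $cs.Domain
    User                    = $identity.Name
    EnterpriseAdminsInToken = $inEnterpriseAdmins
}
```

Run it in the same elevated session that was used for Install-AdcsCertificationAuthority, so that the token being inspected is the one setup actually saw.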
