1-800-691-1991 | 9am - 8pm ET
EN

VSS errors related to NTDS writer failures

KB ID: 1697
Product: Veeam Agent for Microsoft Windows
Veeam Backup & Replication
Version: ALL
Published: 2012-12-03
Last Modified: 2021-09-14
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Policy.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

This article discusses an error that occurs due to VSS and Veeam's Guest Processing technique for Domain Controllers. It is relevant to all backup jobs for both virtual and physical Domain Controllers.
A job processing a Domain Controller with Application-Aware Processing fails with one of the following errors:
Unable to release guest. Details: Unfreeze error: [Backup job failed. Cannot create a shadow copy of the volumes containing writer's data. A VSS critical writer has failed. Writer name: [NTDS]. Class ID: [{b2014c9e-8711-4c5c-a5a9-3cf384484757}]. Instance ID: [{66fddc15-0e4c-4a2a-ad31-32eaf6dae8a3}]. Writer\'s state: [VSS_WS_FAILED_AT_POST_SNAPSHOT]. Error code: [0x800423f4].]
Error: VSSControl: 0 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Cannot create a backup copy of the BCD.
Error: VSSControl: -1 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Cannot create a backup copy of the BCD. Cannot get [BcdStore] object. COM error: Code: 0xffffffff

Solution

The actions listed in this section are to be performed within the Guest OS of the DC that is having these issues.

Attempt each of the following troubleshooting angles individually, testing the job after each.
Reboot the Domain Controller
As these errors are related to the Microsoft VSS subsystem, a reboot often is the fastest way to alleviate any issue which may be occurring at the OS level.
Isolate Anti-Virus Interference

Disabling the anti-virus temporarily can help isolate whether the issue is related to interference from the anti-virus. Disable\uninstall the anti-virus fully and run the Veeam job. If the job works, reenable\reinstall the antivirus, and if the job begins to fail again, the anti-virus needs to be investigated.

Many anti-virus solutions have developed modules that monitor and prevent access to the boot configuration data (BCD). These "boot protection modules" have been observed to prevent Veeam's Application-Aware Processing processing from working with Domain Controllers. During the backup job's Application-Aware Processing step, for Domain Controllers only, the BCD is temporarily modified to enable SafeBoot.

For more information about anti-virus exclusions recommended for Veeam Backup & Replication review: https://www.veeam.com/kb1999

Verify that the NTDS VSS writer is stable
From an elevated command prompt run the following command:
vssadmin list writers
Example results:
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {ee24b741-eaf7-4663-8f95-b92ae8c5e164}
State: [1] Stable
Last error: No error

If the NTDS writer is not listed as "State: [1]Stable", reboot the Domain Controller.

If the NTDS VSS writer fails to remain stable and job failures persist, further investigation using VSS Trace may be necessary. 

Note: If the NTDS writer does not appear in the list, it is advisable to contact Microsoft support to investigate why the writer is not present.

More information

Isolating VSS issue using Windows Server Backup

As an isolation step, enable the Windows Server Backup feature within Server Manager. Then perform a full backup, including the system state.

If this fails with a similar VSS error, there is likely an OS-level issue that will require deeper investigation. Veeam Support will do its best to assist with investigating and will be available to work with you and Microsoft Support.

Rarer Solutions
The following are solutions that have been reported to Veeam Support by multiple customers facing an NTDS VSS issue. While rare, these have been shown to resolve OS issues that may be preventing the VSS operations from completing. They are provided here to aid in the possible resolution of edge cases.

Verify that there are no .bak keys in the ProfileList within the Registry.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

example of .bak profile in list
Example of .bak profile
Check for WMI repository corruption and rebuild the WMI repository.
Click here to send feedback regarding this KB, or suggest content for a new KB.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Policy.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you for your interest in Veeam products!
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.