1-800-691-1991 | 9am - 8pm ET
EN

VSS errors related to NTDS writer failures

KB ID: 1697
Product: Veeam Agent for Microsoft Windows, Veeam Backup & Replication
Version: ALL
Published: 2012-12-03
Last Modified: 2021-07-08

Challenge

This article discusses an error that occurs due to VSS and Veeam's Guest Processing technique for Domain Controllers. It is relevant to all backup jobs for both virtual and physical Domain Controllers.
A job processing a Domain Controller with Application-Aware Processing fails with one of the following errors:
Unable to release guest. Details: Unfreeze error: [Backup job failed. Cannot create a shadow copy of the volumes containing writer's data. A VSS critical writer has failed. Writer name: [NTDS]. Class ID: [{b2014c9e-8711-4c5c-a5a9-3cf384484757}]. Instance ID: [{66fddc15-0e4c-4a2a-ad31-32eaf6dae8a3}]. Writer\'s state: [VSS_WS_FAILED_AT_POST_SNAPSHOT]. Error code: [0x800423f4].]
Error: VSSControl: 0 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Cannot create a backup copy of the BCD.
Error: VSSControl: -1 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Cannot create a backup copy of the BCD. Cannot get [BcdStore] object. COM error: Code: 0xffffffff

Solution

The actions listed in this section are to be performed within the Guest OS of the DC that is having these issues.

Attempt each of the following troubleshooting angles individually, testing the job after each.
Reboot the Domain Controller
As these errors are related to the Microsoft VSS subsystem, a reboot often is the fastest way to alleviate any issue which may be occurring at the OS level.
Isolate Anti-Virus Interference

Disabling the anti-virus temporarily can help isolate whether the issue is related to interference from the anti-virus. Disable\uninstall the anti-virus fully and run the Veeam job. If the job works, reenable\reinstall the antivirus, and if the job begins to fail again, the anti-virus needs to be investigated.

Many anti-virus solutions have developed modules that monitor and prevent access to the boot configuration data (BCD). These "boot protection modules" have been observed to prevent Veeam's Application-Aware Processing processing from working with Domain Controllers. During the backup job's Application-Aware Processing step, for Domain Controllers only, the BCD is temporarily modified to enable SafeBoot.

For more information about anti-virus exclusions recommended for Veeam Backup & Replication review: https://www.veeam.com/kb1999

Verify that the NTDS VSS writer is stable
From an elevated command prompt run the following command:
vssadmin list writers
Example results:
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {ee24b741-eaf7-4663-8f95-b92ae8c5e164}
State: [1] Stable
Last error: No error

If the NTDS writer is not listed as "State: [1]Stable", reboot the Domain Controller.

If the NTDS VSS writer fails to remain stable and job failures persist, further investigation using VSS Trace may be necessary. 

Note: If the NTDS writer does not appear in the list, it is advisable to contact Microsoft support to investigate why the writer is not present.

More information

Isolating VSS issue using Windows Server Backup

As an isolation step, enable the Windows Server Backup feature within Server Manager. Then perform a full backup, including the system state.

If this fails with a similar VSS error, there is likely an OS level issue which will require deeper investigation. Veeam Support will do it's best to assist with investigating, and will be available to work with you and Microsoft Support.

Rarer Solutions
The following are solutions that have been reported to Veeam Support by multiple customers facing an NTDS VSS issue. While rare, these have been shown to resolve OS issues that may be preventing the VSS operations from completing. They are provided here to aid in the possible resolution of edge cases.

Verify that there are no .bak keys in the ProfileList within the Registry.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

example of .bak profile in list
Example of .bak profile
Check for WMI repository corruption and rebuild the WMI repository.
KB ID: 1697
Product: Veeam Agent for Microsoft Windows, Veeam Backup & Replication
Version: ALL
Published: 2012-12-03
Last Modified: 2021-07-08

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.
Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Your report was sent to the responsible team. Our representative will contact you by email you provided.
We're working on it please try again later
Knowledge base content request
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Policy.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

ty icon

Thank you!

We have received your request and our team will reach out to you shortly.

OK

error icon

Oops! Something went wrong.

Please go back try again later.