Challenge
As this is an error with VSS and Veeam's Guest Processing technique for Domain Controllers it is relevant to all backup jobs for both virtual and physical Domain Controllers
Veeam Backup & Replication job using Application-Aware Processing to process a Domain Controller fails with one the following errors:
Unable to release guest. Details: Unfreeze error: [Backup job failed. Cannot create a shadow copy of the volumes containing writer's data. A VSS critical writer has failed. Writer name: [NTDS]. Class ID: [{b2014c9e-8711-4c5c-a5a9-3cf384484757}]. Instance ID: [{66fddc15-0e4c-4a2a-ad31-32eaf6dae8a3}]. Writer\'s state: [VSS_WS_FAILED_AT_POST_SNAPSHOT]. Error code: [0x800423f4].]
Error: VSSControl: 0 Backup job failed. Cannot create a shadow copy of the volumes containing writer's data. Cannot prepare the [NTDS] data to a subsequent restore operation. Cannot process NTDS data. Cannot create a backup copy of the BCD.
Error: VSSControl: -1 Backup job failed. Cannot create a shadow copy of the volumes containing writer's data. Cannot prepare the [NTDS] data to a subsequent restore operation. Cannot process NTDS data. Cannot create a backup copy of the BCD. Cannot get [BcdStore] object. COM error: Code: 0xffffffff
Solution
The actions listed in this section are to be performed within the Guest OS of the DC that is having these issues.
The cause is most likely one of the following. If a listed troubleshooting step requires attention, test the Veeam job after performing that troubleshooting task, before proceeding on to further troubleshooting steps.
Verify that the NTDS VSS writer is stable.
From an elevated command prompt run the following command:
vssadmin list writers
The results will appear as:
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {ee24b741-eaf7-4663-8f95-b92ae8c5e164}
State: [1] Stable
Last error: No error
If the NTDS writer is not listed as "State: [1]Stable", reboot the DC (Domain Controller).
Note: If the NTDS writer does not appear in the list, it is advisable to contact Microsoft support for their assistance in investigating why the writer is not present.
Verify that Automatic mounting of new volumes enabled.
From a Run prompt (Win+R) run the program 'diskpart'.
From within DiskPart run the following command.
automount
If the results do not show “Automatic mounting of new volumes enabled.” Run the following command:
automount enable
Verify that there are no .bak keys in the ProfileList within the Registry.
Open the Registry Editor (regedit.exe)
Within the registry navigate to:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
There will be a list of Keys, you must remove any ending in .bak
More Information
The Majority of cases are resolved uses the above 3 troubleshooting steps. However in rare cases users have reported having to rebuild the WMI repository.