Articles in this section

Known Issue: SentinelOne Causing Domain Controller Backup Failures

Updated

Table of Contents


    Affected Environment

    This issue has been observed when:

    • Backing up Active Directory Domain Controllers
    • Using Veeam Backup & Replication application-aware processing
    • Systems have SentinelOne Agent version 23.2.3.358 installed


     

    Symptoms

    Backup jobs fail during VSS snapshot creation with errors similar to the following:

    Processing SERVER Error: VSSControl: -805306334

    Backup job failed. Cannot create a shadow copy of the volumes containing writer's data.

    Cannot prepare the [NTDS] data for a subsequent restore operation.

    Cannot process NTDS data.

    Updating BCD failed.

    Cannot execute [SetIntegerElement] method of

    [\SERVER\root\wmi:BcdObject.Id="{GUID}",StoreFilePath=""].

    COM error: Code: 0xd0000022


     

    Cause

    The issue is caused by the Safe Boot Protection feature in SentinelOne.

    This feature blocks modifications to Boot Configuration Data (BCD), which interferes with the process Veeam uses to prepare Active Directory for application-aware backups of Domain Controllers.


     

    Workaround: Disable SentinelOne Safe Boot Protection

    Until a permanent fix is provided by SentinelOne or Veeam, the workaround is to disable Safe Boot Protection on the affected system.


     

    Step 1 — Retrieve the SentinelOne Passphrase

    From the SentinelOne Management Console:

    1. Locate the affected endpoint.
    2. Retrieve the agent passphrase for that machine.

    This passphrase is required to change local SentinelOne configuration settings.


     

    Step 2 — Disable Safe Boot Protection

    Log in to the Domain Controller with administrative privileges.

    Open an elevated Command Prompt or PowerShell and run:

    cd "C:\Program Files\SentinelOne\Sentinel Agent 23.2.3.358"


     

    .\SentinelCtl.exe config safeBootProtection false -k "PASSPHRASE"

    Replace PASSPHRASE with the value obtained from the SentinelOne console.


     

    Step 3 — Restart the Server (Recommended)

    Although not strictly required, it is recommended to reboot the system after changing the Safe Boot Protection setting to ensure the change is applied correctly.


     

    Verification

    After disabling Safe Boot Protection:

    1. Run the Veeam backup job again.
    2. Confirm the job successfully completes application-aware processing for the Domain Controller.
    3. Verify the NTDS writer no longer fails during snapshot creation.


     

    Best Practices

    To prevent security software from interfering with backup operations:

    • Apply antivirus exclusions according to the official Veeam KB articles listed above.
    • Ensure exclusions are applied to all Veeam infrastructure components, including:
      • Backup servers
      • Proxies
      • Repositories
      • Mount servers
      • WAN accelerators
    • Validate that endpoint protection solutions are not blocking VSS operations.


     

    Related articles

    Powered by Zendesk