Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
RobMiller86
Service Provider
Posts: 195
Liked: 39 times
Joined: Oct 28, 2019 7:10 pm
Full Name: Rob Miller

Re: Error: Failed to enable DC SafeBoot mode

Post by RobMiller86 »

Yeah I don't know. I have 1 2019 DC that with 23.3.3.264 S1 and all of the steps listed in this thread above completed, it still fails. Remove S1, everything works fine. Once installed, no combination so far has worked on this particular DC. Guess we will try one final time with a full uninstall, and reapply the fixes, and if not, I'll have to open an S1 ticket. S1 really needs to make this easier.
gigarun
Lurker
Posts: 1
Liked: never
Joined: Aug 16, 2024 5:01 am
Full Name: Thomas CASSEN

Re: Error: Failed to enable DC SafeBoot mode

Post by gigarun »

Nothing solved it in my case. Removing SentinelOne solved it. Adding another backup solution is also an alternative.
david.domask
Veeam Software
Posts: 2604
Liked: 608 times
Joined: Jun 28, 2016 12:12 pm

Re: Error: Failed to enable DC SafeBoot mode

Post by david.domask »

Hi Thomas and welcome to the forums.

Sorry to hear about the issues, but to confirm, removing SentinelOne assisted here? The solutions from earlier in the thread did not assist? Removing AV naturally will prevent AV from incorrectly interfering with backup operations, but obviously this is not a long term solution, so it's probably best to check the behavior with Veeam Support to confirm the behavior, then reach out to SentinelOne if you have not already.

Thanks!
David Domask | Product Management: Principal Analyst
vmikhelson
Novice
Posts: 8
Liked: 5 times
Joined: Jul 23, 2020 9:48 pm
Full Name: Vladimir Mikhelson

Re: Error: Failed to enable DC SafeBoot mode

Post by vmikhelson » 1 person likes this post

@SomewhereinSC

In addition to:
cd "\Program Files\SentinelOne\Sentinel Agent 24.1.4.257" *** Elevated CLI, current agent version ***
sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot true -k "<pass>"
sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot *** To verify ***

1. sentinelctl unload -a -k "<pass>"
2. sentinelctl load -a

It will allow you to avoid the unnecessary reboot.

-Vladimir
ShenRaiden
Lurker
Posts: 2
Liked: never
Joined: Apr 24, 2025 9:34 am
Full Name: Michele Rabacchi

Re: Error: Failed to enable DC SafeBoot mode

Post by ShenRaiden »

RobMiller86 wrote: Jan 22, 2024 4:22 pm We are still dealing with this too. Sometimes it works, and sometimes it does not. S1 has been a real pain with backing up DCs. I'm dealing with 1 DC now that throws this no matter what I do:

Failed to prepare guest for hot backup. Details: VSSControl: -805306334 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Updating BCD failed.
Cannot execute [SetIntegerElement] method of [\\SERVERNAME\root\wmi:BcdObject.Id="{cd0922c3-4ef8-11ee-9786-8af7d491816a}",StoreFilePath=""].
COM error: Code: 0xd0000022

Will be opening an S1 ticket I guess to see what they say.
In the exact same situation, have you found any solution?
So far, the only thing I could manage to do after trying everything else is turning that failed status into a warning, so it actually performs the backup, yet it's not backing up the NTDS, so it's a half-useful (pretty useless) solution.
david.domask
Veeam Software
Posts: 2604
Liked: 608 times
Joined: Jun 28, 2016 12:12 pm

Re: Error: Failed to enable DC SafeBoot mode

Post by david.domask »

Hi ShenRaiden, welcome to the forums.

Sorry to hear about the challenges with SentinelOne and backups of the DCs -- did the suggestions from vmikhelson in the post above yours help or the config changes proposed on the previous page? What was the result?
David Domask | Product Management: Principal Analyst
ShenRaiden
Lurker
Posts: 2
Liked: never
Joined: Apr 24, 2025 9:34 am
Full Name: Michele Rabacchi

Re: Error: Failed to enable DC SafeBoot mode

Post by ShenRaiden »

Thank you for welcoming me David, I work for an MSP company, so I have a multitenant situation. Sadly, nothing helped so far.
As of now I've spent 60+ hours on this, I've implemented all the possible, safe, solutions, yet nothing worked.

This is a problem I already faced in the past, and the "sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot true -k "PASSPHRASE"" command had been the solution (it is still working for most of my customers' DCs).


Worth mentioning, this tenant has 3 domain controllers; they were working fine with the above command prompted. Then a month ago "DC1" started failing... then after a couple of weeks also "DC2"... and after a week maybe, even "DC3"... then suddenly, without me doing anything relevant on it, "DC3" started working again a couple of days ago. O.o

So, now DC1 and DC2 give that error every time I try to perform the job, and DC3 works fine. Mind that, configuration-wise, they're the same (compared their configuration files). O.O!

We're using SentinelOne (agents version is 24.1.5.277, I will request the company managing S1 to update them asap, but I'm not positive about a resolution coming from this), and for this particular tenant I've even added some exceptions for some of the Veeam processes and folders, with no good results.

The verification command "sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot" returns "true", yet I would say it is still interfering somehow.

I've expanded the available space for VSS, successfully performed a shadow copy manually (to verify), but still getting the error on the job.

This is the infamous error, same as RobMiller86:

<Failed to prepare guest for hot backup. Details: VSSControl: -805306334 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Updating BCD failed.
Cannot execute [SetIntegerElement] method of [\\MyDC\root\wmi:BcdObject.Id="{74b16b4e-7439-11ee-9dc0-dd1cc76b4b19}",StoreFilePath=""].
COM error: Code: 0xd0000022>

Doing the backup causes this, the only error among the VSSWriters:

<Writer name: 'SqlServerWriter'
Writer Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
Writer Instance Id: {12ec3752-22db-4f33-bd78-c835561ef59d}
State: [8] Failed
Last error: Non-retryable error>

Restarting the service fixes its status, then it breaks again after a backup.

Credentials for the job are fine.
I won't disable SafeBootProtection, I won't exclude vsswriters and their protection as none of this is good, security-wise.

I've almost finished the Google pages with results pertaining to this issue, so when I saw RobMiller86's comment (which is the only post with the exact same error I've found so far among hundreds) I decided to ask if he/they managed to find a proper solution.

As of now, the only thing I could do to "get it working", meaning going from Failure to Warning, is to check the box "try application processing, but ignore failures" in the application-aware settings for the specific VM.
Yet I can't be satisfied with this, since it's not backing up the NTDS, and we're talking about a domain controller with AD here, so backing up without that becomes pretty useless.

Anyone has a solution?
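
Added example (not part of any post in this thread, and not Veeam or SentinelOne code): a short Python triage of the error text quoted above. It shows that the VSSControl value -805306334 and the COM error 0xd0000022 are the same 32-bit code, an NTSTATUS STATUS_ACCESS_DENIED wrapped by HRESULT_FROM_NT, and that the refused call is the BCD write; the function names and the one-entry status table are assumptions of this example.

```python
import re

FACILITY_NT_BIT = 0x10000000  # bit HRESULT_FROM_NT() sets when wrapping an NTSTATUS
NTSTATUS_NAMES = {0xC0000022: "STATUS_ACCESS_DENIED"}  # only the code seen in this thread

# Error text as posted above, embedded as sample input (host name as the poster gave it).
SAMPLE = r'''Failed to prepare guest for hot backup. Details: VSSControl: -805306334 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Updating BCD failed.
Cannot execute [SetIntegerElement] method of [\\MyDC\root\wmi:BcdObject.Id="{74b16b4e-7439-11ee-9dc0-dd1cc76b4b19}",StoreFilePath=""].
COM error: Code: 0xd0000022'''

def decode(code):
    """Normalise a signed/unsigned 32-bit code; unwrap it if it is an NT-facility HRESULT."""
    u = code & 0xFFFFFFFF
    nt = (u & ~FACILITY_NT_BIT) if u & FACILITY_NT_BIT else None
    return {"hresult": f"0x{u:08X}",
            "ntstatus": f"0x{nt:08X}" if nt is not None else None,
            "name": NTSTATUS_NAMES.get(nt, "unknown")}

def triage(text):
    """Pull out the fields that show which operation was refused, and with what status."""
    vss = re.search(r"VSSControl:\s*(-?\d+)", text)
    com = re.search(r"COM error: Code:\s*(0x[0-9a-fA-F]+)", text)
    wmi = re.search(r'\[(\w+)\] method of \[.*?:(\w+)\.Id="(\{[0-9a-fA-F-]+\})"', text)
    vss_d = decode(int(vss.group(1))) if vss else None
    com_d = decode(int(com.group(1), 16)) if com else None
    return {
        "vss": vss_d,
        "com": com_d,
        # The same 32-bit value printed twice: once as signed decimal, once as hex.
        "same_code": bool(vss_d and com_d and vss_d["hresult"] == com_d["hresult"]),
        "bcd_update_failed": "Updating BCD failed" in text,
        "wmi_method": wmi.group(1) if wmi else None,
        "wmi_class": wmi.group(2) if wmi else None,
        "bcd_object_id": wmi.group(3) if wmi else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoded result says the BcdObject write was refused with access denied rather than that VSS itself failed; which component refused it still has to be confirmed from that component's own logs.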