System State Backups using NTbackup fail with error 0x800423f4 (relating to volume shadow copy)

Question

We have a Windows Server 2003 R2 running Service Pack 2. It is a domain controller (Global Catalog) and our main internal DNS server. We run a System State backup of the machine to back up Active Directory information and save the backup to a different server.

This server has a single drive (C:), and we do have Shadow Copies enabled for the volume (which are completing successfully).

The System State Backup is now failing with the following listed in the backup logs:

Volume shadow copy creation: Attempt 1. "Event Log Writer" has reported an error 0x800423f4. This is part of System State. The backup cannot continue.

Error returned while creating the volume shadow copy:800423f4 Aborting Backup.

---

The operation did not successfully complete.

---

When doing a vssadmin list writers, we sometimes get the following reported for the Event Log Writer (other times it says that it is in the state of "[1] Stable" with "No error"):

Writer name: 'Event Log Writer' Writer Id: {eee8c692-67ed-4250-8d86-390603070d00} Writer Instance Id: {c7194e96-868a-49e5-ba99-89b61977753c} State: [8] Failed Last error: Retryable error

We have tried disabling the event log service via the registry, rebooting, deleting the event log files from the drive, then re-enabling the service via the registry and rebooting, but this didn't seem to solve the issue.

We also get an error message when in the event viewer when trying to open the log for the "File Replication Service" of "Unable to complete the operation on 'File Replication Service'. The security descriptor structure is invalid."

I have searched the error via Google and tried a number of different things, but nothing has seemed to help.

Any suggestions on what we might try to get the Event Log Writer to behave would be greatly appreciated!

Answer 1

The issue was resolved by fixing the Event Viewer error when opening the "File Replication Service" log:

"Unable to complete the operation on 'File Replication Service'. The security descriptor structure is invalid."

The registry value for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD was blank. I entered the value from another domain controller:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

This resolved the error when opening that log file, and resolved the issue with System State Backups failing.

Answer 2

Microsoft seems to have issued a hotfix for this problem and error code. I would test it well, though.

Answer 3

Isn't having shadow copies/previous versions on the same volume as your sysvol share an unsupported config? I can't find any definitive info on this right now, but there's something nagging at the back of my mind about it...

Answer 4

Had the following issue

Event Log Writer" has reported an error 0x800423f4. This is part of System State. The backup cannot continue.

Found the problem was a lack of disk space on the System partition. Once I cleaned it up a bit, the system state went through no problem

Answer 5

1. Open Registry editor
2. Expand HKLM\System\CurrentControlSet\Services\Eventlog\Security
3. Check the value of the registry key "File" and make sure its set to
   %SystemRoot%\System32\Config\SecEvent.Evt