How to fix Veeam Active Directory backup corruption


Lewis, our trusty Veeam specialist has some tips for you

Here's a scenario for you:

You need to restore a Domain Controller (DC), running Server 2012, back to a Hypervisor for testing. This might be via a SureBackup or in a disaster recovery situation using Veeam Backup and replication. However, upon successful restoration of the Virtual Machine files you encounter any of the following...


In all these circumstances you find that starting in DSRM allows the computer with the DC role to start and remain stable.


Veeam's Change Block Tracking driver (CBT) has failed to take a consistent copy of the active directory database correctly (NTDS.dit) and has corrupted the NTDS.dit within the Veeam backup of the DC. Although this is the case the Veeam console reports that the backup was taken successfully.

This is currently a known bug which Veeam are working on.


To resolve this issue, disable CBT from the backup job which contains the DC. If the DC is part of a collection of virtual servers in a single job, it may be worth creating a separate Job for the DC with CBT disabled. This will allow leaving CBT enabled on the existing job to allow for faster incremental backups of the other servers.

Please note:- If the NTDS.dit is already corrupted, disabling CBT in the current job will not fix the corruption. It will also significantly increase the time taken to complete incremental backups.
A new job/chain will need to be created. If you have already started a new job due to recent backup failures problems CBT does not run on the first backup job so you can just disable it and continue.

More information

To test the consistency of the NTDS.dit in your current backup follow the following procedure.

Use Veeam to perform a file level restore of the NTDS folder from the DC: e.g. C:WindowsNTDS (This will depend on where you have selected to create this folder.) This folder need to be copied to a location on the DC i.e C:Temp

Open up an administrative command prompt and type Esentutl /g

e.g. esentutl /g C:tempNTDSntds.dit

The Esentutl tool will confirm whether AD/NTDS is corrupted.

Please note:- This does not mean that your live AD/NTDS.dit on the DC is corrupted. This just shows that the AD/NTDS.dit within the backup has been corrupted due to CBT. You can confirm this by looking at event viewer in the following areas. You can also perform the same integrity check on the live ntds.dit by using one of the following methods.

Method 1

  1. Stop the Active Directory Domain services. (Warning this stops AD from functioning in the live environment). This will need to be planned downtime.
  2. Open an elevated command prompt and type Esentutl /g C:WindowsNTDSNTDS.dit (change your path accordingly)
  3. Start the Active Directory Domain Services

Method 2

  1. From an elevated command prompt type the following Diskshadow
  2. Set Verbose on - gives some extra output
  3. Add volume C - this adds the specified volume to the shadow copy set, if you want another volume, type one more command e.g. Add volume D
  4. Set Context Persistent - required parameter for shadow copy if you plan to mount it. You will need to delete the snapshot manually afterwards
  5. Create - starts process of creation, when it finishes you will have shadow copy ID
  6. Expose shadow copy ID X: (or any other letter) - mounts a shadow copy as a drive letter specified
  7. Exit Diskshadow - Exits Diskshadow
  8. At an elevated Command prompt type Esentutl /g X:WindowsNTDSNTDS.dit (change your path depending on the drive letter of your mounted snapshot)
  9. Once finished type Diskshadow
  10. Delete shadows exposed x: (change your path depending on the drive letter of your mounted snapshot) - dismounts and deletes shadow copy

More info about these commands can be found here:

let's start the ball rolling

Fill in the form or use the contact details below and we’ll get our expert team to put together a package that’s personal to your business.
0114 299 4050