We recently upgraded our Active Directory controller from 2003 to 2008 R2. After the upgrade, the backup team came to me and said backups were failing on the new DCs. Running “vssadmin list writers” showed that the system writer was missing. I tried running the usual repair process for VSS (permissions and re-registering DLLs), but nothing was working. Additionally, every time the volume shadow service was restarted, the following event would show in the application log:
Log Name: Application
Source: Microsoft-Windows-CAPI2A
Event ID: 512
Task Category: None
Level: Error
Description:
The Cryptographic Services service failed to initialize the VSS backup “System Writer” object.
Details:
Could not open the EventSystem service for query.
System Error:
Access is denied.
After some troubleshooting and Googling, I found the answer. The problem was with a GPO that was being applied to the DCs. The GPO was put in place years ago by someone in the backup team to give their service account access to some of the services on the machine. The problem was with the service EventSystem (COM+ Event System). The SERVICE account needs read permission to that service for VSS to function properly, and this permission was missing from the GPO. I added the NT AUTHORITY\SERVICE account with read permission to the GPO and ran a GPUPDATE /force on the DCs. Restart the Cryptography service and the volume shadow service, and the system writer is now back and happy.
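
To confirm the fix described above, the check below (an added example, not part of the original post) parses a service security descriptor and reports whether NT AUTHORITY\SERVICE has read access. The function name and both SDDL strings are constructed for illustration and are not the real EventSystem descriptor; the syntax is kept compatible with the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: does a service DACL give NT AUTHORITY\SERVICE
# (SID S-1-5-6, SDDL alias SU) read access?

# "Read" on a service = QUERY_CONFIG (0x1) | QUERY_STATUS (0x4) |
# ENUMERATE_DEPENDENTS (0x8) | INTERROGATE (0x80) | READ_CONTROL (0x20000),
# written CC LC SW LO RC in SDDL.
$ServiceRead = 0x2008D

function Test-ServiceSidRead {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = 0
    $denied  = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACEs that name SERVICE directly are counted; rights a caller
        # gets through other SIDs in its token are outside this check.
        if ($ace.SecurityIdentifier.Value -ne 'S-1-5-6') { continue }
        if ($ace.AceType -eq 'AccessAllowed') { $allowed = $allowed -bor $ace.AccessMask }
        if ($ace.AceType -eq 'AccessDenied')  { $denied  = $denied  -bor $ace.AccessMask }
    }

    # Treat any denied bit as removed, whatever the ACE order (conservative).
    $effective = $allowed -band (-bnot $denied)
    $missing   = $ServiceRead -band (-bnot $effective)

    New-Object PSObject -Property @{
        HasRead = ($missing -eq 0)
        Granted = '0x{0:X}' -f $effective
        Missing = '0x{0:X}' -f $missing
    }
}

# Constructed descriptor that includes a read ACE for SERVICE (SU).
$withSu = 'D:(A;;CCLCSWLORC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)'

# Constructed descriptor of the kind a GPO can leave behind when it
# replaces the DACL without listing SERVICE.
$withoutSu = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)'

Test-ServiceSidRead $withSu
Test-ServiceSidRead $withoutSu

# On a live DC, feed it the real descriptor instead:
# Test-ServiceSidRead ((sc.exe sdshow EventSystem) -join '').Trim()
```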