How to back up Domain Controllers that are Virtual Machines
It's so simple to back up VMs in Acronis Cloud, but what if the VM is a domain controller? I already have the agent installed on the Hyper-V host backing up all guest VMs. But in the case that there are multiple DCs should I instead install the agent on the VM directly and run an entire machine backup with Active Directory application-aware enabled? To avoid the USN rollback as mentioned below? I'm thinking that the answer is "yes", but wanted some feedback before I make any changes.
Per the Acronis documentation:
Protecting a domain controller
A machine running Active Directory Domain Services can be protected by application-aware backup. If a domain contains more than one domain controller, and you recover one of them, a nonauthoritative restore is performed and a USN rollback will not occur after the recovery.
The USN rollback issue is avoided when the backup is captured using Microsoft VSS, which is used natively by default when you take agent-less backup of Hyper-V VMs (using Agent for Hyper-V). There is possibility to disable using VSS while processing the VM by disabling "Volume Shadow Copy for Virtual Machines" backup option, but by default it's turned on.
The application-aware backup option you refer to, is available via agent running inside guest OS of the VM and/or in agent-less mode when backing up VMware vSphere VM (by Agents for VMware). This option is not available yet for agent-less backup of Hyper-V VMs. However from perspective of protecting DCs it is usually sufficient to just ensure that backup is captured using VSS ("VSS for VMs" option mentioned above is enabled). The application-aware backup option (when protection for Active Directory is enabled) adds more checks to guarantee that VSS was used correctly - for example it checks the state of VSS writers responsible for particular application and ensures that they were used correctly.
Normally capturing successful snapshot (checkpoint) of the VM automatically means that VSS was used correctly, so these checks may be omitted. Still if you need 100% guarantee, it makes sense to use agent (regular Agent for Windows) running inside VM which hosts the DC.
So from this answer I take it that we *should* be okay with just the Hyper-V backup (so long as VSS is enabled and working), but if you really want to be safe, you can also (or instead) perform an “in-VM app-aware Entire Machine with AD backup…”
Anyone tested a restore of a DC from a Hyper-V VM backup to verify it works and that it can sync back up with the other DCs?