Can DPM 2007 back up virtualized Domain Controllers?

Question

I'm reading this article on caveats and best-practices for running DCs in VMs. It states that the only way to back up a virtualized DC would be to use Windows Server Backup on the guest, due to interactions with Active Directory, and USN rollback, and yadda yadda. Is this accurate? My organization uses DPM 2007 for backups, with system states and full disk backups (from within the guest server, not the VHD from the host) going on each virtual DC daily. If using DPM is supported, what are the correct practices to back up and restore virtual DCs?

Answer 1

A brief and very simplified explanation:

When "restoring", using a snapshot, the active directory database on the DC in question will not update its own invocation ID, leaving other DC's unaware of the fact that it has been restored.

Since the information about object "up-to-dateness" in an active directory partition in correlation to its replication partners depend on self-contained information (in the form of database and object USN's), the Domain Controller can not possibly be aware that it has been restored either, and so you run the risk of leaving objects on the DC in a stale state.

This is not just yadda yadda, blah blah blah, this is serious stuff, you might end up destroying more than you rebuild.

The issue of USN rollbacks due to unsupported recovery methods like snapshot reverts is covered extensively in this KB-article: http://support.microsoft.com/kb/875495. Here is an example from the real world

The bottom line is:

Snapshots are not valid as AD DS backups!

If you intend to back up your Domain Controller for active directory disaster recovery purposes (which I can only recommend), be sure to back up the system state of the VM, not the VHD. I haven't used DPM myself, but as I understand you can have DPM automatically retrieve the system state backup from wbadmin on the VM