I've been setting up off-site backups for the most critical elements of the company I work at. One of these critical elements is the DC.
Now, the company is fairly small, so it has only a single forest and two DC servers on separate physical machines (one of them is virtualized, however). That said, a critical fault in the server room could destroy both of these machines.
So, I'm trying to create a DC backup for a critical-case scenario. I keep reading online that backing up the System State is enough, but I have a feeling this is only valid if you want to be able to restore the DC on the same server where the backup was taken. I've tried taking a System State backup and then restoring it on an isolated VM (same server, same updates), and this... didn't go so well; the restore went fine, but then I couldn't contact the local DC, even if I ensured the VM had the same IP as before (still isolated, of course). None of the DC-related administrative consoles worked either. There was even a warning during restoration that restoring a System State from another machine is not suggested.
Thus, I feel this is the wrong approach. So... what IS the right approach, if I want to back up our DC off-site, to cover a critical failure? A complete backup of the C: drive + System State? Or I could just back up the whole drive for that virtualized DC, but I'm trying to make the backup as small as possible...
EDIT: I'm trying to make the backup as small as possible NOT to skip on costs, but on upload times.
PS. I'm using the Azure Backup application, but I don't think it's that relevant. All of our DCs are currently running Windows Server 2016.
A system state restore could work, but the only method supported by Microsoft is a full system image recovery. This includes system state.
A complete forest recovery is complex, so you need to review the following document and create your own document with the required steps:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide
This is a common approach and it's the wrong approach.
You're protecting one of the company's most important information technology assets. Treat it as such. Nothing less than a full backup of the DC is acceptable. You can use the built-in Windows Server Backup to make a full, bare metal recovery backup of the DC.
DCs are typically small. You could probably fit the entirety of a full backup of the DC on a $20.00 USB drive. Don't skimp.
I get it... backup software and storage can be costly... especially over time. I hear no end of IT admins talking about ways to reduce those costs. Don't trade your ability to recover anything and/or everything simply to reduce costs. You need to determine how much protection (in the form of backups) you need to have and how to balance that need with what you have available in your IT budget. Backups are like insurance. How much insurance do you want/need to have and how much are you willing to pay for it?
I don't want to be the person who has to explain to the CEO that we can't recover a critical piece of IT infrastructure because we were trying to save a few dollars.
My approach to backups is that it's better to have them and not need them than to need them and not have them.
From an operational and technical perspective, I'd much rather restore a full BMR backup of a DC than try to restore the System State of the DC to a new machine.
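Both answers point at the same thing: a full bare metal recovery (BMR) backup made with the built-in Windows Server Backup, not a System State backup alone. The script below is an added example written for this thread, not code posted by either answerer or taken from Microsoft's documentation. It builds that kind of backup on a Windows Server 2016 DC with the Windows Server Backup PowerShell module, then checks that the job finished and how old the newest backup set is. It assumes the script runs elevated on the DC, that the Windows-Server-Backup feature can be installed, and that E: is a locally attached volume (a placeholder) whose WindowsImageBackup folder is what later gets shipped off-site.

```powershell
# Added example (not from the thread): full BMR + System State backup of a DC
# with the built-in Windows Server Backup module, followed by a result check.
# Assumptions: run elevated on the DC; E: is a dedicated backup volume (placeholder).

# 1. Make sure the Windows Server Backup feature (and its WindowsServerBackup module) is present.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# 2. Build a backup policy: bare metal recovery plus System State.
#    System State on a DC covers the AD database (ntds.dit), SYSVOL, registry and boot files;
#    BMR adds every critical volume so the machine can be rebuilt from install media.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy

# 3. Backup target: a separate volume. A volume that is part of the BMR set cannot be the target.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# 4. Use a VSS full backup so the directory service's transaction logs are truncated
#    and the DC records the backup in its own history (an AD-aware backup, not a file copy).
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# 5. Run the backup synchronously, then inspect the finished job rather than trusting the progress output.
Start-WBBackup -Policy $policy

$job = Get-WBJob -Previous 1
if ($job.JobState -ne 'Completed' -or $job.HResult -ne 0) {
    throw "DC backup did not complete cleanly: state=$($job.JobState) hresult=$($job.HResult) $($job.ErrorDescription)"
}

# 6. Report the newest backup set and its age. A DC backup is only restorable while it is
#    younger than the forest's tombstone lifetime; the attribute is read from the
#    Directory Service object, falling back to the 60-day default when it is not set.
$latest = Get-WBBackupSet -BackupTarget $target | Sort-Object BackupTime | Select-Object -Last 1
$configNC   = (Get-ADRootDSE).configurationNamingContext
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tsl = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }

'{0}: backup version {1}, age {2:N1} days (tombstone lifetime {3} days)' -f `
    $env:COMPUTERNAME, $latest.VersionId, ((Get-Date) - $latest.BackupTime).TotalDays, $tsl
```

The WindowsImageBackup folder that this writes to E: is the artifact to copy off-site; it is restored by booting the replacement machine from Windows Server install media and choosing System Image Recovery under the repair options, which is the supported full-server path the first answer refers to. Before relying on the set, it is worth doing exactly what the question author did, a restore into an isolated VM, but from the BMR set rather than a System State backup, and then confirming the restored DC is healthy with dcdiag before declaring the off-site copy usable.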