Host-based backup of VMware vSphere VMs.
collinp
Expert
Posts: 239
Liked: 13 times
Joined: Feb 14, 2012 8:56 pm
Full Name: Collin P

Domain Controller Backups

Post by collinp »

Is it possible to use a non-domain admin account for 'application-aware image processing' to back up a domain controller?
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Domain Controller Backups

Post by foggy » 1 person likes this post

Hi Collin, no, to perform AAIP on a domain controller, an account that is a member of the DOMAIN\Administrators group is required. Thanks!
kerard
Novice
Posts: 3
Liked: 1 time
Joined: Jul 26, 2018 5:40 pm
Full Name: Kenneth Erard

Re: Domain Controller Backups

Post by kerard »

collinp wrote: Is it possible to use a non-domain admin account for 'application-aware image processing' to back up a domain controller?
I'm seeking updated guidance on this, too.

Today, I'm using a dedicated account that is a member of BUILTIN\Administrators in each domain. That account is named as the guest processing account in my jobs protecting domain controllers. Was wondering if we could use BUILTIN\Backup Operators or something privileged like that instead of Administrators.
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Domain Controller Backups

Post by veremin »

As mentioned above,
foggy wrote: no, to perform AAIP on a domain controller, an account that is a member of the DOMAIN\Administrators group is required
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Domain Controller Backups

Post by Andreas Neufert »

The only way would be to do crash consistent backups. At AD object restore you will be asked for the AD database place (if not standard) and for an account that you want to use for restore.
It is important to check that your systems run Windows 2016 or higher and the AD is 2016 mode or higher so that you will not have any replication issues when you restore a crash consistent AD server.
I suggest that when you restore a crash consistent AD server, you always manually start it in Non-Authoritative Restore mode.

The other option would be to use an AD admin account but strip down the rights with group policies so that the account cannot modify/start anything security related.

The Admin rights are needed for our VSS processing as we on demand use a VSS requestor that needs local admin rights for implementing it.