How to backup AD and what licences do I need?

Created: 07 Dec 2013 • Updated: 07 Jan 2014

AD (Active Directory) is part of the system state of a DC (domain controller).  When you back up the system state of a DC, AD is backed up with it.  The BESA (Backup Exec service account) needs to be a domain admin in order to back up the system state of a DC, because AD is included in it.


Method 1 - Backup and Restore the entire AD

All you need to back up the system state of a DC, which includes AD, is a RAWS licence.  No additional licence is required.  You need to install the remote agent on the DC to do the backup.

With this method, you cannot selectively choose an AD object to restore.  You either restore the entire AD or nothing at all.  Suppose the id of a VIP is accidentally deleted and needs to be restored.  If the last good backup of a DC was done last night and that backup contains the VIP's id, then you can do an authoritative restore of AD to roll AD back to the state it was in at the time of the DC backup.  All changes made to AD since the backup are lost; for example, if someone changed his password after the DC backup, that change is lost and he will have to use his previous password.  The loss caused by reverting AD to the time of the DC backup may be minimal if AD is not very active or the DC backup is recent.  However, if the DC backup was done some time ago, the information loss caused by reverting AD to the time of the backup may not be acceptable.  Thus, if you use this method, make sure that your DC backups are frequent enough that the information loss caused by reverting AD to the time of the backup is minimised.

To learn more about authoritative AD restore, read the Preparing for Disaster Recovery chapter of the Admin Guide.
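Method 1 stands or falls on how old the last DC backup is.  The following PowerShell script is an added example and is not from this article or from Symantec: for every DC in the domain it reads the last backup timestamp that AD records for each naming context (via repadmin /showbackup), reports the age of the oldest one, and flags it if it exceeds a freshness threshold you choose.  It also compares the age against the forest's tombstone lifetime, because a system state backup older than the tombstone lifetime cannot be used to restore AD at all.  It assumes the ActiveDirectory PowerShell module (RSAT) and repadmin.exe are installed, and that repadmin prints timestamps as yyyy-MM-dd HH:mm:ss; the parameter name MaxBackupAgeHours is the script's own.

```powershell
# Added example: report the age of the last AD-aware system state backup on each DC.
# Not part of the original article; assumes the ActiveDirectory module (RSAT) and repadmin.exe.
param(
    [int]$MaxBackupAgeHours = 24   # policy threshold: how much AD change loss you are willing to accept
)
Import-Module ActiveDirectory

# Tombstone lifetime in days. A system state backup older than this cannot be used to restore AD.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tombstoneDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }  # 60 days applies when the attribute is unset

$now = Get-Date
foreach ($dc in Get-ADDomainController -Filter *) {
    # repadmin /showbackup lists the backup timestamp (dSASignature) of each naming context the DC holds.
    $output = & repadmin.exe /showbackup $dc.HostName 2>&1
    # Assumption: repadmin prints timestamps as yyyy-MM-dd HH:mm:ss.
    $stamps = [regex]::Matches(($output -join "`n"), '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}') |
        ForEach-Object { [datetime]::ParseExact($_.Value, 'yyyy-MM-dd HH:mm:ss', $null) }

    if (-not $stamps) {
        [pscustomobject]@{ DC = $dc.HostName; LastBackup = $null; AgeHours = $null; Status = 'NEVER BACKED UP' }
        continue
    }

    # The oldest naming-context timestamp is the binding one: AD is only as restorable as its least recent part.
    $oldest   = ($stamps | Measure-Object -Minimum).Minimum
    $ageHours = [math]::Round(($now - $oldest).TotalHours, 1)
    $status   = if ($ageHours -gt ($tombstoneDays * 24)) { 'UNUSABLE: older than tombstone lifetime' }
                elseif ($ageHours -gt $MaxBackupAgeHours) { 'STALE: exceeds policy threshold' }
                else { 'OK' }
    [pscustomobject]@{ DC = $dc.HostName; LastBackup = $oldest; AgeHours = $ageHours; Status = $status }
}
```

Run it from a machine with RSAT as a domain admin (the same rights the BESA needs), e.g. with -MaxBackupAgeHours 12 if nightly backups are too coarse for your rate of AD change.  Any DC reported as STALE is one where an authoritative restore from the last backup would discard more changes than your policy allows.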


Method 2 - Backup and Restore a single AD object for one DC

Suppose your AD is very active and information loss like that described in Method 1 is not acceptable.  You would then need the capability to restore each individual AD object.  To have this capability, you would need to purchase an ADRA (Active Directory Recovery Agent) licence for BE 2010 and below, or an Agent for Applications and Databases licence for BE 2012.

With the proper licence installed, you would be able to do GRT restores of AD.  When you expand the system state backup of the DC, you would see the individual AD objects, such as a user-id, and you can select an object to restore to the DC.  Note that in this scenario, I am assuming that you have purchased only one ADRA or Agent for Applications and Databases licence.  You would have to designate one particular DC to have the capability of GRT restore for AD.  For the other DCs, you would have to manually turn off GRT for AD.  Otherwise, you would be in violation of the licensing terms.  For example, for BE 2010, you would edit the backup jobs for the other DCs and use this dialog to turn off GRT for AD.

[Screenshot: the BE 2010 backup job dialog used to turn off GRT for AD]

This method takes advantage of AD's ability to replicate changes from one DC to another.  If there are a lot of DCs in the domain and/or the network is geographically dispersed or busy, this replication may take some time.  For example, a VIP's user-id is accidentally deleted at a remote site which is in the same domain as the main office.  When the deleted user-id is restored onto a DC in the main office, it will take time for it to be replicated to the DC at the remote site.  This delay may not be acceptable, because until the user-id is replicated to the remote site, the user cannot log on to the domain.  It is not possible to speed things up by restoring the user-id to the DC at the remote site, because the user-id is part of the AD backup from the DC in the main office and it can only be restored to that particular DC.

Note that with this method, the AD on the other DCs is still backed up using Method 1.  This is for redundancy, in case the DC with AD GRT fails and its AD backups turn out to be unusable.
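The replication delay described for Method 2 is something you can measure rather than guess at.  The following PowerShell script is an added example, not from this article or from Symantec: after a single AD account has been restored with GRT onto the designated DC, it queries every DC in the domain directly and reports on which ones the account is already visible, so you know whether users at a remote site can log on yet.  The optional -ForceSync switch pushes the change to all replication partners with repadmin /syncall instead of waiting for the replication schedule, which the article leaves to AD's normal replication.  It assumes the ActiveDirectory PowerShell module (RSAT) and repadmin.exe; the parameter names SamAccountName, RestoredOnDC and ForceSync are the script's own.

```powershell
# Added example: after a GRT restore of one AD account on a single DC, show on which DCs
# the object has replicated so far. Not part of the original article; assumes the
# ActiveDirectory module (RSAT) and, for -ForceSync, repadmin.exe.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,       # the restored account, e.g. the VIP's user-id
    [string]$RestoredOnDC = (Get-ADDomain).PDCEmulator,    # the DC the object was restored to (assumption: defaults to the PDC emulator)
    [switch]$ForceSync                                     # push the change to all partners instead of waiting
)
Import-Module ActiveDirectory

if ($ForceSync) {
    # /A = all naming contexts, /d = identify servers by DN, /e = cross site boundaries, /P = push from this DC
    & repadmin.exe /syncall $RestoredOnDC /AdeP | Out-Null
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query each DC directly (-Server) so we see that DC's own copy of AD, not whichever DC we happen to be bound to.
        $user = Get-ADUser -Server $dc.HostName -Filter "sAMAccountName -eq '$SamAccountName'" -ErrorAction Stop
        $present = [bool]$user
    } catch {
        $present = $false   # an unreachable DC is treated as "not yet replicated"
    }
    [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Present = $present }
}

$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("Restored account not yet visible on {0} DC(s): {1}" -f $missing.Count, ($missing.DC -join ', '))
    Write-Warning 'Users at those sites cannot log on with this account until replication completes.'
}
```

Run it right after the GRT restore, and again a few minutes later; a DC that stays in the missing list across runs points at a replication problem rather than ordinary latency, which is worth checking with repadmin /replsummary before concluding that Method 3 is needed.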


Method 3 - Backup and Restore a single AD object for every DC

To avoid the AD replication delay described above, each DC would need to have GRT restores of its own AD.  In this case, you would need to purchase an ADRA (Active Directory Recovery Agent) licence (for BE 2010 and below), or an Agent for Applications and Databases licence (for BE 2012), for each DC.  With these licences, if a VIP user-id is deleted at the remote site, it can be restored to the DC at the remote site and is accessible immediately.


Summary

Method 1 - This is the cheapest option because only a RAWS licence is required.  The disadvantage is that the entire AD needs to be restored in order to recover any single AD object.

Method 2 - Only one ADRA (Active Directory Recovery Agent) licence (for BE 2010 and below), or one Agent for Applications and Databases licence (for BE 2012), is required per domain.  There will be a delay before the restored AD object is propagated to all the DCs in the domain.

Method 3 - One ADRA (Active Directory Recovery Agent) licence (for BE 2010 and below), or one Agent for Applications and Databases licence (for BE 2012), is required for each DC in the domain.  The advantage is that an AD object can be restored directly to whichever DC needs it.  Most installations will not require this extra AD recovery speed, and Method 2 would suffice.
