Active Directory Backup
Veeam supports application-aware processing for consistent backups of Active Directory on both virtual machines and physical servers.
Best Practices
For Microsoft Active Directory, check the tombstone lifetime settings, as described in the Veeam Explorers User Guide at the Veeam Help Center.
There is no need to back up every Microsoft Active Directory domain controller (DC), but according to Microsoft best practices you should regularly back up at least two writable DCs for each domain, so that you have multiple backups to choose from. Restoring from a read-only domain controller (RODC) is not supported.
It is also recommended to back up the DCs that hold the most Flexible Single Master Operations (FSMO) roles; otherwise, you will have to transfer the roles manually after the restore with the ntdsutil seize command.
You can run netdom query fsmo to check which FSMO roles the domain controller has.
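The selection rule above (writable DCs only, at least two per domain, most FSMO roles first) can be scripted. The following is an added example, not Veeam's or Microsoft's own code: Select-BackupCandidate is a hypothetical helper name, the sample DC list is constructed, and the input objects are assumed to carry the HostName, IsReadOnly and OperationMasterRoles properties that Get-ADDomainController returns.

```powershell
# Added example: rank domain controllers as backup candidates.
# Select-BackupCandidate is a hypothetical helper, not a Veeam or Microsoft cmdlet.
function Select-BackupCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $DomainController,
        [int] $Minimum = 2   # at least two writable DCs per domain
    )
    # RODCs are excluded: restoring from an RODC is not supported.
    $writable = @($DomainController | Where-Object { -not $_.IsReadOnly })
    if ($writable.Count -lt $Minimum) {
        Write-Warning "Only $($writable.Count) writable DC(s) found; $Minimum are recommended."
    }
    # Prefer the DCs that hold the most FSMO roles; break ties by host name.
    $writable |
        Sort-Object -Property @{ Expression = { @($_.OperationMasterRoles).Count }; Descending = $true }, HostName |
        Select-Object -First $Minimum -Property HostName,
            @{ Name = 'FsmoRoleCount'; Expression = { @($_.OperationMasterRoles).Count } },
            @{ Name = 'FsmoRoles';     Expression = { @($_.OperationMasterRoles) -join ', ' } }
}

# Constructed sample data (example.test is a placeholder domain).
$sample = @(
    [pscustomobject]@{
        HostName             = 'dc01.example.test'
        IsReadOnly           = $false
        OperationMasterRoles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator')
    }
    [pscustomobject]@{
        HostName             = 'dc02.example.test'
        IsReadOnly           = $false
        OperationMasterRoles = @('RIDMaster', 'InfrastructureMaster')
    }
    [pscustomobject]@{
        HostName             = 'dc03.example.test'
        IsReadOnly           = $false
        OperationMasterRoles = @()
    }
    [pscustomobject]@{
        HostName             = 'rodc01.example.test'
        IsReadOnly           = $true
        OperationMasterRoles = @()
    }
)

Select-BackupCandidate -DomainController $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Select-BackupCandidate -DomainController (Get-ADDomainController -Filter *)
```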
Job configuration
The application-aware image processing option must be enabled in the job properties, and the right credentials must be provided. For the backup and restore of Active Directory domain controllers to work properly, you should:
First, enable application-aware image processing for Active Directory; second, make sure that the account used has administrator privileges or, as an alternative, use a gMSA to avoid using admin privileges. Note that the administrative account does not need to be a member of the Domain Admins group, only of the Administrators group within the domain.
References
Help Center - Tombstone Lifetime Settings