There are several ways to work with backup data sets on DCs in Windows Server 2008 R2. Backups are performed with Windows Server Backup or with its corresponding command-line tool, Wbadmin.exe. Both are Windows Server 2008 R2 features that are not installed by default and must be added to the server before they are available. Backups are not discrete: they capture critical volumes in their entirety. On a DC, these volumes include the following:
The system volume
The boot volume
The volume hosting the SYSVOL share
The volume that hosts the AD DS database
The volume that hosts the AD DS logs
If you want to protect only the system state data, you must use the Ntdsutil.exe command-line tool. To do so, use the new IFM subcommand in Ntdsutil.exe, which captures this information for Install From Media installations. If the installation is for a read-only DC, the tool automatically strips AD DS secrets from the data to create secure installation media.
Backup operators cannot create scheduled backups; only members of the local Administrators group have this privilege in Windows Server 2008 R2. In most cases, this means being a member of the Domain Admins group on DCs.
If a server is down, you must use a local copy of the Windows Recovery Environment (WinRE) to restore the system. WinRE can either be installed locally or found on the Windows Server 2008 R2 installation media.
I would recommend that you perform backups every night, while employees are not working, so that the backup does not slow the system during working hours.
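The steps described above, put together as an added example (not from the original text): it adds the backup feature, backs up all critical volumes, schedules a nightly run and creates IFM media. The target volume E:, the folder C:\IFM and the 23:00 start time are assumptions to adjust for your environment.

```powershell
# Added example; run in an elevated PowerShell session on the DC.
$ErrorActionPreference = 'Stop'
$BackupTarget = 'E:'       # assumed dedicated backup volume
$IfmRoot      = 'C:\IFM'   # assumed staging folder for IFM media

# Only members of the local Administrators group may schedule backups.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this as a member of the local Administrators group, elevated.'
}

# Windows Server Backup and Wbadmin.exe are not installed by default.
Import-Module ServerManager
Add-WindowsFeature Backup-Features -IncludeAllSubFeature | Out-Null

# One-off backup: -allCritical captures every critical volume in its entirety
# (system, boot, SYSVOL, AD DS database and AD DS logs on a DC).
wbadmin start backup -allCritical "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin start backup failed ($LASTEXITCODE)" }

# Nightly scheduled backup outside working hours (time is an assumption).
wbadmin enable backup "-addtarget:$BackupTarget" '-schedule:23:00' -allCritical -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin enable backup failed ($LASTEXITCODE)" }

# IFM media via Ntdsutil.exe: 'full' for a writable DC, 'rodc' for a
# read-only DC (AD DS secrets are stripped from the rodc set).
foreach ($kind in 'full', 'rodc') {
    $dest = Join-Path $IfmRoot $kind
    if (Test-Path $dest) { throw "$dest already exists; use a new folder per run." }

    ntdsutil 'activate instance ntds' ifm "create sysvol $kind $dest" quit quit

    # Confirm the database copy was actually written before trusting the media.
    $dit = Join-Path $dest 'Active Directory\ntds.dit'
    if (-not (Test-Path $dit)) { throw "IFM ($kind) did not produce $dit" }
}

# The 'full' set still contains AD DS secrets: restrict access to it
# the same way you would for a DC backup.
Write-Output "Backups configured; IFM media written under $IfmRoot"
```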