For full AD coverage, you need to backup at least one domain controller with a file system backup, with system state enabled. This will allow you to do an authoritative AD restore (i.e overwrite the entire AD database and schema with the one from the backup). Or restore an individual DC. You can restore individual objects from this backup but it requires lot of manual steps and effort.
If you want to restore granular objects, like a deleted user or deleted group, then make sure you have a backup with the active directory agent. Note that the active directory agent is only for granular recoveries, you cannot restore an entire domain with it.
So use both agents for the best coverage and ease of restore.
If you are doing VSA backups of a domain controller you can enable appaware to backup AD using this method too: https://documentation.commvault.com/2023e/expert/14246_requirements_for_application_aware_backups.html