FSMO Roles

Question 1

Which server role is responsible for the following? ____________manages authentication of users and devices on the network, enforces security policies assigned to those users and devices, and allows for management and administration of the network. Many other services and applications are dependent on this role.

Answer 1

Active Directory Domain services (Domain Controller)

Question 2

Because of the critical and foundational nature of AD, organizations tend to set up redundant

Answer 2

Domain Controllers

Question 3

____ is a role in Windows Server that leases IP addresses to devices that want to connect to the network.

Answer 3

DHCP (Dynamic Host Configuration Protocol) Server

Question 4

While many organizations use Windows Server as a ____ server, some organizations prefer to let their firewall, network switch, or all-in-one router handle ____.

Answer 4

DHCP

Question 5

What role helps translate a human-readable web address that looks like www.microsoft.com into an IP address a machine can resolve, such as 131.107.0.89.

Answer 5

DNS server

Question 6

___ is important because it is one of the industry standards that allow people to browse the internet, and it plays a role in filtering out malicious websites.

Answer 6

DNS

Question 7

What role provides services that allow users to store and share files on a given network. Permissions on shares can be configured to allow only certain groups or individuals to access or modify files.

Answer 7

File and Storage services

Question 8

What role in Windows Server provides a virtualization platform that allows organizations to run many virtual machines on a single physical computer in order to more efficiently utilize resources and isolate workloads.

Answer 8

Hyper-V

Question 9

What Windows Server role provides centralized management of and access to networked printers, so that everyone on the network with the right permissions can connect to these devices.

Answer 9

Print and document services

Question 10

Similar to roles, ________ are optional Windows Server components that provide helper functionality.

Answer 10

features

Question 11

Microsoft defines ________ as “software programs that, although they are not directly parts of roles, can support or augment the functionality of one or more roles, or improve the functionality of the server.”

Answer 11

features

Question 12

Windows PowerShell, BitLocker, and SNMP are examples of ________ in Windows Server.

Answer 12

features

Question 13

What are the 5 FISMO roles in Active Directory

Answer 13

1. Schema Master 2. Domain Naming Master 3. RID Master 4. Infrastructure Master 5. PDC Emulator

Question 14

The Schema Master is an ________-level FSMO role

Answer 14

enterprise.

Question 15

How many Schema Master roles can there be in an Active Directory forest

Answer 15

One

Question 16

The Schema Master role owner is the only domain controller in an Active Directory forest that contains a

Answer 16

writable schema partition

Question 17

the domain controller that owns the Schema Master FSMO role must be available to modify its ______ _____

Answer 17

forest’s schema.

Question 18

raising the functional level of the forest and upgrading the operating system of a domain controller to a higher version than currently exists in the forest will introduce updates to _____ ________ ______

Answer 18

Active Directory schema.

Question 19

Can the Schema Master role be lost with little to no immediate operational impact? Yes or No? and Why?

Answer 19

Yes. Because the Schema Master role has little overhead and unless schema changes are needed, it can remain offline indefinitely without noticeable effect

Question 20

The Schema Master role should only be seized when ?

Answer 20

The domain controller that owns the role cannot be brought back online

Question 21

The Domain Naming Master is an ________-level role

Answer 21

enterprise

Question 22

There can be more than one Domain Naming Master in the Active Directory forest True or False?

Answer 22

False There can only be one Domain Naming Master in the Active Directory forest

Question 23

Which FSMO (Operations Master) Role is capable of adding & removing domains and applications partitions to the forest?

Answer 23

Domain Naming Master - the DNM role owner is the only domain controller in a forest that can add new domains or app partitions or remove them.

Question 24

Can you remove a domain or application partitions from the forest without the Domain Naming Master? Yes or No?

Answer 24

No

Question 25

The Domain Naming Master role has little overhead and its loss can be expected to result in little to no operational impact, why is that?

Answer 25

Because the addition and removal of domains and partitions are performed infrequently and are rarely time-critical operations.

Question 26

When should the Domain Naming Master role be seized?

Answer 26

Only when the domain controller that owns the role cannot be brought back online.

Question 27

What does RID stand for?

Answer 27

Relative Identifier Master

Question 28

Is the RID Master a domain-level or enterprise-level role

Answer 28

Domain-level

Question 29

How many RID Masters are there.

Answer 29

One for each domain in an Active Directory forest

Question 30

What is the RID Master role owner is responsible for?

Answer 30

Assigning blocks of Security Identifiers (SID) to different DCs they can use for newly created objects.

Question 31

___ _____ consist of a unique, contiguous range of RIDs

Answer 31

RID Pools

Question 32

When are RIDs used?

Answer 32

during object creation to generate the new object’s unique Security Identifier (“SID”)

Question 33

Which role master is responsible for moving objects from one domain to another within a forest?

Answer 33

RID Master

Question 34

As the PDC in a domain typically receives the most attention from administrators, leaving this role, _______ , assigned to the domain PDC helps ensure reliable availability.

Answer 34

RID Master

Question 35

The loss of a domain’s __________ will eventually lead to result in an inability to create new objects within the domain

Answer 35

RID Master

Question 36

Bringing a RID Master back online after having seized its role can has no possibility of introducing duplicate RIDs into the domain. True or False

Answer 36

False Bringing a RID Master back online after having seized its role can potentially introduce duplicate RIDs into the domain.

Question 37

What does the PDC stand for?

Answer 37

Primary domain controller

Question 38

Is the PDC Emulator a domain-level or forest-level role?

Answer 38

domain

Question 39

How many PDC Emulators are there in an AD Forest?

Answer 39

One

Question 40

While role owner is responsible for backwards compatibility?

Answer 40

PDCE

Question 41

______ mimics the single-master behavior of a Windows NT primary domain controller.

Answer 41

PDCE

Question 42

To address backward compatibility concerns, the ___________ registers as the target domain controller for legacy applications that perform writable operations and certain administrative tools that are unaware of the multi-master behavior of Active Directory domain controllers.

Answer 42

PDCE

Question 43

Each ___________ serves as the master time source within it’s domain.

Answer 43

PDCE

Question 44

The PDCE in forest root domain serves as the preferred ___________ server in the forest

Answer 44

Network Time Protocol (“NTP”)

Question 45

The PDCE in every other domain within the forest synchronizes its clock to the ______________

Answer 45

forest root PDCE

Question 46

non-PDCE domain controllers synchronize their clocks to their domain’s _____, and domain-joined hosts synchronize their clocks to their preferred ___________.

Answer 46

PDCE

domain controller

Question 47

Kerberos authentication will fail if the difference between a requesting host’s clock and the clock of the authenticating domain controller exceeds _________

Answer 47

5 minutes

Question 48

Processing. When computer and user passwords are changed or reset by a non-PDCE domain controller, the committed update is immediately replicated to the __________

Answer 48

domain’s PDCE

Question 49

If an account attempts to authenticate against a domain controller that has not yet received a recent password change through scheduled replication, the request is passed through to the

Answer 49

domain PDCE

Question 50

The ______ will attempt to process the authentication request and instruct the requesting domain controller to either accept or reject the authentication request.

Answer 50

PDCE

Question 51

All Group Policy Object (“GPO”) updates are committed to the ______________

Answer 51

domain PDCE

Question 52

Committing Group Group Policy Object (“GPO”) updates to the domain PDCE prevents what?

Answer 52

potential for versioning conflicts that could occur if a GPO was modified on two domain controllers at approximately the same time

Question 53

Domain-level roles can only be transferred to domain controllers in the same domain True or False

Answer 53

True

Question 54

Where can enterprise-level roles be transferred to?

Answer 54

any suitable domain controller in the forest.

Question 55

When a domain controller is demoted you can control where the FSMO roles will be transferred. True or False

Answer 55

False While there are rules that govern how the domain controller being demoted will decide where to transfer its FSMO roles, there is no way to directly control where its FSMO roles will be transferred.

Question 56

What are the 3 ideal methods of moving a FSMO role

Answer 56

1. Management Console 2. PowerShell 3. ntdsutil.exe

Question 57

In order to keep multiple objects from having the same SID, the _________ grants each DC the privilege of assigning certain SIDs.

Answer 57

RID Master

Question 58

How many Schema masters can there be?

Answer 58

One per forest

Question 59

How many Domain Naming Masters can there be.

Answer 59

One per forest

Question 60

How many Relative ID (RID) Masters can there be?

Answer 60

One per domain

Question 61

How many Primary Domain Controller (PDC) Emulators can there be

Answer 61

One per domain

Question 62

How many Infrastructure Masters can there be?

Answer 62

One per domain

Question 63

What role synchronizes the time across DCs in a domain

Answer 63

PDCE (Primary Domain Controller)

Question 64

When a user enters a wrong password to login, it’s the DC with which role that is consulted to check if the password has really been changed without partner DC knowledge?

Answer 64

PDC Emulator role

Question 66

In order to keep multiple objects from having the same SID, the __________ grants each DC the privilege of assigning certain SIDs.

Answer 66

RID Master

Question 67

The DC with the ________________ role is the authoritative DC in the domain.

Answer 67

Primary Domain Controller Emulator

Question 68

How many RIDs does a RID master give every DC at a time.

Answer 68

A pool of 500 RIDs

Question 69

When a new domain account or group is created, the DC assigns the new account a ___ and a ____ that’s taken from its local allocated RID pool.

Answer 69

SID and a RID

Question 70

_______________. is a blueprint which describes the rules about the type of objects that can be stored in the AD as well as the attributes related to these objects.

Answer 70

Active Directory (AD) Schema