FSMO Roles Flashcards
Which server role is responsible for the following? ____________manages authentication of users and devices on the network, enforces security policies assigned to those users and devices, and allows for management and administration of the network. Many other services and applications are dependent on this role.
Active Directory Domain services (Domain Controller)
Because of the critical and foundational nature of AD, organizations tend to set up redundant
Domain Controllers
____ is a role in Windows Server that leases IP addresses to devices that want to connect to the network.
DHCP (Dynamic Host Configuration Protocol) Server
While many organizations use Windows Server as a ____ server, some organizations prefer to let their firewall, network switch, or all-in-one router handle ____.
DHCP
What role helps translate a human-readable web address that looks like www.microsoft.com into an IP address a machine can resolve, such as 131.107.0.89.
DNS server
___ is important because it is one of the industry standards that allow people to browse the internet, and it plays a role in filtering out malicious websites.
DNS
What role provides services that allow users to store and share files on a given network. Permissions on shares can be configured to allow only certain groups or individuals to access or modify files.
File and Storage services
What role in Windows Server provides a virtualization platform that allows organizations to run many virtual machines on a single physical computer in order to more efficiently utilize resources and isolate workloads.
Hyper-V
What Windows Server role provides centralized management of and access to networked printers, so that everyone on the network with the right permissions can connect to these devices.
Print and document services
Similar to roles, ________ are optional Windows Server components that provide helper functionality.
features
Microsoft defines ________ as “software programs that, although they are not directly parts of roles, can support or augment the functionality of one or more roles, or improve the functionality of the server.”
features
Windows PowerShell, BitLocker, and SNMP are examples of ________ in Windows Server.
features
What are the 5 FISMO roles in Active Directory
- Schema Master 2. Domain Naming Master 3. RID Master 4. Infrastructure Master 5. PDC Emulator
The Schema Master is an ________-level FSMO role
enterprise.
How many Schema Master roles can there be in an Active Directory forest
One
The Schema Master role owner is the only domain controller in an Active Directory forest that contains a
writable schema partition
the domain controller that owns the Schema Master FSMO role must be available to modify its ______ _____
forest’s schema.
raising the functional level of the forest and upgrading the operating system of a domain controller to a higher version than currently exists in the forest will introduce updates to _____ ________ ______
Active Directory schema.
Can the Schema Master role be lost with little to no immediate operational impact? Yes or No? and Why?
Yes. Because the Schema Master role has little overhead and unless schema changes are needed, it can remain offline indefinitely without noticeable effect
The Schema Master role should only be seized when ?
The domain controller that owns the role cannot be brought back online
The Domain Naming Master is an ________-level role
enterprise
There can be more than one Domain Naming Master in the Active Directory forest True or False?
False There can only be one Domain Naming Master in the Active Directory forest
Which FSMO (Operations Master) Role is capable of adding & removing domains and applications partitions to the forest?
Domain Naming Master - the DNM role owner is the only domain controller in a forest that can add new domains or app partitions or remove them.
Can you remove a domain or application partitions from the forest without the Domain Naming Master? Yes or No?
No
The Domain Naming Master role has little overhead and its loss can be expected to result in little to no operational impact, why is that?
Because the addition and removal of domains and partitions are performed infrequently and are rarely time-critical operations.
When should the Domain Naming Master role be seized?
Only when the domain controller that owns the role cannot be brought back online.
What does RID stand for?
Relative Identifier Master
Is the RID Master a domain-level or enterprise-level role
Domain-level
How many RID Masters are there.
One for each domain in an Active Directory forest
What is the RID Master role owner is responsible for?
Assigning blocks of Security Identifiers (SID) to different DCs they can use for newly created objects.
___ _____ consist of a unique, contiguous range of RIDs
RID Pools
When are RIDs used?
during object creation to generate the new object’s unique Security Identifier (“SID”)
Which role master is responsible for moving objects from one domain to another within a forest?
RID Master
As the PDC in a domain typically receives the most attention from administrators, leaving this role, _______ , assigned to the domain PDC helps ensure reliable availability.
RID Master
The loss of a domain’s __________ will eventually lead to result in an inability to create new objects within the domain
RID Master
Bringing a RID Master back online after having seized its role can has no possibility of introducing duplicate RIDs into the domain. True or False
False Bringing a RID Master back online after having seized its role can potentially introduce duplicate RIDs into the domain.
What does the PDC stand for?
Primary domain controller
Is the PDC Emulator a domain-level or forest-level role?
domain
How many PDC Emulators are there in an AD Forest?
One
While role owner is responsible for backwards compatibility?
PDCE
______ mimics the single-master behavior of a Windows NT primary domain controller.
PDCE
To address backward compatibility concerns, the ___________ registers as the target domain controller for legacy applications that perform writable operations and certain administrative tools that are unaware of the multi-master behavior of Active Directory domain controllers.
PDCE
Each ___________ serves as the master time source within it’s domain.
PDCE
The PDCE in forest root domain serves as the preferred ___________ server in the forest
Network Time Protocol (“NTP”)
The PDCE in every other domain within the forest synchronizes its clock to the ______________
forest root PDCE
non-PDCE domain controllers synchronize their clocks to their domain’s _____, and domain-joined hosts synchronize their clocks to their preferred ___________.
PDCE
domain controller
Kerberos authentication will fail if the difference between a requesting host’s clock and the clock of the authenticating domain controller exceeds _________
5 minutes
Processing. When computer and user passwords are changed or reset by a non-PDCE domain controller, the committed update is immediately replicated to the __________
domain’s PDCE
If an account attempts to authenticate against a domain controller that has not yet received a recent password change through scheduled replication, the request is passed through to the
domain PDCE
The ______ will attempt to process the authentication request and instruct the requesting domain controller to either accept or reject the authentication request.
PDCE
All Group Policy Object (“GPO”) updates are committed to the ______________
domain PDCE
Committing Group Group Policy Object (“GPO”) updates to the domain PDCE prevents what?
potential for versioning conflicts that could occur if a GPO was modified on two domain controllers at approximately the same time
Domain-level roles can only be transferred to domain controllers in the same domain True or False
True
Where can enterprise-level roles be transferred to?
any suitable domain controller in the forest.
When a domain controller is demoted you can control where the FSMO roles will be transferred. True or False
False While there are rules that govern how the domain controller being demoted will decide where to transfer its FSMO roles, there is no way to directly control where its FSMO roles will be transferred.
What are the 3 ideal methods of moving a FSMO role
- Management Console 2. PowerShell 3. ntdsutil.exe
In order to keep multiple objects from having the same SID, the _________ grants each DC the privilege of assigning certain SIDs.
RID Master
How many Schema masters can there be?
One per forest
How many Domain Naming Masters can there be.
One per forest
How many Relative ID (RID) Masters can there be?
One per domain
How many Primary Domain Controller (PDC) Emulators can there be
One per domain
How many Infrastructure Masters can there be?
One per domain
What role synchronizes the time across DCs in a domain
PDCE (Primary Domain Controller)
When a user enters a wrong password to login, it’s the DC with which role that is consulted to check if the password has really been changed without partner DC knowledge?
PDC Emulator role
In order to keep multiple objects from having the same SID, the __________ grants each DC the privilege of assigning certain SIDs.
RID Master
The DC with the ________________ role is the authoritative DC in the domain.
Primary Domain Controller Emulator
How many RIDs does a RID master give every DC at a time.
A pool of 500 RIDs
When a new domain account or group is created, the DC assigns the new account a ___ and a ____ that’s taken from its local allocated RID pool.
SID and a RID
_______________. is a blueprint which describes the rules about the type of objects that can be stored in the AD as well as the attributes related to these objects.
Active Directory (AD) Schema
