1. What are the FSMO roles? Who has them by default? What happens when each one fails?

FSMO stands for the Flexible single Master Operation

It has 5 Roles: -
 Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the
Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To
update the schema of a forest, you must have access to the schema master. There can be only one
schema master in the whole forest.
 Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest.
This DC is the only one that can add or remove a domain from the directory. It can also add or remove
cross references to domains in external directories. There can be only one domain naming master in the
whole forest.
 Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference. At any one time, there can be only one domain
controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-
domain object references in that domain will not be updated and a warning to that effect will be logged on
that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain
controllers have the current data, and it is not important which domain controller holds the infrastructure
master role.
 Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular
domain. When a DC creates a security principal object such as a user or group, it attaches a unique
Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a
domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each
DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates.
When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the
domain's RID master. The domain RID master responds to the request by retrieving RIDs from the
domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there
can be only one domain controller acting as the RID master in the domain.
 PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All
Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time
service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority
and does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the time from an external
source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time
partner.
:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
:: Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.
 Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC
Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or
earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and
domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

What if a FSMO server fails?

Schema Master No updates to the Active Directory schema will be possible. Since schema
updates are rare (usually done by certain applications and possibly an
Administrator adding an attribute to an object), then the malfunction of the
server holding the Schema Master role will not pose a critical problem.
Domain Naming Master The Domain Naming Master must be available when adding or removing a
domain from the forest (i.e. running DCPROMO). If it is not, then the domain
cannot be added or removed. It is also needed when promoting or demoting
a server to/from a Domain Controller. Like the Schema Master, this
functionality is only used on occasion and is not critical unless you are
modifying your domain or forest structure.
PDC Emulator The server holding the PDC emulator role will cause the most problems if it is
unavailable. This would be most noticeable in a mixed mode domain where
you are still running NT 4 BDCs and if you are using downlevel clients (NT
and Win9x). Since the PDC emulator acts as a NT 4 PDC, then any actions
that depend on the PDC would be affected (User Manager for Domains,
Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical
because other domain controllers can assume most of the responsibilities of
the PDC emulator.
RID Master The RID Master provides RIDs for security principles (users, groups,
computer accounts). The failure of this FSMO server would have little impact
unless you are adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would
occur only if the DC you adding the users/groups on ran out of RIDs.
Infrastructure Master This FSMO server is only relevant in a multi-domain environment. If you only
have one domain, then the Infrastructure Master is irrelevant. Failure of this
server in a multi-domain environment would be a problem if you are trying to
add objects from one domain to another.

2. What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible
Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on
the same DC) as has been configured by the Active Directory installation process. However, there are scenarios
where an administrator would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO
placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind
that most considerations are also true when planning Windows 2000 AD FSMO roles

3. I want to look at the RID allocation table for a DC. What do I do?
1.install support tools from OS disk(OS Inst: Disk=>support=>tools=>suptools.msi)

2.In Command prompt type, dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC)

4. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT
seize? Why?

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the
FSMO is no longer available.

5. How do you configure a "stand-by operation master" for any of the roles?

Open Active Directory Sites and Services.

Expand the site name in which the standby operations master is located to display the Servers folder.

Expand the Servers folder to see a list of the servers in that site.

Expand the name of the server that you want to be the standby operations master to display its NTDS
Settings.

Right-click NTDS Settings, click New, and then click Connection.

In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.

In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept
the default name, and click OK.

6. How do you backup AD?

Backup systemstate using ntbackup or other third party backup software will backup entire ad.

System state data on a domain controller includes the following components:

Active Directory system state data does not contain Active Directory unless the server, on which you are
backing up the system state data, is a domain controller. Active Directory is present only on domain
controllers.

The SYSVOL shared folder: This shared folder contains Group policy templates and logon scripts. The SYSVOL
shared folder is present only on domain controllers.

The Registry: This database repository contains information about the computer's configuration.

System startup files: Windows Server 2003 requires these files during its initial startup phase. They include
the boot and system files that are under windows file protection and used by windows to load, configure, and
run the operating system.

The COM+ Class Registration database: The Class registration is a database of information about Component
Services applications.

The Certificate Services database: This database contains certificates that a server running Windows server
2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as
a certificate server.