1. They provide an emergency route into the server in case of failure of the directory service.
2. The user module.
3. Run an ad hoc Ansible command and use the password_hash filter to generate the hash, as in this example:

$ ansible localhost -i localhost, -m debug -a "msg={{ 'secure123' | password_hash('sha512') }}"

4. The realmd package.
5. Create a template to match the file on the group of servers, and then write a role/playbook with a task to deploy the template. Run the playbook in check mode and if changed status results occur, then the templated file differs from the configuration on the servers.
6. If you get a directive wrong in sudoers, the worst-case scenario is you will lock yourself out of becoming root on your server (hence preventing you from fixing the problem). Validating the file helps to prevent this.
7. A directory service can audit logins, manage password complexity, lock accounts centrally either on demand or as a result of too many failed login attempts.
8. This depends on your business requirements and existing architecture. A business with a Microsoft infrastructure will almost certainly already have Microsoft Active Directory, whilst a business running purely on Linux will not need to introduce Windows Server and so should consider FreeIPA.