Question 141:
To reduce the attack vectors for a virtual machine, which two settings should an administrator set to false? (Choose two.)
A. keyboard.present
B. vmnicX:Y.present
C. ideX:Y.present
D. serial.present
Correct Answer: CD
Removing Unnecessary Hardware Devices
Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives, and an attacker can use this capability to breach virtual machine security. Removing unnecessary hardware devices helps prevent such attacks. Use the following guidelines to increase virtual machine security.
1. Ensure that unauthorized devices are not connected, and remove any unneeded or unused hardware devices.
2. Disable unnecessary virtual devices from within the virtual machine. An attacker with access to a virtual machine can connect a disconnected CD-ROM drive and read sensitive information on media left in the drive, or disconnect a network adapter to isolate the virtual machine from its network, causing a denial of service.
3. Ensure that no device is connected to a virtual machine unless it is required. Serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.
4. For less commonly used devices that are not required, the corresponding .vmx parameter should either be absent or set to false. Ensure that the following parameters are either not present or set to false unless the device is required.
Of the four options in the question, ideX:Y.present (the CD/DVD device on an IDE controller) and serial.present are the two that fall under this guidance; the keyboard and the network adapter are normally required for the virtual machine to be usable.
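The check below is an added example, not code from the original page or from VMware: it parses a .vmx file and flags rarely needed devices whose `.present` key is set to anything other than false. The list of key patterns (floppy, serial, parallel, USB, IDE CD/DVD) is an assumption taken from the hardening guidance the explanation paraphrases, and the .vmx content is constructed for the demonstration. Note that `startConnected = "FALSE"` is not enough: the device still exists and can be connected later, which is exactly the attack channel the guidance describes.

```python
"""Flag rarely needed virtual devices in a .vmx file (added example)."""
import re

# Assumption (not on the original page): key patterns for the devices the
# hardening guidance says should be absent or set to false unless required.
UNNEEDED_DEVICE_PATTERNS = [
    r"^floppy\d+\.present$",
    r"^serial\d+\.present$",
    r"^parallel\d+\.present$",
    r"^usb\.present$",
    r"^ide\d+:\d+\.present$",   # CD/DVD on an IDE controller, e.g. ide1:0.present
]

# Constructed sample .vmx content for the demo; not a real virtual machine.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "db01"
ethernet0.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "FALSE"
serial0.present = "TRUE"
serial0.fileType = "thinprint"
floppy0.present = "FALSE"
usb.present = "TRUE"
keyboard.present = "TRUE"
"""


def parse_vmx(text):
    """Return {key: value} from .vmx text with surrounding quotes stripped.
    VMX keys are case-insensitive, so they are normalised to lower case."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def unneeded_devices(cfg):
    """Sorted keys of rarely needed devices that are present (value != false).
    A device that is merely disconnected (startConnected = FALSE) is still flagged."""
    flagged = []
    for key, value in cfg.items():
        if any(re.match(p, key) for p in UNNEEDED_DEVICE_PATTERNS):
            if value.lower() != "false":
                flagged.append(key)
    return sorted(flagged)


def hardened_copy(cfg):
    """Return a copy of cfg with every flagged device key set to "FALSE"."""
    fixed = dict(cfg)
    for key in unneeded_devices(cfg):
        fixed[key] = "FALSE"
    return fixed


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for key in unneeded_devices(cfg):
        print(f"flag: {key} = {cfg[key]}")
    # prints ide1:0.present, serial0.present and usb.present; floppy0 is already FALSE
```

Run it against a copy of the .vmx file taken from the datastore; on a live host the same keys can be inspected and changed through the virtual machine's advanced configuration parameters, and a key that is simply absent is as good as one set to false.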
Question 142:
An administrator wants to configure an ESXi 6.x host to use Active Directory (AD) to manage users and groups. The AD domain group ESX Admins was previously created.
Which two conditions should be considered when planning this configuration? (Choose two.)
A. If administrative access for ESX Admins is not desired, an alternate AD group must be used.
B. The users in ESX Admins are granted administrative privileges in vCenter Server.
C. The users in ESX Admins are not restricted by Lockdown Mode.
D. An ESXi host provisioned with Auto Deploy cannot store AD credentials.
Correct Answer: AD
By default, an ESX/ESXi 4.1 or ESXi 5.x/6.x host joined to an AD domain queries the domain for a group named ESX Admins. If the group exists, it is granted the Administrator role on the host, so every user account in that group gets full administrative privileges on the host and can log in to the host through SSH. On ESXi 5.1 and later the group name can be changed with the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, which is why using an alternate AD group is the remedy when administrative access for ESX Admins is not wanted (A). A host provisioned with Auto Deploy is stateless and cannot store AD credentials, so vSphere Authentication Proxy is used to join such hosts to the domain (D). Reference https://kb.vmware.com/s/article/1025569
Question 143:
An administrator has noticed that virtual machine VM2 in the vApp shown in the Exhibit is demonstrating poor performance.
Which three changes, if performed separately, would improve the performance of VM2? (Choose three.)
A. Remove the CPU limit on the vApp.
B. Remove the CPU limit on the resource pool
C. Increase the CPU reservation on virtual machine VM1.
D. Power off virtual machine VM1.
E. Increase the CPU reservation on virtual machine VM2.
Correct Answer: ADE
A CPU limit on the vApp caps the CPU available to every virtual machine it contains, so removing it is the first change that helps VM2 (A). Powering off VM1 removes a sibling that contends for the same CPU resources (D). Increasing the CPU reservation on VM2 guarantees it CPU time (E); increasing the reservation on VM1 would do the opposite and take resources away from VM2.
Question 144:
An administrator is building a large virtual machine that will require as many vCPUs as the host can support. An ESXi 6.x host has these specifications:
1. Four 24-core Intel Xeon Processors
2. 256 GB of Memory
3. 512 GB Local disk space using VMFS5
What is the maximum number of virtual CPUs that the virtual machine can be allocated?
Question 145:
An administrator is configuring an identity source for Single Sign-On. The administrator will use the machine that Single Sign-On is running on, but does not want all users on the machine to be visible to SSO.
Which identity source meets this requirement?
A. LocalOS
B. Active Directory as an LDAP service
C. OpenLDAP
D. Active Directory (Integrated Windows Authentication)
Correct Answer: D
The LocalOS identity source exposes every local account on the machine where vCenter Single Sign-On runs, which is exactly what the administrator wants to avoid. Active Directory (Integrated Windows Authentication) instead authenticates through the machine account (or a configured SPN) of the domain-joined SSO host, so only the domain users and groups that account can read are visible. If that account is locked or disabled, authentication and user and group searches in the Active Directory domain fail. The account must have read-only access to the User and Group OUs and must be able to read user and group attributes; this is the default Active Directory domain configuration for user permissions.
Question 146:
An administrator has a virtual machine (VM) that uses a shared USB device.
Which option will allow the VM to utilize vMotion while retaining the maximum possible functionality?
A. Disable the USB device from the VM.
B. Remove the device from the VM
C. Configure the VM to support vMotion while the device is connected
D. Enable migration support for the individual USB device's
Correct Answer: C
A virtual machine with a USB device attached can be migrated with vMotion only if the device was added with the option to support vMotion while the device is connected (C). Disabling (A) or removing (B) the device would also allow the migration, but the virtual machine would lose the device, so C retains the maximum possible functionality.
Question 147:
An administrator needs to configure a storage solution for a vSphere 6.x implementation with these characteristics:
1.
Snapshot support
2.
vMotion Capability
3.
Clustering across multiple ESXi hosts
4.
Database application with high transaction count
5.
vFlash Read Cache
Which solution meets all of the stated requirements?
A. A vmdk located on a Shared VMFS datastore
B. A Virtual Mode Raw Device Mapped LUN
C. A Physical Mode Raw Device Mapped LUN
D. A virtual SAN-based vmdk
Correct Answer: B
The requirements include snapshot support and vFlash Read Cache together with clustering across hosts and high transaction rates, and of the options only a virtual compatibility mode RDM covers them. RDM, which permits the use of existing SAN commands, is generally used to improve performance in I/O-intensive applications. RDM can be configured in either virtual compatibility mode or physical compatibility mode. Virtual mode provides benefits found in VMFS, such as advanced file locking and snapshots; physical mode provides access to most hardware functions of the mapped storage system but does not support virtual machine snapshots.
Question 148:
Which two statements are true regarding upgrading from a Distributed vCenter Server 5.x to vCenter Server 6.x? (Choose two.)
A. vCenter Single Sign-On becomes part of the Platform Services Controller
B. The vCenter Server service is not migrated during the upgrade process.
C. The vSphere License Service is migrated to the new vCenter Server 6.x instance.
D. vCenter inventory Service becomes part of the Platform Services Controller
Correct Answer: AB
vCenter Server and vCenter Single Sign-On are the only services that are not migrated. vCenter Single Sign-On instances are upgraded in place to become part of an external Platform Services Controller when they are deployed on a system other than the one where vCenter Server resides. Reference: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.upgrade.doc%2FGUID4BFB12D8-9FCA-4AB1-A44F-2986966F0AD5.html
Question 149:
Refer to the Exhibit.
An administrator has configured a firewall rule as shown in the Exhibit. Which statement best describes the ESXi 6.x firewall rule?
A. Connections from the ESXi host to all devices on the 192.168.1.0 network and 192.168.2.220 on port 22 are allowed.
B. Connections coming from IP addresses from the 192.168.1.0 network and 192.168.2.220 on port 22 are allowed.
C. TCP Connections coming from IP addresses from the 192.168.1.0 network and 192.168.2.220 on port 22 are not allowed.
D. TCP Connections from the ESXi host to all devices on the 192.168.1.0 network and 192.168.2.220 on port 22 are not allowed.
Correct Answer: B
Port 22 (SSH) on an ESXi host: for each firewall service you can select "Allow connections from any IP address," or select "Only allow connections from the following networks" and enter an IP address or subnet. Multiple IP addresses and subnets are separated with commas. The list restricts the source addresses that may open connections to the service on the host, so the exhibit means inbound connections from 192.168.1.0 and 192.168.2.220 to port 22 are allowed (B); it says nothing about connections the host itself initiates. By default, a set of predefined firewall rules can be enabled or disabled for the ESXi host from the vSphere Client, for the ports (UDP/TCP) defined in each rule. To enable a service on a protocol that is not defined, you must create a new firewall rule from the command line. For example, the DNS Client service can be enabled or disabled only on UDP port 53.
To enable DNS for TCP:
Open an SSH connection to the host. For more information, see Using ESXi Shell in ESXi 5.0 and 6.0
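The following is an added example, not code from the original page or from VMware, that models how the allowed-IP list of an ESXi service rule is evaluated, to make the inbound-only point concrete. The rule dictionary is constructed to mirror the exhibit as the question describes it; the /24 prefix for "the 192.168.1.0 network" and the field names are assumptions.

```python
"""Evaluate an ESXi-style allowed-IP list for an inbound service connection (added example)."""
import ipaddress

# Constructed to mirror the exhibit: SSH server, TCP 22, sources restricted.
# The prefix length /24 for "192.168.1.0 network" is an assumption.
SSH_RULE = {
    "service": "sshServer",
    "protocol": "tcp",
    "port": 22,
    "direction": "inbound",
    "allow_all": False,                               # "any IP address" not selected
    "allowed_ip": "192.168.1.0/24, 192.168.2.220",    # comma-separated, as typed in the client
}


def parse_allowed_ip(field):
    """Split the comma-separated field into network objects.
    A bare address such as 192.168.2.220 becomes a /32 so it matches like a subnet."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def connection_allowed(rule, src_ip, dst_port, protocol="tcp"):
    """True if a connection arriving at the host from src_ip to dst_port/protocol
    is accepted by this rule. The allowed-IP list is matched against the SOURCE
    address of an inbound connection, never against destinations the host connects to."""
    if rule["direction"] != "inbound":
        return False  # assumption: only inbound service rules are modelled here
    if protocol != rule["protocol"] or dst_port != rule["port"]:
        return False
    if rule["allow_all"]:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in parse_allowed_ip(rule["allowed_ip"]))


if __name__ == "__main__":
    for src in ("192.168.1.77", "192.168.2.220", "192.168.2.221"):
        verdict = "allowed" if connection_allowed(SSH_RULE, src, 22) else "blocked"
        print(f"ssh from {src}: {verdict}")
```

Against the constructed rule, a client at 192.168.1.77 or 192.168.2.220 can reach port 22, a client at 192.168.2.221 cannot, and a packet to any other port or protocol is not covered by this rule at all; whether the host may open outbound SSH sessions is governed by a separate rule.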
Question 150:
An administrator manages a High Availability (HA)/Distributed Resource Scheduler (DRS)-enabled cluster and has configured the affinity rule shown in the Exhibit.
Which two statements best describe the configuration shown in the exhibit? (Choose two.)
A. HA will not failover Marketing to ESXi hosts that are not in the Host Group.
B. HA will failover Marketing to ESXi hosts that are not in the Host group.
C. DRS will attempt to keep Marketing on the ESXi host 10.21.38.106.
D. DRS will not attempt to keep Marketing on the ESXi host 10.21.28.106.
Correct Answer: BD
Explanation: As the rule settings in the exhibit show, this is a VM-Host affinity rule. A VM-Host affinity rule specifies whether or not the members of a selected virtual machine DRS group can run on the members of a specific host DRS group. Unlike a VM-VM affinity rule, which specifies affinity (or anti-affinity) between individual virtual machines, a VM-Host affinity rule specifies an affinity relationship between a group of virtual machines and a group of hosts. There are required rules (designated by "must") and preferential rules (designated by "should").
A VM-Host affinity rule includes the following components: one virtual machine DRS group; one host DRS group; a designation of whether the rule is a requirement ("must") or a preference ("should") and whether it is affinity ("run on") or anti-affinity ("not run on").
Because VM-Host affinity rules are cluster-based, the virtual machines and hosts that are included in a rule must all reside in the same cluster. If a virtual machine is removed from the cluster, it loses its DRS group affiliation, even if it is later returned to the cluster. https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.resmgmt.doc%2FGUID