Which two advanced features should be disabled for virtual machines that are only hosted on a vSphere system? (Choose two.)
A. isolation.tools.unity.push.update.disable
B. isolation.tools.ghi.launchmenu.change
C. isolation.tools.bbs.disable
D. isolation.tools.hgfsServerSet.enable
Correct Answer: AB
Disable Unexposed Features
VMware virtual machines are designed to work on both vSphere systems and hosted virtualization platforms such as Workstation and Fusion. Certain VMX parameters do not need to be enabled when you run a virtual machine on a vSphere system. Disable these parameters to reduce the potential for vulnerabilities.
Prerequisites: Turn off the virtual machine.
Procedure
An administrator wants to configure an ESXi 6.x host to use Active Directory (AD) to manage users and groups. The AD domain group ESX Admins is planned for administrative access to the host.
Which two conditions should be considered when planning this configuration? (Choose two.)
A. If administrative access for ESX Admins is not required, this setting can be altered.
B. The users in ESX Admins are not restricted by Lockdown Mode.
C. An ESXi host provisioned with Auto Deploy cannot store AD credentials.
D. The users in ESX Admins are granted administrative privileges in vCenter Server.
Correct Answer: AC
Configure a Host to Use Active Directory
You can configure a host to use a directory service such as Active Directory to manage users and groups. When you add an ESXi host to Active Directory, the DOMAIN group ESX Admins is assigned full administrative access to the host if it exists. If you do not want to make full administrative access available, see VMware Knowledge Base article 1025569 for a workaround. If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory domain. Because a trust chain exists between the vSphere Authentication Proxy and the host, the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere Authentication Proxy.
Reference: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID63D22519-38CC-4A9F-AE85-97A53CB0948A.html
Question 103:
A common root user account has been configured for a group of ESXi 6.x hosts.
Which two steps should be taken to mitigate security risks associated with this configuration? (Choose two.)
A. Remove the root user account from the ESXi host.
B. Set a complex password for the root account and limit its use.
C. Use ESXi Active Directory capabilities to assign users the administrator role.
D. Use Lockdown mode to restrict root account access.
Correct Answer: BC
root User Privileges
By default, each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server. This common root account can make it easier to break into an ESXi host and make it harder to match actions to a specific administrator. Set a highly complex password for the root account and limit the use of the root account, for example, to adding a host to vCenter Server. Do not remove the root account. In vSphere 5.1 and later, only the root user, and no other named user with the Administrator role, is permitted to add a host to vCenter Server. Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Use ESXi Active Directory capabilities, which allow you to manage Active Directory credentials, if possible.
Strict Lockdown Mode has been enabled on an ESXi host.
Which action should an administrator perform to allow ESXi Shell or SSH access for users with administrator privileges?
A. Grant the users the administrator role and enable the service.
B. Add the users to Exception Users and enable the service.
C. No action can be taken, Strict Lockdown Mode prevents direct access.
D. Add the users to vsphere.local and enable the service.
Correct Answer: B
Strict Lockdown mode:
In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
Lockdown Mode has been enabled on an ESXi 6.x host and users are restricted from logging into the Direct Console User Interface (DCUI).
Which two statements are true given this configuration? (Choose two.)
A. A user granted administrative privileges in the Exception User list can log in.
B. A user defined in the DCUI.Access without administrative privileges can log in.
C. A user defined in the ESXi Admins domain group can log in.
D. A user set to the vCenter Administrator role can log in.
Correct Answer: AB
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface:
1. Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
2. Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
An administrator would like to use the VMware Certificate Authority (VMCA) as an Intermediate Certificate Authority (CA). The first two steps performed are:
1. Replace the Root Certificate
2. Replace Machine Certificates (Intermediate CA)
Which two steps would need to be performed next? (Choose two.)
A. Replace Solution User Certificates (Intermediate CA)
B. Replace the VMware Directory Service Certificate (Intermediate CA)
C. Replace the VMware Directory Service Certificate
D. Replace Solution User Certificates
Correct Answer: AC
Use VMCA as an Intermediate Certificate Authority
You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain. Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates. This approach combines the security of a third-party CA-signed certificate with the convenience of automated certificate management.
Procedure
1. Replace the Root Certificate (Intermediate CA): The first step in replacing the VMCA certificates with custom certificates is generating a CSR and adding the certificate that is returned to VMCA as a root certificate.
2. Replace Machine SSL Certificates (Intermediate CA): After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates.
3. Replace Solution User Certificates (Intermediate CA): After you replace the machine SSL certificates, you can replace the solution user certificates.
4. Replace the VMware Directory Service Certificate: If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.
5. Replace the VMware Directory Service Certificate in Mixed Mode Environments: During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.0. In that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
Which two methods are recommended for managing the VMware Directory Service? (Choose two.)
A. Utilize the vmdir command.
B. Manage through the vSphere Web Client.
C. Manage using the VMware Directory Service.
D. Utilize the dc rep command.
Correct Answer: AB
A) dir-cli Command Reference: The dir-cli utility allows you to create and update solution users, create other user accounts, and manage certificates and passwords in vmdir. (Link to vmdir commands: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4FBEA58E-9492-409B-B584C18477F041D8.html)
B) Directory service associated with the vsphere.local domain: This service is a multi-tenanted, multi-mastered directory service that makes an LDAP directory available on port 11711. In multisite mode, an update of VMware Directory Service content in one VMware Directory Service instance results in the automatic update of the VMware Directory Service instances associated with all other vCenter Single Sign-On nodes, managed via the vSphere Web Client.