Which two statements are true about VM encryption when …

An administrator is using virtual machine encryption in their vSphere 6.5 environment. The Key Management
Server (KMS) has experienced a critical failure.
Which two statements are true about VM encryption when the KMS is not available? (Choose two.)

A.
VMs will shut down gracefully in the event of a KMS outage as a proactive measure to prevent data theft.

B.
VMs which were running at the time of the KMS failure will continue to run.

C.
If an ESXi host is rebooted, it will be unable to power on encrypted VMs until KMS connectivity is restored.

D.
vCenter Server will continue to distribute encryption keys as long as it is not rebooted while the KMS is
unreachable.

E.
ESXi hosts within the same cluster will share keys with one another while the KMS is unreachable.

VSAN

If the KMS is not available, virtual machine operations that require that vCenter Server request the key from the KMS are not possible. That means running virtual machines continue to run, and you can power on, power off, and reconfigure those virtual machines. However, you cannot relocate the virtual machine to a host that does not have the key information.

Wise

Hi,

C is the wrong answer. I can start a VM on another host while the key server isn’t available.

vCenter Server distributes the KEK to ALL hosts in the cluster. I tried this: encrypt a VM, start it in an HA cluster, turn off the key server, turn off the host; after that the VM was started on another host successfully. So, C isn’t correct.

Page 127 of the security guide: “vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster,
vCenter Server sends the KEK to each host in the cluster.” https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-security-guide.pdf

B, E are correct!

Ashish Malik

C is correct

It says that after a reboot the server will not be able to power on encrypted VMs, which is true. What you have tested is powering on VMs on another host which has not been rebooted.

BCi

B, C OK
A, D, E wrong

vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts.
If an ESXi host is rebooted, the keys are no longer known to that host; however, you can run the affected VMs on another host which has NOT been rebooted, since the KMS is unavailable.

If the KMS is not available, virtual machine operations that require that vCenter Server request the key from the KMS are not possible. That means running virtual machines continue to run, and you can power on, power off, and reconfigure those virtual machines. However, you cannot relocate the virtual machine to a host that does not have the key information.

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-B3DA9865-A28F-4EFD-ACF4-CBC8813ED110.html
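The small model below is added here to make the two scenarios in this thread concrete; it is not part of the thread and not VMware code. It encodes only what the quoted security-guide passages say: vCenter Server fetches the KEK from the KMS by key ID and pushes it to every ESXi host in the cluster, hosts hold the KEK in memory only, and vCenter stores the key ID but not the key itself (so it cannot hand out keys on its own, and hosts never exchange keys with each other). The class names, host names, key ID and sample key bytes are made up for the illustration. `scenario()` walks through Wise’s experiment (power the VM on on a host that was not rebooted) and answer C (power it on on a host that was rebooted) with the KMS down, then restores the KMS.

```python
from dataclasses import dataclass, field


class KmsUnavailable(Exception):
    """Raised when vCenter cannot reach the KMS."""


class KeyUnavailable(Exception):
    """Raised when a host has no KEK for the VM and none can be fetched."""


@dataclass
class Kms:
    keys: dict = field(default_factory=dict)   # key ID -> KEK bytes (constructed)
    up: bool = True

    def get(self, key_id: str) -> bytes:
        if not self.up:
            raise KmsUnavailable("KMS unreachable")
        return self.keys[key_id]


@dataclass
class EsxiHost:
    name: str
    kek_cache: dict = field(default_factory=dict)   # in memory only, never on disk
    running: set = field(default_factory=set)

    def reboot(self) -> None:
        # Keys live only in host memory, so a reboot discards them and stops the VMs.
        self.kek_cache.clear()
        self.running.clear()


@dataclass
class VCenter:
    kms: Kms
    cluster: list
    vm_key_id: dict = field(default_factory=dict)   # VM -> key ID only; vCenter keeps no key

    def _distribute(self, key_id: str) -> None:
        """Fetch the KEK from the KMS and push it to every host in the cluster."""
        kek = self.kms.get(key_id)            # raises KmsUnavailable when the KMS is down
        for host in self.cluster:
            host.kek_cache[key_id] = kek

    def encrypt_vm(self, vm: str, key_id: str) -> None:
        self.vm_key_id[vm] = key_id
        self._distribute(key_id)

    def power_on(self, vm: str, host: EsxiHost) -> None:
        key_id = self.vm_key_id[vm]
        if key_id not in host.kek_cache:      # host lacks the key: only the KMS can supply it
            try:
                self._distribute(key_id)
            except KmsUnavailable as exc:
                raise KeyUnavailable(f"{host.name} cannot power on {vm}: {exc}") from exc
        host.running.add(vm)

    def power_off(self, vm: str, host: EsxiHost) -> None:
        host.running.discard(vm)              # needs neither a key nor the KMS


def scenario() -> dict:
    """Walk through the thread's scenarios and report what succeeds."""
    kms = Kms(keys={"kid-1": b"\x11" * 32})       # constructed sample key, not a real KEK
    h1, h2 = EsxiHost("esxi-01"), EsxiHost("esxi-02")
    vc = VCenter(kms, [h1, h2])
    vc.encrypt_vm("vm-a", "kid-1")
    vc.power_on("vm-a", h1)
    kms.up = False                                 # the KMS fails
    out = {"running_survives": "vm-a" in h1.running}   # statement B
    h1.reboot()                                    # Wise's test: that host goes down
    vc.power_on("vm-a", h2)                        # the other host still holds the KEK
    out["other_host_ok"] = "vm-a" in h2.running
    try:                                           # statement C: the rebooted host lost the key
        vc.power_on("vm-a", h1)
        out["rebooted_host_ok"] = True
    except KeyUnavailable:
        out["rebooted_host_ok"] = False
    vc.power_off("vm-a", h2)
    kms.up = True                                  # KMS connectivity restored
    vc.power_on("vm-a", h1)
    out["after_kms_restore"] = "vm-a" in h1.running
    return out


if __name__ == "__main__":
    print(scenario())
```

Both observations in the thread come out true at once: the VM starts on esxi-02 because that host still has the KEK in memory, while esxi-01, having dropped its cache on reboot, cannot get the key from anywhere until the KMS is back. Note that the model deliberately gives vCenter no key store and no host-to-host key path, which is why statements D and E have nothing to succeed through.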

Wise

Why is C correct? I can start VM on another host in a cluster.
Why is E wrong? “vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster, vCenter Server sends the KEK to each host in the cluster.”

Fonta

Answer C concerns only one ESXi host and not the behaviour in case of a migration to another host. If your ESXi host is rebooted after your KMS failed, this host won’t have the key anymore.

Concerning answer E, ESXi hosts never share the key; that is the vCenter Server’s role.

So, it’s B & C.

S.Kunchum

New 2V0-622D Exam Questions and Answers (1/Nov/2017 Updated):

NEW QUESTION 6
Which system traffic type cannot be configured with Network I/O Control (NIOC) bandwidth allocation?

A. Virtual SAN traffic
B. ESXi host Management traffic
C. vSphere Replication traffic
D. Software FCoE Adapter traffic

Answer: D

NEW QUESTION 7
Which is the minimum number of hosts required for a VMware vSAN cluster to be able to apply a vSAN RAID5 storage policy?

A. six hosts
B. three hosts
C. four hosts
D. five hosts

Answer: C

NEW QUESTION 8
Which three TCP/IP stacks are built in at the VMkernel level in vSphere 6.x? (Choose three.)

A. Fault Tolerance
B. vMotion
C. Provisioning
D. Management
E. Default

Answer: ABC

NEW QUESTION 9
In vSphere 6.5, a virtual machine is thinly-provisioned on a VMFS6 datastore. The administrator deleted a large file within the guest OS. The freed blocks in the datastore are no longer needed by the VM. Which feature in vSphere 6.5 allows the backing storage to automatically reclaim the freed blocks?

A. ATS
B. Defrag
C. UNMAP
D. Auto Reclaim

Answer: C
Explanation:
VAAI UNMAP was introduced in vSphere 5.0 to allow the ESXi host to inform the backing storage that files or VMs had been moved or deleted from a thin-provisioned VMFS datastore. This allowed the backing storage to reclaim the freed blocks. There was no way of doing this previously, resulting in many customers with a considerable amount of stranded space on their thin-provisioned VMFS datastores.

NEW QUESTION 10
A new virtual machine cannot reach its default gateway.
– The vSphere administrator checks that the virtual machine’s vmnic is connected to the correct portgroup, and that the portgroup is on the correct virtual switch.
– This is the only virtual machine on this portgroup.
– Other virtual machines that are on the host and connected to the same Distributed switch are running as normal.
– The Distributed Switch has only one uplink.
Which could be the cause of this issue?

A. Block All Ports has been selected on the Distributed Switch.
B. The wrong VLAN ID has been added to the portgroup.
C. The VLAN has not been configured in virtual machine hardware settings.
D. The physical adapter is down.

Answer: D

NEW QUESTION 11
Which two requirements must be met before enabling vSphere HA Application Monitoring for a virtual machine? (Choose two.)

A. VMware Tools must be installed on the VM.
B. The vSphere Guest SDK must be installed on the VMs needing Application Monitoring.
C. Application Monitoring requires that vCenter Server is linked to a working instance of vRealize Operations Manager and the End Points Operations agent has been installed on the guest.
D. Application Monitoring is only supported on Linux operating systems.
E. Application Monitoring is only supported on Windows operating systems.

Answer: AE

NEW QUESTION 12
Which is true when assigning global permissions in a single vSphere Single Sign-On domain in a multi-site configuration?

A. Users assigned global permissions will be able to access objects and solutions across all Single Sign-On domains in an organization.
B. Users assigned global permissions will be able to access objects and solutions only in the same Single Sign-On site.
C. Users assigned global permissions will have administrator access across all objects and solutions in a Single Sign-On domain.
D. Users assigned global permissions will be able to access objects and solutions within that Single Sign-On domain.

Answer: A

NEW QUESTION 13
During Fibre Channel adapter setup of an ESXi host, which configuration guideline should be considered?

A. Do not mix Fibre Channel adapter models to access the same LUN from a single host unless the default queue depth has been changed.
B. Do not mix Fibre Channel adapters from different vendors in a single host.
C. Use Fibre Channel adapters from different vendors in a single host.
D. Set the queue depth to 16 if using a mix of different vendors’ Fibre Channel adapters in all hosts in the cluster.

Answer: B

NEW QUESTION 14
For Virtual Machine Compatibility upgrade, a VM needs to be in which power state?

A. Maintenance mode
B. Suspended
C. Powered Off
D. Powered On

Answer: C

NEW QUESTION 15
Which component must be deployed before using encrypted virtual machines in a vSphere 6.5 environment?

A. vCenter Server must use CA signed certificates
B. a host with supported Trusted Platform Module
C. supported password vault
D. External Key Management Server

Answer: D

NEW QUESTION 16
……

P.S. You Can Get The Newest 2V0-622D Dumps In PDF And VCE From — https://www.passleader.com/2v0-622d.html (140q VCE and PDF)

Good Luck!