Last Updated On: 25-May-2026
An administrator is tasked with migrating a single virtual machine (VM) from an existing VMware vCenter to a secure environment where corporate security policy requires that all VMs be encrypted. The secure environment consists of a dedicated vCenter instance with a 4-node vSphere cluster and already contains a number of encrypted VMs. Which two steps must the administrator take to ensure the migration is a success? (Choose two.)
A. Ensure that the source and destination vCenter instances share the same Key Management Server (KMS).
B. Ensure that Encrypted vMotion is turned off for the VM.
C. Ensure that the VM is encrypted before attempting the migration.
D. Ensure that the VM is powered off before attempting the migration.
E. Ensure that the source and destination vCenter Servers have a different Key Management Server (KMS).
Explanation:
A. Ensure that the source and destination vCenter instances share the same Key Management Server (KMS).
When migrating a virtual machine between vCenter instances that require encryption, both vCenter servers must use the same KMS or be part of a trusted KMS cluster. The destination vCenter needs access to the same encryption keys to decrypt and re-encrypt the VM during migration. If the KMS configurations differ, the migration fails because the destination cannot unlock the VM's encrypted disks.
C. Ensure that the VM is encrypted before attempting the migration.
The corporate security policy requires that all VMs be encrypted in the destination environment. To migrate successfully while maintaining encryption, the VM must already be encrypted before the migration begins. This allows the migration process to use Encrypted vMotion, which preserves the encryption state across vCenter instances. Migrating an unencrypted VM into an environment whose policy requires encryption would violate security policy and would require post-migration encryption, which is not a supported migration workflow for cross-vCenter operations.
Why other options are incorrect
B. Ensure that Encrypted vMotion is turned off for the VM.
This is incorrect because Encrypted vMotion must be enabled, not turned off, when migrating encrypted VMs or when moving VMs between environments requiring encryption. Encrypted vMotion protects the VM's memory and disk data in transit over the network. Disabling it exposes sensitive data.
D. Ensure that the VM is powered off before attempting the migration.
While a powered-off migration is possible, it is not required for success. Cross-vCenter vMotion supports live migration of powered-on VMs, even encrypted ones. Powering off would cause unnecessary downtime and is not a prerequisite.
E. Ensure that the source and destination vCenter Servers have a different Key Management Server (KMS).
This directly contradicts step A. Different KMS servers cannot share encryption keys, making decryption at the destination impossible. The migration would fail with key access errors.
Reference
VMware vSphere 8.x Documentation: "Cross-vCenter vMotion with Encrypted VMs" – Requires same KMS or trusted KMS cluster on both source and destination vCenter Servers. VMware KB article 67371: "Migrating encrypted virtual machines between vCenter Server instances" – The VM must be encrypted before migration and Encrypted vMotion must be enabled.
An administrator is working with VMware Support and is asked to provide log bundles for the ESXi hosts in an environment. Which three options does the administrator have? (Choose three.)
A. Generate a combined log bundle for all ESXi hosts using the vCenter Management Interface.
B. Generate a separate log bundle for each ESXi host using the vSphere Host Client.
C. Generate a combined log bundle for all ESXi hosts using the vSphere Client.
D. Generate a separate log bundle for each ESXi host using the vSphere Client.
E. Generate a separate log bundle for each ESXi host using the vCenter Management Interface.
F. Generate a combined log bundle for all ESXi hosts using the vSphere Host Client.
Explanation:
B. Generate a separate log bundle for each ESXi host using the vSphere Host Client.
The vSphere Host Client (accessed directly via https://
C. Generate a combined log bundle for all ESXi hosts using the vSphere Client.
The vSphere Client (connected to vCenter) provides an option to generate a combined support bundle for multiple ESXi hosts simultaneously. Select the hosts in the inventory, right-click, and choose Export System Logs. This creates a single .zip file containing diagnostic data from all selected hosts.
D. Generate a separate log bundle for each ESXi host using the vSphere Client.
The same Export System Logs feature in the vSphere Client also allows generating separate bundles per host. In the Export System Logs wizard, the option "Collect supporting logs for each host individually" can be selected, producing distinct zip files for each chosen ESXi host.
Why other options are incorrect
A. Generate a combined log bundle for all ESXi hosts using the vCenter Management Interface.
The vCenter Management Interface (port 5480) is for managing the vCenter Server Appliance itself, not for gathering ESXi host logs. It provides support bundles for the vCenter appliance, not for managed ESXi hosts.
E. Generate a separate log bundle for each ESXi host using the vCenter Management Interface.
Same as option A, the vCenter Management Interface does not have functionality to generate ESXi host log bundles. It only manages the vCenter appliance.
F. Generate a combined log bundle for all ESXi hosts using the vSphere Host Client.
The vSphere Host Client operates on a single ESXi host and cannot generate a combined bundle for multiple hosts. Each Host Client instance only has access to logs from its own host.
Reference
VMware vSphere 8.x Documentation: "Collect Diagnostic Information for ESXi Hosts" – Use vSphere Client (Export System Logs) or vSphere Host Client (Generate Support Bundle). VMware Knowledge Base article 1010705: "Collecting diagnostic information for ESXi hosts" – Describes multiple methods including Host Client and vSphere Client.
An administrator has been notified that a number of hosts are not compliant with the company policy for time synchronization. The relevant portion of the policy states: All physical servers must synchronize time with an external time source that is accurate to the microsecond. Which step should the administrator take to ensure compliance with the policy?
A. Ensure that each vCenter Server Appliance is configured to use a Network Time Protocol (NTP) source.
B. Ensure that each ESXi host is configured to use a Precision Time Protocol (PTP) source.
C. Ensure that each ESXi host is configured to use a Network Time Protocol (NTP) source.
D. Ensure that each vCenter Server Appliance is configured to use a Precision Time Protocol (PTP) source.
Explanation:
The company policy requires microsecond accuracy for time synchronization on physical servers. NTP typically provides only millisecond accuracy (1-10 milliseconds), while PTP delivers microsecond to sub-microsecond precision using hardware timestamping. Since vSphere 7.0 Update 3, ESXi hosts natively support PTP, and the physical server in a vSphere environment is the ESXi host itself. Therefore, each ESXi host must be configured with a PTP source to achieve microsecond-level compliance. PTP on ESXi requires a network adapter that supports hardware timestamping (e.g., Intel I210, Mellanox ConnectX).
Why other options are incorrect
A. NTP on vCenter provides millisecond accuracy only, failing the microsecond requirement. Also, vCenter is a virtual appliance, not a physical server, so policy does not apply directly.
C. NTP on ESXi still provides only millisecond accuracy, which does not meet the microsecond policy requirement.
D. PTP on vCenter is not supported by VMware. The vCenter Server Appliance cannot be configured as a PTP client; PTP is an ESXi host-level feature only.
Reference
VMware vSphere 8.x Documentation:
"Configuring Precision Time Protocol on ESXi Hosts" – PTP provides microsecond accuracy and is supported on ESXi 7.0 Update 3 and later. VMware Knowledge Base article 86458: "Precision Time Protocol in ESXi" – PTP must be configured on the ESXi host, not on vCenter.
An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following requirements:
• All certificates should use certificates trusted by the Enterprise Certificate Authority (CA).
• The solution should minimize the ongoing management overhead of replacing certificates.
Which three actions should the administrator take to ensure that the solution meets corporate policy? (Choose three.)
A. Replace the VMware Certificate Authority (VMCA) certificate with a self-signed certificate generated from the
B. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.
C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA).
D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA.
E. Replace the solution user certificates with custom certificates generated from the Enterprise CA.
F. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA).
Explanation:
To meet the requirements of using an Enterprise CA while minimizing management overhead, the most efficient architecture is the VMware Certificate Authority (VMCA) in Intermediate CA mode. Here is the breakdown of why these three actions are required:
Action D (VMCA as Intermediate CA):
By replacing the VMCA root certificate with one signed by your Enterprise CA, you establish a chain of trust. This satisfies the "Enterprise CA" requirement. Because the VMCA is now a trusted subordinate, any certificate it issues is automatically trusted by the enterprise.
Action B (Machine SSL Certificates):
Corporate policies for SDDCs often require that the primary interface (the Machine SSL certificate) be explicitly issued by the Enterprise CA or a custom certificate to ensure browser trust and high-security compliance for the external-facing management layer.
Action F (Solution User Certificates via VMCA):
This is the key to minimizing management overhead. "Solution user" certificates are used for internal communication between vSphere services (like vCenter to ESXi). Manually replacing these every time they expire (Option E) creates massive overhead. By letting the VMCA (which is already trusted via Action D) handle these automatically, the administrator ensures security without the manual labor of individual certificate lifecycle management.
Why the other options are incorrect:
Option A involves self-signed certificates, which contradicts the requirement for Enterprise CA trust.
Option C is redundant if you are already using a custom Enterprise CA approach for SSL.
Option E would maximize management overhead, as you would have to manually manage and rotate certificates for every service across the SDDC.
Reference
VMware vSphere 8.0 Security Guide: Section on "Certificate Management Profiles."
Exam Objective: Section 5.1 – Manage vSphere Certificates.
After a recent unexplained peak in virtual machine (VM) CPU usage, an administrator is asked to monitor the VM performance for a recurrence of the issue. Which two tools can the administrator use? (Choose two.)
A. vCenter Management Interface
B. Direct Console User Interface (DCUI)
C. vSphere Performance Charts
D. vCenter Command Line Interface
E. ESXi Shell
Explanation:
The administrator needs to monitor VM CPU performance for recurrence of a spike issue. Two primary tools are available for this task.
C. vSphere Performance Charts.
The vSphere Client provides built-in performance charts accessible from the Performance tab for any VM, host, or cluster. These charts display historical and real-time CPU usage data, allowing the administrator to identify spikes, track trends over time, and compare resource consumption across VMs. This is the standard graphical interface for ongoing performance monitoring.
D. vCenter Command Line Interface (or esxtop/resxtop).
Command-line performance tools provide detailed, real-time resource metrics. The esxtop command (run directly on an ESXi host via SSH or ESXi Shell) and resxtop (run remotely against a vCenter or ESXi host) offer granular CPU statistics including %USED, %RDY (ready time), and %WAIT. These tools are ideal for live troubleshooting when a spike is actively occurring, as they refresh every few seconds and show per-VM and per-host CPU consumption.
Why other options are incorrect
A. vCenter Management Interface.
The VAMI (port 5480) monitors the vCenter Server Appliance's own CPU and memory usage, not the CPU performance of individual VMs. This tool helps track vCenter resource health but cannot diagnose per-VM CPU spike issues.
B. Direct Console User Interface (DCUI).
The DCUI is the physical server console for emergency management when vCenter or network is unavailable. It displays basic host-level system logs and service status but does not provide detailed, real-time VM-level CPU performance charts needed for spike analysis.
E. ESXi Shell.
This is the command-line environment on an ESXi host, but it is the access method, not a specific performance tool. While useful for running esxtop, ESXi Shell itself is not a monitoring tool; it enables access to tools like esxtop, which is already covered under command-line options.
Reference
VMware vSphere 8.x Monitoring and Performance Documentation – Performance Charts for CPU monitoring. VMware TechDocs on esxtop for real-time CPU performance analysis.
A vSphere cluster has the following configuration:
• Virtual machines (VMs) are running Production and Test workloads
• vSphere Distributed Resource Scheduler (DRS) is enabled
• There are no resource pools in the cluster
Performance monitoring data shows that the Production workload VMs are not receiving their fully allocated memory when the vSphere cluster is fully utilized.
A combination of which two steps could the administrator perform to ensure that the Production VMs are always guaranteed the full allocation of memory? (Choose two.)
A. Assign a custom memory share value to the resource pool containing the Production VMs.
B. Assign a memory reservation value to the resource pool containing the Production VMs.
C. Create a parent resource pool for the Production VMs.
D. Create a sibling resource pool for each of the Production and Test VMs.
E. Create a child resource pool for the Test VMs.
Explanation:
Memory Reservation (B):
Reservations guarantee physical resources (in this case, memory) to workloads. By assigning a reservation to the Production resource pool, the administrator ensures that Production VMs always receive their full allocated memory even under contention.
Parent Resource Pool (C):
Resource pools allow administrators to logically separate workloads and enforce resource allocation policies. Creating a parent resource pool for Production VMs ensures they are isolated from Test workloads and can be assigned guaranteed resources (via reservations and shares).
❌ Distractor Analysis:
A. Assign a custom memory share value
→ Shares only apply when resources are overcommitted. Without a resource pool, Production VMs cannot be grouped for share assignment. Shares alone do not guarantee full allocation.
D. Create sibling resource pools for Production and Test VMs
→ This would allow relative prioritization but does not guarantee full allocation unless reservations are set.
E. Create a child resource pool for Test VMs
→ This indirectly reduces Test workload priority but does not guarantee Production VMs their full allocation.
🔗 References:
VMware vSphere 8.x Documentation – Resource Management Guide (Resource Pools, Shares, Reservations, Limits)
An administrator is completing the configuration of a new vSphere cluster and has enabled vSphere High Availability (HA) and vSphere Distributed Resource Scheduler (DRS).
After adding the ESXi hosts to the cluster, which networking information will the administrator be prompted to provide when using the Cluster Quickstart workflow?
A. vMotion networking
B. Management networking
C. vSAN networking
D. Virtual machine networking
Explanation:
When configuring a new vSphere cluster using the Cluster Quickstart workflow, administrators are prompted to provide vMotion networking information. This is essential because both vSphere High Availability (HA) and Distributed Resource Scheduler (DRS) depend on vMotion to migrate workloads between ESXi hosts.
HA leverages vMotion to restart virtual machines on surviving hosts after a failure, ensuring service continuity.
DRS uses vMotion to dynamically balance workloads across hosts, optimizing performance and resource utilization.
Without vMotion networking configured, neither HA nor DRS can function properly, as they rely on the ability to move VMs seamlessly between ESXi hosts. Therefore, vMotion networking is a mandatory configuration step during Quickstart setup.
❌ Distractor Analysis:
B. Management networking → Already configured when ESXi hosts are added to vCenter; Quickstart does not prompt for this again.
C. vSAN networking → Only required if vSAN is explicitly enabled in the cluster. Since the scenario mentions only HA and DRS, vSAN networking is not prompted.
D. Virtual machine networking → VM networks are configured at the port group level and are unrelated to HA/DRS functionality. Not part of Quickstart cluster setup.
🔗 References:
VMware Docs – Cluster Quickstart Workflow in vSphere 8.x
VMware vSphere Resource Management Guide – vMotion Requirements for HA and DRS
An administrator remotely deploys VMware ESXi using an out of band management connection and now needs to complete the configuration of the management network so that the host is accessible through the vSphere Host Client.
The following information has been provided to complete the configuration:
• Host FQDN: esxi01.corp.local
• Management VLAN ID: 10
• DHCP: No
• Management IP Address: 172.16.10.101/24
• Management IP Gateway: 172.16.10.1
• Corporate DNS Servers: 172.16.10.5, 172.16.10.6
• DNS Domain: corp.local
In addition, all host configurations must also meet the following requirements:
• The management network must use only IPv4 network protocols.
• The management network must be fault tolerant.
Which four high level tasks should the administrator complete in the Direct Console User Interface (DCUI) in order to meet the requirements and successfully log into the vSphere Host Client? (Choose four.)
A. Set the value of the VMware ESXi Management Network VLAN ID to 10
B. Configure at least two network adapters for the VMware ESXi Management Network
C. Update the VMware ESXi Management Network IPv4 configuration to use a static IPv4 address
D. Create a DNS A Record for the VMware ESXi host on the corporate DNS servers
E. Disable IPv6 for the VMware ESXi Management Network
F. Restore the original Management vSphere Standard Switch.
G. Update the VMware ESXi Management Network DNS configuration to use the corporate DNS servers for name resolution
Explanation:
The administrator must complete these four tasks in the Direct Console User Interface (DCUI) to meet the requirements and successfully access the vSphere Host Client via FQDN.
A. Set the value of the VMware ESXi Management Network VLAN ID to 10.
The provided configuration specifies Management VLAN ID 10. Configuring this in the DCUI ensures the management network traffic is correctly tagged, allowing the host to communicate on the correct VLAN and reach its gateway.
B. Configure at least two network adapters for the VMware ESXi Management Network.
The requirement states the management network must be fault tolerant. This is achieved by assigning at least two physical network adapters (vmnics) to the management vmkernel port in the DCUI. If one NIC or link fails, traffic fails over to the other, ensuring continuous management access.
C. Update the VMware ESXi Management Network IPv4 configuration to use a static IPv4 address.
The provided information states DHCP is not used. A static IPv4 address (172.16.10.101/24), subnet mask, and default gateway (172.16.10.1) must be manually entered in the DCUI to ensure the host receives a predictable, persistent IP address.
G. Update the VMware ESXi Management Network DNS configuration to use the corporate DNS servers for name resolution.
The host FQDN (esxi01.corp.local) and DNS servers (172.16.10.5, 172.16.10.6) are provided. Configuring these in the DCUI enables the host to resolve DNS names, which is required for accessing the host by FQDN through the vSphere Host Client.
Why other options are incorrect
D. Create a DNS A Record for the VMware ESXi host on the corporate DNS servers.
This is a critical step for FQDN resolution, but it must be performed on the external corporate DNS servers, not within the ESXi host's DCUI. The question specifically asks for tasks completed in the DCUI.
E. Disable IPv6 for the VMware ESXi Management Network.
While the requirement specifies using "only IPv4 network protocols," disabling IPv6 is not necessary. Configuring a static IPv4 address and leaving IPv6 unconfigured satisfies the requirement. The DCUI does not require explicit IPv6 disablement for the host to function correctly with IPv4 only.
F. Restore the original Management vSphere Standard Switch.
This task is irrelevant for initial deployment configuration. Restoring the original switch is a recovery operation, not a standard configuration step when deploying a new host with provided parameters.
Reference
Broadcom TechDocs: "Configure the Network on VMware Cloud Foundation or vSphere Foundation Hosts" – DCUI configuration steps for VLAN, static IPv4, and DNS settings. ExamTopics 2V0-21.23 discussion confirms ABCG as the correct answer.