Try 90 free CompTIA Server+ SK0-006 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
This free full-length CompTIA Server+ SK0-006 practice exam includes 90 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
| Domain | Weight |
|---|---|
| Planning and Deployment | 15% |
| Configuration and Administration | 24% |
| Security and Compliance | 24% |
| Data Center Operations | 15% |
| Performance Management and Troubleshooting | 22% |
Topic: Security and Compliance
A systems administrator is decommissioning a physical file server after a storage migration. The asset record shows an expired hardware support contract, a per-core backup agent license, an operating system that reaches end of support next month, and SSDs that stored regulated customer data. Which action best addresses the disposal lifecycle issue?
Options:
A. Reclaim the per-core backup agent license
B. Sanitize or destroy the SSDs and retain disposal evidence
C. Renew the hardware support contract before removal
D. Upgrade the operating system before decommissioning
Best answer: B
Explanation: Asset management separates lifecycle issues by what must be controlled. Disposal lifecycle concerns focus on removing assets from service without exposing data or losing accountability. For storage media that held regulated customer data, the priority is approved sanitization or destruction plus evidence such as a disposal record or certificate. License lifecycle actions reclaim or reassign software entitlements. Maintenance lifecycle actions track support coverage and renewals. Software lifecycle actions address version support and end-of-life status. In this scenario, the SSDs and regulated data are the disposal-specific concern.
Topic: Configuration and Administration
A systems administrator is deploying a latency-sensitive database VM. The owner requires 8 vCPUs, 64 GB RAM, low-latency disk, and isolation from nightly backup traffic. The target host has the following unused capacity after existing reservations:
| Resource | Available |
|---|---|
| CPU | 10 physical cores |
| Memory | 80 GB unreserved |
| Storage | 3 TB SSD datastore |
| Network | One unused 10GbE uplink |
Which configuration best avoids resource contention and overcommit risk?
Options:
A. Allocate 8 vCPUs, leave RAM unreserved, use HDD storage, and share all traffic.
B. Allocate 4 vCPUs, 32 GB RAM, use SSD storage, and rely on ballooning.
C. Allocate 16 vCPUs, enable dynamic memory, use SSD storage, and share all traffic.
D. Allocate 8 vCPUs, reserve 64 GB RAM, use SSD storage, and isolate backup traffic.
Best answer: D
Explanation: Resource allocation for a latency-sensitive VM should be right-sized to the documented requirement and backed by available host capacity. The host has enough unused CPU and unreserved memory for 8 vCPUs and 64 GB RAM, so reserving the required memory reduces the risk of ballooning or swapping under pressure. Placing the workload on the SSD datastore supports the low-latency storage requirement. Using the unused 10GbE uplink or an equivalent isolated path for backup traffic prevents backup jobs from competing with production database traffic. Adding extra vCPUs or relying on dynamic memory can increase scheduler wait, memory pressure, and unpredictable performance.
Topic: Data Center Operations
A systems administrator is choosing the WAN link for a new colocation rack that will host replicated file services. The link must support low-latency replication, provide a provider SLA, and operate as the primary connection. The building survey shows:
| WAN option | Availability note |
|---|---|
| Fiber | Carrier handoff in meet-me room |
| Coaxial | Best-effort business service only |
| Cellular | Good signal, no bandwidth guarantee |
| Satellite | Available, high-latency path |
Which WAN option is the BEST professional decision?
Options:
A. Satellite terminal
B. Cellular router
C. Coaxial cable modem
D. Fiber circuit
Best answer: D
Explanation: For a primary WAN connection supporting replicated server services, the best fit is the option that provides predictable performance and an SLA. In a colocation facility, a carrier fiber handoff is designed for high-throughput, low-latency, business-grade connectivity. That aligns with replication and monitoring needs without relying on variable wireless conditions or consumer-style best-effort service. Coaxial, cellular, and satellite can be useful in the right scenario, especially as backup, temporary, or remote-site connectivity, but they do not satisfy all of the stated constraints here. The key distinction is availability plus operational suitability, not just whether the technology can connect to the internet.
Topic: Performance Management and Troubleshooting
A systems administrator reviews a file server dashboard after users report occasional sluggishness. The server runs a scheduled backup at 02:00 and is normally lightly used by 10:30.
Exhibit: Baseline vs. current metrics
| Period | Expected baseline | Current reading |
|---|---|---|
| Heavy load, 02:15 | CPU 75-90%, disk 70-95%, memory 55-65% | CPU 88%, disk 92%, memory 62% |
| Light load, 10:30 | CPU 10-25%, disk 5-15%, memory 40-55% | CPU 18%, disk 9%, memory 91% |
Which interpretation is best supported by the exhibit?
Options:
A. Treat the backup window as a disk bottleneck.
B. Increase CPU capacity for business hours.
C. Investigate abnormal memory use during light load.
D. Ignore the alert because all readings match baselines.
Best answer: C
Explanation: Heavy-load and light-load metrics must be interpreted against the correct baseline for the time and workload. The 02:15 backup readings are high, but they match the expected heavy-load range for CPU, disk, and memory. At 10:30, CPU and disk are normal for a light-load period, but memory is 91% when the baseline is 40-55%. That pattern points to abnormal memory consumption, such as a memory leak, orphaned process, or service failing to release resources. The key is not that a metric is high in isolation, but whether it is high for the expected workload state.
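The comparison described above, as an added example that is not part of the original question set: each reading is checked against the baseline for its workload state, next to a single static threshold for contrast. The ranges and readings are the exhibit's values; the window boundaries and the 85% static limit are assumptions.

```python
from datetime import time

# (window start, window end, workload state, {metric: (low %, high %)})
# Ranges come from the exhibit; the window boundaries are assumed.
BASELINES = [
    (time(2, 0), time(4, 0), "heavy",
     {"cpu": (75, 90), "disk": (70, 95), "memory": (55, 65)}),
    (time(10, 30), time(17, 0), "light",
     {"cpu": (10, 25), "disk": (5, 15), "memory": (40, 55)}),
]

# Current readings from the exhibit.
READINGS = {
    time(2, 15): {"cpu": 88, "disk": 92, "memory": 62},
    time(10, 30): {"cpu": 18, "disk": 9, "memory": 91},
}


def baseline_for(when):
    """Return (state, ranges) for the window containing `when`."""
    for start, end, state, ranges in BASELINES:
        if start <= when < end:
            return state, ranges
    raise ValueError(f"no baseline defined for {when}")


def deviations(when, reading):
    """Metrics outside the expected range for the workload state at `when`."""
    state, ranges = baseline_for(when)
    findings = []
    for metric, value in reading.items():
        low, high = ranges[metric]
        if value > high:
            findings.append((metric, value, "above", state, (low, high)))
        elif value < low:
            findings.append((metric, value, "below", state, (low, high)))
    return findings


def static_alerts(reading, limit=85):
    """Naive check: any metric above one fixed limit, whatever the workload."""
    return sorted(m for m, v in reading.items() if v > limit)


if __name__ == "__main__":
    for when, reading in READINGS.items():
        print(when, "baseline-aware:", deviations(when, reading),
              "static:", static_alerts(reading))
```

The static limit raises alerts on CPU and disk during the backup window even though both are inside the heavy-load range, while the baseline-aware check reports only the 10:30 memory reading.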
Topic: Performance Management and Troubleshooting
A payroll application server can no longer write export files to \\filesrv01\Payroll. The same service account can write to \\10.20.8.45\Payroll, the share and NTFS permissions were not changed, and the file server’s SMB service is running. A lookup from the application server shows filesrv01 resolving to 10.20.8.17, which was the file server’s old address. What is the best professional decision?
Options:
A. Recreate the Payroll share path
B. Grant the service account Modify permission
C. Restart the SMB service on the file server
D. Correct the DNS record for filesrv01
Best answer: D
Explanation: The evidence isolates the problem to name resolution. The workload can reach the share and write successfully when using the current IP address, so network connectivity, SMB availability, share permissions, and NTFS permissions are not the primary issue. The failing path uses the hostname, and the lookup returns the file server’s old IP address. The best operational fix is to correct the DNS record, then allow or force clients to refresh cached name-resolution data as appropriate. Changing permissions or recreating the share would introduce unnecessary risk and would not address the incorrect hostname-to-IP mapping.
Topic: Configuration and Administration
A branch office is replacing an aging departmental file server. The new chassis has four SATA SSD bays, but no hardware RAID controller on the vendor HCL is available for this model. The workload is moderate file sharing, CPU utilization is normally low, the volume must survive a single disk failure, and the storage team wants the disks to be recoverable on another standard server if the chassis fails. Which approach is the BEST professional decision?
Options:
A. Use motherboard firmware RAID 5
B. Install an unsupported hardware RAID controller
C. Configure OS-managed software RAID 10
D. Use four independent disks with backups
Best answer: C
Explanation: Software RAID is appropriate when controller dependency and hardware compatibility are major constraints and the workload can tolerate using host CPU resources. In this scenario, no supported hardware RAID controller is available, CPU headroom exists, and the team wants recovery options that are not tied to a proprietary controller. OS-managed RAID 10 across four SSDs provides redundancy for a single disk failure and good read/write performance for moderate file sharing. Hardware RAID can be better for high-write workloads needing controller cache, battery/flash protection, or pre-OS management, but those benefits do not outweigh the HCL and portability constraints here. The key is matching RAID implementation to operational risk, not just choosing the most specialized hardware.
Topic: Performance Management and Troubleshooting
A server engineer is investigating a rack server that briefly powered off during normal workload. Other servers in the same rack stayed online.
Exhibit: Troubleshooting ticket
Server: APP-04
Power design: Dual hot-swappable PSUs, redundant mode
PDU A: 121 VAC, 44% load, no alerts
PDU B: 120 VAC, 41% load, no alerts
Server event log:
09:14 Power redundancy lost
09:14 PSU 2 status: failed, amber LED
09:15 Unexpected system power loss
09:22 PSU 1 status: OK
Which issue is most likely indicated by the exhibit?
Options:
A. CPU overheating under load
B. Failed UPS feeding the rack
C. Faulty PSU 2 in the server
D. Overloaded rack PDU B
Best answer: C
Explanation: The exhibit points to a server-local power supply failure. Both rack PDUs show normal voltage and moderate load, so the incoming power paths are not the primary evidence. The server’s own event log reports power redundancy lost, PSU 2 failed, and an amber LED on PSU 2. In a redundant dual-PSU server, a failed PSU can remove redundancy and may cause instability or power loss if the remaining path cannot sustain the load or if the failure affects the power subsystem. The next operational step would typically be to replace the failed hot-swappable PSU according to procedure and verify redundancy is restored.
Topic: Security and Compliance
A security team must decide how to handle a new patch for a production web application cluster. Which patch-management action is best supported by the exhibit?
Exhibit: Emergency patch note
| Finding | Detail |
|---|---|
| Vulnerability | Critical remote code execution; active exploitation reported |
| SBOM result | app01 and app02 include affected library; db01 does not |
| Test status | Staging mirror is available; smoke test takes 20 minutes |
| Rollback | Verified image backup and previous package are available |
| Change window | Emergency window approved for affected web tier only |
Options:
A. Test in staging, patch app01 and app02, keep rollback ready, then validate services and scan results.
B. Defer the patch until the next regular maintenance window.
C. Patch all production servers immediately because the vulnerability is critical.
D. Patch staging only and wait for the next vulnerability scan cycle.
Best answer: A
Explanation: Emergency patching still needs controlled change management. The exhibit shows active exploitation, so deferring is too risky, but the SBOM narrows the affected systems to app01 and app02. Because a staging mirror and a fast smoke test are available, the team should test first, deploy only to the affected web tier during the approved emergency window, and keep the verified rollback path ready. Post-change validation should confirm both service health and remediation evidence, such as a clean vulnerability scan or package verification. The key balance is urgency with evidence-based scope, not uncontrolled patching.
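One way to derive the evidence-based scope described above, as an added example that is not part of the original question set. The SBOM contents, the library name `examplelib`, and all version numbers are constructed placeholders; versions are assumed to be plain dotted integers.

```python
# Constructed per-host SBOMs in a CycloneDX-style shape ("components" list).
SBOMS = {
    "app01": {"components": [{"name": "examplelib", "version": "2.4.1"},
                             {"name": "webfw", "version": "5.0.0"}]},
    "app02": {"components": [{"name": "examplelib", "version": "2.3.9"}]},
    "db01": {"components": [{"name": "dbdriver", "version": "1.2.0"}]},
}

# Placeholder advisory: component name and first fixed version.
ADVISORY = {"component": "examplelib", "fixed_in": "2.4.2"}

# Hosts covered by the approved emergency window (the affected web tier).
APPROVED_SCOPE = {"app01", "app02"}


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def affected_hosts(sboms, advisory):
    """Map each host carrying a vulnerable version to that version."""
    fixed = parse_version(advisory["fixed_in"])
    hits = {}
    for host, sbom in sboms.items():
        for comp in sbom.get("components", []):
            if (comp["name"] == advisory["component"]
                    and parse_version(comp["version"]) < fixed):
                hits[host] = comp["version"]
    return hits


def patch_plan(sboms, advisory, approved_scope):
    """Split hosts into patch-now, needs-separate-approval and untouched."""
    hits = affected_hosts(sboms, advisory)
    return {
        "patch_now": sorted(h for h in hits if h in approved_scope),
        "needs_approval": sorted(h for h in hits if h not in approved_scope),
        "out_of_scope": sorted(h for h in sboms if h not in hits),
    }


def remediated(sboms_after, advisory):
    """Post-change evidence: no host still lists a vulnerable version."""
    return affected_hosts(sboms_after, advisory) == {}


# Constructed SBOMs regenerated after the change, for the validation step.
SBOMS_AFTER = {
    "app01": {"components": [{"name": "examplelib", "version": "2.4.2"},
                             {"name": "webfw", "version": "5.0.0"}]},
    "app02": {"components": [{"name": "examplelib", "version": "2.4.2"}]},
    "db01": {"components": [{"name": "dbdriver", "version": "1.2.0"}]},
}

if __name__ == "__main__":
    print(patch_plan(SBOMS, ADVISORY, APPROVED_SCOPE))
    print("remediated:", remediated(SBOMS_AFTER, ADVISORY))
```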
Topic: Configuration and Administration
A server administrator is validating a new virtualization host build before purchase. The workload needs at least 40 physical CPU cores and 512GB RAM. Policy requires ECC memory. The platform HCL supports only matched CPUs in a two-socket configuration and DDR5 ECC RDIMMs. The hypervisor edition supports up to 1TB physical RAM. Which configuration is the best professional decision?
Options:
A. Two non-matched 24-core CPUs with 16 x 32GB ECC RDIMMs
B. Two identical 24-core CPUs with 16 x 32GB non-ECC UDIMMs
C. One 48-core CPU with 8 x 64GB ECC RDIMMs under one socket
D. Two identical 24-core CPUs with 16 x 32GB ECC RDIMMs balanced across both CPUs
Best answer: D
Explanation: CPU and memory validation must satisfy the workload, operating system or hypervisor limits, and platform compatibility at the same time. The host needs at least 40 physical cores, so two identical 24-core CPUs provide enough capacity and comply with the HCL requirement for matched CPUs in a two-socket configuration. Sixteen 32GB RDIMMs provide 512GB total RAM, meet the ECC policy, match the supported memory type, and remain below the 1TB hypervisor limit. Balancing DIMMs across both CPUs also supports better memory-channel and NUMA behavior than placing memory under one socket. The closest distractors meet only part of the requirement while violating compatibility or policy constraints.
Topic: Security and Compliance
A server administrator is investigating why a new backup job cannot read files from a protected file server share. The backup service account was created yesterday and should have the same permissions as other backup agents.
Exhibit: Access finding
Account: CORP\svc-backup03
Target: \\fs01\FinanceArchive
Expected group: Backup-Readers
Current groups: Domain Users
Audit event: Access denied
Requested right: Read
Share ACL: Backup-Readers = Read
NTFS ACL: Backup-Readers = Read & Execute
What issue is most directly supported by the exhibit?
Options:
A. Protocol mismatch
B. Orphaned service account
C. Expired service certificate
D. Unprovisioned access
Best answer: D
Explanation: Unprovisioned access occurs when a user or service account exists but has not been granted the expected authorization. In this case, the account is valid enough to appear in the audit event, but it only belongs to Domain Users. Both the share ACL and NTFS ACL grant access to Backup-Readers, and the exhibit states that membership in that group is expected. The most direct issue is missing authorization, not a connectivity or identity-lifecycle problem.
The next administrative step would typically be to verify the approved access request and add the service account to the correct group through the normal IAM process.
Topic: Security and Compliance
A company recently hardened directory authentication for a file-indexing server. Since the change, the application can no longer authenticate its service account. Security policy requires encrypted authentication and prohibits re-enabling legacy protocols. Monitoring shows the directory servers are reachable and healthy.
Exhibit: Access symptoms
Application log: LDAP bind failed: strongerAuthRequired
Directory audit: cleartext simple bind rejected
Network trace: app server -> directory server TCP/389
Vendor note: application supports LDAPS when a trusted CA chain is installed
Which action is the BEST professional decision?
Options:
A. Configure the application for LDAPS and install the trusted CA chain
B. Add the application server IP to the directory server hosts file
C. Grant the service account domain administrator privileges
D. Re-enable cleartext LDAP binds for the service account
Best answer: A
Explanation: The core issue is an authentication protocol mismatch, not a directory outage or permissions failure. The application is attempting a simple LDAP bind over TCP/389, while the directory policy now requires stronger, encrypted authentication. Because the vendor note confirms LDAPS support, the operationally sound fix is to configure the application to use LDAPS and trust the issuing CA chain. This restores access while preserving the hardening requirement and avoids creating an exception for a legacy protocol.
Re-enabling cleartext binds would violate the stated security policy and weaken Zero Trust controls. Privilege escalation or name-resolution changes do not address the visible protocol rejection.
Topic: Planning and Deployment
A systems administrator is planning a new internal API service. The application is stateless, packaged with its own runtime libraries, and must scale quickly during business hours. It runs on the same OS kernel family already used by the host servers. The team wants the lowest reasonable compute overhead while keeping the application isolated from other services. Which implementation is most appropriate?
Options:
A. Deploy the application in a full virtual machine
B. Install the application directly on bare metal
C. Deploy the application as a container
D. Run the application inside a nested hypervisor
Best answer: C
Explanation: Containers are most appropriate when an application can share the host OS kernel, needs lightweight isolation, and benefits from rapid deployment or scaling. In this scenario, the API is stateless, uses the same OS kernel family as the hosts, and includes its runtime dependencies, which are common indicators for containerization. A full VM provides stronger OS-level separation and supports different guest operating systems, but it adds more overhead and slower provisioning than needed here. Bare metal reduces virtualization layers but weakens service isolation and portability. The key decision is that containers isolate the application and dependencies without requiring a full guest OS.
Topic: Configuration and Administration
A systems administrator reviews a change plan for standardizing web application servers. Which interpretation best describes the server-management approach shown in the exhibit?
Exhibit: Change plan excerpt
Target: web01, web02, web03
Step 1: Remove one node from the load balancer
Step 2: Run configuration script to update packages and NTP settings
Step 3: Restart the web service and run health check
Step 4: Return node to load balancer
Step 5: Repeat for next node only after health check passes
Options:
A. Orchestration coordinating automated tasks across multiple systems
B. Automation limited to one local configuration task
C. Versioning used to track script revisions
D. Manual configuration performed independently on each server
Best answer: A
Explanation: Automation performs a repeatable task with minimal manual input, such as running a script to update packages or change NTP settings. Orchestration coordinates multiple automated tasks, systems, dependencies, and decision points into a managed workflow. In this exhibit, the key clue is not just that a script runs. The plan drains one server from the load balancer, applies configuration, validates health, returns it to service, and then moves to the next server. That sequencing across servers and services is orchestration.
The takeaway is that automation is a building block, while orchestration manages the broader workflow and order of operations.
Topic: Planning and Deployment
A systems administrator is preparing a new rack server for a clean operating system installation. The security baseline requires the server to verify the bootloader and early boot components during startup so that unauthorized or unsigned boot code cannot run. The selected operating system supports UEFI boot. Which configuration choice best meets this requirement?
Options:
A. Enable Secure Boot in firmware
B. Use an unattended installation file
C. Install the OS from PXE media
D. Partition the boot disk as GPT
Best answer: A
Explanation: Secure Boot is the boot integrity control in this scenario. When enabled in UEFI firmware, it checks the signatures of bootloaders and other early boot components before allowing them to run. This helps prevent unauthorized bootkits or tampered boot code from starting before the operating system and its security tools are active. The stem states that the OS supports UEFI boot, so enabling Secure Boot is the best configuration choice. GPT, PXE, and unattended installation can be useful during deployment, but they do not by themselves verify that boot code is trusted.
Topic: Data Center Operations
A company is upgrading access controls for a server room that contains regulated customer data. The requirement is to reduce the risk of shared or stolen access cards while still keeping an audit trail of each person who enters. Which implementation best meets the requirement?
Options:
A. Badge-only reader with monthly access review
B. Visitor sign-in sheet at the lobby desk
C. Mechanical key issued to each administrator
D. Badge plus biometric reader at the server room door
Best answer: D
Explanation: Physical access controls should match the access risk. A badge by itself proves possession of a credential, but it does not prove the authorized person is using it. Adding a biometric factor, such as fingerprint or palm verification, reduces the risk of card sharing or stolen badges and still allows the access system to record who entered. This is appropriate for a sensitive server room where accountability matters.
A visitor process is useful for temporary escorted access, and key control can protect low-risk spaces, but neither addresses the requirement as directly as multifactor physical access.
Topic: Data Center Operations
A server team receives repeated high-inlet-temperature alerts after installing several 1U servers in a rack. Which action best addresses the dominant environmental and efficiency risk shown in the exhibit?
Exhibit: Rack environmental snapshot
| Check | Reading/Finding |
|---|---|
| Cold aisle supply | 20°C (68°F) |
| Rack top inlet | 31°C (88°F) |
| Humidity | 45% RH |
| Dust filters | Clean |
| Rack layout | 18U of open spaces between servers |
| Cable routing | Rear airflow partially tidy |
Options:
A. Replace the clean intake filters immediately
B. Install blanking panels in the open rack spaces
C. Increase room humidity to reduce static discharge
D. Add a fire suppression inspection to the maintenance plan
Best answer: B
Explanation: The dominant risk is hot air recirculation caused by open rack units. The cold aisle supply temperature is normal, humidity is in a reasonable range, and dust filters are clean, but the rack top inlet is much warmer than the supplied air. Open spaces let hot exhaust air flow back to the front of the rack instead of forcing cool air through server intakes. Blanking panels close those gaps, improve cold-aisle/hot-aisle separation, reduce localized hot spots, and support better cooling efficiency without simply lowering the entire room temperature.
Topic: Configuration and Administration
A Linux web server in a DMZ became unreachable for routine OS administration after a hardening change. Administrators normally connect from the management jump subnet 10.50.10.0/24. Internet clients only require HTTPS.
Exhibit: Access finding
| Item | Current state |
|---|---|
| Web service | 443/tcp allowed from any source |
| OpenSSH server role | Removed |
| Host firewall 22/tcp | Deny all inbound |
| Host firewall 3389/tcp | Deny all inbound |
| Out-of-band console | Available for emergency use |
Which change best restores manageability without creating unnecessary exposure?
Options:
A. Install FTP and allow 21/tcp from 10.50.10.0/24.
B. Enable RDP and allow 3389/tcp from any Internet source.
C. Install OpenSSH and allow 22/tcp only from 10.50.10.0/24.
D. Allow 22/tcp from any source and leave OpenSSH removed.
Best answer: C
Explanation: The core concept is least-exposure administrative access. The exhibit shows that the Linux server’s normal management service, OpenSSH, was removed and its SSH port is blocked. Restoring manageability requires both the service role and a matching firewall rule. Because the approved administrative path is the management jump subnet, the inbound rule should be scoped to 10.50.10.0/24, not the entire Internet. The emergency out-of-band console can be used to make the fix, but it is not the routine OS administration method. Opening unrelated or public management ports would increase attack surface without meeting the stated need.
22/tcp does not help if OpenSSH is still removed.
Topic: Data Center Operations
A data center uses alternating hot aisle and cold aisle rows. A new rack has front-to-back airflow servers, but several unused rack units were left open between installed servers. HVAC capacity is adequate, yet inlet temperature sensors at the top front of the rack are higher than the room set point. Which implementation choice best addresses the airflow problem?
Options:
A. Raise the HVAC set point for the room
B. Install blanking panels in the open rack units
C. Reverse the servers so fans face the cold aisle
D. Remove rear doors to increase exhaust mixing
Best answer: B
Explanation: Hot aisle/cold aisle design depends on separating cold intake air from hot exhaust air. With front-to-back airflow servers, the rack fronts should face the cold aisle and the rears should exhaust into the hot aisle. Open rack units create a shortcut that lets hot air recirculate from the rear of the rack to the front, especially near the top. Blanking panels fill those gaps and preserve the intended airflow path without changing HVAC capacity. The key is containment and separation, not simply making the room colder or increasing air mixing.
Topic: Performance Management and Troubleshooting
A web portal is reported as unavailable after a server reboot. Review the troubleshooting output and identify the issue most directly supported by the evidence.
Exhibit: Troubleshooting notes
Client DNS: portal.corp.local -> 10.40.8.21
Client test: TCP 10.40.8.21:443 succeeded
Server listener: 0.0.0.0:443 nginx
Host firewall: 443/tcp allowed
nginx error: connect() failed to upstream 127.0.0.1:9000
Service status: app-api inactive; dependency license-daemon inactive
Options:
A. The web server process is not listening
B. The DNS record points to the wrong server
C. The host firewall is blocking HTTPS
D. The backend application service is unavailable
Best answer: D
Explanation: The evidence separates network reachability from service availability. DNS resolves portal.corp.local to an IP address, the client can connect to TCP port 443, the server has nginx listening on 443, and the host firewall allows 443/tcp. That makes DNS, the HTTPS listener, and the firewall unlikely causes. The decisive clue is the nginx upstream failure to 127.0.0.1:9000 combined with app-api inactive and its inactive dependency. The front-end web service is reachable, but it cannot hand requests to the backend application service. The next troubleshooting focus should be the inactive application service and its dependency, not the external network path.
Topic: Security and Compliance
A team is preparing a production database server for a regulated network segment. The server must accept application traffic on TCP 5432, allow SSH only from the management VLAN, and will not use local printers, Bluetooth, or removable USB media after deployment. Which hardening action is the BEST professional decision before go-live?
Options:
A. Disable unused hardware and services, then allow only required ports
B. Install additional monitoring without changing hardware or services
C. Disable SSH and the database listener until after the next scan
D. Leave services enabled and rely only on the perimeter firewall
Best answer: A
Explanation: Attack surface reduction means removing or disabling functions the server does not need for its role. In this scenario, the database listener and restricted SSH access are required, but local printing, Bluetooth, and removable USB media are not. Disabling unused hardware controllers or firmware features, stopping unneeded services, and limiting allowed ports to the database and management access reduces exposure without disrupting the server’s intended workload. This is a practical hardening control because it addresses unnecessary entry points directly instead of depending only on detection or perimeter controls.
The key takeaway is to disable what is not needed, but keep required workload and administrative access available.
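An added example, not part of the original question set, that checks a host against its role definition. It covers both this hardening scenario and the earlier DMZ web server question about SSH from 10.50.10.0/24. Service names, the rule format, and the database server's subnets (documentation ranges) are assumptions; 443, 22, 5432 and 10.50.10.0/24 come from the page.

```python
import ipaddress

ANY = "0.0.0.0/0"

# Role definitions: service -> (tcp port, approved source network).
WEB_ROLE = {
    "nginx": (443, ANY),              # HTTPS for Internet clients
    "sshd": (22, "10.50.10.0/24"),    # management jump subnet
}
DB_ROLE = {
    "database": (5432, "198.51.100.0/24"),  # assumed application subnet
    "sshd": (22, "192.0.2.0/24"),           # assumed management VLAN
}


def audit(role, installed, allow_rules):
    """Compare a host with its role.

    installed:   set of service names present on the host
    allow_rules: list of (tcp port, source CIDR) inbound allow rules;
                 anything not listed is treated as denied
    """
    findings = []
    by_port = {port: (svc, ipaddress.ip_network(src))
               for svc, (port, src) in role.items()}

    # Anything installed that the role does not call for is attack surface.
    for svc in sorted(set(installed) - set(role)):
        findings.append(f"unneeded service: {svc}")

    # A required function needs both the service and a matching rule.
    for svc, (port, _src) in role.items():
        if svc not in installed:
            findings.append(f"required service missing: {svc}")
        if all(p != port for p, _ in allow_rules):
            findings.append(f"no allow rule: {port}/tcp for {svc}")

    # Every allow rule must map to the role and stay inside its source scope.
    for port, source in allow_rules:
        if port not in by_port:
            findings.append(f"port not in role: {port}/tcp from {source}")
            continue
        _svc, approved = by_port[port]
        if not ipaddress.ip_network(source).subnet_of(approved):
            findings.append(
                f"overexposed: {port}/tcp from {source}, approved {approved}")
    return findings


if __name__ == "__main__":
    # DMZ web server as found after the hardening change.
    print(audit(WEB_ROLE, {"nginx"}, [(443, ANY)]))
    # After installing OpenSSH with a rule scoped to the jump subnet.
    print(audit(WEB_ROLE, {"nginx", "sshd"},
                [(443, ANY), (22, "10.50.10.0/24")]))
    # Port opened to any source while the service is still removed.
    print(audit(WEB_ROLE, {"nginx"}, [(443, ANY), (22, ANY)]))
    # Database server before go-live with printing and Bluetooth still present.
    print(audit(DB_ROLE, {"database", "sshd", "cups", "bluetooth"},
                [(5432, "198.51.100.0/24"), (22, "192.0.2.0/24")]))
```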
Topic: Security and Compliance
A server team receives a security testing request for a production database cluster. Based on the ticket, which testing approach best matches the stated purpose and operational risk?
Exhibit: Security testing ticket
Target: Production database cluster
Goal: Identify missing patches and insecure configurations
Frequency: Weekly
Restrictions: No exploitation, no credential attacks, no service disruption
Output needed: Prioritized remediation report for server owners
Options:
A. Red-team exploitation exercise
B. Live failover test
C. Authenticated vulnerability scanning
D. External penetration testing
Best answer: C
Explanation: Vulnerability scanning is used to identify known weaknesses, such as missing patches, insecure settings, and exposed services, usually with lower operational risk than penetration testing. In this ticket, the weekly schedule, remediation report, and explicit ban on exploitation point to a scan, preferably authenticated so the tool can inspect patch and configuration state accurately. Penetration testing is more goal-driven and attempts to validate exploitability, which can create more risk to production systems and normally requires tighter approval, scope, and timing. The key distinction is that scanning finds and reports likely vulnerabilities; penetration testing actively proves what an attacker could do with them.
Topic: Configuration and Administration
A server team receives a maintenance request for a reporting application. The requester has an application administrator role but no server-level privileges.
Exhibit: Access finding
| Item | Finding |
|---|---|
| Account role | ReportApp Administrator |
| Local server groups | Standard Users only |
| Approved app actions | Manage reports, templates, and app users |
| Requested maintenance | Restart the ReportAPI operating system service |
What is the best interpretation of this request?
Options:
A. It should be handled by a report viewer role
B. It only requires database read access
C. It can be completed with app administrator access
D. It requires administrative server access
Best answer: D
Explanation: Application-user roles control actions inside the application, such as managing app users, reports, or templates. They do not automatically grant rights to manage the server operating system. Restarting ReportAPI is an operating system service action, so it should be performed by an account or process with appropriate administrative server privileges and change approval. The key distinction is the management boundary: app configuration inside the application versus service control on the host.
Topic: Planning and Deployment
A team is deploying storage for a write-heavy database server. The database needs 8 TB usable on day one, plus at least 50% growth headroom. The design must tolerate a drive failure and keep write latency predictable during normal operation. The budget supports up to eight 4 TB enterprise SSDs. Which storage implementation best meets these requirements?
Options:
A. Eight 4 TB SSDs in RAID 10
B. Four 4 TB SSDs in RAID 5
C. Four 4 TB SSDs as JBOD
D. Six 4 TB SSDs in RAID 6
Best answer: A
Explanation: Capacity planning must account for usable capacity, headroom, redundancy, and workload behavior. The server needs 8 TB plus 50% growth headroom, so the usable target is 12 TB. Eight 4 TB SSDs in RAID 10 provide about 16 TB usable capacity because mirrored pairs reduce usable space by half. RAID 10 also supports drive failure tolerance and typically gives more predictable write performance than parity RAID for write-heavy databases. RAID 6 can meet the usable capacity and redundancy requirement, but parity calculations and write amplification make it less ideal when predictable write latency is a primary constraint. The key takeaway is to size for future usable capacity, not just raw disk capacity.
Topic: Configuration and Administration
A server team is reviewing workloads for a consolidation project. The platform can run either VMs or containers on the same cluster. Which workload is the best candidate for a container rather than a VM?
| Workload | Lifecycle and isolation notes | Resource notes |
|---|---|---|
| Billing DB | Monthly patch cycle; strict OS isolation required | Large persistent database |
| Legacy ERP | Requires a custom kernel module and full OS tuning | Moderate CPU and RAM |
| Image API | Updated several times per day; stateless Linux service | Must scale quickly with low overhead |
| Patch test lab | Boots multiple OS versions for driver testing | Needs full guest OS instances |
Options:
A. Patch test lab
B. Legacy ERP
C. Image API
D. Billing DB
Best answer: C
Explanation: Containers are a strong fit when an application is packaged with its dependencies, updated frequently, scales horizontally, and does not require a separate guest OS or strong OS-level isolation. The Image API matches that pattern: it is stateless, Linux-based, updated several times per day, and needs quick scaling with low resource overhead. A VM is usually better when the workload needs a full operating system boundary, custom kernel behavior, or separate OS instances for testing. The key distinction is that containers share the host kernel, while VMs virtualize complete machines with their own guest OS.
Topic: Security and Compliance
A systems administrator is reviewing a newly built payroll database server before production release. The hardening goal is to reduce attack surface without breaking required access.
Exhibit: Build and exposure review
| Finding | Current state | Required for role |
|---|---|---|
| Database listener | TCP 5432 open to app VLAN | Yes |
| SSH management | TCP 22 open from jump host | Yes |
| FTP daemon | TCP 21 listening on all interfaces | No |
| USB mass storage | Disabled in firmware | No |
Which action is the best next hardening step?
Options:
A. Enable USB mass storage blocking in the OS only
B. Disable the database listener on TCP 5432
C. Move SSH management to a random high port
D. Disable the FTP daemon and close TCP 21
Best answer: D
Explanation: Attack-surface reduction focuses on removing unnecessary ways to interact with the server. The exhibit shows that the database listener and SSH access are required for the server role, while the FTP daemon is listening on all interfaces and is not required. An unused network service is a clear exposure because it may contain vulnerabilities, accept weak authentication, or be misconfigured. The appropriate hardening action is to stop and disable that service and close its port in the host firewall or service policy. Do not remove required services just because they are open; instead, restrict and monitor them according to the documented need.
Topic: Configuration and Administration
A virtualization host runs 18 production VMs. Monitoring shows CPU utilization averages 45%, but memory utilization stays above 92% and several VMs balloon or swap during business hours. A new database VM is requested and the template assigns 16 vCPUs and 64 GB RAM by default. Which implementation choice best protects workload stability and host capacity?
Options:
A. Increase vCPU counts on all existing VMs
B. Deploy the template unchanged for maximum performance
C. Enable thin provisioning for the new VM’s disks only
D. Rightsize the new VM from measured workload requirements
Best answer: D
Explanation: Rightsizing means assigning VM CPU, memory, and storage based on observed or expected workload demand rather than a generic maximum template. In this scenario, the host is already under memory pressure, shown by high memory use plus ballooning or swapping. Giving the new VM 64 GB of RAM without evidence that it needs it can reduce stability for other VMs and may cause more swapping. Large vCPU counts can also add scheduling overhead if the workload does not need them. Thin provisioning affects storage allocation efficiency, but it does not solve host memory pressure. The best implementation is to size the VM to its actual database workload and leave room for host and guest stability.
Topic: Configuration and Administration
A systems administrator is investigating intermittent application timeouts on a database server after a patch window. The team has 2,000 lines of sanitized system logs, database errors, and monitoring alerts, but no single error clearly identifies the cause. Company policy permits approved AI tools for troubleshooting if sensitive data is removed and all recommendations are validated by an administrator. Which implementation choice best fits this situation?
Options:
A. Use an approved AI tool to summarize evidence and identify likely causes
B. Reinstall the database service before reviewing the logs
C. Enable AI-based automatic remediation for all database alerts
D. Paste the full logs into a public chatbot and apply its fix
Best answer: A
Explanation: AI-assisted issue diagnosis is useful when a server problem involves large amounts of evidence that need summarization, pattern recognition, or research support. In this scenario, the logs are already sanitized, policy allows an approved AI tool, and the administrator remains responsible for validating the output. The AI tool should help organize symptoms, highlight likely correlations after the patch window, and suggest areas to investigate. It should not receive sensitive data, replace change control, or automatically make production changes without human review. The key operational setting is controlled assistance: approved tool, sanitized inputs, evidence triage, and administrator validation.
Topic: Configuration and Administration
A Windows Server system is being corrected before becoming a departmental file server. Users will access shares by FQDN, files can be larger than 4 GB, Windows ACLs and auditing are required, and the two 4 TB data drives must survive a single-drive failure. Current build notes are shown. Which correction best aligns the configuration with the role?
| Setting | Current value |
|---|---|
| Data volume | exFAT, MBR, simple volume |
| Network | DHCP-assigned address |
| Drives | Two separate 4 TB disks |
Options:
A. Use NTFS on a GPT striped volume with DHCP settings.
B. Use ext4 on an LVM mirrored volume with DHCP settings.
C. Use exFAT on an MBR striped volume with static IP settings.
D. Use NTFS on a GPT mirrored volume with static IP settings.
Best answer: D
Explanation: A departmental Windows file server should use a filesystem and volume layout that match Windows permissions, large-file support, predictable client access, and disk resilience. NTFS is the expected choice for Windows ACLs, auditing, and file-server features. GPT is appropriate for modern large disks and avoids MBR limitations. A mirrored volume uses the two disks to maintain availability if one drive fails, unlike striping. A static IP configuration, or an equivalent fixed addressing design, keeps DNS and client access stable for a server role.
Topic: Configuration and Administration
A team is moving a database to a private cloud subnet while leaving an on-premises reporting server in place. The application must use the site-to-site VPN and private endpoint only.
Exhibit:
Reporting server: reports01.corp.local
Connection string: sql-prod.apps.example.com:1433
On-prem DNS result: sql-prod.apps.example.com -> 203.0.113.25
Cloud private DNS: sql-prod.apps.example.com -> 10.50.12.25
VPN routes advertised to on-prem: 10.50.0.0/16
Firewall rule from reports subnet: allow 10.50.12.25:1433 only
Which interpretation best identifies the integration risk?
Options:
A. The database port conflicts with the firewall rule
B. The reporting server identity is not synchronized
C. The VPN lacks a route to the cloud subnet
D. On-prem DNS resolves the service to the wrong address
Best answer: D
Explanation: Hybrid integrations often depend on matching assumptions across DNS, routing, and access controls. In this case, routing and firewall policy are aligned to the private cloud address, 10.50.12.25, over the VPN. However, the on-premises DNS answer returns 203.0.113.25 for the same service name. The reporting server will use the address it resolves locally, so its connection will not match the intended private endpoint path or the firewall rule. A likely next action would be to correct split-horizon DNS, conditional forwarding, or private DNS zone resolution so on-premises clients receive the private address.
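Added example (not part of the original practice question): a short Python check that parses the exhibit lines above and tests each DNS answer against the advertised VPN routes and the firewall allow rule. The function names and the result labels are assumptions made for this illustration.

```python
import ipaddress
import re

# Exhibit text copied from the question above.
EXHIBIT = """\
Reporting server: reports01.corp.local
Connection string: sql-prod.apps.example.com:1433
On-prem DNS result: sql-prod.apps.example.com -> 203.0.113.25
Cloud private DNS: sql-prod.apps.example.com -> 10.50.12.25
VPN routes advertised to on-prem: 10.50.0.0/16
Firewall rule from reports subnet: allow 10.50.12.25:1433 only
"""


def parse_exhibit(text):
    """Turn the 'key: value' exhibit lines into typed values."""
    fields = dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    host, port = fields["Connection string"].rsplit(":", 1)

    def answer(key):
        name, ip = (part.strip() for part in fields[key].split("->"))
        return name, ipaddress.ip_address(ip)

    allow = re.fullmatch(r"allow (\S+):(\d+) only",
                         fields["Firewall rule from reports subnet"])
    routes = fields["VPN routes advertised to on-prem"].split(",")
    return {
        "host": host,
        "port": int(port),
        "dns": {"on-prem": answer("On-prem DNS result"),
                "cloud-private": answer("Cloud private DNS")},
        "vpn_routes": [ipaddress.ip_network(r.strip()) for r in routes],
        "allow": (ipaddress.ip_address(allow.group(1)), int(allow.group(2))),
    }


def evaluate(cfg, resolver):
    """List the mismatches a client would hit when using this resolver's answer."""
    name, ip = cfg["dns"][resolver]
    problems = []
    if name != cfg["host"]:
        problems.append("DNS answer is for a different name than the connection string")
    if not any(ip in net for net in cfg["vpn_routes"]):
        problems.append(f"{ip} is outside the VPN routes, so traffic leaves the private path")
    if (ip, cfg["port"]) != cfg["allow"]:
        problems.append(f"{ip}:{cfg['port']} does not match the firewall allow rule")
    return problems


def diagnose(cfg):
    """Decide which layer is the outlier (labels are hypothetical)."""
    on_prem = evaluate(cfg, "on-prem")
    private = evaluate(cfg, "cloud-private")
    if not on_prem:
        return "ok"
    if not private:
        # Routing and firewall already agree with the private answer,
        # so the on-premises DNS answer is the piece that is out of step.
        return "fix-on-prem-dns"
    return "review-routing-and-firewall"


if __name__ == "__main__":
    cfg = parse_exhibit(EXHIBIT)
    for resolver in cfg["dns"]:
        print(resolver, evaluate(cfg, resolver) or "consistent")
    print(diagnose(cfg))
```
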
Topic: Security and Compliance
A server team identifies a vendor-rated critical security hotfix for the hypervisor hosts that run a customer portal. The portal has a 99.9% availability SLA, the cluster supports live migration, and a test host has successfully installed the hotfix. The change calendar is frozen this week except for approved security emergencies. Which action is the BEST professional decision?
Options:
A. Accept the risk and document it for the next audit
B. Submit an emergency change with rollback and rolling patching
C. Wait for the next standard maintenance window
D. Patch all hosts immediately without change approval
Best answer: B
Explanation: Change control does not mean delaying every change until a normal window. A critical, validated hotfix can justify an emergency change when the process allows it, but the team still needs approval, communication, implementation steps, and rollback planning. Because the cluster supports live migration and the hotfix was tested on a host, rolling patching reduces service impact while treating the security risk promptly. This balances risk mitigation with the portal’s availability SLA and avoids uncontrolled production changes.
Topic: Planning and Deployment
A systems administrator is preparing a new Windows Server host for Hyper-V. The OS will boot from a separate volume. A second locally attached storage pool will store VM configuration files, checkpoints, and large virtual disk files. The team wants integrity features and efficient operations for virtualization storage without using a VMware datastore. Which filesystem is the best professional choice for the second volume?
Options:
A. ext4
B. VMFS
C. ReFS
D. NTFS
Best answer: C
Explanation: ReFS is the best fit for a Windows Server data volume used for Hyper-V virtual machine storage, especially when the boot volume is separate. It supports resiliency features and is designed for large data sets and virtualization-oriented operations such as efficient handling of large virtual disk files. NTFS remains broadly compatible and common for Windows boot and general-purpose volumes, but the stem asks for the best filesystem for a dedicated Hyper-V storage volume with integrity and efficiency requirements. VMFS is a VMware datastore filesystem, not a general Windows Server volume choice. ext4 is common on Linux servers, not the native choice for this Windows Server workload.
Topic: Security and Compliance
A systems administrator is reviewing a production database server before approving a routine configuration change. The business owner requires administrative access to match the approved CMDB record.
Exhibit: Access and configuration review
Server: FIN-SQL-02
Data classification: Confidential finance data
Approved admin group: Finance-DBA
Approved service account: svc_backup
Local Administrators:
Finance-DBA
svc_backup
temp_migration
Note: temp_migration was used for a completed migration; no current owner.
Last logon for temp_migration: yesterday
Which server risk is most directly supported by the exhibit?
Options:
A. A missing rollback plan for the configuration change
B. A protocol mismatch between the database and backup service
C. Unprovisioned privileged access to confidential data
D. Insufficient database storage capacity for finance records
Best answer: C
Explanation: The exhibit shows a configuration and access-control risk: an account created for a completed migration still has local administrator rights, has no current owner, and was used recently. Because the server stores confidential finance data, the operational impact is unauthorized or unaccountable privileged access. In risk handling and configuration management, this should be recorded and remediated by removing or disabling the orphaned account, validating approved access, and updating evidence after the change. The key clue is the mismatch between the approved administrative access list and the actual local Administrators membership.
Topic: Security and Compliance
A company is retiring an on-premises file server that stored HR documents, temporary build files, and application logs. The HR documents are classified as confidential and must be retained for 7 years. The temporary build files have no retention requirement. The application logs must be retained for 90 days for audit review. Which implementation choice best supports the data lifecycle requirements before disposal?
Options:
A. Classify the data, preserve required records, then sanitize the drives
B. Encrypt the full disk and send the server to recycling
C. Move all data to long-term archive storage indefinitely
D. Delete all files after copying only the HR documents
Best answer: A
Explanation: Data lifecycle handling starts by identifying and classifying the data so the correct retention and disposal rules can be applied. In this scenario, the HR documents and application logs have different retention periods, while temporary build files have no retention requirement. Required records should be preserved in an appropriate location for their stated retention period. Data that does not need to be retained should be removed, and the server’s storage should be sanitized before disposal or recycling. Encryption alone does not prove that retention rules were met, and indefinite archiving can increase cost and risk by keeping data longer than required. The key is to retain what policy requires and securely dispose of what is no longer needed.
Topic: Security and Compliance
A server administrator must apply OS security updates and RAID controller firmware to a production database server during an approved maintenance window. Compliance requires evidence that the change was tested, and the business requires a practical way to return service if the update causes boot or storage issues. Which preparation is the best choice before patching production?
Options:
A. Patch production first and create a backup after the update succeeds
B. Rely on RAID redundancy and document the change after completion
C. Test on a matching non-production server and verify rollback media/backups
D. Apply only the OS updates and defer all validation until users report issues
Best answer: C
Explanation: Patch preparation should prove two things before production changes begin: the update behaves correctly in a representative test environment, and rollback is ready if it does not. For OS, driver, firmware, or application patches, that usually means testing on a comparable non-production system, validating the affected service, confirming backup or image restore points, and preparing any vendor-supported firmware rollback media or procedure. The rollback plan should be documented and usable during the maintenance window, not invented after a failure. RAID protects against some disk failures, but it does not roll back a bad firmware or OS update.
Topic: Performance Management and Troubleshooting
A systems administrator receives alerts that an internal order application is timing out during normal business hours. The monitoring dashboard compares current values with the established weekday baseline. What is the best next action supported by the dashboard?
Exhibit: Application dashboard
| Metric | Baseline | Current |
|---|---|---|
| Web CPU utilization | 35-55% | 48% |
| Web memory utilization | 60-75% | 68% |
| DB network throughput | 200-350 Mbps | 240 Mbps |
| DB storage latency | 5-8 ms | 42 ms |
| DB disk queue length | 1-3 | 18 |
| DB free space | 38% | 36% |
Options:
A. Add web server CPU capacity
B. Increase database network bandwidth
C. Begin emergency database disk cleanup
D. Investigate database storage I/O contention
Best answer: D
Explanation: A dashboard is most useful when current metrics are interpreted against a known baseline. In this exhibit, the web tier CPU and memory are within normal ranges, and database network throughput is also within baseline. The outliers are database storage latency and disk queue length, both much higher than expected. That pattern supports a storage I/O bottleneck or contention on the database server, which can cause application timeouts even when CPU, memory, network, and free space look acceptable.
The next action should focus on validating and isolating the storage path, volume, array, or workload causing high database I/O wait.
Topic: Security and Compliance
A company is updating the recovery plan for its revenue database service.
| BIA finding | Requirement |
|---|---|
| Maximum downtime | 1 hour |
| Maximum data loss | 5 minutes |
| Data residency | In-country only |
| Test constraint | Prove recovery without disrupting production |
Which implementation best aligns the recovery plan with these requirements?
Options:
A. Use an out-of-country warm site with 5-minute replication and simulated failover tests.
B. Use an in-country hot site with near-real-time replication and isolated simulated failover tests.
C. Use an in-country warm site with weekly full backups and live production failover tests.
D. Use a cold site with nightly backups and annual tabletop exercises.
Best answer: B
Explanation: A DR plan should trace directly to the business impact analysis and recovery objectives. A 1-hour RTO and 5-minute RPO require a highly available recovery site with frequent replication, not only spare space or infrequent backups. The in-country requirement controls the site choice because recovery data and operations must stay within the approved jurisdiction. The test constraint rules out unplanned production-impacting failovers; isolated simulated failover can validate runbooks, recovery timing, and data currency without taking the live service down. The key takeaway is that DR design must satisfy availability, data loss, compliance, and validation requirements together.
Topic: Configuration and Administration
A database-backed application VM was migrated from Host A to Host B during a maintenance window. Since the migration, users report intermittent timeouts from the web tier to the database, but the VM remains powered on and responsive locally.
Exhibit: Post-migration findings
| Check | Result |
|---|---|
| VM CPU ready / memory pressure | Normal |
| Datastore latency | Normal |
| Required application VLAN | VLAN 240 |
| Host B port group used by VM | App-Net, VLAN 24 |
| Host A port group used by VM | App-Net, VLAN 240 |
Which action is the BEST professional decision?
Options:
A. Move the VM back and disable migration permanently
B. Add a second vNIC on the database subnet
C. Correct Host B port group VLAN mapping and validate connectivity
D. Increase CPU and memory reservations for the VM
Best answer: C
Explanation: The strongest evidence links the behavior to virtual networking after migration. CPU, memory, and datastore metrics are normal, so resource contention and storage latency are unlikely. The VM kept the same port group name, but Host B maps that port group to VLAN 24 instead of the required VLAN 240. That mismatch can cause failed or intermittent communication with the database even though the guest OS and application appear healthy locally.
The operationally sound fix is to correct the virtual switch or port group VLAN configuration on Host B, then validate application connectivity. After validation, migration can remain available without carrying forward an unsafe host configuration.
Topic: Performance Management and Troubleshooting
A database server became slow after a scheduled maintenance window. Users report timeouts, but the database service stays online. Review the exhibit and choose the most likely issue supported by the evidence.
Exhibit: Post-maintenance observations
Patch window: OS security updates + storage controller driver update
CPU utilization: 22% average
Memory utilization: 48% average
Network utilization: 18% average
Disk queue length: 36 average, previously 3
Avg. disk read latency: 185 ms, previously 12 ms
Event log: storport reset issued to \Device\RaidPort0
RAID controller: optimal, no failed drives
Options:
A. Memory leak in the database service
B. CPU resource pressure
C. Storage controller driver issue
D. RAID drive failure
Best answer: C
Explanation: The evidence points to a driver-related storage performance problem. The server slowed immediately after a maintenance window that included a storage controller driver update. CPU, memory, and network utilization are all moderate, so general resource pressure is not supported. The disk queue length and read latency increased sharply, and the event log shows storport resets to the RAID port. Because the RAID controller reports optimal health and no failed drives, the more likely issue is not a physical disk failure but a driver or controller I/O path problem introduced during patching. The best next step would be to review the updated driver, check vendor compatibility, and consider rollback or replacement with a supported version.
Topic: Planning and Deployment
A server engineer is approving a new 2U server build for virtualization and GPU-accelerated analytics. The workload needs at least 32 CPU cores, 512GB of ECC memory, and the A-200 GPU. Which build should be approved?
Exhibit: HCL excerpt
| Area | Supported or required |
|---|---|
| Platform | 2U P2 chassis with UEFI enabled |
| CPU | Two identical HCL-listed server CPUs for GPU configs |
| HCL CPUs | S-16C, S-24C |
| Memory | DDR5 ECC RDIMM or LRDIMM only |
| GPU | A-200 requires x16 riser and dual 1,600W PSUs |
Options:
A. P2; two S-16C CPUs; 8x64GB ECC RDIMM; A-200 with x16 riser and dual 1,600W PSUs
B. P2; two S-16C CPUs; 8x64GB ECC RDIMM; A-200 with x8 riser and dual 1,100W PSUs
C. P2; one S-24C CPU; 8x64GB ECC RDIMM; A-200 with x16 riser and dual 1,600W PSUs
D. P2; two S-24C CPUs; 4x128GB ECC UDIMM; A-200 with x16 riser and dual 1,600W PSUs
Best answer: A
Explanation: Hardware selection must satisfy both the workload requirement and the hardware compatibility list. The approved build needs two identical HCL-listed CPUs for a GPU configuration, at least 32 total cores, 512GB of supported ECC memory, and the exact riser and PSU combination required for the A-200 GPU. Two S-16C CPUs provide 32 cores, and 8x64GB provides 512GB. RDIMM is explicitly supported, and the x16 riser with dual 1,600W PSUs matches the GPU requirement. A build with faster or larger individual parts is not acceptable if those parts violate the HCL.
Topic: Planning and Deployment
A systems administrator is reviewing cloud placement options for three server-related workloads. The team wants the model that matches each workload’s administration requirements.
Exhibit: Workload notes
| Workload | Required administration model |
|---|---|
| Expense system | Vendor-provided application, browser access only, no OS management |
| Custom API | Deploy code to a managed runtime, no guest OS patching |
| Legacy inventory DB | Full guest OS control for agents, patches, and configuration |
Which mapping is supported by the exhibit?
Options:
A. Expense system: PaaS; Custom API: IaaS; Legacy DB: SaaS
B. Expense system: SaaS; Custom API: PaaS; Legacy DB: IaaS
C. Expense system: SaaS; Custom API: IaaS; Legacy DB: PaaS
D. Expense system: IaaS; Custom API: SaaS; Legacy DB: PaaS
Best answer: B
Explanation: Cloud service models shift different layers of server administration to the provider. SaaS is appropriate when the organization consumes a complete application and does not manage the server OS or application stack. PaaS is appropriate when developers deploy code to a managed platform while the provider handles the OS and runtime infrastructure. IaaS is appropriate when server administrators still need control of the guest OS, installed agents, patching, and detailed configuration, but do not want to manage the physical data center hardware.
The key distinction is whether the workload needs application use, code deployment, or guest OS administration.
Topic: Performance Management and Troubleshooting
Users report slow file opens on a virtual file server. The workload and user count are unchanged from last week. Review the dashboard snapshot and choose the best operational conclusion or next action.
| Metric | Baseline | Current |
|---|---|---|
| CPU utilization | 45% | 48% |
| Memory utilization | 62% | 64% |
| Network utilization | 40% | 42% |
| Disk read latency | 8 ms | 92 ms |
| Storage queue depth | 1-2 | 19 |
Options:
A. Increase the server memory allocation
B. Add vCPUs to the file server
C. Upgrade the network uplink speed
D. Investigate storage I/O and RAID health
Best answer: D
Explanation: A dashboard should be interpreted against the baseline, not by looking at one metric in isolation. In this snapshot, CPU, memory, and network utilization remain close to normal, but disk read latency and storage queue depth have increased sharply. For a file server with unchanged demand, that points to a storage I/O bottleneck or storage subsystem issue, such as a degraded RAID set, failing drive, controller/cache problem, or saturated storage path. The next action should focus on storage health and I/O evidence before adding compute, memory, or network capacity.
Topic: Performance Management and Troubleshooting
A file server that normally allows SSH only from the admin subnet generated these alerts:
02:13 SSH accepted for svc-backup from 198.51.100.77
02:14 sudo: svc-backup -> root command=/bin/bash
02:16 FIM: /etc/sudoers hash changed
02:18 FIM: /var/share/payroll/report.xlsx hash changed
02:20 outbound connection to 203.0.113.40:443
Which operational setting is the best next choice to support investigation while limiting additional unauthorized activity?
Options:
A. Add CPU and memory to reduce alert volume
B. Disable file integrity monitoring until changes stop
C. Rebuild the server immediately from a gold image
D. Isolate the server to a restricted forensic network
Best answer: D
Explanation: The alerts show multiple security indicators on the same server: an SSH login from an unexpected public address, privilege escalation with sudo, a change to /etc/sudoers, a protected data file modification, and suspicious outbound traffic. The best operational setting is to isolate the host so the activity cannot continue or spread while evidence remains available for review. A restricted forensic network or quarantine VLAN can allow approved investigation access without leaving the server fully connected to production or the internet.
Immediate rebuilding may be necessary later, but doing it first can destroy volatile evidence and obscure the sequence of unauthorized access, file integrity changes, and privilege escalation.
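Added example (not part of the original practice question): a small Python triage routine that reads the five alert lines from the exhibit and correlates them into the sequence the explanation describes. The admin subnet, the internal address range, the list of privilege-related files, the 15-minute window and the finding names are assumptions made for this illustration.

```python
import ipaddress
import re

# Alert lines copied from the exhibit above.
ALERTS = """\
02:13 SSH accepted for svc-backup from 198.51.100.77
02:14 sudo: svc-backup -> root command=/bin/bash
02:16 FIM: /etc/sudoers hash changed
02:18 FIM: /var/share/payroll/report.xlsx hash changed
02:20 outbound connection to 203.0.113.40:443
"""

# Assumptions (constructed values; the page does not give them).
ADMIN_SUBNET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGE_FILES = {"/etc/sudoers", "/etc/passwd", "/etc/shadow"}

LINE = re.compile(r"^(\d{2}):(\d{2}) (.+)$")
PATTERNS = [
    ("ssh_login", re.compile(r"SSH accepted for (?P<user>\S+) from (?P<ip>\S+)")),
    ("sudo", re.compile(r"sudo: (?P<user>\S+) -> (?P<target>\S+) command=(?P<cmd>\S+)")),
    ("fim", re.compile(r"FIM: (?P<path>\S+) hash changed")),
    ("outbound", re.compile(r"outbound connection to (?P<ip>[\d.]+):(?P<port>\d+)")),
]


def parse_alerts(text):
    """Parse 'HH:MM message' lines into events sorted by time of day."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue  # lines without a timestamp are not alerts
        hours, minutes, message = match.groups()
        event = {"minute": int(hours) * 60 + int(minutes),
                 "kind": "unparsed", "raw": message}
        for kind, pattern in PATTERNS:
            found = pattern.search(message)
            if found:
                event.update(kind=kind, **found.groupdict())
                break
        events.append(event)
    return sorted(events, key=lambda e: e["minute"])


def in_any(ip_text, networks):
    """True if the address parses and falls inside one of the networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def triage(events, window=15):
    """Correlate follow-on activity with an SSH login from outside the admin subnet."""
    findings = []
    entry = None  # first SSH login that did not come from the admin subnet
    for ev in events:
        if ev["kind"] == "ssh_login" and not in_any(ev["ip"], [ADMIN_SUBNET]):
            if entry is None:
                entry = ev
            findings.append(("ssh_outside_admin_subnet", ev["minute"]))
        elif entry is None or ev["minute"] - entry["minute"] > window:
            continue  # nothing to correlate with, or too late to attribute
        elif (ev["kind"] == "sudo" and ev["user"] == entry["user"]
              and ev["target"] == "root"):
            findings.append(("root_after_external_login", ev["minute"]))
        elif ev["kind"] == "fim":
            name = ("privilege_config_changed" if ev["path"] in PRIVILEGE_FILES
                    else "data_file_changed")
            findings.append((name, ev["minute"]))
        elif ev["kind"] == "outbound" and not in_any(ev["ip"], INTERNAL_NETS):
            findings.append(("external_outbound_connection", ev["minute"]))

    names = {name for name, _ in findings}
    if "ssh_outside_admin_subnet" in names and len(names) > 1:
        action = "isolate"   # unexpected login plus follow-on activity
    elif names:
        action = "review"    # unexpected login only
    else:
        action = "none"
    return {"findings": findings, "action": action}


if __name__ == "__main__":
    result = triage(parse_alerts(ALERTS))
    for name, minute in result["findings"]:
        print(f"{minute // 60:02d}:{minute % 60:02d} {name}")
    print("recommended action:", result["action"])
```
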
Topic: Configuration and Administration
A systems administrator must migrate an aging physical server that runs a stateful inventory application with a local database. The vendor supports the application on full VMs but not in containers. Clients must continue reaching the workload by its current IP address on the production VLAN, and monitoring shows consistently high memory utilization. Which migration approach is the BEST professional decision?
Options:
A. Perform a P2V migration to a VM on a bridged production vSwitch with right-sized memory
B. Rebuild the application as a container using NAT networking and ephemeral storage
C. Perform a V2V conversion to a VM on a host-only vSwitch
D. Create a new VM with minimal memory and rely on memory overcommitment
Best answer: A
Explanation: The core decision is workload fit during virtualization migration. Because the source is a physical server and the vendor supports VMs but not containers, a P2V migration is the lowest-risk fit. The workload also needs to remain reachable on the same production VLAN, so a bridged or external virtual switch is appropriate instead of NAT or host-only networking. Consistently high memory utilization means the VM should be right-sized from monitoring data, and reservations may be justified if the platform supports them. Containers are better suited to portable, container-supported application lifecycles, not unsupported stateful server lift-and-shift migrations.
Topic: Planning and Deployment
A systems administrator must install a server OS on a new rack server in a colocation facility. The server has out-of-band management with virtual media support, but no technician can access the rack until next week. The security policy also prohibits mailing removable media to the site. Which installation media choice is the best professional decision?
Options:
A. Mount the verified ISO through virtual media
B. Burn the installer to a DVD
C. Boot a live media environment from SD card
D. Create a bootable USB installer
Best answer: A
Explanation: Installation media should match the deployment context and operational constraints. In this scenario, the administrator cannot physically access the rack, and policy prohibits sending removable media. An ISO image can be checksum-validated and mounted through the server’s out-of-band management interface as virtual media, allowing a normal OS installation without USB, DVD, or SD card handling at the facility. This avoids unnecessary delay and reduces chain-of-custody risk for physical media. USB or DVD would be reasonable for local hands-on installation, but they do not satisfy the remote-access and removable-media constraints here.
Topic: Planning and Deployment
A systems administrator is preparing storage for a new Linux file server. The server boots in UEFI mode, presents a single 6 TB RAID virtual disk, and must allow future online expansion of /data without rebuilding the server. The workload stores mostly large backup image files, not millions of small files. Which storage preparation plan is the BEST professional decision?
Options:
A. Use MBR with fixed primary partitions
B. Use GPT with fixed partitions and smallest blocks
C. Use GPT with LVM and workload-appropriate block sizing
D. Use a dynamic disk with a spanned volume
Best answer: C
Explanation: GPT is the appropriate partitioning choice for a modern UEFI server with a disk larger than 2 TB. LVM is a good Linux storage layer when /data must grow later because physical storage can be added and logical volumes can be extended without redesigning the disk layout. Block size should be selected based on workload characteristics; a large-file backup repository does not benefit from choosing the smallest possible block size just to optimize for tiny files.
The key distinction is that GPT solves the partition-size and UEFI fit, while LVM solves operational flexibility after installation.
Topic: Performance Management and Troubleshooting
A new Windows application server in a restricted VLAN must join corp.example.com before deployment. The approved domain-join account was tested successfully from another server, and the security team does not allow temporary broad firewall exceptions. The join fails with “A domain controller could not be contacted.”
Evidence:
NIC DNS server: 8.8.8.8
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com: NXDOMAIN
ping 10.20.5.12: replies
Test-NetConnection 10.20.5.12 -Port 389: TcpTestSucceeded True
Time offset from dc01: +0.7 seconds
Options:
A. Request a temporary any-port firewall rule
B. Reset the domain-join account password
C. Manually resynchronize the server clock
D. Change the NIC to use internal directory DNS servers
Best answer: D
Explanation: Directory joins depend on DNS SRV records to locate domain controllers for the target domain. The evidence shows the server is using 8.8.8.8, and the required _ldap._tcp.dc._msdcs lookup returns NXDOMAIN, so the server cannot discover a domain controller even though IP reachability and LDAP connectivity to one DC appear to work. The time offset is small, and the account has already been validated from another server. The best operational fix is to configure the server to use approved internal directory-integrated DNS servers, then retry the join. Avoid broad firewall changes until DNS discovery works and a specific blocked port is proven.
Topic: Performance Management and Troubleshooting
A Linux database server is reporting write failures. Before deleting data or expanding storage, the administrator needs evidence showing whether the mounted filesystem that contains /var/lib/db is out of space.
Exhibit: Troubleshooting ticket
Server: db-prod-03
OS: Linux
Symptom: application returns "No space left on device"
Path in error: /var/lib/db/wal/000819.log
Recent change: none reported
Need: confirm filesystem capacity and free space
Which command should the administrator run next?
Options:
A. cat /etc/fstab
B. df -h /var/lib/db
C. fdisk -l
D. ls -lh /var/lib/db
Best answer: B
Explanation: The needed evidence is filesystem free space for the mount that contains the failing database path. On Linux, df is the appropriate tool to show mounted filesystem usage, including total size, used space, available space, and utilization percentage. Supplying /var/lib/db scopes the output to the filesystem that matters, which avoids confusing the issue with unrelated mounts. This is different from listing files, reading static mount configuration, or viewing partition layout. The key operational step is to verify the active filesystem capacity before making storage changes or deleting data.
Topic: Planning and Deployment
A company is deploying 30 identical rack servers in a remote colocation facility. The servers have no operating system installed. Local staff can rack, cable, and power on the hardware, but the server team wants the OS, partitioning, and initial settings applied without interactive prompts. Which installation method best meets this requirement?
Options:
A. Graphical installation from virtual media
B. Zero-touch network installation
C. Core installation from local USB media
D. Command-line installation over SSH
Best answer: B
Explanation: Zero-touch installation is the best fit when many bare-metal servers need a consistent OS build without manual prompts. It typically combines network boot, automation files, and deployment services so a technician only needs to connect the server and start the process. PXE may be part of the boot mechanism, but the key requirement in the stem is unattended installation of the OS, partitions, and initial settings. A graphical or local-media install would require more hands-on work, and SSH is not available until an OS or installer environment is already reachable.
Topic: Planning and Deployment
A company is deploying a rack server in a remote colocation facility. Administrators must be able to view POST/UEFI screens, power-cycle the server, and recover it when the production OS or network stack is unavailable. Security requires management access to be isolated from application traffic. Which option is the BEST professional decision?
Options:
A. Configure the server BMC on a dedicated management network
B. Enable SSH on the production OS with key-based login
C. Deploy a remote desktop gateway for console access
D. Add a second production NIC with network teaming
Best answer: A
Explanation: Out-of-band management is the right fit when administrators need recovery access that does not depend on the installed OS, production NIC configuration, or application network. A server BMC or similar lights-out management interface can provide remote KVM-style console access, POST/UEFI visibility, virtual media, and power control even when the OS is hung or the normal network stack is down. Placing that interface on a dedicated management network also supports the isolation requirement. OS-level tools such as SSH or remote desktop are useful for normal administration, but they fail when the OS cannot boot or networking inside the OS is broken. Extra production NIC redundancy improves availability, but it does not provide firmware-level recovery access.
Topic: Configuration and Administration
A systems administrator is updating server roles for a branch-office rollout. New VPN appliances and wireless controllers will continue to terminate user sessions, but they must authenticate users against existing directory groups, apply centralized network access policies, and keep accounting logs for audits. Which server role is the BEST fit?
Options:
A. Directory services role
B. NPS role
C. Remote desktop services role
D. RAS role
Best answer: B
Explanation: Network Policy Server (NPS) is the appropriate role when network access devices, such as VPN appliances and wireless controllers, need centralized authentication, authorization, and accounting. In this scenario, the appliances still terminate the VPN or wireless sessions, so the server does not need to provide remote access connectivity itself. The key need is policy-backed validation against directory groups plus audit-friendly accounting, which maps to RADIUS/NPS functionality. Directory services remain the identity source, but they do not replace the network policy and accounting role. The best operational choice is the role that integrates identity with network access enforcement without moving session termination to the server.
Topic: Planning and Deployment
A server administrator is preparing to add NVMe storage to a rack server that hosts a production database. The upgrade must preserve vendor support, avoid unplanned downtime, and use existing PCIe expansion slots. The proposed adapter is available immediately, but it does not appear on the server vendor’s hardware compatibility list (HCL). What is the best professional decision?
Options:
A. Use the adapter only for non-boot database files
B. Install the adapter during the next maintenance window
C. Select a validated adapter from the server HCL
D. Install the adapter and update drivers afterward
Best answer: C
Explanation: A server HCL identifies components the platform vendor has tested for compatibility with the server model, firmware, backplane, expansion slots, drivers, and operating systems. In a production database server, an unvalidated PCIe storage adapter creates operational risk: it might not initialize correctly, could have unsupported firmware or driver behavior, and may complicate vendor support if a storage or stability issue occurs. The professional decision is to choose a component validated for that server platform, even if it changes procurement timing. A maintenance window reduces change risk, but it does not make unsupported hardware compatible or supportable.
Topic: Security and Compliance
A systems administrator is reviewing a physical security finding for servers in a shared data center room. Facilities staff and other IT teams must continue to enter the room, but only the server team should physically access the payroll servers.
Exhibit: Audit finding
| Finding | Detail |
|---|---|
| Room access | Shared by facilities and network teams |
| Rack state | Payroll rack has open front and rear access |
| Incident | One patch cable was removed after hours |
| Log | Chassis intrusion event on a payroll server |
Options:
A. Install a lock cage around the payroll rack
B. Restrict all server room access to the server team
C. Add cable locks only to patch connections
D. Enable full-disk encryption on the payroll servers
Best answer: A
Explanation: The decisive issue is unauthorized physical access to specific servers inside a shared room. A lock cage or similarly secured rack enclosure protects the front, rear, cables, and chassis from people who may legitimately be in the room but should not touch that equipment. This fits the constraint that facilities and other IT teams still need room access. Cable locks help with unplugging risk, but they do not address chassis intrusion. Restricting the whole room is broader than the requirement and may block required work by other teams. Encryption protects data if drives are stolen or removed, but it does not prevent someone from opening the chassis or disconnecting cables.
Topic: Security and Compliance
A storage team submitted a standard change for a clustered virtualization host that runs production VMs. Review the change note and select the interpretation best supported by the exhibit.
Exhibit: Change note
| Item | Current state | Proposed change / finding |
|---|---|---|
| Storage HBA firmware | 5.4 | Upgrade to 6.1 |
| Installed HBA driver | 4.8 | No driver change planned |
| Vendor HCL note | Firmware 6.1 requires driver 5.x for this OS | Not validated in staging |
| Rollback plan | Previous firmware image unavailable | Restore from backup only |
Options:
A. The change should be delayed for compatibility testing and rollback planning.
B. The change can proceed if backups completed successfully before the window.
C. The change can proceed because firmware updates do not affect OS compatibility.
D. The change should be approved because no security setting is being weakened.
Best answer: A
Explanation: This change creates avoidable compatibility and availability risk. The HCL explicitly states that firmware 6.1 requires a 5.x driver for this OS, but the plan keeps driver 4.8. That means the production host could lose stable access to storage or experience driver-level failures after the firmware update. The risk is increased because the change was not validated in staging and the rollback plan does not include the previous firmware image. Backups are important, but restoring VMs from backup is a recovery action, not a safe rollback for a failed host firmware change. A controlled change should align with vendor compatibility guidance, be tested where practical, and include a clear backout path.
Topic: Security and Compliance
A company’s customer scheduling application runs in one primary data center. A business impact analysis sets an RTO of 2 hours and an RPO of 30 minutes. The recovery location must be in a different geographic region, and the budget does not allow maintaining a fully duplicated physical site year-round. Which DR approach is the BEST professional decision?
Options:
A. Use cloud DR with replicated data and prebuilt recovery templates
B. Use a warm site in a nearby branch office
C. Contract a cold site and ship backup media when needed
D. Maintain a hot site with continuously running duplicate hardware
Best answer: A
Explanation: The key decision is matching recovery objectives to cost and geography. An RTO of 2 hours and RPO of 30 minutes require more than an empty facility and occasional backup shipment, but the company also cannot justify a fully duplicated physical hot site. Cloud DR with replicated data, predefined network and server templates, and on-demand compute in another region provides a practical balance: fast enough recovery, recent enough data, geographic separation, and lower standing infrastructure cost.
Topic: Security and Compliance
A production application server uses a service account to write nightly backup sets to a protected repository. After an IAM cleanup, the backup job authenticates successfully but fails before writing data. The backup RPO is 24 hours, and the security team requires least privilege with no shared administrator credentials.
Exhibit: Job and IAM notes
Account: svc-app-backup
Last sign-in: successful
Job error: 403 Forbidden - write permission denied
Expected role: BackupWriter
Current role assignments: none
Recent change: removed inactive role assignments
Which action is the BEST professional decision?
Options:
A. Disable repository access controls until the next maintenance window
B. Reset the service account password and rerun the backup job
C. Add the service account to the server administrators group
D. Provision the service account with the BackupWriter role and retest the job
Best answer: D
Explanation: This is an unprovisioned access issue: the account exists and can sign in, but it lacks the authorization needed to perform its expected task. The 403 error, successful sign-in, missing role assignment, and documented BackupWriter role all point to authorization rather than authentication, network reachability, or backup software failure. The best action is to restore the documented least-privilege role for the service account, then validate the backup job so the 24-hour RPO remains protected. Granting broader access would create unnecessary risk, while delaying or bypassing controls would weaken security and compliance.
Topic: Performance Management and Troubleshooting
A production virtualization host in a cluster begins making an intermittent grinding noise near the rear fan/PSU area. A technician also notices a faint hot-electronics odor. The host has redundant power supplies, but monitoring shows no failed component alert yet. Cluster capacity can tolerate one host in maintenance mode. What is the best professional decision?
Options:
A. Disable fan-speed alerts until the next maintenance window
B. Reboot the host to clear possible sensor errors
C. Wait for a hardware alert before taking action
D. Drain workloads, remove the host from service, and inspect/replace the suspect component
Best answer: D
Explanation: Auditory and olfactory cues can indicate developing server hardware failures even before monitoring reports a hard fault. Grinding often points to a failing fan or bearing, while a hot-electronics odor can indicate overheating, a stressed PSU, or another electrical component issue. Because the cluster can tolerate one host in maintenance mode, the safest operational choice is to migrate or drain workloads first, then remove the server from service for inspection and component replacement. This protects availability while reducing the risk of thermal damage, power failure, or safety hazards. Waiting for an alert ignores direct evidence from the data center environment.
Topic: Data Center Operations
A server team must replace a leaking UPS battery module in a data center. The work area has a posted spill response kit, but the battery label shows an unfamiliar electrolyte type. Which operational choice should the team make before handling or disposing of the battery?
Options:
A. Place the battery in standard e-waste bins
B. Move the battery to the loading dock immediately
C. Review the battery safety data sheet
D. Ventilate the room and continue the swap
Best answer: C
Explanation: Safety data sheets (SDSs) are the correct reference when server room work involves chemicals, battery electrolytes, cleaning agents, or other hazardous materials. In this scenario, the battery is leaking and the electrolyte type is unfamiliar, so the team needs the SDS before touching, moving, cleaning, or disposing of it. The SDS identifies hazards, required PPE, safe handling, spill cleanup, first-aid measures, storage, and disposal requirements for that specific material.
General precautions like ventilation or moving the battery may be part of the response, but they should be guided by the SDS and local safety procedures.
Topic: Performance Management and Troubleshooting
A technician receives this rack-side report for a production virtualization host. Based on the exhibit, what is the most likely issue to investigate first?
Host: HV-03
Observation: high-pitched whine from rear PSU bay
Odor: burnt plastic near PSU area
Indicators: PSU 1 green; PSU 2 amber
Metrics: CPU temperature normal; fan speed normal
Storage: no RAID or SMART alerts
Options:
A. CPU cooling fan obstruction
B. Failing power supply module
C. CMOS battery failure
D. Predictive disk failure
Best answer: B
Explanation: Auditory and olfactory clues are important hardware troubleshooting signals. A high-pitched whine near the PSU bay can indicate a failing power supply component, and a burnt plastic smell suggests overheating or electrical failure. The amber PSU 2 indicator reinforces that the issue is localized to the redundant power supply path. Normal CPU temperature, normal fan speed, and no storage alerts make cooling or disk failure less likely. The safest server-management interpretation is to treat this as a power component fault and follow site procedures for isolating or replacing the affected PSU.
Topic: Performance Management and Troubleshooting
A systems administrator is configuring an observability dashboard after a file server patch. The requirement is to flag when disk latency and memory use are consistently higher than the server’s normal light-load pattern for the same time of day, even though no critical threshold has been crossed. Which observability signal best meets this requirement?
Options:
A. Capacity trend projection
B. Baseline drift comparison
C. Current resource utilization
D. Critical alert severity
Best answer: B
Explanation: Baseline drift is the best signal when the goal is to detect a sustained change from normal behavior. In this scenario, the server is not necessarily overloaded and has not crossed a critical alert threshold. The key clue is that disk latency and memory use are now consistently above the historical light-load pattern for the same time period. That requires comparing current metrics against a known baseline. Resource utilization shows pressure at a point in time, trend projection estimates future capacity risk, and alert severity prioritizes active notifications. The takeaway is to match the signal to the operational question being asked.
Topic: Data Center Operations
A company is upgrading physical security for a server room that hosts regulated workloads. Recent access reviews show valid badge holders have allowed others to follow them in after hours. The facility must reduce tailgating, record who enters, and keep emergency egress compliant. Which control is the BEST professional decision?
Options:
A. Install an access control vestibule with badge or biometric verification
B. Post security policy signs at the server room door
C. Install cameras that record the server room entrance
D. Add exterior bollards near the building entrance
Best answer: A
Explanation: Physical controls have different effects. Signs are mainly deterrent, bollards are preventive against vehicle impact, cameras are detective, and badge or biometric systems provide access management. The scenario needs more than awareness or after-the-fact evidence: it must reduce tailgating and create an entry record for regulated server workloads. An access control vestibule, often called a mantrap, allows one person through a controlled space after successful authentication and can integrate with logs while preserving emergency egress through proper life-safety design. Cameras can support investigations, but they do not reliably stop unauthorized following by themselves.
Topic: Security and Compliance
A server operations team must test the disaster recovery plan for a payment application. Management wants evidence that the standby site can run the workload, but the primary site must not be taken offline during the test.
Exhibit: DR test request
Application: payment processing
Primary site status: production traffic active
Standby site: current replicas and isolated test VLAN available
Goal: validate application startup, service dependencies, and runbook steps
Constraint: no customer-impacting cutover or DNS change allowed
Which DR testing approach best matches the request?
Options:
A. Simulated failover test
B. Unannounced production failover
C. Live failover test
D. Tabletop test
Best answer: A
Explanation: A simulated failover test is the best fit when the team needs more validation than a discussion but cannot disrupt production. In the exhibit, the standby site has current replicas and an isolated test VLAN, so the team can start services, verify dependencies, and rehearse the runbook without changing DNS or moving customer traffic. A tabletop test would be lower risk, but it mainly validates roles, communication, and decision flow rather than proving that services start correctly. A live failover provides the strongest end-to-end validation, but it intentionally moves production workload to the recovery site and can affect users if something fails. The key distinction is balancing validation depth against disruption risk.
Topic: Performance Management and Troubleshooting
A Windows Server file server shows intermittent slowdowns during the nightly backup window. The administrator must identify whether a specific backup process is causing sustained CPU, memory, or disk queue spikes, capture time-stamped evidence for later review, and avoid installing a new monitoring agent. Which tool is the best professional choice?
Options:
A. perfmon
B. Task Manager
C. Processview
D. top
Best answer: A
Explanation: PerfMon is the best fit when a Windows server needs resource behavior measured over time, especially when the evidence must be reviewed later. It can track counters such as processor utilization, memory usage, disk queue length, and process-specific activity, then record those values in a data collector set. That matches the need to observe intermittent behavior during the backup window without keeping an interactive session open. Task Manager is useful for a quick live check, but it is not the best tool for time-stamped counter collection. top is a Linux/Unix-style live process viewer, not the right Windows tool here. Processview-style tools are useful for inspecting process details interactively, but they do not best meet the logging requirement.
top is associated with Linux/Unix process inspection, not this Windows Server scenario.
Topic: Configuration and Administration
A systems administrator manages a containerized order-status API behind a load balancer. A new container image fixes a critical library vulnerability and is backward compatible. The service must stay available during business hours, current requests should not be dropped, rollback must remain possible, and the vulnerable image must be retired after validation. Which action is the BEST professional decision?
Options:
A. Perform a rolling deployment, drain old containers, validate health, then retire the old image
B. Deploy the new containers but keep the old vulnerable image indefinitely
C. Stop all old containers, deploy the new image, and restart the service
D. Patch the running containers in place and keep the image unchanged
Best answer: A
Explanation: Container lifecycle management treats containers as replaceable instances created from versioned images. For an update that affects operations, the safer approach is to deploy the new image in a controlled way, use health checks to confirm it works, drain traffic from old containers so active requests complete, and keep rollback available until validation is complete. After the replacement is confirmed, the vulnerable image should be retired or removed according to policy. This balances availability with security and avoids treating a container as a long-lived server that should be patched in place.
Topic: Data Center Operations
A defense contractor is adding a small server room for systems that process classified design files. The room is next to a public hallway and an adjacent tenant space. Security testing found measurable RF emissions from server and KVM equipment outside the room, and wireless connectivity is not required inside. Which decision BEST reduces the electromagnetic exposure and signal leakage risk without changing the server workload?
Options:
A. Install Faraday shielding around the room
B. Enable full-disk encryption on all servers
C. Add biometric readers to the server room door
D. Move the servers to locked cabinets
Best answer: A
Explanation: A Faraday cage or shielded room is a physical architectural control used when electromagnetic exposure or RF signal leakage is a concern. In this scenario, testing already found emissions outside the room, the systems handle sensitive data, and wireless service is not needed inside. Shielding the room directly addresses the signal path by reducing electromagnetic radiation that can pass through walls, doors, seams, and cable penetrations. It does not replace access control, encryption, or secure administration, but it is the control aligned to the specific RF leakage finding.
The closest distractors improve physical or data security in other ways, but they do not materially reduce electromagnetic emissions outside the space.
Topic: Performance Management and Troubleshooting
A Linux backup server cannot mount an external disk that was rotated in from off-site storage. The administrator confirms the USB enclosure powers on and the device appears in the OS. Which issue is most likely indicated by the exhibit?
Exhibit: Troubleshooting ticket
Device: /dev/sdb
lsblk -f:
sdb
└─sdb1 crypto_LUKS backup_ext_04
mount /dev/sdb1 /mnt/restore:
unknown filesystem type 'crypto_LUKS'
dmesg:
sdb: attached SCSI disk; no I/O errors reported
Options:
A. The encrypted volume has not been unlocked
B. The mount point has insufficient permissions
C. The USB enclosure is not detected
D. The disk has reported I/O hardware failures
Best answer: A
Explanation: The key clue is crypto_LUKS in the filesystem column. That means /dev/sdb1 is not directly mountable as a normal filesystem; it is an encrypted container. The operating system can see the external disk, and the log reports that the disk attached without I/O errors, so the first action is to unlock the encrypted container using the approved key or passphrase. After that, the decrypted mapped device can be mounted if the underlying filesystem is healthy and supported.
A permission problem would typically occur after attempting a valid mount operation or accessing files, not when the partition type is still an encrypted container.
Topic: Configuration and Administration
A systems administrator must place a new reporting VM on an existing virtualization cluster. No hardware purchase is approved this quarter, and the application owner requires stable performance during nightly batch jobs.
Exhibit: Current cluster summary
| Metric | Current observation |
|---|---|
| Allocated vCPU | 124 vCPU on 48 usable cores |
| Allocated memory | 460 GB on 384 GB usable RAM |
| CPU ready | 12% to 18% during batch jobs |
| Memory state | Ballooning during batch jobs |
| Storage latency | Within baseline |
Which decision is BEST?
Options:
A. Migrate the VM during a low-usage window
B. Rightsize existing VMs before placing the new VM
C. Increase the cluster overcommit ratio for all workloads
D. Assign high CPU and memory reservations to the new VM
Best answer: B
Explanation: Rightsizing is the best professional decision when monitoring shows that overprovisioning is already affecting stability. High CPU ready indicates too many vCPUs are competing for physical CPU scheduling time, and memory ballooning shows the host is under memory pressure. Since storage latency is normal, adding the new VM without correcting CPU and memory allocation would likely worsen contention during batch jobs. The administrator should review utilization trends, reduce oversized vCPU and memory allocations where safe, and place the new VM only after enough capacity exists. Reservations or higher overcommit would not fix the underlying contention and could make other workloads less stable.
Topic: Data Center Operations
A data center rack hosts storage controllers for a latency-sensitive virtualization cluster. The facility has a generator, but utility power often has brief sags and swells. The rack requires continuous power conditioning and no transfer delay when utility power fails. Which UPS implementation best meets these requirements?
Options:
A. Line-interactive UPS with AVR
B. Double-conversion online UPS
C. Metered PDU with generator support
D. Standby UPS with surge suppression
Best answer: B
Explanation: UPS selection depends on how the load is protected during normal utility power and during an outage. A double-conversion online UPS converts incoming AC to DC and then back to AC continuously, so the connected servers are always fed by the inverter. This provides strong voltage conditioning for sags and swells and avoids transfer time when utility power fails. A line-interactive UPS can correct some voltage variation with automatic voltage regulation, but it still transfers to battery during an outage. A standby UPS is the simplest design and normally passes utility power through until it switches to battery.
Topic: Performance Management and Troubleshooting
A server in a rack powers on after a planned memory upgrade, but it does not display video or start the OS. The front panel shows a POST code and the fans remain at high speed.
Exhibit: Technician notes
| Item | Value |
|---|---|
| POST display | 55 |
| Recent work | Added two RDIMMs |
| Vendor POST table | 55 = memory not installed or not detected |
| Drive LEDs | Normal activity during power-on |
Options:
A. Replace the boot drive and rebuild the OS
B. Move the network cable to a known-good switch port
C. Verify DIMM seating and memory population order
D. Clear application logs from the operating system
Best answer: C
Explanation: POST codes help narrow failures that occur during hardware initialization before the operating system loads. In this case, the server powers on but stops before video and OS startup, and the exhibit defines POST code 55 as memory not installed or not detected. Because memory was just upgraded, the best interpretation is that the new or existing DIMMs may be unseated, incompatible, placed in the wrong slots, or otherwise not detected by the system firmware.
The key takeaway is to use the visible POST code and recent hardware change to focus on the failing initialization stage instead of troubleshooting later boot, network, or OS layers.
Topic: Configuration and Administration
A virtualization host runs several VMs. One new VM will perform GPU-accelerated video rendering and the application vendor requires direct access to a specific physical GPU with minimal hypervisor abstraction. Which hypervisor configuration should the administrator use for this VM?
Options:
A. Attach the VM to a bridged virtual switch
B. Increase the VM’s virtual CPU count
C. Enable dynamic memory for the VM
D. Configure device passthrough for the GPU
Best answer: D
Explanation: Device passthrough is used when a VM must directly use a physical device, such as a GPU, HBA, NIC, or other accelerator. In this scenario, the deciding requirement is direct access to a specific physical GPU with minimal hypervisor abstraction. Assigning that device through the hypervisor to the VM lets the guest OS and application use the hardware more directly than standard virtualized resources. This can improve compatibility or performance for workloads that depend on specialized hardware. Resource tuning, memory settings, or virtual networking changes do not meet the direct-device requirement.
Topic: Data Center Operations
A data center team is refreshing a 2U backup repository server. During migration, the same hot-swap bays must accept existing SAS SSDs and SATA HDDs, then support future NVMe SSDs without replacing the backplane. The chassis HCL lists a compatible tri-mode storage controller. Which connectivity implementation best meets this requirement?
Options:
A. Use a U.2 NVMe-only backplane
B. Use a U.3 tri-mode backplane and controller
C. Use a SAS expander backplane only
D. Cable each bay directly to SATA ports
Best answer: B
Explanation: U.3 is the best fit when a server must support mixed drive technologies in the same front drive bays. With a compatible tri-mode controller and backplane, the chassis can route NVMe, SAS, and SATA devices without a backplane replacement. This is useful during staged migrations where older SAS or SATA drives must remain in service while newer NVMe drives are introduced. U.2 is associated with NVMe connectivity and does not, by itself, solve the mixed SAS/SATA/NVMe requirement. SATA-only or SAS-only cabling would preserve compatibility with some existing drives but would block the intended NVMe migration path.
Topic: Configuration and Administration
A newly installed application server must provide a stable endpoint for other servers on an IPv4 subnet. After boot, its network settings show 169.254.18.77 with no default gateway. The site does not use DHCP reservations for servers. Which configuration choice best meets the requirement?
Options:
A. Configure a static IPv4 address outside the DHCP scope
B. Publish the server’s MAC address to clients
C. Leave the server on APIPA addressing
D. Use dynamic DHCP addressing without a reservation
Best answer: A
Explanation: APIPA uses the 169.254.0.0/16 range when an IPv4 host cannot obtain a DHCP lease. It is useful only for limited local-link communication and does not provide normal routed network access because no default gateway is assigned. A production server that other systems must reliably reach should use a stable address. If DHCP reservations are not available, configure a static IPv4 address, subnet mask, default gateway, and DNS settings according to the site plan. A MAC address identifies the network interface at Layer 2, but clients do not use it as a stable application endpoint across routed IP networks.
169.254.x.x indicates DHCP fallback and is not suitable for routed production access.
Topic: Performance Management and Troubleshooting
A Linux application server suddenly cannot connect to db01.internal.example.com. The database service is healthy, the server can ping the database server’s IP address, and no maintenance window is available. The team suspects a name resolution problem. Which least disruptive tool should be used first to confirm the suspicion?
Options:
A. Run a full nmap scan against the database host
B. Use dig to query the database FQDN
C. Use traceroute to map the network path
D. Restart the local DNS resolver service
Best answer: B
Explanation: The visible facts point to name resolution rather than basic network reachability: the application cannot use the FQDN, but the server can reach the database by IP address. A DNS query tool such as dig or nslookup is the least disruptive way to confirm whether the FQDN resolves to the expected address. It does not restart services, change configuration, scan ports, or interrupt active connections.
The key is to choose a tool that validates the suspected layer directly. Connectivity and path tools can be useful later, but they do not confirm whether DNS is returning the right result.
Topic: Data Center Operations
A server room has two rack rows intended to use hot aisle/cold aisle cooling. Over the past week, top-of-rack inlet sensors have exceeded the warning threshold during peak load, but the HVAC unit has available capacity and normal return-air temperature. Several racks have unused U spaces, and some blanking panels were removed during recent hardware swaps. Which action is the BEST professional decision?
Options:
A. Reinstall blanking panels and verify cold-aisle intake orientation
B. Move perforated floor tiles into the hot aisle
C. Place portable fans behind the hottest racks
D. Lower the HVAC set point for the entire room
Best answer: A
Explanation: Hot aisle/cold aisle designs depend on separating cool supply air from hot exhaust air. Missing blanking panels allow hot exhaust to recirculate through open rack spaces and mix with server intake air, especially near the top of racks. Because the HVAC unit still has capacity and return-air temperature is normal, the likely issue is airflow management rather than insufficient cooling. Reinstalling blanking panels and confirming that server intakes face the cold aisle addresses the root airflow problem with minimal operational risk. Adding cooling or ad hoc fans can mask the symptom while wasting energy or disrupting designed airflow.
Topic: Security and Compliance
A systems administrator is reviewing a proposed patch for production virtualization hosts. Which interpretation best classifies the patch purpose and the sourcing/validation need supported by the note?
Exhibit: Patch note
Vendor advisory: VSA-2026-014
Purpose: Fixes unauthenticated remote code execution in host management service
Package: hypervisor-management-agent 8.1.4
Distribution: vendor-signed repository only; do not use repackaged mirrors
Compatibility note: supported on firmware 4.2 or later
Lab host firmware: 4.1
Options:
A. Bug fix; install only on hosts currently showing agent crashes
B. Feature enhancement; use any mirror and complete user acceptance testing
C. Routine update; deploy during the normal cycle without compatibility testing
D. Security hotfix; use the vendor-signed source and validate firmware compatibility
Best answer: D
Explanation: The patch note describes a vulnerability fix: unauthenticated remote code execution in a host management service. That makes it a security hotfix, not a general enhancement or ordinary maintenance update. The delivery source also matters because the advisory specifies the vendor-signed repository and warns against repackaged mirrors. Finally, validation must include compatibility checking because the package is supported only on firmware 4.2 or later, while the lab host is currently on firmware 4.1. The safe server-management interpretation is to treat the patch as security-driven, obtain it from the trusted vendor source, and validate or remediate the firmware dependency before production deployment.
Topic: Security and Compliance
A reimaged application server cannot authenticate to an internal identity provider to start a service. Other servers using the same service account are working.
Exhibit: Access evidence
| Check | Result |
|---|---|
| Identity | Service account enabled and not locked |
| Device trust | Server enrolled and marked compliant |
| Network | TCP 443 to identity provider succeeds |
| Protocol | Client and provider both allow TLS 1.2 |
| Current trusted time | 14:05 UTC |
| Server local time | 02:11 UTC |
| Error | Certificate is not yet valid until 14:00 UTC |
Which implementation choice should the administrator make?
Options:
A. Move the server to the previous VLAN
B. Reset the service account password
C. Disable TLS certificate validation for the service
D. Configure trusted time synchronization on the server
Best answer: D
Explanation: Zero Trust access failures should be mapped to the evidence: identity, device trust, protocol, segmentation, time, or certificate state. In this case, identity is healthy, the device is compliant, TCP 443 is reachable, and the TLS version is supported. The decisive clue is the mismatch between trusted time and the server local time. The certificate appears “not yet valid” only because the server clock is behind the certificate validity window. Restoring trusted time synchronization lets certificate validation and token authentication work without weakening security controls.
Do not bypass certificate validation to work around a clock problem.
Topic: Security and Compliance
A systems administrator is reviewing backup validation for a file server that stores regulated project data. The backup policy requires monthly recovery testing, an RPO of 24 hours, and proof that restores can be performed if the primary backup server fails. Backup jobs report successful completion, but no test restore has been performed in 5 months. Which action is the best professional decision?
Options:
A. Keep the successful job reports and extend recovery testing to quarterly
B. Replicate the backups to cloud storage and skip local restore testing
C. Increase backup frequency to every 12 hours without testing restores
D. Perform an integrity check, verify alternate restore equipment, and schedule monthly test restores
Best answer: D
Explanation: Backup validation is more than confirming that a job completed. A usable validation process should confirm backup integrity, prove that required restore equipment or alternate systems are available, and perform recovery tests at the interval required by policy. In this scenario, the policy already states monthly recovery testing and requires proof that restores can occur even if the primary backup server fails. The best operational response is to run integrity checks, verify alternate restore capability, and resume monthly test restores. Successful backup logs are useful evidence, but they do not prove that data can be restored within the recovery requirements.
Topic: Performance Management and Troubleshooting
A production file server in an active-passive cluster shows signs of unauthorized privilege escalation on the active node. The business requires the share to remain available. The incident handler must preserve evidence and avoid broad access changes that disrupt unrelated services. Which action best meets these requirements?
Options:
A. Power off the active node and remove its disks
B. Delete suspicious files and restart the file service
C. Reset all administrator and service account passwords
D. Fail over service, quarantine the node, and preserve evidence
Best answer: D
Explanation: Security containment should limit damage without unnecessarily destroying evidence or disrupting service. In this cluster scenario, the clean passive node can take over the file service, so availability is protected. The suspected node should then be quarantined from normal client traffic while logs, disk state, and other evidence are preserved for analysis. Least privilege also matters: corrective access changes should target the suspected account, credential, or role after validation rather than applying broad changes that may break unrelated services.
Powering off, deleting files, or making sweeping credential changes may feel decisive, but they can reduce forensic value or create avoidable outages. The best containment action separates the compromised system from production while keeping the workload running elsewhere.
Topic: Planning and Deployment
A systems administrator must install a server OS during a remote change window. Based on the build notes, which installation media is the best choice?
Exhibit: Deployment notes
| Item | Detail |
|---|---|
| Location | Colocation rack; no onsite technician |
| Remote access | Out-of-band console supports virtual media |
| Chassis | No optical drive; USB ports inside locked chassis |
| Network boot | PXE is unavailable |
| OS vendor package | Bootable ISO image provided |
Options:
A. Boot from live rescue media
B. Burn a DVD installation disc
C. Mount the bootable ISO as virtual media
D. Create a bootable USB installer
Best answer: C
Explanation: The decisive constraint is remote installation with no onsite technician. Because the out-of-band console supports virtual media and the vendor supplies a bootable ISO, mounting the ISO remotely is the most practical installation method. A USB installer would require physical access to locked internal ports, and a DVD is not usable because the chassis has no optical drive. Live rescue media is better suited for temporary diagnostics or recovery tasks, not as the preferred installation source for this remote OS deployment. Match the media type to the access method and hardware available during the change window.
Topic: Performance Management and Troubleshooting
A company added a new directory server at a branch office. Since then, users at that site report intermittent logon failures, and an application sometimes rejects valid service tickets. Replication status shows no link outage, but event logs on multiple servers show clock-skew and token-validation errors. Which implementation choice best addresses the likely synchronization issue?
Options:
A. Move the application database to faster storage
B. Recreate affected user and service accounts
C. Increase the directory replication interval
D. Configure servers to use an authoritative internal time source
Best answer: D
Explanation: Time synchronization is a core dependency for identity services and distributed server roles. Clock-skew and token-validation errors point to inconsistent server time, not a bandwidth or storage problem. Directory servers, member servers, and dependent applications should follow a controlled time hierarchy, typically using an authoritative internal source that itself uses a reliable upstream source. This keeps authentication tickets, replication metadata, logs, and scheduled services consistent across systems.
Replication tuning may help with delayed directory changes, but it will not correct invalid tickets caused by time drift. The key takeaway is to treat visible clock-skew symptoms as a synchronization issue before changing accounts or application storage.
Topic: Configuration and Administration
A systems administrator must automate a maintenance task for several servers. Based on the ticket, which scripting language or shell context is the best fit?
Exhibit: Automation ticket
| Requirement | Detail |
|---|---|
| Targets | 30 Windows Server Core hosts |
| Access allowed | WinRM from the admin subnet |
| Access blocked | SSH and interactive desktop sessions |
| Actions | Query Event Log, restart a service, export CSV |
| Constraint | No new agents or runtimes on targets |
Options:
A. Python script with packages installed on each host
B. SQL shell script from the database server
C. Bash script executed over SSH
D. PowerShell remoting from an admin workstation
Best answer: D
Explanation: The exhibit points to a native Windows administration task on Server Core systems with WinRM allowed and SSH blocked. PowerShell remoting is designed for this context: it can run commands remotely over WinRM, query Windows Event Logs, manage services, and export structured data such as CSV files. It also satisfies the constraint to avoid installing new agents or runtimes on the target servers.
The key selection factor is not just the language syntax, but the management context allowed by the servers and network controls. When Windows-native tasks and WinRM access are visible, PowerShell is usually the appropriate administrative shell.
Topic: Security and Compliance
A company is deploying a payroll application on an on-premises server. The security plan must include layered protection: prevent unauthorized people from reaching the rack, restrict server traffic to approved subnets and ports, and limit administrative actions to authorized server administrators. Which implementation set best matches one physical, one network, and one logical control?
Options:
A. Firewall ACLs, RBAC, locked rack
B. Locked rack, firewall ACLs, RBAC
C. RBAC, locked rack, VLAN segmentation
D. Badge reader, file permissions, camera monitoring
Best answer: B
Explanation: Layered protection uses different control categories so one failure does not expose the entire server environment. Physical controls protect facilities and hardware, such as locked racks, cages, badges, guards, and cameras. Network controls restrict or monitor traffic paths, such as firewall rules, ACLs, VLAN segmentation, and network inspection. Logical controls enforce access inside systems and applications, such as RBAC, file permissions, MFA, and account policies. In this scenario, the rack access requirement is physical, the approved subnet and port requirement is network-based, and the authorized administrator requirement is logical.
Topic: Data Center Operations
A team is adding a top-of-rack switch and must run temporary fiber between two racks during a maintenance window. Safety requirements are to keep hot and cold aisles clear, preserve emergency egress, and use existing overhead ladder racks when possible. The access-control system is already set to fail open during fire alarm or power loss. Which implementation choice best supports safe operations?
Options:
A. Change the door controller to fail secure during the window
B. Run the fiber across the aisle under a rubber mat
C. Route the temporary fiber through the overhead ladder rack
D. Stage spare servers in the exit aisle for quick access
Best answer: C
Explanation: Safe data center work depends on controlling trip hazards, maintaining clear aisles, and preserving emergency exit paths. Overhead ladder racks are intended to support and organize cabling above the work area, so using them for temporary fiber avoids floor-level cable runs that can catch feet, carts, or equipment. Equipment should not be staged in aisles or exits, even briefly, because it can block movement during normal work or an emergency. Fail-open behavior is also a life-safety setting for access-controlled egress during fire alarm or power loss. The key takeaway is to keep people’s paths clear while using the data center’s designed cable-management infrastructure.
Topic: Performance Management and Troubleshooting
A production file server supports a customer portal and cannot be taken offline without violating the service availability target. Centralized logs show a new outbound connection from an unknown process running as a service account that also has broad share permissions. Legal has requested preservation of evidence for investigation. Which action is the BEST professional decision?
Options:
A. Power off the server and remove the drives for imaging
B. Delete the process and clear related event logs
C. Add the service account to a privileged admin group
D. Apply controlled network containment and rotate the service account
Best answer: D
Explanation: The best response balances containment, evidence preservation, availability, and least privilege. Controlled network containment can restrict suspicious outbound or lateral traffic while leaving required production paths available. Preserving logs and volatile evidence before disruptive changes supports investigation. Rotating or disabling the suspected service credential, then replacing it with a least-privilege account or scoped permissions, reduces the chance of continued misuse without unnecessarily expanding access.
Immediate shutdown may be appropriate for some severe incidents, but here it would break availability and can destroy volatile evidence. Destructive cleanup actions also weaken the investigation. The key takeaway is to contain the threat in a controlled way before making broad or evidence-destroying changes.
Topic: Security and Compliance
A company wants to validate recovery capability for a customer-facing order database after changing its backup process. The service has a strict SLA, and management will not approve any customer-visible outage or risk to production data. The test must still prove that the application can start and read recovered data. Which implementation choice best meets these requirements?
Options:
A. Review the recovery runbook in a tabletop meeting
B. Perform a live production failover during peak hours
C. Restore the backup to an isolated non-production environment
D. Overwrite the production database with the latest backup
Best answer: C
Explanation: Production recovery testing provides the strongest real-world validation, but it can affect users, transactions, and live data if the test fails or is not tightly controlled. In this scenario, the key constraints are no customer-visible outage and no risk to production data. Restoring the backup into an isolated non-production environment allows the team to test whether the recovered database mounts, whether the application can start, and whether sample queries work without touching the live system. This is more meaningful than a tabletop review because it validates actual restore capability, but it avoids the operational risk of a live production failover.
Topic: Configuration and Administration
A Linux database server was deployed with a minimal image in a locked data center. After the build, administrators can only manage it from a crash cart because the SSH service is disabled. The security baseline requires no Internet-exposed management ports and access only from the management VLAN. Which change is the BEST professional decision?
Options:
A. Enable SSH from all internal VLANs
B. Install a full graphical desktop and enable remote GUI access
C. Enable SSH and restrict it to the management VLAN
D. Disable the host firewall during maintenance windows
Best answer: C
Explanation: Administrative access should be restored with the smallest practical exposure. For a minimal Linux server, SSH is the normal remote administration service, but it should be limited by firewall rules, network segmentation, and authorized accounts. Allowing SSH only from the management VLAN satisfies the operational need without opening management access broadly. A GUI or firewall disablement adds unnecessary attack surface and operational risk.
The key takeaway is to restore manageability through the appropriate admin service and scope it to the approved management path.
Topic: Configuration and Administration
A systems administrator wants to use an AI assistant to troubleshoot failed directory synchronization on a production server. Company policy allows AI-assisted research only when sensitive data is protected and all operational changes remain human-approved.
Exhibit: Ticket note
Planned AI prompt: Paste full sync logs into public AI tool
Log contents: user emails, group names, access tokens, server FQDNs
Planned action: Run returned PowerShell fix as Domain Admin
Validation: "AI said it should work"
Documentation: Update runbook with AI response only
Which action best defines the appropriate workflow boundary?
Options:
A. Run the AI-generated fix as Domain Admin during a maintenance window
B. Accept the AI response as documentation because it records the decision
C. Sanitize data, use approved access, and validate changes before production
D. Paste the full logs because troubleshooting data is not customer content
Best answer: C
Explanation: AI-assisted server workflows can support research, summarization, script drafting, and troubleshooting, but they do not remove data-handling, permission, accountability, or validation requirements. The exhibit shows multiple boundary violations: sensitive log content would be sent to a public tool, the proposed change would run with excessive privileges, and the only validation is the AI response itself. A safer workflow sanitizes or redacts sensitive fields, uses an approved tool and authorized account, tests or reviews generated changes, and requires a qualified administrator to approve production action. The key takeaway is that AI can assist the workflow, but it should not become the control owner or the source of unchecked production change.
Topic: Data Center Operations
A server team is installing a rack with eight dual-PSU servers. The rack has two independent 208V, 30A branch circuits, and each circuit ends in a NEMA L6-30R receptacle. Each server power cord has an IEC C14 plug on the PDU end. The design must preserve A/B power redundancy. Which rack PDU choice best fits?
Options:
A. Two 120V PDUs with 5-15P inputs and C13 outlets
B. Two 208V PDUs with L6-30P inputs and C19 outlets
C. Two 208V PDUs with L6-30P inputs and C13 outlets
D. One 208V PDU with L6-30P input and C13 outlets
Best answer: C
Explanation: Rack PDU selection must match both the facility-side connector and the equipment-side power cords. In NEMA naming, the P plug on the PDU input must fit the matching R receptacle in the rack, so an L6-30R receptacle calls for an L6-30P input. On the server side, IEC C13 PDU outlets accept IEC C14 plugs. Because the servers have dual power supplies and the rack has two independent branch circuits, using two PDUs, one per feed, preserves A/B power distribution. A single PDU would create a rack-level dependency even if the individual servers have redundant PSUs.
Topic: Planning and Deployment
A systems administrator is preparing a new rack server for a clean hypervisor installation. The build sheet requires booting from a 4 TB RAID 1 virtual disk and enabling Secure Boot for the host OS. The server firmware supports both UEFI and legacy BIOS modes. Which configuration is the best professional decision before installing the OS?
Options:
A. Use legacy BIOS mode with MBR and enable Secure Boot
B. Use legacy BIOS mode and split the boot disk into two partitions
C. Use UEFI mode with GPT and enable Secure Boot
D. Use UEFI mode but disable Secure Boot until after deployment
Best answer: C
Explanation: UEFI is the appropriate firmware mode when Secure Boot and large GPT-based boot disks are required. Legacy BIOS typically boots from MBR disks, which creates practical limitations for a 4 TB boot volume and does not provide Secure Boot. Because the installation is clean, the administrator should select the correct firmware mode before installing the hypervisor so the OS, bootloader, and partition layout are created consistently. Changing boot mode after installation can make the system unbootable or require reinstalling the OS.
The key takeaway is to match firmware mode to boot security and disk layout requirements before deployment.
Topic: Data Center Operations
A server administrator is populating a new rack with six 1U servers. Each server has dual hot-swappable power supplies with IEC C14 inlets. The rack has two independent UPS feeds, and each UPS presents a 208/240V NEMA L6-30R receptacle. The expected load is within the safe capacity of each feed. Which choice is the BEST rack-level power distribution decision?
Options:
A. Use two 208/240V PDUs with L5-30P inputs and plug adapters
B. Use two 208/240V PDUs with L6-30P inputs and IEC C13 outlets
C. Use one 208/240V PDU with an L6-30P input and IEC C13 outlets
D. Use two 120V PDUs with NEMA 5-15P inputs and IEC C13 outlets
Best answer: B
Explanation: Rack-level power distribution must match the facility receptacle, voltage, plug type, and server power-cord requirements. In this scenario, the UPS outlets are 208/240V NEMA L6-30R, so the PDU input plug should be L6-30P. The servers use IEC C14 power inlets, so the rack PDU should provide IEC C13 outlets for typical C13-to-C14 server power cords. Because the servers have dual power supplies and the rack has two independent UPS feeds, using two matching PDUs supports A/B power distribution: one PSU from each server connects to each PDU. That maintains availability without adding unnecessary electrical work or adapters. The key takeaway is to match voltage and connector types first, then preserve redundancy.
Topic: Configuration and Administration
A virtualization host runs several server VMs. One application VM is mostly idle during business hours but needs much more RAM during a nightly processing window. The guest OS supports hypervisor memory integration features, and the administrator wants the VM to receive additional RAM during demand spikes and release unused RAM afterward. Which memory configuration best meets this requirement?
Options:
A. Enable dynamic memory with defined minimum and maximum values
B. Reserve all host memory for the VM at startup
C. Assign a fixed amount of static memory to the VM
D. Increase the VM’s virtual CPU allocation
Best answer: A
Explanation: Dynamic memory is designed for VMs whose memory demand changes over time. With supported guest integration, the hypervisor can increase the VM’s available RAM during a spike and reclaim unused memory later, usually within configured minimum, startup, and maximum values. Static memory gives the VM a fixed allocation until an administrator changes it, so it does not automatically adapt to nightly peaks and daytime idle periods. Full reservation can protect capacity for one VM, but it reduces host flexibility and still does not describe demand-based adjustment. The key distinction is automatic memory resizing versus a fixed assignment.