The on-call system administrator has made a change on the ESXi host requiring a restart of the management network. Lockdown mode is enabled.
Which action should the administrator take to restart the management network?
A. Use the vSphere client to enable local authentication services, then log on directly to the ESXi Shell and run services mgmt-vmware restart.
B. Use an SSH client to log on to the command line and run services mgmt-vmware restart.
C. Use the vSphere client to enable the DCUI and then log on to the ESXi Shell and use the menu to restart the management network.
D. Log on directly to the DCUI and use the menu to restart the management network.
Correct Answer: D
Explanation/Reference:
The administrator can restart the management network by logging in to the Direct Console User Interface (DCUI) while the host is in lockdown mode, provided the administrator has the required permissions to access the DCUI.
To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. Only the vpxuser user has authentication permissions; no other users can perform operations against the host directly.
Enabling or disabling lockdown mode affects which types of users are authorized to access host services, but it does not affect the availability of those services. In other words, if the ESXi Shell, SSH, or Direct Console User Interface (DCUI) services are enabled, they will continue to run whether or not the host is in lockdown mode.
Users can be assigned DCUI access privileges explicitly via the DCUI Access advanced configuration option. The option has DCUI.Access as the key, and a comma-separated list of ESXi users as the value. Users in the list can access the DCUI at any time, even if these users are not administrators (Admin role), and even when the host is in lockdown mode.
Incorrect Answers:
A: You cannot log on directly to the ESXi Shell when the host is in lockdown mode. Therefore, this answer is incorrect.
B: Although the SSH service is still running when the host is in lockdown mode, no user can log on to the server using SSH. Therefore, this answer is incorrect.
C: The DCUI is not disabled in lockdown mode, so it does not need to be re-enabled. However, in lockdown mode, no user can access the ESXi Shell through the vSphere client. Therefore, this answer is incorrect.
References:
https://pubs.vmware.com/vsphere-55/index.jsp#com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html
https://pubs.vmware.com/vsphere-55/index.jsp#com.vmware.vsphere.security.doc/GUID-F8F105F7-CF93-46DF-9319-F8991839D265.html