Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
Server1 has the IP Address Management (IPAM) Server feature installed.
Server2 has the DHCP Server server role installed.
A user named User1 is a member of the IPAM Users group on Server1.
You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2.
The solution must minimize the number of permissions assigned to User1.
To which group should you add User1?
A.
DHCP Administrators on Server2
B.
IPAM ASM Administrators on Server1
C.
IPAMUG in Active Directory
D.
IPAM MSM Administrators on Server1
Explanation:
The user need rights to change DHCP not IPAM
C)
Members of the DHCP Administrators group can view and modify any data at the DHCP server.
http://technet.microsoft.com/en-us/library/jj878348.aspx
http://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx
I belive the right answer is D.
IPAM MSM Administrators IPAM MSM Administrators is a local security group on an IPAM server that is created when you install the IPAM feature. Members of this group have all the privileges of the IPAM Users security group, and can perform server monitoring and management tasks in addition to IPAM common management tasks.
MSM Multi-server management (MSM) in IPAM provides periodic service monitoring and configuration of managed DHCP and DNS servers using the IPAM console.
https://technet.microsoft.com/en-us/library/jj878341(v=ws.11).aspx
The one thing that is confusing me is that in WS 2012 R2 there is a new role – IPAM DHCP Administrators, which completely manages DHCP servers.
https://technet.microsoft.com/en-us/library/dn268500(v=ws.11).aspx
Unless there is a typo in the test and A should read as “IPAM DHCP Administrators” I’m going with D even though that IPAM MSM Admin can manage not only DHCP but also DNS servers and the task is asking us to allow minimum permissions.
Any comments/suggestions/remarks?
1
0
About managing DHCP only:
– “IPAM ASM administrator” Is able to manage all IP addresses, address spaces, ranges, blocks, and subnets
– “IPAM DHCP scope administrator” Is able to manage DHCP scopes through IPAM
– “IPAM DHCP administrator” Is able to manage DHCP servers configured through IPAM
The best answer is “IPAM DHCP scope administrator” but we dont have it.
So if you keep in mind to not give DNS permissions, you should go with answer A) “DHCP Administrators on Server2”
0
0
Correct is A. DHCP Administrator on Server 2
0
0
There is no type, they left IPAM out for confusion purpose. The correct is A, It should therefore say: IPAM DHCP Administrators on server 2
0
0
I think the answer is D. DHCP Administrators is a group that is created on a server when DHCP is installed. Being a member of this group allows for the management of DHCP on that server through the DHCP console. By adding user1 to that group, they would be able to use the DHCP console to manage DHCP, but they would not be able to use IPAM to manage DHCP. For this, the only option given to us would be to choose D, MSM Administrator.
2
0
Why not ‘B’
IPAM ASM Administrators: IPAM address space management (ASM) administrators can manage IP address blocks, ranges, and addresses.
0
1
I would choose B in this case. The scenario identifies the User1 must be able to use IPAM to modify Scopes. Since the IPAM MSM Administrators group has only view permission to the addresses, the next IPAM related group with least privilege to manage addresses (in my mind roughly equivalent to scope) is IPAM ASM Administrators. Although the IP address Range in IPAM is not exactly the same thing as a DHCP scope, they are generally the same range. An IPAM ASM Administrator can create reservations and create a dynamic range just like a DHCP administrator would.
The real world Microsoft answer with Windows Server 2012 R2 might be something completely different:
https://technet.microsoft.com/en-us/library/dn741281(v=ws.11).aspx
0
0
another reason to read the question carefully when you sit the exam:
New in Windows Server 2012 R2 is IPAM Role Based Access Control.
https://technet.microsoft.com/en-us/library/hh831353(v=ws.11).aspx
0
0
Even A refers to IPAM DHCP Administrator it should be configured on Server 1, not 2, which is the IPAM server.
So the answer would be D here.
0
0
Answer: A
IPAM DHCP Administrators may or may not get created. If DHCP is running on a DC, the group does not appear to be created. In this case, you would need to use DHCP Administrator for minimum permissions. DHCP Administrator would always be a valid answer, even if IPAM DHCP Administrator is a better answer in some/most cases.
0
0