Yournetwork contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
Server1 has the IP Address Management (IPAM) Server feature installed.
Server2 has the DHCP Server server role installed.
A user named User1 is a member of the IPAM Users group on Server1.
You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2.
The solution must minimize the number of permissions assigned to User1.
To which group should you add User1?
A.
DHCP Administrators on Server2
B.
IPAM ASM Administrators on Server1
C.
IPAMUG in Active Directory
D.
IPAM MSM Administrators on Server1
Explanation:
The user need rights to change DHCP not IPAM
C)
Members of the DHCP Administrators group can view and modify any data at the DHCP server.
http://technet.microsoft.com/en-us/library/jj878348.aspx
http://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx
This is a wierd question. The user needs to be able to change the DHCP Scope on Server2 using IPAM.
To administer DHCP and/or DNS in IPAM, you need to have the IPAM MSM role.
So that would be answer D:.
If the user needed to be abloe to administer DHCP on server2 (not using IPAM) the answer would be A: DHCP Administrator on Server2
2
0
B is the Correct ans as we need to minimize the permissions for User1
https://technet.microsoft.com/en-us/library/jj878348.aspx
0
0
Franc is right. IPAM ASM doesn’t give permissions to manage DHCP scopes. IPAM MSM does.
https://technet.microsoft.com/en-us/library/hh831353(v=ws.11).aspx#ASM
1
0
wrong
0
0
wrong or bad question^^ (sorry)
0
0
User 1 is a member of the IPAM users group, so he can use IPAM already. He only needs to modify DHCP. So the given answer is correct. He does not need additional permissions.
0
1
You need to manage DHCP scopes using IPAM, not using DHCP Admin tools.
Answer is B. IPAM ASM Administrator allows you to manage IP blocks, ranges and IP addresses, without giving you additional administrative permissions.
0
1
Correct, IPAM ASM Administrators allows to manage IP blocks, ranges and etc., BUT User1 needs to MODIFY DHCP scopes. With ASM membership you can only create reservation on DHCP, but to modify scope-level settings such as range settings, exclusion list, DNS update settings and etc. – User1 needs MSM permission. Just tested in lab.
1
0
Answer: D
Verified in test lab.
2
0
Side Note: If your testing with an ID that has administrator rights on the IPAM server, your test results will be inaccurate, as this appears to give the user rights for all IPAM roles. Test should be performed with a standard user from non IPAM server.
0
0
I say B for IPAM ASM Administrators
If you give D, IPAM MSM to user, then you also give access to administer the DNS servers:
IPAM MSM Administrators: Users who are in the IPAM Users IPAM security group and have the privileges to manage DHCP and DNS server instance-specific information. Such users are Multi Server Management (MSM) Administrators.
IPAM ASM Administrators will be able to modify DHCP scopes, as is in its “definition”:
IPAM ASM Administrators: Users who are in the IPAM Users IPAM security group and have the privileges to perform the add and modify address space management operations. Such users are Address Space Management (ASM) Administrators.
https://msdn.microsoft.com/en-us/library/hh878296.aspx
Correct me if I’m wrong but according to this link with glossary terms, ASN is the better option
0
0
meant to add this as well… the question states “minimize the number of permissions assigned to User1”. MSM would be too much as that would give DNS permissions as well as DHCP.
0
0
disregard. I just had some time to test this and I tried all four options above, after creating a standard AD user, and added it to the IPAM Users group on my DHCP server.
A, B and C failed to allow User1 to modify the DHCP scope via the IPAM console while logged into the IPAM server
D allowed User1 to modify the DHCP scope via IPAM console while logged into the IPAM server
So I recant my previous statement and will agree with answer D for IPAM MSM Administrators on Server1 (the IPAM server)
3
0
correction, added User1 to IPAM Users on the IPAM server
1
0
Last update, I promise. There is a similar question in an MCSA book I have. There is a group named “IPAM DHCP Administrators”. I wonder if that was supposed to be a choice in place of “DHCP Administrators”. If so, then the more likely answer would be “IPAM DHCP Administrators” as that would allow the user to manage DHCP and keep them from managing DNS as the question requires.
0
0
IPAM MSM Administrators: Users who are in the IPAM IPAM security group and have the privileges to manage information specific to the DHCP and DNS server instance. These users are Multi-Server Management (MSM) Administrators.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ipamm/39bcd84c-4d67-4711-85cc-6a03eaf1bb3d
“You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2.”
The user should use IPAM, so the answer is D. Definitely.
0
0