Esri EAP 2201

What components does the minimum setup of an ArcGIS Enterprise base deployment consist of?

Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (Relational and Object Store (11.5)), and ArcGIS Web Adaptor.

At minimum, a base ArcGIS Enterprise deployment supports which capabilities?

Visualization, Analysis, Data Management, Data/Storage

What licensing role is required to deploy a hosting server in your base ArcGIS Enterprise deployment?

ArcGIS GIS Server role

What server licensing role supports OGC-compliant web services?

ArcGIS Image Server

What server licensing role supports geocoding?

Option 1

What ports need to be opened for Portal for ArcGIS?

7443

What ports need to be opened for ArcGIS Server

6443

What ports need to be open for ArcGIS Data Store

2443, 9876

How is access determined after federating ArcGIS Server with Portal for ArcGIS?

Access is now determined by Portal (portal members, roles and sharing permissions)

At the time of federation, items are automatically created in the portal for all existing ArcGIS Server web services. Who are these items owned by?

These items are now owned by the Portal’s Initial ADMINISTRATOR who performs federation

What are services published directly to Portal called and where are they stored?

Services published directly to Portal are HOSTED services and placed in an ArcGIS Server folder called Hosted

When a hosted feature layer is published using ArcGIS Pro, a copy of the data is placed in which location?

ArcGIS Data Store

For which two tasks should an administrator consider exporting the content of an ArcGIS Enterprise portal group as an export package item (EPK)?

Migrating content between portals & Backing up group content for archival or recovery

Which component of the base ArcGIS Enterprise deployment acts as a content management system for an organization's GIS information products?

Portal for ArcGIS

In ArcGIS Pro, an original feature layer is exposed for editing using which method?

copy it to ArcGIS Server

How does federation impact an ArcGIS Server site?

By federating a server site, the identity-based security model that Portal uses replaces the built-in role-based security model of the server site.

What is a core capability of federation?

The ability to host tile layers, imagery layers, feature layers and scene layers that are published by portal members

After federating, why might an administrator want to disable the ArcGIS Server primary site admin account (PSA)?

• If left enabled, the PSA account can be used to bypass Portal’s user/role controls by logging directly into Server Manager since it is a superuser

• disabling the PSA forces all admin and publishing to go through Portal-managed accounts

Why might an admin decide to keep the primary site admin (PSA) account enabled?

• If portal site goes down/is corrupted, the PSA is the only way to access Server Manager directly

• Disaster recovery/migration work if you need to detatch/re-federate the server

Which tasks are essential for securing and optimizing an ArcGIS Enterprise deployment? (Select three)

• A. Enforce HTTPS-only communication

• B. Integrate with an enterprise identity provider

• C. Deploy Portal and Server on the same machine for simplicity

• D. Tune OS file descriptor and TCP/IP settings

• E. Disable logging to improve performance

A, B, D

Which ArcGIS Enterprise tools or interfaces can administrators use to automate routine maintenance tasks? (Select two)

• A. ArcGIS Server Manager GUI

• B. ArcGIS REST API with Python scripting

• C. Notebook Server web notebooks

• D. WebGISDR command-line utility

B, D

When should you register a folder (rather than a database) as a data store?

• A. To serve shapefiles, raster files, or file geodatabases stored on disk

• B. To serve enterprise geodatabases requiring versioning

• C. To serve spatiotemporal big data ingestion

• D. To store tile cache packages only

A

To optimize a busy map service for start-up latency, which service pooling setting should you configure?

• A. Minimum number of instances

• B. Maximum Record Count

• C. Maximum number of cached scales

• D. Supported Layers

A

Which of the following are core tasks in the "Implement and Deploy" section of the EAEP2201 exam? (Select three)

• A. Authorize ArcGIS Enterprise software

• B. Develop custom geoprocessing tools in ArcGIS Pro

• C. Integrate an identity store or provider

• D. Apply basic OS-level security best practices

• E. Configure Portal website appearance

A, C, D

When generating an ArcGIS Server license file, which file extension do you upload into Server Manager?

• A. .prvc

• B. .ecp

• C. .rld

• D. .arc

B

Which tasks are best automated using Python scripts against the ArcGIS REST API? (Select two)

• A. Bulk user and group provisioning

• B. Manual CSV import via the Portal UI

• C. Scheduling regular WebGISDR backups

• D. Direct database schema changes

A, C

Which ArcGIS Server Manager page shows CPU, memory, and thread metrics for the site?

• A. Site → Health

• B. Site → Security

A

What are the main elements that compose ArcGIS Pro licensing? (Select all that apply)

• A. User identity (e.g., named user)

• B. License level (Basic, Standard, Advanced)

• C. Named user license manager server

• D. Authorization expiration date

A, B

What could cause an “Unable to perform licensing related tasks” error when working with ArcGIS on a system? (Select all that apply)

• A. The ArcGIS license has expired

• B. The licensing server is unavailable

• C. Environment variables were incorrectly set

• D. The workstation lacks sufficient disk space

A, B, C

Which ArcGIS Pro license level is required to create and manage enterprise geodatabases, including versioning and topologies?

• A. Basic

• B. Standard

• C. Advanced

• D. Any license with Data Reviewer extension

(B) Explanation: Creation and management of enterprise geodatabases, versioned data, and topologies require at least the Standard license level (or Advanced, which includes everything Standard offers)

After upgrading ArcGIS Enterprise components, you're unable to connect to the License Manager. Which configuration could be the root cause?

• A. Multiple ArcGIS products installed causing environment variable conflicts

• B. Running License Manager under limited user account

• C. Licensing files have been moved to a new directory

• D. Portal encryption keys expired

(A) Explanation: Installing multiple Esri products on the same system may leave residual environment variables pointing to outdated locations. These need to be reviewed and reset to ensure proper licensing functionality.

In a multi-machine ArcGIS Server site, services randomly disappear and then reappear; errors like “Failed to write heartbeat” and “Error synchronizing with config store” appear. What should you inspect first?

• A. Virtual machine resource allocation

• B. ArcGIS Server patches

• C. File share configuration for config-store

• D. DNS cache consistency

(C) Explanation: These symptoms typically indicate issues with the shared configuration store. Misconfigured or unreliable file shares can disrupt synchronization across server nodes

Your ArcGIS Enterprise installation fails at setup with a message: “This installation package is not supported by this processor type.” What’s the probable cause?

• A. Missing administrator privileges

• B. Attempting installation on a non-64-bit OS

• C. Insufficient disk space

• D. Port configuration error

(B) Explanation: The ArcGIS Enterprise Builder requires a 64-bit system. Trying to install on a 32-bit OS leads to this error

A map service is slow to display. Server Manager logs show high layer draw times. What optimization steps can you apply?

• A. Increase map resolution

• B. Add more layers to cache

• C. Simplify symbology and use scale-dependent rendering

• D. Disable map caching

(C) Explanation: To improve performance, remove unused layers, simplify symbolization, enforce scale dependencies, and consider cached maps where applicable.

You anticipate high traffic for certain services. According to Server statistics, what's the best practice to maintain performance?

• A. Set minimum instances to zero for unused services

• B. Always keep maximum instances at lower limit

• C. Increase minimum instances for frequently used services

• D. Disable idle timeouts

(C) Explanation: Setting higher minimum instances ensures readiness, reducing latency. Lowering or zeroing them for low-use services frees resources.

You design maintenance cycles for Enterprise. What operational practices help minimize production disruptions?

• A. Avoid maintenance windows

• B. Use banners to notify users

• C. Apply patches directly in production

• D. Skip staging environments

(B) Explanation: Communicating maintenance windows via notifications helps manage expectations. Testing changes in staging environments reduces risk to production

Your deployment uses IIS URL Rewrite and ARR. After rule activation, Experience Builder fails to load scripts. What’s a likely fix?

• A. Keep configuration as is

• B. Disable URL Rewrite/ARR

• C. Move Monitor to isolated host

• D. Remove Web Adaptor

(C) Explanation: Installing Monitor with URL Rewrite on the same host as Enterprise components can cause instability. Best practice is to isolate Monitor on a dedicated machine

Scenario:
You publish a hosted feature layer to Portal. Publishing completes, but attempting to view the layer shows:

"The layer, <name>, cannot be added to the map."
Data Store status in Server Manager shows "unreachable."

Question:
What’s the most likely root cause?

• A. The managed database service has reached max connections

• B. The ArcGIS Data Store service is stopped on the hosting server

• C. The Portal is not licensed for hosting

• D. The ArcGIS Server logs are set to WARNING level

(B) Explanation: If the ArcGIS Data Store service is stopped or unresponsive, the hosting server cannot retrieve hosted data. Restarting the service and verifying it is healthy usually resolves this

Scenario:
After installing a new SSL certificate on your ArcGIS Server, users can access services internally via https://servername.domain.com:6443, but external users via the Web Adaptor (https://gis.company.com) receive a certificate error.

Question:
What is the likely issue?

• A. The Web Adaptor is not bound to port 443

• B. The certificate’s subject alternative names (SAN) do not include the Web Adaptor URL

• C. The server’s firewall is blocking traffic to port 443

• D. ArcGIS Server’s minimum SSL protocol version is set too high

(B) Explanation: A certificate must cover all hostnames clients will use. If the Web Adaptor FQDN isn’t in the SAN list, browsers will reject it as a mismatch.

Scenario:
You upgrade Portal for ArcGIS from 10.9.1 to 11.0 but leave the ArcGIS Server site at 10.9.1. Portal now shows:

"The hosting server is not reachable or not federated."

Question:
Which action will most likely resolve this?

• A. Clear the Portal content index

• B. Upgrade ArcGIS Server to match Portal’s version

• C. Restart Portal and ArcGIS Server services

• D. Disable the Primary Site Administrator account

(B) Explanation: Portal and ArcGIS Server must run the same major version for federation to work. Version mismatch can break the trust relationship.

Scenario:
Nightly backups of your relational data store fail with the error:

"Unable to write backup file to location."
The location is a network share.

Question:
What’s the most likely root cause?

• A. The network share is out of disk space

• B. The share uses SMB 1.0 protocol

• C. The Portal database index is locked

• D. The hosting server’s CPU is overloaded

(A) Explanation: Backups require available space on the target share. This is often overlooked until failures occur.

Scenario:
Users report that certain hosted feature services hang intermittently. Logs show "Waiting for available instance" messages.

Question:
What’s the likely fix?

• A. Reduce maximum record count in the service properties

• B. Enable feature caching in the map viewer

• C. Increase the service’s maximum number of instances

• D. Remove all indexes from the database

(C) Explanation: The service has reached its concurrent instance limit. Increasing the max instances allows more simultaneous requests to be served.

Portal login page loads, but authentication fails for all users (including admins).
What’s the likely cause?

• A. Identity provider (IdP) is unreachable

• B. Content index corruption

• C. HTTPS certificate mismatch

• D. Web Adaptor removed from IIS

(A) If SAML or enterprise logins are configured, an unreachable IdP will block all logins.

After a restore from backup, thumbnails and hosted feature layers are missing.
What is the likely oversight?

• A. Backup didn’t include the content directory

• B. Wrong Web Adaptor URL in DNS

• C. SSL binding missing

• D. Upgrade patch missing

(A) Explaination - Restores require both Portal configuration and content directory data.

ArcGIS Server Manager won’t load, but services are running.
What’s your first check?

• A. Log level

• B. Content store location

• C. Identity store

• D. Port 6443 firewall rule

(D) If port 6443 is blocked, Manager is inaccessible.

Relational Data Store works, but spatiotemporal store shows “unhealthy.”
Fix?

• A. Reinstall Data Store

• B. Verify all spatiotemporal nodes are online and reachable

• C. Change backup frequency

• D. Disable sync

(B) Spatiotemporal store health depends on all nodes being active.

Hosted feature layers show blank data after database migration.
Likely cause?

• A. Database moved without updating Data Store connection string

• B. Portal cache needs clearing

• C. DNS TTL expired

• D. Server log level too low

(A) Migrated databases require updated connection info.

Web Adaptor installed in IIS works internally but fails externally.
First check?

• A. Reduce min instances

• B. Restart Portal

• C. Disable proxy

• D. External DNS record and firewall rules for port 6443 (server) 7443 (portal)

(D) External access depends on DNS and firewall allowing HTTPS traffic.

After importing a new SSL cert, browsers still show old cert.
Likely cause?

• A. Cert not bound to HTTPS port in IIS

• B. SAN missing

• C. DNS cache delay

• D. Outdated OCSP response

(A) The cert must be bound to the correct HTTPS listener.

Internal users access services fine; external users get certificate mismatch error.
Cause?

• A. Web Adaptor not using HTTPS

• B. SAN does not include external FQDN

• C. Content store on internal path

• D. Config-store permissions

(B) External names must be in the certificate SAN.

Which setting enforces encrypted traffic for all Portal and ArcGIS Server requests?

• A. Enable TLS 1.3 only

• B. Configure the Web Adaptor for HTTPS

• C. Set the security configuration to HTTPS Only in Portal and Server admin settings

• D. Bind SSL certs to port 6443 only

(C) Explanation: The best practice is to configure HTTPS Only in both Portal (/portaladmin/security/config/update) and Server (/admin/security/config/update) to ensure all traffic is encrypted.

Why is it recommended to disable the ArcGIS Server Primary Site Administrator (PSA) account after federation?

• A. It consumes additional server resources

• B. It bypasses Portal’s user authentication and role management

• C. It is required for SSL termination

• D. It prevents upgrades

(B) Explanation: PSA access bypasses Portal’s security model. Disabling it enforces centralized authentication and reduces security risk. Keep credentials securely stored in case Portal access is lost.

Which practice aligns with the principle of least privilege?

• A. Give all publishers Administrator role to avoid permission issues

• B. Maintain a single shared admin account

• C. Allow anonymous access to all services for ease of use

• D. Assign users only the role and privileges they require to perform their duties

(D) Explanation: Granting minimal necessary privileges reduces risk if accounts are compromised and limits accidental configuration changes.

You replace the default self-signed cert on ArcGIS Server with a CA-signed cert, but browsers still warn of an untrusted connection when using the Web Adaptor URL.
Question:
What’s the likely cause?

• A. The certificate was not imported into the OS trust store

• B. The certificate’s Subject Alternative Name (SAN) does not include the Web Adaptor hostname

• C. The Web Adaptor is not configured for HTTPS

• D. The certificate is expired

(B) Explanation: All hostnames clients will use must be listed in the certificate SAN to avoid trust errors.

What’s the most effective way to detect suspicious activity in ArcGIS Enterprise?

• A. Monitor ArcGIS Server and Portal security logs for repeated failed logins or unusual IP addresses

• B. Enable DEBUG log level permanently

• C. Review backup logs only

• D. Disable logging to improve performance

(A) Explanation: Regularly reviewing security logs helps detect brute-force attacks, account misuse, or configuration tampering.

Which approach strengthens security and improves user lifecycle management in ArcGIS Enterprise?

• A. Use the built-in ArcGIS Enterprise accounts exclusively

• B. Integrate with an enterprise identity provider (LDAP, Active Directory, SAML)

• C. Disable all external identity providers

• D. Create one admin account for all staff

(B) Explanation: Integration with enterprise IdPs ensures consistent password policies, centralized deactivation of departed users, and better audit trails.

Your organization wants to share some services publicly but keep others internal.
Question:
Which is the best practice?

• A. Use separate ArcGIS Server sites for public and internal services

• B. Allow all services to be public and rely on obscurity

• C. Require VPN for all access

• D. Remove the Web Adaptor

(A) Explanation: Hosting public services on a separate site or instance reduces risk to sensitive data and isolates potential attacks.

When exposing REST endpoints, which practice reduces attack surface?

• A. Cache all directory requests

• B. Allow anonymous directory browsing for transparency

• C. Use only HTTP

• D. Disable the REST Services Directory in production environments

(D) Explanation: Disabling the Services Directory reduces the ability of anonymous users to discover available endpoints.

Which setting enforces encryption for all Portal and ArcGIS Server traffic?

• A. Configure the Web Adaptor for HTTPS

• B. Enable “HTTPS Only” in both Portal and Server security settings

• C. Bind an SSL certificate to 6443 only

• D. Block HTTP via firewall

(B)

Your SSL certificate works for gis.company.com but fails for maps.company.com. What’s the most likely cause?

• A. SAN field missing maps.company.com

• B. Firewall misconfiguration

• C. Expired root CA

• D. Incorrect SSL binding

(A)

What’s the WebGIS DR tool’s role in security?

• A. Encrypts backups of the Enterprise deployment

• B. Creates public service indexes

• C. Deletes all data from Data Store

• D. Manages SSL certificates

(A)

Why should you track SAML signing certificate expiration?

• A. They enable HTTP access

• B. They slow down map rendering

• C. They reduce CPU usage

• D. They enable HTTP access Expired certs break single sign-on authentication

(D)

Scenario:
The /arcgis/admin endpoint returns “403 Forbidden” externally but works internally. What is the likely Cause and how to fix it?

Likely Cause:
Firewall or reverse proxy rules restricting admin API access to internal subnets only.

Fix:
Adjust firewall rules if external admin access is needed — otherwise, this is expected behavior.

Scenario:
A security scan shows your secured service URLs listed on the REST Services Directory page. What is the likely Cause and how to fix it?

Likely Cause:
REST Directory is enabled in production.

Fix:
Disable the Services Directory in ArcGIS Server Manager under Site > Security > Settings.

Scenario:
After adding a reverse proxy, federated services show “Unable to connect to service” errors. What is the likely Cause and how to fix it?

Likely Cause:
Federation URLs in Portal do not match the reverse proxy’s public FQDN.

Fix:
Update federation and Web Adaptor URLs in Portal to match the public entry point.

Scenario:
Security patching completed yesterday; now WebGISDR backups fail. What is the likely Cause and how to fix it?

Likely Cause:
Backup directory lost write permissions for the ArcGIS service account.

Fix:
Restore folder permissions or assign correct access rights to the ArcGIS service account.

Scenario:
Security monitoring flags a client forcing TLS 1.0 connections to your server. What is the likely Cause and how to fix it?

Likely Cause:
ArcGIS Server still allows outdated cipher suites and TLS versions.

Fix:
Restrict TLS to 1.2+ and disable weak cipher suites in OS and ArcGIS SSL settings.

Scenario:
ArcGIS Data Store reports “Unable to authenticate to Portal” after a password change. What is the likely Cause and how to fix it?

Likely Cause:
ArcGIS Data Store uses stored admin credentials that are now invalid.

Fix:
Update Data Store’s admin account credentials using configuredatastore with the new password.

What interface do you use to change the location of the portal content directory? What other directories can you NOT move to a network drive?

Use the Portal Admin Directory under System > Directories > Content > edit Directory

cannot move index, db, and temp directories off the local portal machine

How to disable external content for Portal?

Portal Admin Directory under System > Content > External Content > Update and ensure the FALSE option is selected

If you are configuring a disconnected environment, how do you address the pre-configured collection of basemaps from ArcGIS Online that comes with ArcGIS Enterprise?

First, disable external content through Portal Admin. Then create custom basemaps and configure the organization to offer these basemaps in the basemap gallery

What utility can be used to update the service account running Portal for ArcGIS service on Windows?

use the configureserviceaccount utility

Scenario:
Your organization recently configured SAML authentication with an enterprise identity provider. After the configuration, users report they cannot log in, receiving “Invalid Credentials” errors, while built-in Portal accounts work.

Question:
What is the most likely cause, and how should you resolve it?

Likely Cause: Portal does not trust the SAML identity provider due to misconfigured metadata, expired signing certificate, or incorrect Entity ID.

Built-in accounts work because SAML only affects federated authentication.

Scenario:
You integrated Portal with Active Directory. Users are automatically assigned the Viewer role based on their AD group, but some users require Publisher privileges. Assigning the Publisher role manually is cumbersome.

Question:
What approach should you take to manage roles efficiently?

Answer:

• Map specific AD groups to Portal roles during integration (group-based role assignment).

• Use automated provisioning tools or Python scripts to assign roles based on AD group membership.

Explanation:
EAEP expects administrators to leverage role mapping and avoid repetitive manual assignment, ensuring consistent access aligned with organizational groups.

Scenario:
You have a Portal group that should mirror an AD security group for access to restricted content. Users report missing content even though they are in the AD group.

Question:
What could be the cause and how can you fix it?

Likely Causes:

• Group sync between Portal and AD is not configured correctly.

• Users were added to AD after the last sync and Portal group has not been updated.

Resolution:

• Configure automatic AD group synchronization in Portal.

• Trigger a manual sync for immediate updates.

• Ensure group names and attributes match exactly between AD and Portal.

Scenario:
A long-time GIS analyst is leaving. They own hundreds of hosted feature layers and maps in Portal. Content must remain available without interruption.

Question:
How should you handle content ownership migration?

Answer:

• Use Portal administrative tools or Python scripts to reassign content ownership to a different user.

• Verify sharing permissions remain consistent after migration.

• Notify the new content owner.

Scenario:
Your Portal allows both built-in and enterprise (SAML/AD) accounts. An external contractor needs temporary access without creating a full AD account.

Question:
Which approach is recommended?

Answer:

• Create a built-in Portal account for the contractor with the minimum required privileges.

• Add the account to a specific group that limits content access.

• Disable the account when access is no longer required.

Scenario:
Due to a security audit, hundreds of hosted layers that were shared publicly must now be restricted to organization-only access. Manual updates are not feasible.

Question:
How can this be efficiently accomplished?

Answer:

• Use Python scripts with the ArcGIS API for Python to iterate through items and update sharing settings in bulk.

Scenario:
A project team requires temporary access to sensitive layers without creating permanent organizational roles.

Question:
How should this be configured?

Answer:

• Create a project-specific group with limited lifespan.

• Add only required users.

• Remove the group after project completion.

Scenario:
Your Portal environment must support internal AD users and external contractors with SAML accounts. Contractors require temporary access to limited content, while internal staff use AD authentication.

Question:
How do you configure authentication and access to meet security requirements?

Answer / Steps:

1. Configure SAML integration for the external IdP.

2. Maintain AD integration for internal users.

3. Create separate groups: One for contractors, one for internal users.

4. Assign content based on group membership: Contractors have limited access; internal users retain full access.

5. Enforce least privilege: Assign minimal roles to contractors (Viewer).

6. Implement expiration policies: Automatically remove contractor accounts after project completion using Python scripts.

Scenario: Your organization integrated Portal with Active Directory. Users in the “GIS_Publishers” AD group should have the Publisher role, while “GIS_Analysts” should be Viewer.

Question: How should you ensure roles are correctly assigned?

A. Assign roles manually for each user.
B. Map AD groups to Portal roles using the Enterprise Identity Store configuration.
C. Remove AD integration and create built-in accounts.
D. Use ArcGIS Pro to change roles for all users.

(B) Explanation: EAEP best practice is group-based role mapping for large teams, avoiding manual role assignment.

Scenario: After SAML integration, AD users cannot log in, receiving “Invalid Credentials,” while built-in accounts work.

Question: What is the most likely cause?

A. Portal is offline.
B. .Users entered wrong passwords.
C. Misconfigured SAML IdP metadata, signing certificate, or Entity ID mismatch.
D. ArcGIS Pro must be updated.

(C) Explanation: SAML login failures typically stem from trust, certificate, or metadata issues. Built-in accounts bypass SAML.

Scenario: Users log in via AD and SAML. Some SAML users report login errors.

Question: Likely cause?

A. ArcGIS Pro version mismatch.
B. AD accounts expired.
C. Portal downtime.
D. Misconfigured SAML IdP, certificate, or Entity ID.

(D) Explanation: Multi-identity store login issues often involve SAML configuration problems.