An architect needs to increase the number of VizQL processes on Node 2 from 2 to 4. Which specific sequence of TSM commands must be used to apply this change and ensure the cluster is updated? (Select two)
`tsm topology set-process -n node2 -p vizqlserver -c 4`
`tsm pending-changes apply`
`tsm restart`
`tsm configuration set -k vizqlserver.procs -v 4`
Explanation: The `tsm topology set-process` command is used to define the number of instances for a specific process on a specific node. Once the topology is changed, the changes are "pending." The `tsm pending-changes apply` command is required to commit and restart the necessary services.
When migrating Tableau Server from Linux to Windows, which of the following security-related configurations is most likely to require a complete redesign rather than a straightforward translation of settings?
SSL/TLS cipher suite configuration
Firewall rules for client-to-server communication
Process user impersonation for data source connections
Active Directory group integration for site membership
Explanation: Process user impersonation (Run As User) is a feature that allows Backgrounder or VizQL processes to run under the security context of the logged-in user, crucial for row-level security with Windows-integrated authentication (like Kerberos). On Linux, this is implemented via a Pluggable Authentication Module (PAM) and requires complex configuration. On Windows, it uses the Windows security subsystem and Active Directory. The underlying mechanism is completely different. While the conceptual setting "impersonate user" exists in both, the backend configuration and prerequisites (like Kerberos keytabs on Linux vs. SPNs in AD on Windows) constitute a redesign. Firewall rules, ciphers, and AD group integration are more directly translatable.
During sizing for a Tableau Server deployment supporting 2,500 Creators and 10,000 Viewers (with 10% concurrency), you calculate workload using Tableau's relative coefficients (Creator = 2.4, Explorer = 1,
Viewer = 0.75). Select two correct sizing considerations.
Use 16-core nodes for clusters exceeding 40 total cores to optimize performance
Plan for a minimum of 600-800 Explorers per 8-core node assuming 10% active users
The total workload is equivalent to approximately 8,000 Explorers, requiring at least 10 nodes with 8 cores each for production capacity
Allocate at least 8 GB of RAM per core across all nodes to support production workloads
Explanation: Tableau recommends at least 8 GB of RAM per core for production nodes. For sizing, a node can support 600-800 Explorers with 10% concurrency, so plan accordingly for the calculated workload.
In a blue-green deployment strategy for a major version upgrade (e.g., 2021.3 to 2022.3), which of the following actions represents the "switch" that makes the new environment live for end-users?
Changing the `server.gateway.public.host` configuration in the green environment's TSM settings.
Running `tsm apply-changes` on the green environment.
Updating the external load balancer or DNS configuration to point the canonical production URL to the green environment's gateway.
Running `tsm stop` on the blue environment to force traffic to the green one.
Explanation: The core of a blue-green switch is a routing change at the infrastructure layer, not within Tableau Server itself. The "switch" is performed by updating the configuration of the external load balancer (or DNS with a low TTL) so that the production hostname (e.g., `tableau.company.com`) resolves to the IP address or load balancer of the newly upgraded "green" environment. This redirects all user traffic instantly.
In a distributed Linux environment, you need to verify that the network latency between the VizQL Server nodes and the File Store nodes is within acceptable limits as per Tableau's architecture guidelines. Which Linux command-line tool provides the most relevant metric for this check?
`traceroute`
`netstat -i`
`ping`
`iperf3`
Explanation: While `ping` measures round-trip time for small ICMP packets, `iperf3` is a tool specifically designed to measure maximum TCP bandwidth and the quality of a network link. It can generate sustained traffic between nodes and report on bandwidth, jitter, and packet loss, which are more relevant for the
data-intensive communication (e.g., extract transfers) between VizQL and File Store nodes. This provides a better real-world performance test than simple latency checks.
Configure Activity Log for auditing in Tableau Server. Select two best practices.
Enable via tsm configuration set -k activity_log.enabled -v true
Set retention period with activity_log.retention_days
Integrate with SIEM via webhook
Export logs daily using REST API
Explanation: Enabling activity_log.enabled activates logging. Setting activity_log.retention_days controls storage.
Post-install verification reveals Cache Server unresponsive on node5 Ubuntu 24.04. proxy HAProxy marks backend down. /var/opt/tableau/tableau_server/data/tabsvc/cache 700 tableau:tableau. nginx logs "Connection refused". What permission on cache metadata resolves this?
setfacl -R -m u:tsmagent:rwx /var/opt/tableau/tableau_server/data/tabsvc/cache
systemctl set-property --runtime tableau-cache-server.service MemoryMax=16G
chmod 777 /var/opt/tableau/tableau_server/data/tabsvc/cache/.lock;chown -R tableau:tableau /cache
find /var/opt/tableau/tableau_server/data/tabsvc/cache -type f -exec chmod 666 {} ;
Explanation: setfacl granting tsmagent rwx on cache directory enables auxiliary service coordination for Cache Server inter-process locking, resolving Connection refused during proxy health checks.
A deployment requires isolation of resource-intensive extract refresh jobs from interactive viz workloads while maintaining H
A. Which node topology and service colocation strategy is appropriate? (Select two.)
A. Colocate Gateway and VizQL Server on initial node for load balancing
Dedicate worker nodes with only Backgrounder and Data Engine processes
Run Coordination Service ensemble only on initial three nodes
Add unlicensed nodes for Backgrounder scaling without consuming licenses
Explanation: Dedicated worker nodes with Backgrounder and Data Engine isolate extract jobs, improving performance stability for interactive usage. Unlicensed nodes allow scaling Backgrounder processes for job capacity without additional core-based licensing costs.
When designing a Tableau Server installation for a highly available environment, which network specification is non-negotiable for communication between nodes in the cluster?
A low-latency, high-bandwidth private network.
A multicast-enabled network for service discovery.
Public Internet with SSL encryption.
A dedicated VPN tunnel for each node pair.
Explanation: Tableau Server nodes in a cluster constantly communicate (heartbeats, cache invalidation, service status, file store access). This inter-node communication requires a low-latency (typically sub- millisecond), high-bandwidth private network to ensure cluster stability and performance. High latency or packet loss can cause service failures and instability. Tableau does not use multicast. While encryption is good, a private network segment is the foundational requirement; SSL can be used atop it. VPNs add unnecessary overhead for private data center networks.
In an air-gapped environment, you are configuring the Resource Monitoring Tool. Since the RMT Server cannot reach the internet to download updates, which two actions must be performed for its maintenance? (Select two)
Verify the RMT Server's internal PostgreSQL database health using local monitoring tools
Use the `rmtadmin` command-line utility to perform offline updates to the RMT database schema
Use `tsm maintenance metadata-services enable` to sync RMT data
Manually download the RMT Server and Agent installers and transfer them via secure media
Explanation: Maintenance in an air-gapped environment is entirely manual; updates to the RMT software must be downloaded externally and brought in. Furthermore, because external monitoring of the RMT Server itself is limited, the architect must rely on local database health checks and OS-level monitoring to ensure the RMT infrastructure remains operational.
A multinational corporation requires Tableau Server extracts to be encrypted at rest to comply with data sovereignty laws. The data must be inaccessible without the proper key, even if the underlying disk storage is compromised. The infrastructure team mandates the use of a centralized, audited key management system (KMS). Which encryption method must be implemented and configured?
Configure external keychain encryption via the `tsm security external-keys` command, integrating with the corporate KMS.
Use the Tableau Services Manager (TSM) configuration CLI to set the `extract.encryption.key` property with a KMS-provided key.
Enable SSL for all data source connections and set the `http.ssl.truststore.password` property.
Utilize the keychain on the initial node's operating system and replicate it manually to all other nodes.
Explanation: To meet the requirement of using a centralized, audited KMS for extract encryption at rest, you must configure external keychain encryption. This is done using the `tsm security external-keys` command set, which allows Tableau Server to integrate with an external key management service (like AWS KMS, Azure Key Vault, or a Thales CipherTrust manager). This method securely stores and manages the encryption keys outside of Tableau's internal keystore, ensuring extracts are protected even if the disk is compromised and providing the required audit trail from the KMS.
When verifying system groups and file system permissions on a new Linux node, you discover that the
`tableau` user cannot access the backup directory located at `/mnt/tableau_backups`. The directory is owned by `root:root` with permissions `770`. Which steps will correctly grant the necessary access? (Select two)
Use `setfacl -m u:tableau:rwx /mnt/tableau_backups` to provide granular access
Change the group ownership of `/mnt/tableau_backups` to `tsmadmin`
Set the directory permissions to `775` to allow the group to read and execute
Grant the `tableau` user `sudo` rights specifically for the `tar` and `cp` commands
Explanation: Assigning the directory to the `tsmadmin` group (which the `tableau` user is a member of)
allows the service to write backup files. Using POSIX Access Control Lists (ACLs) via `setfacl` is an even more precise method to grant the `tableau` service account full permissions without changing the primary ownership of the mount point.
A Tableau Architect needs to size an environment for a "heavy-extract" user base. Each extract is between 5GB and 10GB. Which sizing specification is most appropriate for the "Backgrounder" nodes? (Select
two)
A. 1 vCPU for every 2GB of RAM on the node
B. Use of 'External File Store' to avoid local disk space issues
Fast local SSD storage for the 'temp' directory used during extract generation
Minimum 128GB RAM per node
Explanation: Large extracts require significant RAM to process in-memory before being written to disk. Furthermore, during the creation of a .hyper file, Tableau uses a temporary directory for sorting and processing; if this disk is slow, extract refresh times will suffer regardless of CPU speed.
In a blue-green upgrade, select two correct licensing considerations.
Treat Green as non-production for licensing purposes
Use Advanced Management license for RMT monitoring during upgrade
Blue and Green can share the same license during transition
Green environment requires separate licensing during testing
Explanation: Green requires separate licensing. Treat it as non-production.
Automated deployment script for 8-node Tableau Server fails secondary node addition with "topology version mismatch." What Silent Installer planning resolves this?
Distribute tsm-security-esv3.key pre-install across nodes
Lock topology version using tsm configuration set -k topology.versionLock
Pre-execute tsm topology export -f baseline.json on coordinator
Generate consistent topology.json with sha256 checksum validation
Explanation: Implementing automated deployment mandates generating a baseline topology.json on the orchestration server, computing SHA256 checksums for integrity, and validating matching checksums on target nodes before silent execution of tsm topology apply -f topology.json.
A global bank's 2500 Viewer dashboard farm (7% concurrency) needs process sizing for extracts. Topology recommendation?
18 VizQL across 5 nodes
10 total
Backgrounder focus
High VizQL single node
Explanation: 18 VizQL across 5 nodes scales for Viewer-equivalent workloads (0.75 factor) at 7% concurrency, horizontally distributing for dashboard farm stability.
An architect needs to ensure that the Tableau Server Repository is backed up daily. They are using the
`tsm maintenance backup` command. Where is the backup file stored by default, and how can the path be changed? (Select two)
The default path is `C:\ProgramData\Tableau\Tableau Server\data\tabsvc\files\backups\`.
The default path is the same directory where the PostgreSQL binaries are located.
The path can be changed using the `tsm configuration set -k basefilepath.backuprestore -v "D:\TableauBackups"`.
The path is modified by changing the `TABSVC_BACKUP_PATH` environment variable.
Explanation: Tableau Server stores backups in a specific sub-folder of ProgramData by default. Architects can redirect this to a different drive (like a dedicated backup volume) using the
`basefilepath.backuprestore` configuration key followed by a pending changes apply.
OpenID Connect introspection fails rate limiting in Tableau Server with Keycloak during token validation bursts. 429 errors returned. Introspection cache TTL=300s. What caching strategy mitigates?
Implement tokenset JOSE header replay detection
Reduce max_age to 60s with aggressive refresh
Configure userinfo endpoint fallback with introspection_cache_size=10000
Enable JWT introspection with local validation
Explanation: Keycloak introspection endpoints throttle; local JWT validation using JWKS bypasses rmtp, with signature verification handling bursts while maintaining security.
An architect needs to migrate an existing Tableau Server with a local repository to an external Azure Database for PostgreSQL. What is the correct sequence of events? (Select two)
Disable the internal repository using `tsm topology set-process -n node1 -c pgsql -count 0`.
Create a backup of the current Tableau Server using `tsm maintenance backup`.
Use `pg_restore` to manually move data to Azure before running TSM commands.
Run `tsm topology external-services repository enable` with the connection JSON and the backup file.
Explanation: The migration process involves taking a standard Tableau backup first. Then, the `tsm topology external-services repository enable` command is executed, which takes the backup file as an
input to populate the new external repository with the existing metadata before switching the server over to use it.
Here are 30 high-difficulty, scenario-based multiple-choice questions focused on advanced Tableau Server infrastructure design, process topology, sizing, node configurations, service-to-node relationships, and external service integration (external file store, external repository, external gateway). All questions are "Select All that Apply" or specify the number of correct answers, with exactly four options each.