Reference
Reference

Domain 3: Autonomous Database Dedicated (11%)

Domain 3 of the 1Z0-931-25 Oracle AI Autonomous Database 2025 Professional exam covers Autonomous Database on Dedicated Exadata Infrastructure and the Cloud@Customer deployment model. This domain represents approximately 6 questions on the 50-question exam (90 minutes, 68% passing score). Despite its moderate weight, this domain tests architectural distinctions and operational procedures that differ significantly from the Serverless/Shared model covered in other domains.

The exam syllabus defines six objectives for this domain:

  1. Describe ADB Dedicated and ADB Cloud@Customer workflows and functionality
  2. Provision dedicated resources
  3. Create OCI policies for autonomous dedicated environments
  4. Monitor dedicated infrastructure
  5. Manage maintenance scheduling (patching)
  6. Manage encryption keys

1. ADB Dedicated Architecture and Deployment Models

Dedicated vs. Shared: The Core Distinction

On Shared (Serverless) infrastructure, your Autonomous Database runs on multi-tenant Exadata hardware shared with other Oracle customers. On Dedicated infrastructure, you get committed Exadata hardware exclusively for your organization -- dedicated compute, storage, network, and database service. No other customer shares your physical infrastructure. (ADB Dedicated Overview)

Aspect Shared (Serverless) Dedicated
Infrastructure Multi-tenant Exadata, Oracle-managed Single-tenant Exadata, customer-controlled
Isolation Logical isolation only Physical compute, storage, and network isolation
Maintenance control Oracle schedules everything Customer sets maintenance windows per resource
Encryption keys Oracle-managed or OCI Vault Oracle-managed, OCI Vault, Oracle Key Vault, OCI EKMS, or AWS KMS
Network Public endpoint or private endpoint in VCN Always private -- dedicated VCN with private subnets
Deployment locations OCI public cloud regions only OCI public cloud, Cloud@Customer, Dedicated Region C@C, Oracle Database@AWS
Provisioning hierarchy Flat (provision ADB directly) Layered (Exadata Infra > AVMC > ACD > ADB)
Database users Need OCI account to provision Database users need no OCI account (only DBA and Fleet Admin do)
Cost model Pay-per-use elastic Committed capacity

Exam trap: Dedicated does not mean "unmanaged." Autonomous Database on Dedicated infrastructure is still fully autonomous -- Oracle still handles self-driving, self-securing, and self-repairing operations. The difference is where those operations run (your dedicated hardware) and how much control you have over scheduling and configuration.

The Four-Layer Resource Hierarchy

Dedicated infrastructure uses a strict four-layer provisioning hierarchy. You must understand the parent-child relationships because the exam tests provisioning order and inheritance. (ADB Dedicated Components)

Exadata Infrastructure (EI)
  └── Autonomous Exadata VM Cluster (AVMC)
        └── Autonomous Container Database (ACD)
              └── Autonomous AI Database (ADB)
                    └── Autonomous Backup (auto-managed)
Layer What It Represents Key Facts
Exadata Infrastructure (EI) Physical Exadata hardware (compute nodes + storage cells) Managed by Fleet Administrator. One EI can host multiple AVMCs.
Autonomous Exadata VM Cluster (AVMC) Set of symmetrical VMs across all compute nodes, linked to EI Separate maintenance schedules per AVMC. Different license models per AVMC. Can coexist with traditional (non-Autonomous) Exadata DB VM Clusters on the same EI.
Autonomous Container Database (ACD) Container for Autonomous Databases, runs Oracle CDB Supports Oracle Database 19c or Oracle Database 26ai (26ai requires ECPU-based AVMC with DatabaseVersion tag set to 26ai). Multiple ACDs per AVMC.
Autonomous AI Database (ADB) User-facing pluggable database Inherits database version from parent ACD. Two workload types: Lakehouse (DW) or Transaction Processing (OLTP).

Exam trap: You cannot provision an Autonomous Database without first having an ACD, and you cannot create an ACD without an AVMC, and you cannot create an AVMC without an EI. The exam tests this provisioning order. If a question asks "what must exist before creating an Autonomous Container Database," the answer is an Autonomous Exadata VM Cluster.

Deployment Models

Oracle offers four deployment locations for Dedicated infrastructure. (ADB Dedicated Overview)

Deployment Model Location Use Case
Dedicated Exadata Infrastructure (Public Cloud) OCI public cloud region Private database cloud within public cloud. Full isolation with all OCI services.
Exadata Cloud@Customer Customer data center Data sovereignty, regulatory compliance, low-latency access to on-premises systems. Self-service database delivery.
Dedicated Region Cloud@Customer (DRCC) Customer data center Entire OCI region deployed on-premises. Functionally identical to OCI public cloud. Highest isolation level.
Oracle Database@AWS AWS cloud region Run Autonomous Database in AWS for low-latency access to AWS-based applications. Some features unsupported.

Exam trap: Cloud@Customer is not the same as running Oracle Database on your own servers. Oracle owns, operates, and maintains the Exadata hardware in your data center. You control the data; Oracle manages the infrastructure. The Cloud@Customer service is still billed as an OCI service and managed through the OCI Console.

2. Provisioning Dedicated Resources

Compute Models: ECPU vs. OCPU

AVMCs can use ECPU-based or OCPU-based compute. Key constraints: (ADB on Dedicated Exadata Infrastructure)

  • Multiple AVMCs on a single EI require ECPU-based infrastructure
  • ACDs provisioned with Oracle Database 26ai require an ECPU-based AVMC with DatabaseVersion tag set to 26ai
  • The CPU type of the ACD is inherited from the parent AVMC
  • Legacy (pre-multiple-AVMC-feature) Exadata Infrastructure requires a My Oracle Support service request to add additional AVMCs

Default Resource Sizes

Resource Default Minimum
CPU count (ECPU) 2 ECPUs 2 ECPUs
CPU count (OCPU) 1 OCPU 1 OCPU
Storage (Lakehouse) 1024 GB (1 TB) 32 GB
Storage (Transaction Processing) 32 GB 32 GB
Auto-scaling Up to 3x base CPU --

Autonomous Database for Developers (Free Tier on Dedicated)

Available only on ECPU-based ACDs without Autonomous Data Guard: fixed at 4 ECPUs and 32 GB storage. No manual or auto-scaling. Designed for development and functional testing. (ADB on Dedicated Exadata Infrastructure)

3. OCI IAM Policies for Dedicated Environments

Three Logical Roles

Dedicated infrastructure separates duties into three roles. The exam expects you to know which role does what: (IAM Policies for ADB Dedicated)

Role Responsibilities OCI Account Required?
Fleet Administrator Manages EI, AVMCs, ACDs. Controls infrastructure and networking. Yes
Database Administrator Creates/manages Autonomous Databases. Manages ADMIN user and database access. Yes
Database User Connects to databases, writes applications, stores/accesses data. No

Resource Types and Policy Verbs

IAM uses the aggregate resource type autonomous-database-family to cover all dedicated resources. Individual types: (IAM Policies for ADB Dedicated)

Resource Type Platform
autonomous-databases All
autonomous-backups All
autonomous-container-databases All
cloud-autonomous-vmclusters Oracle Public Cloud only
autonomous-vmclusters Exadata Cloud@Customer only
autonomous-virtual-machine All

Exam trap: The resource type names differ between Public Cloud and Cloud@Customer. Public Cloud uses cloud-autonomous-vmclusters and cloud-exadata-infrastructures. Cloud@Customer uses autonomous-vmclusters and exadata-infrastructures (no cloud- prefix). A policy written for one platform will not work on the other.

IAM verbs are cumulative: inspect < read < use < manage. Each higher verb includes all permissions of lower verbs.

Essential Policy Patterns

Fleet Administrator -- manages infrastructure:

Allow group FleetAdmins to manage cloud-exadata-infrastructures in compartment InfraComp
Allow group FleetAdmins to manage cloud-autonomous-vmclusters in compartment InfraComp
Allow group FleetAdmins to manage autonomous-container-databases in compartment InfraComp
Allow group FleetAdmins to use vnics in compartment NetworkComp
Allow group FleetAdmins to use subnets in compartment NetworkComp

Database Administrator -- manages databases:

Allow group DBAAdmins to manage autonomous-databases in compartment DBComp
Allow group DBAAdmins to manage autonomous-backups in compartment DBComp
Allow group DBAAdmins to read autonomous-container-databases in compartment InfraComp

Workload-specific restriction using target.workloadType:

Allow group DWAdmins to manage autonomous-databases in tenancy
  where target.workloadType = 'DW'

Exam trap: Creating an ACD requires manage autonomous-container-databases PLUS use cloud-autonomous-vmclusters PLUS use cloud-exadata-infrastructures on Public Cloud. Many operations require permissions on multiple resource types simultaneously. The exam tests these compound permission requirements.

Compartment Best Practice

Oracle recommends at least two compartments for separation of duties:

  1. Infrastructure compartment -- Exadata Infrastructure, AVMCs, ACDs
  2. Database compartment -- Autonomous Databases

An additional dedicated compartment for Vaults and Keys is recommended when using customer-managed encryption. IAM policies granting ADB access to keys must be at a compartment level higher than the vault compartment. (Master Encryption Keys for ADB Dedicated)

4. Monitoring Dedicated Infrastructure

Fleet Management and Ops Insights

Ops Insights provides 360-degree visibility into the dedicated fleet: (ADB on Dedicated Exadata Infrastructure)

  • CPU and storage resource utilization analysis
  • Capacity forecasting based on historical trends
  • SQL performance comparison across databases in the fleet
  • Enterprise-wide performance trend identification
  • AWR statistics analysis for diagnostics

Ops Insights is disabled by default and must be enabled from the OCI Console.

ADB Metrics

Standard monitoring metrics include: CPU utilization, storage utilization, successful/failed logon attempts, connection attempts, database operations, SQL query and transaction counts. Accessible via the OCI Console and Monitoring APIs.

Oracle Data Safe

Available for Dedicated infrastructure (requires configuration): Security Assessment, User Assessment, Data Discovery and Masking, Activity Auditing, and high-risk user identification. (Access Control for ADB Dedicated)

5. Maintenance Scheduling and Patching

This is a heavily tested area. Dedicated infrastructure gives customers significant control over when and how patches are applied. (Service Maintenance for ADB Dedicated)

Three Types of Maintenance

Type Frequency Scope Key Details
Quarterly patches (RU/RUR) Each quarter EI, AVMC, ACD Main Release Update. Applied at all three resource levels with configurable windows.
Monthly security patches Monthly (only when CVSS >= 7 vulnerabilities exist) EI (all platforms), AVMC (GOV regions only) Zero impact on databases. DB servers patched via Ksplice (online). Storage servers patched in rolling fashion (~15 min/DB server, ~60 min/storage server).
One-off patches As needed (critical SRs only) ACD Generated for critical My Oracle Support service requests. Auto-applied within 72 hours if not rescheduled.

Patching Methods

Method Behavior Downtime
Rolling Updates ACD one node at a time No downtime for Autonomous Databases
Non-Rolling Shuts down all nodes, updates in parallel Full downtime for ACD and all databases in it

Exam trap: With Autonomous Data Guard, non-rolling maintenance causes downtime on BOTH the primary AND standby ACDs during their respective maintenance windows. And "Patch Now" is NOT available when Data Guard is configured -- you must reschedule to the nearest 4-hour window instead.

Patching Execution Order

When maintenance is scheduled at multiple resource levels simultaneously, Oracle auto-serializes in this fixed order:

  1. Exadata Infrastructure (first)
  2. Autonomous Exadata VM Cluster (second)
  3. Autonomous Container Database (last)

Maintenance Scheduling Controls

Customers can customize at each resource level:

  • Permitted months: Minimum one month per quarter. Can skip a quarter (max 2 alternate quarters per year, never consecutive).
  • Week of month: Calendar-date-based (1st, 8th, 15th, 22nd).
  • Day of week: Optional.
  • 4-hour maintenance window: When maintenance can begin.
  • Lead time (EI and AVMC only): Minimum weeks of advance notification.
  • Data Guard buffer (ACD only): 1-7 days between standby and primary patching. Standby is always patched first.

One-Off Patch Lifecycle

  1. Oracle generates patch for critical service request
  2. Notification sent via OCI Events/Notifications
  3. Patch auto-scheduled within 72 hours
  4. Customer can reschedule within the current quarter (cannot skip entirely)
  5. One-off fixes are forward-merged into the next Release Update for fleet-wide availability
  6. If the next RU is chosen before the one-off is applied, Oracle cancels the one-off patch

Monitoring Maintenance

Query the DB_NOTIFICATIONS view inside any Autonomous Database:

SELECT * FROM DB_NOTIFICATIONS WHERE TYPE = 'MAINTENANCE';

Returns: status (SCHEDULED, IN_PROGRESS, COMPLETED, FAILED, SKIPPED), expected/actual start and end times, patch ID, maintenance method (RAC_ROLLING or NON_ROLLING), and database impact level.

OCI Events service generates four event types per resource: Maintenance Scheduled, Maintenance Reminder (1-4 weeks before), Maintenance Begin, and Maintenance End.

6. Encryption Key Management

All data in Autonomous Database is encrypted at rest using Transparent Data Encryption (TDE). The exam tests the different key management options and their tradeoffs. (Master Encryption Keys for ADB Dedicated)

Key Management Options

Option Where Keys Are Stored Platform Notes
Oracle-managed keys (default) PKCS#12 keystore on the Exadata system All No configuration required. Oracle handles full lifecycle.
OCI Vault OCI Key Management service Public Cloud AES 256-bit. HSM or Software protection mode. Supports BYOK (import your own key material).
Oracle Key Vault (OKV) On-premises OKV appliance Cloud@Customer Centralized enterprise key management. Requires endpoint registration.
OCI External KMS (EKMS) Third-party KMS outside OCI Public Cloud only Currently supports Thales only. Keys never leave the external system -- OCI holds key references.
AWS KMS AWS Key Management Service Oracle Database@AWS Configured at AVMC level. Selected during ACD creation.

Encryption Key Inheritance

Keys are configured at the ACD level, not at the individual database level. All Autonomous Databases within an ACD automatically inherit the ACD's encryption keys. This is a critical architectural point. (Master Encryption Keys for ADB Dedicated)

OCI Vault Configuration Requirements

  1. Create a Vault in a dedicated compartment
  2. Create a Master Encryption Key: Algorithm = AES, Length = 256 bits, Protection Mode = HSM or Software
  3. Configure Service Gateway with route rule to All <Region> Services in Oracle Services Network (TCP 443)
  4. Create a Dynamic Group matching the compartment containing the AVMC
  5. Create an IAM Policy granting the dynamic group manage keys on the vault compartment (with restrictions blocking KEY_MOVE and KEY_IMPORT)

Exam trap: HSM protection mode stores and processes the key on a hardware security module. Software protection mode stores the key in a software file system protected at rest by an HSM root key -- software keys are exportable to other regions and are free of cost. The exam may ask about the differences.

Key Rotation

Supported for both Oracle-managed and customer-managed keys. Rotation is performed from the ACD or ADB Details page. For OCI Vault keys, rotation generates a new TDE master key that re-encrypts tablespace encryption keys. This operation does not require database downtime. (Master Encryption Keys for ADB Dedicated)

Cross-Region Data Guard and Key Replication

When using OCI Vault with cross-region Autonomous Data Guard, you must replicate the vault to the target region first. Virtual vaults created before the cross-region replication feature cannot be replicated -- you must create a new vault and new keys. All private vaults support cross-region replication. (Master Encryption Keys for ADB Dedicated)

7. Network Isolation and Security

Dedicated infrastructure provides stronger network isolation than Shared by design. (Access Control for ADB Dedicated)

Network Architecture

  • All Autonomous Databases on Dedicated run in private subnets within a VCN
  • Oracle recommends at least two subnets: one for AVMC/ACD resources, one for client/application access
  • Access from on-premises uses IPSec VPN or FastConnect -- not public internet
  • A Service Gateway is required for OCI service access (key management, Object Storage)

Security Controls

Control Description
Access Control Lists (ACLs) Restrict connections to specific IP addresses or CIDR blocks (IPv4 and IPv6). Service Console, APEX, and ORDS are NOT subject to ACLs.
Network Security Groups (NSGs) Define ingress/egress rules at the NIC level within the VCN.
Zero Trust Packet Routing (ZPR) Public Cloud only. Intent-based security policies using security attributes. Packets must pass NSG, SCL, AND ZPR rules.
Web Application Firewall (WAF) Protect against XSS, SQL injection, and OWASP vulnerabilities.
TLS 1.2/1.3 All client connections use TLS. Supports self-signed or CA-signed certificates (BYOC). TLS 1.3 requires Oracle Database 23ai or later.

Privileged Access Management

Oracle's own operators cannot access customer data by default:

  • Database Vault is pre-configured with Operations Control to block common users from accessing data
  • Operator Access Control requires customer approval; all operator access uses FIPS 140-2 Level 3 hardware MFA (YubiKey)
  • All operator actions are logged at the command level to OCI logging service or customer SIEM in near-real-time

Verify Operations Control is active:

SELECT * FROM DBA_DV_STATUS;
-- APPLICATION CONTROL status indicates Operations Control is active

8. When to Choose Dedicated over Shared

The exam may present scenario-based questions asking which deployment model fits. Use this decision matrix:

Requirement Recommended Model
Data sovereignty / regulatory compliance (data cannot leave premises) Dedicated with Cloud@Customer or DRCC
Custom maintenance windows aligned to business cycles Dedicated
Complete physical isolation from other customers Dedicated
Maximum control over encryption keys (OKV, EKMS, BYOK) Dedicated
Predictable committed capacity pricing Dedicated
Multiple database workloads on shared Exadata hardware within one organization Dedicated (multiple AVMCs on one EI)
Quick provisioning with minimal setup, pay-per-use Shared (Serverless)
Small workloads, development/testing, no compliance constraints Shared (Serverless)
Low-latency access to AWS applications Dedicated (Oracle Database@AWS)

Key Exam Takeaways

  1. Provisioning order is strict: EI > AVMC > ACD > ADB. Every layer requires its parent.
  2. Resource types differ by platform: cloud-autonomous-vmclusters (Public Cloud) vs. autonomous-vmclusters (Cloud@Customer).
  3. Encryption keys are set at the ACD level and inherited by all databases within.
  4. Rolling = no downtime; Non-rolling = full downtime. Monthly security patches always use rolling.
  5. One-off patches auto-apply within 72 hours unless rescheduled. Cannot skip, only reschedule within the quarter.
  6. Standby is always patched first when Data Guard is configured (1-7 day configurable buffer).
  7. Database users do not need OCI accounts -- only Fleet Admins and DBAs do.
  8. Ops Insights is disabled by default -- must be explicitly enabled.
  9. Cloud@Customer means Oracle hardware in your data center, managed by Oracle, billed as OCI.
  10. AES 256-bit is the required algorithm for customer-managed keys in OCI Vault.

References