Using the DRAC 4 With Microsoft Active Directory

Dell™ Remote Access Controller 4 Firmware Version 1.30 User's Guide

  Active Directory Schema Extensions

  Overview of the RAC Schema Extensions

  Active Directory Object Overview

  Configuring Active Directory to Access Your DRAC 4

  Extending the Active Directory Schema

  Installing the Dell Extension to the Active Directory Users and Computers Snap-In

  Adding DRAC 4 Users and Privileges to Active Directory

  Enabling SSL on a Domain Controller

  Configuring the DRAC 4

  Using Active Directory to Log In To the DRAC 4

  Frequently Asked Questions


A directory service is used to maintain a common database of all information needed for controlling users, computers, printers, etc. on a network.

If your company uses the Microsoft Active Directory service, it can be configured to control access to the DRAC 4, so that you assign and manage DRAC 4 privileges for the users who already exist in Active Directory.

NOTE: Using Active Directory to recognize DRAC 4 users is supported on the Microsoft Windows 2000 and Windows Server 2003 operating systems.

Active Directory Schema Extensions

The Active Directory data, simply explained, can be conceptualized as a distributed database of Attributes and Classes. The rules for what data can be added to or included in the database are the Active Directory schema. An example of a Class that is stored is the user class. Some example attributes of the user class might be the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the changes necessary to support remote management Authentication and Authorization.

Every Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service.

Dell extension is: dell

Dell base OID is: 1.2.840.113556.1.8000.1280

RAC LinkID range is: 12070 to 12079

The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension Dell.


Overview of the RAC Schema Extensions

To provide the greatest flexibility in the multitude of customer environments, Dell provides a group of objects that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege object. The Association object is used to link together the users or groups with a specific set of privileges to one or more RAC devices. This model provides an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity.


Active Directory Object Overview

For each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, you must create at least one Association Object and one RAC Device Object. You can create as many Association Objects as you want, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as desired. The users and RAC Device Objects can be members of any domain in the enterprise.

However, each Association Object may be linked to only one Privilege Object, so every user, group, or RAC Device Object it links shares that one set of privileges. This allows an Administrator to control which users have which privileges on specific RACs.

The RAC Device object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so that users can perform authentication and authorization with Active Directory. The Administrator will also need to add the RAC to at least one Association Object in order for users to authenticate.

Figure 5-1 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.

Figure 5-1. Typical Setup for Active Directory Objects

You can create as many or as few Association Objects as you need, but you must create at least one, and you must have one RAC Device Object for each RAC (DRAC 4) on the network that you want to integrate with Active Directory for Authentication and Authorization. An Association Object can hold any number of users, groups, and RAC Device Objects, but only one Privilege Object. The Association Object connects the "Users" who have "Privileges" on the RACs (DRAC 4s).

In addition, you can set up Active Directory objects in a single domain or in multiple domains. For example, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an administrator privilege to both DRAC 4 cards and give user3 a login privilege to the RAC2 card. Figure 5-2 shows how you set up the Active Directory objects in this scenario.

Figure 5-2. Setting Up Active Directory Objects in a Single Domain

To set up the objects for the single domain scenario, perform the following tasks:

  1. Create two Association Objects.

  2. Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 4 cards.

  3. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.

  4. Group user1 and user2 into Group1.

  5. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.

  6. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.

See "Adding DRAC 4 Users and Privileges to Active Directory" for detailed instructions.

Figure 5-3 shows how you can set up the Active Directory objects in multiple domains. In this scenario, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user 3 are in Domain2. You want to give user1 and user 2 an administrator privilege to both DRAC 4 cards and give user3 a login privilege to the RAC2 card.

Figure 5-3. Setting Up Active Directory Objects in Multiple Domains

To set up the objects for the multiple domain scenario, perform the following tasks:

  1. Ensure that the forest functional level is Native or Windows Server 2003 mode.

  2. Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain. The figure shows the objects in Domain2.

  3. Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 4 cards.

  4. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.

  5. Group user1 and user2 into Group1. The group scope of Group1 must be Universal.

  6. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.

  7. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
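The two scenarios above, worked through in code. This is an added example in Python, not Dell firmware or snap-in code: it models the Association, Privilege and RAC Device objects in memory, builds the Figure 5-2 and Figure 5-3 object sets, answers which privileges a user holds on a given RAC, and checks the rules stated in this section (exactly one Privilege Object per Association Object, in the same domain; Universal scope and a native-mode forest when an association spans domains). The domain names are assumed, and the lookup implements the rules as the text states them, not the DRAC 4 firmware's own query algorithm.

```python
from dataclasses import dataclass

PRIVILEGE_ATTRS = (
    "dellIsLoginUser", "dellIsCardConfigAdmin", "dellIsUserConfigAdmin",
    "dellIsLogClearAdmin", "dellIsServerResetUser", "dellIsConsoleRedirectUser",
    "dellIsVirtualMediaUser", "dellIsTestAlertUser", "dellIsDebugCommandAdmin",
)
ALL_RIGHTS = frozenset(PRIVILEGE_ATTRS)       # Priv1: every right TRUE (administrator)
LOGIN_ONLY = frozenset({"dellIsLoginUser"})   # Priv2: login only


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass(frozen=True)
class RacDevice:          # dellRacDevice
    name: str
    domain: str


@dataclass(frozen=True)
class Privilege:          # dellPrivileges; rights = dellRAC4Privileges attributes set TRUE
    name: str
    domain: str
    rights: frozenset


@dataclass
class Group:              # ordinary Active Directory security group
    name: str
    domain: str
    scope: str            # "Global", "Domain Local" or "Universal"
    members: list


@dataclass
class Association:        # dellAssociationObject (a group with two extra links)
    name: str
    domain: str
    scope: str
    members: list         # Users and Groups
    privileges: list      # dellPrivilegeMember: must hold exactly one Privilege
    products: list        # dellProductMembers: RacDevice objects

    def users(self):
        for m in self.members:
            yield from (m.members if isinstance(m, Group) else [m])

    def domains(self):
        objs = [self, *self.members, *self.privileges, *self.products, *self.users()]
        return {o.domain for o in objs}


def effective_rights(assocs, user, rac):
    """Rights of `user` on `rac`: the union over every association linking both.
    An empty set means the user cannot even log in to that RAC."""
    rights = set()
    for a in assocs:
        if rac in a.products and user in a.users():
            for p in a.privileges:
                rights |= p.rights
    return frozenset(rights)


def validate(assocs, forest_native):
    """Configuration errors this section calls out; [] means the setup is consistent."""
    problems = []
    for a in assocs:
        if len(a.privileges) != 1:
            problems.append(f"{a.name}: needs exactly one Privilege Object, has {len(a.privileges)}")
        for p in a.privileges:
            if p.domain != a.domain:
                problems.append(f"{a.name}: Privilege Object {p.name} is in another domain")
        if len(a.domains()) > 1:
            if not forest_native:
                problems.append(f"{a.name}: spans domains but the forest is in mixed mode")
            for g in [a, *(m for m in a.members if isinstance(m, Group))]:
                if g.scope != "Universal":
                    problems.append(f"{a.name}: {g.name} must be Universal, is {g.scope}")
    return problems


def figure_5_2(d="corp.example"):
    """Single domain (domain name assumed)."""
    u1, u2, u3 = User("user1", d), User("user2", d), User("user3", d)
    rac1, rac2 = RacDevice("RAC1", d), RacDevice("RAC2", d)
    group1 = Group("Group1", d, "Global", [u1, u2])
    ao1 = Association("AO1", d, "Global", [group1], [Privilege("Priv1", d, ALL_RIGHTS)], [rac1, rac2])
    ao2 = Association("AO2", d, "Global", [u3], [Privilege("Priv2", d, LOGIN_ONLY)], [rac2])
    return [ao1, ao2], (u1, u2, u3), (rac1, rac2)


def figure_5_3(d1="domain1.example", d2="domain2.example"):
    """Multiple domains: user1 in Domain1, everything else in Domain2 (names assumed)."""
    u1, u2, u3 = User("user1", d1), User("user2", d2), User("user3", d2)
    rac1, rac2 = RacDevice("RAC1", d2), RacDevice("RAC2", d2)
    group1 = Group("Group1", d2, "Universal", [u1, u2])
    ao1 = Association("AO1", d2, "Universal", [group1], [Privilege("Priv1", d2, ALL_RIGHTS)], [rac1, rac2])
    ao2 = Association("AO2", d2, "Global", [u3], [Privilege("Priv2", d2, LOGIN_ONLY)], [rac2])
    return [ao1, ao2], (u1, u2, u3), (rac1, rac2)
```

effective_rights() returns the union across every association that links both the user and the RAC, so a user who appears in two associations for the same RAC gets the rights of both Privilege Objects; an empty result means no rights at all on that RAC, not even dellIsLoginUser. validate() with forest_native=False reports the Figure 5-3 layout as unusable, which is the mixed-mode restriction repeated in the FAQ at the end of this chapter.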


Configuring Active Directory to Access Your DRAC 4

Before you can use Active Directory to access your DRAC 4, you must configure the Active Directory software and the DRAC 4 by performing the following steps in their numbered order:

  1. Extend the Active Directory schema (see "Extending the Active Directory Schema").

  2. Extend the Active Directory Users and Computers Snap-in (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In").

  3. Add DRAC 4 users and their privileges to Active Directory (see "Adding DRAC 4 Users and Privileges to Active Directory").

  4. Enable SSL on each of your domain controllers (see "Enabling SSL on a Domain Controller").

  5. Configure the DRAC 4 Active Directory properties using either the DRAC 4 Web-based interface or the racadm CLI (see "Configuring the DRAC 4").


Extending the Active Directory Schema

Extending your Active Directory schema will add a Dell organizational unit, schema classes and attributes, and example privileges and association objects to the Active Directory schema.

NOTE: Before you extend the schema, you must have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest.

You can extend your schema using either of two methods: the Dell Schema Extender utility or the LDIF script file.

NOTE: The Dell organizational unit will not be added if you use the LDIF script file.

The LDIF files and Dell Schema Extender are located on your Dell Systems Management Consoles CD in the following respective directories:

  • CD drive:\support\OMActiveDirectory Tools\RAC4\LDIF Files

  • CD drive:\support\OMActiveDirectory Tools\RAC4\Schema Extender

To use the LDIF files, see the instructions in the readme that is in the LDIF files directory. To use the Dell Schema Extender to extend the Active Directory Schema, perform the steps in "Using the Dell Schema Extender."

You can copy and run the Schema Extender or LDIF files from any location.

Using the Dell Schema Extender

NOTICE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name of this file.

  1. Click Next on the Welcome screen.

  2. Read the warning and click Next again.

  3. Either select Use Current Log In Credentials or enter a user name and password with schema administrator rights.

  4. Click Next to run the Dell Schema Extender.

  5. Click Finish.

The schema is extended. To verify the schema extension, use the Active Directory Schema snap-in in the Microsoft Management Console (MMC) to confirm that the classes listed in Table 5-1 through Table 5-6 and the attributes listed in Table 5-7 exist. See your Microsoft documentation for more information on how to enable and use the Active Directory Schema snap-in in the MMC.

Table 5-1. Class Definitions for Classes Added to the Active Directory Schema

  Class Name              Assigned Object Identification Number (OID)
  dellRacDevice           1.2.840.113556.1.8000.1280.1.1.1.1
  dellAssociationObject   1.2.840.113556.1.8000.1280.1.1.1.2
  dellRAC4Privileges      1.2.840.113556.1.8000.1280.1.1.1.3
  dellPrivileges          1.2.840.113556.1.8000.1280.1.1.1.4
  dellProduct             1.2.840.113556.1.8000.1280.1.1.1.5

Table 5-2. dellRacDevice Class

  OID:           1.2.840.113556.1.8000.1280.1.1.1.1
  Description:   This class represents the Dell RAC device. The RAC device must be configured as dellRacDevice in Active Directory. This configuration enables the DRAC 4 to send Lightweight Directory Access Protocol (LDAP) queries to Active Directory.
  Class Type:    Structural Class
  SuperClasses:  dellProduct
  Attributes:    dellSchemaVersion, dellRacType

Table 5-3. dellAssociationObject Class

  OID:           1.2.840.113556.1.8000.1280.1.1.1.2
  Description:   This class represents the Dell Association Object. The Association Object provides the connection between the users and the devices.
  Class Type:    Structural Class
  SuperClasses:  Group
  Attributes:    dellProductMembers, dellPrivilegeMember

Table 5-4. dellRAC4Privileges Class

  OID:           1.2.840.113556.1.8000.1280.1.1.1.3
  Description:   This class is used to define the privileges (Authorization Rights) for the DRAC 4 device.
  Class Type:    Auxiliary Class
  SuperClasses:  None
  Attributes:    dellIsLoginUser, dellIsCardConfigAdmin, dellIsUserConfigAdmin, dellIsLogClearAdmin, dellIsServerResetUser, dellIsConsoleRedirectUser, dellIsVirtualMediaUser, dellIsTestAlertUser, dellIsDebugCommandAdmin

Table 5-5. dellPrivileges Class

  OID:           1.2.840.113556.1.8000.1280.1.1.1.4
  Description:   This class is used as a container Class for the Dell Privileges (Authorization Rights).
  Class Type:    Structural Class
  SuperClasses:  User
  Attributes:    dellRAC4Privileges

Table 5-6. dellProduct Class

  OID:           1.2.840.113556.1.8000.1280.1.1.1.5
  Description:   This is the main class from which all Dell products are derived.
  Class Type:    Structural Class
  SuperClasses:  Computer
  Attributes:    dellAssociationMembers

Table 5-7. List of Attributes Added to the Active Directory Schema

Each entry gives the attribute name and description, the assigned OID, the syntax object identifier, and whether the attribute is single valued.

dellPrivilegeMember
  Description:    List of dellPrivileges Objects that belong to this Attribute.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.1
  Syntax:         Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
  Single Valued:  FALSE

dellProductMembers
  Description:    List of dellRacDevice Objects that belong to this Association Object. This attribute is the forward link to the dellAssociationMembers backward link. Link ID: 12070
  OID:            1.2.840.113556.1.8000.1280.1.1.2.2
  Syntax:         Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
  Single Valued:  FALSE

dellIsLoginUser
  Description:    TRUE if the user has Login rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.3
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsCardConfigAdmin
  Description:    TRUE if the user has Card Configuration rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.4
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsUserConfigAdmin
  Description:    TRUE if the user has User Configuration rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.5
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsLogClearAdmin
  Description:    TRUE if the user has Log Clearing rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.6
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsServerResetUser
  Description:    TRUE if the user has Server Reset rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.7
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsConsoleRedirectUser
  Description:    TRUE if the user has Console Redirection rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.8
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsVirtualMediaUser
  Description:    TRUE if the user has Virtual Media rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.9
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsTestAlertUser
  Description:    TRUE if the user has Test Alert User rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.10
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellIsDebugCommandAdmin
  Description:    TRUE if the user has Debug Command Admin rights on the device.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.11
  Syntax:         Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued:  TRUE

dellSchemaVersion
  Description:    The current schema version; used when the schema is updated.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.12
  Syntax:         Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
  Single Valued:  TRUE

dellRacType
  Description:    The current RAC type of the dellRacDevice object.
  OID:            1.2.840.113556.1.8000.1280.1.1.2.13
  Syntax:         Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
  Single Valued:  TRUE

dellAssociationMembers
  Description:    List of dellAssociationObject Objects that this Product belongs to. This attribute is the backward link to the dellProductMembers linked attribute. Link ID: 12071
  OID:            1.2.840.113556.1.8000.1280.1.1.2.14
  Syntax:         Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
  Single Valued:  FALSE
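A way to check the extension without clicking through every entry in the Schema snap-in, as an added example that is not Dell tooling: export the schema partition with ldifde (for example ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=corp,DC=example" -r "(cn=dell*)"; the forest DN is an assumption) and run verify() over the file. The expected values are the OIDs, link IDs and single-valued flags from Tables 5-1 to 5-7, with the LDAP syntax OIDs mapped to the attributeSyntax/oMSyntax pair Active Directory stores (Distinguished Name 2.5.5.1/127, Boolean 2.5.5.8/1, Case Ignore String 2.5.5.4/20). render_ldif() produces the same entries in export form so the check can be exercised offline; a real export carries many more attributes per entry, which the parser keeps and verify() ignores.

```python
import base64

DELL = "1.2.840.113556.1.8000.1280"
SCHEMA_DN = "CN=Schema,CN=Configuration,DC=corp,DC=example"   # assumed forest root
# Table 5-7 LDAP syntaxes as Active Directory stores them: (attributeSyntax, oMSyntax)
DN, BOOL, CIS = ("2.5.5.1", "127"), ("2.5.5.8", "1"), ("2.5.5.4", "20")

# cn -> (governsID, objectClassCategory); 1 = structural, 3 = auxiliary
CLASSES = {
    "dellRacDevice": (DELL + ".1.1.1.1", "1"),
    "dellAssociationObject": (DELL + ".1.1.1.2", "1"),
    "dellRAC4Privileges": (DELL + ".1.1.1.3", "3"),
    "dellPrivileges": (DELL + ".1.1.1.4", "1"),
    "dellProduct": (DELL + ".1.1.1.5", "1"),
}
# cn -> (attributeID, syntax, isSingleValued, linkID or None)
ATTRIBUTES = {
    "dellPrivilegeMember": (DELL + ".1.1.2.1", DN, "FALSE", None),
    "dellProductMembers": (DELL + ".1.1.2.2", DN, "FALSE", "12070"),
    "dellIsLoginUser": (DELL + ".1.1.2.3", BOOL, "TRUE", None),
    "dellIsCardConfigAdmin": (DELL + ".1.1.2.4", BOOL, "TRUE", None),
    "dellIsUserConfigAdmin": (DELL + ".1.1.2.5", BOOL, "TRUE", None),
    "dellIsLogClearAdmin": (DELL + ".1.1.2.6", BOOL, "TRUE", None),
    "dellIsServerResetUser": (DELL + ".1.1.2.7", BOOL, "TRUE", None),
    "dellIsConsoleRedirectUser": (DELL + ".1.1.2.8", BOOL, "TRUE", None),
    "dellIsVirtualMediaUser": (DELL + ".1.1.2.9", BOOL, "TRUE", None),
    "dellIsTestAlertUser": (DELL + ".1.1.2.10", BOOL, "TRUE", None),
    "dellIsDebugCommandAdmin": (DELL + ".1.1.2.11", BOOL, "TRUE", None),
    "dellSchemaVersion": (DELL + ".1.1.2.12", CIS, "TRUE", None),
    "dellRacType": (DELL + ".1.1.2.13", CIS, "TRUE", None),
    "dellAssociationMembers": (DELL + ".1.1.2.14", DN, "FALSE", "12071"),
}


def render_ldif():
    """Expected entries in ldifde form (only the values verify() checks), folded at
    76 columns the way ldifde folds long lines."""
    lines = []
    for cn, (oid, cat) in CLASSES.items():
        lines += [f"dn: CN={cn},{SCHEMA_DN}", "objectClass: classSchema", f"cn: {cn}",
                  f"governsID: {oid}", f"objectClassCategory: {cat}", ""]
    for cn, (oid, (syn, om), single, link) in ATTRIBUTES.items():
        lines += [f"dn: CN={cn},{SCHEMA_DN}", "objectClass: attributeSchema", f"cn: {cn}",
                  f"attributeID: {oid}", f"attributeSyntax: {syn}", f"oMSyntax: {om}",
                  f"isSingleValued: {single}", *([f"linkID: {link}"] if link else []), ""]
    folded = []
    for line in lines:
        folded.append(line[:76])
        folded += [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return "\n".join(folded) + "\n"


def parse_ldif(text):
    """Entries as {attribute: [values]}; unfolds continuation lines and decodes
    base64 ('::') values, which ldifde uses for non-printable or leading-space data."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            cur.setdefault(key, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def verify(text):
    """Discrepancies between an export and Tables 5-1 to 5-7; [] means it matches."""
    seen = {e["cn"][0]: e for e in parse_ldif(text) if "cn" in e}
    bad = []

    def want(cn, attr, value):
        got = seen[cn].get(attr, [None])[0]
        if got != value:
            bad.append(f"{cn}.{attr}: expected {value}, found {got}")

    for cn, (oid, cat) in CLASSES.items():
        if cn not in seen:
            bad.append(f"{cn}: class missing")
            continue
        want(cn, "governsID", oid)
        want(cn, "objectClassCategory", cat)
    for cn, (oid, (syn, om), single, link) in ATTRIBUTES.items():
        if cn not in seen:
            bad.append(f"{cn}: attribute missing")
            continue
        for attr, value in (("attributeID", oid), ("attributeSyntax", syn), ("oMSyntax", om),
                            ("isSingleValued", single), ("linkID", link)):
            want(cn, attr, value)
    return bad
```

The linkID check matters most: dellProductMembers (12070) and dellAssociationMembers (12071) are a forward/back link pair, and if either was created with a different or missing link ID the RAC's lookup from device to association will not follow the link even though every object appears to exist. A linkID on an attribute the table lists without one is reported as well.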


Installing the Dell Extension to the Active Directory Users and Computers Snap-In

When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so that the administrator can manage RAC (DRAC 4) devices, Users and User Groups, RAC Associations, and RAC Privileges. The Dell Extension to the Active Directory Users and Computers Snap-In is an option that can be installed when you install your systems management software from the Dell Systems Management Consoles CD. See the Dell OpenManage Software Quick Installation Guide for further instructions on installing systems management software.

NOTE: You must install the Administrator Pack on each system that is managing the Active Directory DRAC 4 Objects. The installation is described in the following section, "Opening the Active Directory Users and Computers Snap-In." If you do not install the Administrator Pack, then you cannot view the Dell RAC Object in the container.
NOTE: For more information about the Active Directory Users and Computers snap-in, see your Microsoft documentation.

Opening the Active Directory Users and Computers Snap-In

To open the Active Directory Users and Computers snap-in, perform the following steps:

  1. If you are on the domain controller, click Start → Administrative Tools → Active Directory Users and Computers. If you are not on the domain controller, the appropriate Microsoft Administrator Pack must be installed on your local system; then click Start → Run, type mmc, and press Enter.

This opens the Microsoft Management Console (MMC).

  2. Click File (or Console on systems running Windows 2000) in the Console 1 window.

  3. Click Add/Remove Snap-in.

  4. Select the Active Directory Users and Computers snap-in and click Add.

  5. Click Close and click OK.


Adding DRAC 4 Users and Privileges to Active Directory

The Dell-extended Active Directory Users and Computers snap-in allows you to add DRAC 4 users and privileges by creating RAC, Association, and Privilege objects. To add each type of object, perform the steps in the following subsections.

Creating a RAC Device Object

  1. In the MMC Console Root window, right-click a container.

  2. Select New → Dell RAC Object.

This opens the New Object window.

  3. Type a name for the new object. This name must match the DRAC 4 Name that you will type in step 4 of "Configuring the DRAC 4."

  4. Select RAC Device Object.

  5. Click OK.

Creating a Privilege Object

Privilege Objects must be created in the same domain as the Association Object to which they are linked.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New → Dell RAC Object.

This opens the New Object window.

  3. Type a name for the new object.

  4. Select Privilege Object.

  5. Click OK.

  6. Right-click the privilege object that you created, and select Properties.

  7. Click the RAC 4 Privileges tab and select the DRAC 4 privileges that you want the user to have (for more information, see Table 4-2).

Creating an Association Object

The Association Object is derived from a Group and must contain a Group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, you must choose the Association Scope that applies to the type of objects you intend to add. Selecting Universal, for example, means that association objects are only available when the Active Directory Domain is functioning in Native Mode or above.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New → Dell RAC Object.

This opens the New Object window.

  3. Type a name for the new object.

  4. Select Association Object.

  5. Select the scope for the Association Object.

  6. Click OK.

Adding Objects to an Association Object

By using the Association Object Properties window, you can associate users or user groups, privilege objects, and RAC devices or RAC device groups.

NOTE: When using Windows 2000 mode or higher, you must use Universal Groups to span domains with your users or RAC objects.

You can add groups of Users and RAC devices. Creating Dell-related groups is done the same way you create other groups.

To add users or User Groups:

  1. Right-click the Association Object and select Properties.

  2. Select the Users tab and click Add.

  3. Type the user or User Group name and click OK.

Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a RAC device.

NOTE: You can add only one privilege object to an association object.

To add a privilege:

  1. Select the Privilege Object tab and click Add.

  2. Type the Privilege Object name and click OK.

Click the Products tab to add one or more RAC devices to the association. The associated devices specify the RAC devices connected to the network that are available for the defined users or user groups.

NOTE: You can add multiple RAC devices to an association object.

To add RAC devices or RAC device groups:

  1. Select the Products tab and click Add.

  2. Type the RAC device or RAC device group name and click OK.

  3. In the Properties window, click Apply and then OK.


Enabling SSL on a Domain Controller

If you plan to use a Microsoft Enterprise Root CA to issue an SSL certificate to every domain controller automatically, perform the following steps to enable SSL on each domain controller.

  1. Install a Microsoft Enterprise Root CA on a Domain Controller.

    1. Select Start → Control Panel → Add or Remove Programs.

    2. Select Add/Remove Windows Components.

    3. In the Windows Components Wizard, select the Certificate Services check box.

    4. Select Enterprise root CA as CA Type and click Next.

    5. Enter Common name for this CA, click Next, and click Finish.

  2. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.

    1. Click Start → Administrative Tools → Domain Security Policy.

    2. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.

    3. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.

    4. Click Next and click Finish.

Exporting the Domain Controller Root CA Certificate

NOTE: The following steps may vary slightly if you are using Windows 2000.
  1. Go to the domain controller on which you installed the Microsoft Enterprise CA service.

  2. Click Start Run.

  3. Type mmc and click OK.

  4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and select Add/Remove Snap-in.

  5. In the Add/Remove Snap-In window, click Add.

  6. In the Standalone Snap-In window, select Certificates and click Add.

  7. Select Computer account and click Next.

  8. Select Local Computer and click Finish.

  9. Click OK.

  10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.

  11. Locate and right-click the root CA certificate, select All Tasks, and click Export...

  12. In the Certificate Export Wizard, click Next, and select No do not export the private key.

  13. Click Next and select Base-64 encoded X.509 (.cer) as the format.

  14. Click Next and save the certificate to a location of your choice. You will need to upload this certificate to the DRAC 4. To do this, go to the DRAC 4 Web-based interface → Configuration tab → Active Directory page. Alternately, you may use the racadm CLI commands (see "Configuring the DRAC 4 Active Directory Settings Using the racadm CLI").

  15. Click Finish and click OK.

Importing the DRAC 4 Firmware SSL Certificate to All Domain Controllers Trusted Certificate Lists

NOTE: If the DRAC 4 firmware SSL certificate is signed by a well-known CA, you do not need to perform the steps described in this section.
NOTE: The following steps may vary slightly if you are using Windows 2000.
  1. The DRAC 4 SSL certificate is the same certificate that is used for the DRAC 4 Web server. All DRAC 4 controllers are shipped with a default self-signed certificate. You can get this certificate from the DRAC 4 by selecting the DRAC 4 Web-based interface Configuration tab → Active Directory subtab → Download DRAC 4 Server Certificate.

  2. On the domain controller, open an MMC Console window and select Certificates → Trusted Root Certification Authorities.

  3. Right-click Certificates, select All Tasks and click Import.

  4. Click Next and browse to the SSL certificate file.

  5. Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the Authority is not in the list, you must install it on all your Domain Controllers.

  6. Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.

  7. Click Finish and click OK.


Configuring the DRAC 4

  1. Log in to the Web-based interface using the default user, root, and its password.

  2. Click the Configuration tab and select the Active Directory.

  3. Select the Enable Active Directory check box.

  4. Type the DRAC 4 Name. This name must be the same as the common name of the RAC object you created in your Domain Controller (see step 3 of "Creating a RAC Device Object").

  5. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.

  6. Type the DRAC 4 Domain Name (for example, drac4.com). Do not use the NetBIOS name. The DRAC 4 Domain Name is the fully qualified domain name of the sub-domain where the RAC Device Object is located.

  7. Click Apply to save the Active Directory settings.

  8. Click Upload Active Directory CA Certificate to upload your domain forest Root CA certificate into the DRAC 4. The SSL certificates of all domain controllers in the forest must be signed by this root CA, because the DRAC 4 validates the domain controller it connects to against this one certificate. Have the root CA certificate available on your local system (see "Exporting the Domain Controller Root CA Certificate"). Specify the full path and filename of the root CA certificate and click Upload to upload the root CA certificate to the DRAC 4 firmware. The DRAC 4 Web server automatically restarts after you click Upload. You must log in again to complete the DRAC 4 Active Directory feature configuration.

  9. Click the Configuration tab and select Network.

  10. If DRAC 4 NIC DHCP is enabled, select Use DHCP to obtain DNS server address. If you want to input a DNS server IP address manually, deselect Use DHCP to obtain DNS server address and type your primary and alternate DNS Server IP addresses.

  11. Click Apply.

This completes the DRAC 4 Active Directory feature configuration.

Configuring the DRAC 4 Active Directory Settings Using the racadm CLI

Use the following commands to configure the DRAC 4 Active Directory feature with the racadm CLI instead of the Web-based interface.

  1. Open a command prompt and type the following racadm commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified rac domain name>

racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>

racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

  2. If DHCP is enabled on the DRAC 4 and you want to use the DNS provided by the DHCP server, type the following:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

  3. If DHCP is disabled on the DRAC 4 or you want to input your DNS IP addresses manually, type the following commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

  4. Press Enter to complete the DRAC 4 Active Directory feature configuration.
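The racadm sequence above, wrapped in input checks that catch the mistakes the FAQ at the end of this chapter lists before any command reaches the RAC. This is an added Python example, not part of Dell's racadm: it builds the exact command lines given above, refuses a NetBIOS name where a fully qualified domain name is required, validates the DNS addresses, and refuses a CA file that is not the Base-64 encoded X.509 (.cer) export (a DER export has no PEM armor and the upload would fail). The racadm binary name, the file paths and SAMPLE_PEM (a constructed stand-in with valid armor and DER framing, not a real certificate) are assumptions.

```python
import base64
import ipaddress
import re
import subprocess

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$", re.I)
# Constructed stand-in: valid PEM armor around a minimal DER SEQUENCE; not a certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def is_fqdn(name):
    """True for drac4.corp.example; False for a NetBIOS name such as AMERICAS."""
    return len(name) <= 253 and bool(FQDN_RE.match(name))


def is_base64_x509(data):
    """True if data is a 'Base-64 encoded X.509 (.cer)' file: PEM armor around
    valid base64 whose first DER byte is the SEQUENCE tag of a Certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    return der[:1] == b"\x30"


def ad_commands(rac_name, rac_domain, root_domain, ca_cert_path,
                rac_cert_out="drac4_server.cer", dns=None, racadm="racadm"):
    """argv lists in the order the guide gives them. dns=None keeps the DNS
    servers from DHCP; dns=(primary, secondary) sets them by hand."""
    for label, value in (("DRAC 4 Domain Name", rac_domain), ("Root Domain Name", root_domain)):
        if not is_fqdn(value):
            raise ValueError(f"{label} must be a fully qualified domain name, not {value!r}")
    if not rac_name or any(c.isspace() for c in rac_name):
        raise ValueError("DRAC 4 Name must be non-empty and contain no white space")

    def cfg(group, obj, val):
        return [racadm, "config", "-g", group, "-o", obj, val]

    cmds = [
        cfg("cfgActiveDirectory", "cfgADEnable", "1"),
        cfg("cfgActiveDirectory", "cfgADRacDomain", rac_domain),
        cfg("cfgActiveDirectory", "cfgADRootDomain", root_domain),
        cfg("cfgActiveDirectory", "cfgADRacName", rac_name),
        [racadm, "sslcertupload", "-t", "0x2", "-f", ca_cert_path],
        [racadm, "sslcertdownload", "-t", "0x1", "-f", rac_cert_out],
    ]
    if dns is None:
        cmds.append(cfg("cfgLanNetworking", "cfgDNSServersFromDHCP", "1"))
    else:
        primary, secondary = (str(ipaddress.IPv4Address(ip)) for ip in dns)  # ValueError if malformed
        cmds += [cfg("cfgLanNetworking", "cfgDNSServersFromDHCP", "0"),
                 cfg("cfgLanNetworking", "cfgDNSServer1", primary),
                 cfg("cfgLanNetworking", "cfgDNSServer2", secondary)]
    return cmds


def run_all(cmds, ca_cert_bytes, run=subprocess.run):
    """Refuse a DER or otherwise non-PEM CA file, then run the commands in order,
    stopping at the first non-zero exit. Returns how many commands succeeded."""
    if not is_base64_x509(ca_cert_bytes):
        raise ValueError("CA certificate must be the Base-64 encoded X.509 (.cer) export")
    done = 0
    for argv in cmds:
        if run(argv).returncode != 0:
            break
        done += 1
    return done
```

Pass the bytes of the exported root CA file to run_all() together with the list from ad_commands(); the upload command carries the same path, so the file is checked before cfgADEnable is set and the RAC is left half-configured. The run parameter exists so the sequence can be rehearsed against a stub before it is pointed at a real DRAC 4.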


Using Active Directory to Log In To the DRAC 4

You can use Active Directory to log in to the DRAC 4 through the Web-based interface, with remote racadm, or through the serial or telnet console.

The login syntax is consistent for all three methods:

<username@domain> or <domain>\<username> or <domain>/<username> (where username is an ASCII string of 1–256 bytes). No white space and no special characters (such as \, /, or @) are allowed in either the user name or the domain name.

NOTE: You cannot specify NetBIOS domain names, such as Americas, since those names cannot be resolved.
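The login syntax above as a parser, added here as an example in Python; it is not DRAC 4 firmware code. It accepts the three forms (user@domain, domain\user and domain/user) and rejects a name that uses more than one separator, has an empty part, contains white space or one of \, / or @ in either part, has a user name outside 1 to 256 ASCII bytes, or gives the domain in NetBIOS form (no dot), which the RAC cannot resolve. The domain names in the test are assumed.

```python
SEPARATORS = "@\\/"


def parse_ad_login(login):
    """Return (username, domain) for a DRAC 4 Active Directory login, or raise ValueError."""
    seps = [c for c in login if c in SEPARATORS]
    if len(seps) != 1:
        raise ValueError("login must contain exactly one of @, \\ or /")
    sep = seps[0]
    left, right = login.split(sep)
    # user@domain puts the user first; domain\user and domain/user put the domain first.
    user, domain = (left, right) if sep == "@" else (right, left)
    for part, what in ((user, "user name"), (domain, "domain name")):
        if not part or any(c.isspace() for c in part):
            raise ValueError(f"{what} is empty or contains white space")
    if not user.isascii() or len(user.encode("ascii")) > 256:
        raise ValueError("user name must be 1 to 256 ASCII bytes")
    if "." not in domain:
        raise ValueError(f"{domain!r} looks like a NetBIOS name; use the fully qualified domain name")
    return user, domain
```

Because exactly one separator is allowed in the whole string, the split yields exactly two parts and neither part can contain any of the three separator characters, which is the rule the syntax description states.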

Frequently Asked Questions

Table 5-8 lists frequently asked questions and answers.

Table 5-8. Using the DRAC 4 With Active Directory: Frequently Asked Questions 

Question

Answer

Can I log into the DRAC 4 using Active Directory across multiple forests?

The DRAC 4's Active Directory querying algorithm only supports a single tree in a single forest.

Does the login to the DRAC 4 using Active Directory work in mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT® 4.0, Windows 2000, or Windows Server 2003)?

Yes. In mixed mode, all objects used by the DRAC 4 querying process (among user, RAC Device Object, and Association Object) have to be in the same domain.

The Dell-extended Active Directory Users and Computers snap-in checks the mode and, in mixed mode, prevents users from creating objects across domains.

Does using the DRAC 4 with Active Directory support multiple domain environments?

Yes. The forest functional level must be Native mode or Windows Server 2003 mode. In addition, the groups that link Association Objects, RAC users, and RAC Device Objects across domains, and the Association Object itself, must be Universal groups.

Can these Dell-extended objects (Dell Association Object, Dell RAC Device, and Dell Privilege Object) be in different domains?

The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains.

Are there any restrictions on Domain Controller SSL configuration?

Yes. The SSL certificates of all Active Directory servers in the forest must be signed by the same root CA, since the DRAC 4 allows only one trusted CA certificate to be uploaded.

I created and uploaded a new RAC certificate and now the Web-based interface does not launch.

If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause of this is you inadvertently chose User Certificate instead of Web Certificate when creating the certificate. To recover, create a new Web certificate from Microsoft Certificate Services and load it using the racadm CLI from the managed system by typing:

racadm sslcertupload -t 0x1 -f <web_sslcert>

What can I do if I cannot log into the DRAC 4 using Active Directory authentication? How do I troubleshoot the issue?

Troubleshoot as follows:

  • Ensure that you have checked the Enable Active Directory box on the DRAC 4 Active Directory configuration page.
  • Ensure that the DNS setting is correct on the DRAC 4 Networking configuration page.
  • Ensure that you have uploaded the Active Directory certificate from your Active Directory root CA to the DRAC 4.
  • Check the Domain Controller SSL certificates to ensure that they have not expired.
  • Ensure that your "DRAC 4 Name", "Root Domain Name", and "DRAC 4 Domain Name" match your Active Directory environment configuration.
  • Ensure that you use the correct user domain name during a login and not the NetBIOS name.

