A directory service is used to maintain a common database of all information needed for controlling users, computers, printers, etc. on a network.
If your company uses the Microsoft® Active Directory® service software, it can be configured to give you access to the DRAC 4, allowing you to add and control DRAC 4 user privileges to your existing users in your Active Directory software.
NOTE: Using Active Directory to recognize DRAC 4 users is supported on the Microsoft Windows® 2000 and Windows Server® 2003 operating systems.
You can use Active Directory to define user access on DRAC 4 through two methods: you can use the extended schema solution, which uses Dell-defined Active Directory objects, or a standard schema solution, which uses Active Directory group objects only.
Advantages and Disadvantages of Extended Schema and
Standard Schema
When using Active Directory to configure access to the DRAC 4, you must choose either the extended schema or the standard schema solution.
The advantages of using the extended schema solution are:
All of the access control objects are maintained in Active Directory.
Maximum flexibility in configuring user access on different DRAC 4 cards with different privilege levels.
The advantages of using the standard schema solution are:
No schema extension is required because standard schema uses Microsoft Active Directory objects only.
Configuration on the Active Directory side is simple.
Extended Schema Active Directory Overview
There are two ways to enable Extended Schema Active Directory:
The Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added or included in the database. The user class is one example of a Class that is stored in the database. Some example user attributes can include the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization.
Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service.
Dell extension is: dell
Dell base OID is: 1.2.840.113556.1.8000.1280
RAC LinkID range is:12070 to 12079
The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension Dell.
Overview of the RAC Schema Extensions
To provide the greatest flexibility in the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link together the users or groups with a specific set of privileges to one or more RAC devices. This model provides an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity.
Active Directory Object Overview
For each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, you must create at least one Association Object and one RAC Device Object. You can create as many Association Objects as you want, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as desired. The users and RAC Device Objects can be members of any domain in the enterprise.
However, each Association Object can be linked (or, may link users, groups of users, or RAC Device Objects) to only one Privilege Object. This allows an Administrator to control which users have what kind of privileges on specific RACs.
The RAC Device object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so that users can perform authentication and authorization with Active Directory. The Administrator will also need to add the RAC to at least one Association Object in order for users to authenticate.
Figure 5-1 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.
Figure 5-1. Typical Setup for Active Directory Objects
You can create as many or as few association objects as required. However, you must create at least one Association Object, and you must have one RAC Device Object for each RAC (DRAC 4) on the network that you want to integrate with Active Directory for Authentication and Authorization with the RAC (DRAC 4).
The Association Object allows for as many or as few users and/or groups as well as RAC Device Objects. However, the Association Object only has one Privilege Object per Association Object. The Association Object connects the "Users" who have "Privileges" on the RACs (DRAC 4s).
Additionally, you can configure Active Directory objects in a single domain or in multiple domains. For example, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an administrator privilege to both DRAC 4 cards and give user3 a login privilege to the RAC2 card. Figure 5-2 shows how you set up the Active Directory objects in this scenario.
Figure 5-2. Setting Up Active Directory Objects in a Single Domain
To set up the objects for the single domain scenario, perform the following tasks:
Create two Association Objects.
Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 4 cards.
Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and
Priv2 has login privileges.
Group user1 and user2 into Group1.
Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1,
RAC2 as RAC Devices in AO1.
Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as
RAC Devices in AO2.
Figure 5-3 shows how you can set up the Active Directory objects in multiple domains. In this scenario, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user 3 are in Domain2. You want to give user1 and user 2 an administrator privilege to both DRAC 4 cards and give user3 a login privilege to the RAC2 card.
Figure 5-3. Setting Up Active Directory Objects in Multiple Domains
To set up the objects for the multiple domain scenario, perform the following tasks:
Ensure that the domain forest function is in Native or Windows 2003 mode.
Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain. The figure shows
the objects in Domain2.
Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 4 cards.
Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and
Priv2 has login privileges.
Group user1 and user2 into Group1. The group scope of Group1 must be Universal.
Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1,
RAC2 as RAC Devices in AO1.
Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as
RAC Devices in AO2.
Configuring Active Directory to Access Your DRAC 4
Before you can use Active Directory to access your DRAC 4, configure the Active Directory software and the DRAC 4 by performing the following steps in order:
Extending your Active Directory schema adds a Dell organizational unit, schema classes and attributes, and example privileges and association objects to the Active Directory schema. Before you extend the schema, you must have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest.
You can extend your schema using one of the following methods:
Dell Schema Extender utility
LDIF script file.
If you use the LDIF script file, the Dell organizational unit will not be added to the schema.
The LDIF files and Dell Schema Extender are located on your Dell Systems Management Consoles CD in the following respective directories:
CD drive:\support\OMActiveDirectory Tools\RAC4\LDIF Files
CD drive:\support\OMActiveDirectory Tools\RAC4\Schema Extender
To use the LDIF files, see the instructions in the readme that is in the LDIF files directory. To use the Dell Schema Extender to extend the Active Directory Schema, perform the steps in "Using the Dell Schema Extender."
You can copy and run the Schema Extender or LDIF files from any location.
Using the Dell Schema Extender
NOTICE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name of this file.
In the Welcome screen, click Next.
Read and understand the warning and click Next again.
Select Use Current Log In Credentials or enter a user name and password with schema administrator
rights.
Click Next to run the Dell Schema Extender.
Click Finish.
The schema is extended. To verify the schema extension, use the Microsoft Management Console (MMC), the Active Directory Schema snap-in to verify that the following exist:
See your Microsoft documentation for more information on how to enable and use the Active Directory Schema snap-in the MMC.
Table 5-1. Class Definitions for Classes Added to the Active Directory Schema
Class Name
Assigned Object Identification Number (OID)
dellRacDevice
1.2.840.113556.1.8000.1280.1.1.1.1
dellAssociationObject
1.2.840.113556.1.8000.1280.1.1.1.2
dellRAC4Privileges
1.2.840.113556.1.8000.1280.1.1.1.3
dellPrivileges
1.2.840.113556.1.8000.1280.1.1.1.4
dellProduct
1.2.840.113556.1.8000.1280.1.1.1.5
Table 5-2. dellRacDevice Class
OID
1.2.840.113556.1.8000.1280.1.1.1.1
Description
This class represents the Dell RAC device. The RAC device must be configured as dellRacDevice in Active Directory. This configuration enables the DRAC 4 to send Lightweight Directory Access Protocol (LDAP) queries to Active Directory.
Class Type
Structural Class
SuperClasses
dellProduct
Attributes
dellSchemaVersion
dellRacType
Table 5-3. dellAssociationObject Class
OID
1.2.840.113556.1.8000.1280.1.1.1.2
Description
This class represents the Dell Association Object. The Association Object provides the connection between the users and the devices.
Class Type
Structural Class
SuperClasses
Group
Attributes
dellProductMembers
dellPrivilegeMember
Table 5-4. dellRAC4Privileges Class
OID
1.2.840.113556.1.8000.1280.1.1.1.3
Description
This class is used to define the privileges (Authorization Rights) for the DRAC 4 device.
Class Type
Auxiliary Class
SuperClasses
None
Attributes
dellIsLoginUser
dellIsCardConfigAdmin
dellIsUserConfigAdmin
dellIsLogClearAdmin
dellIsServerResetUser
dellIsConsoleRedirectUser
dellIsVirtualMediaUser
dellIsTestAlertUser
dellIsDebugCommandAdmin
Table 5-5. dellPrivileges Class
OID
1.2.840.113556.1.8000.1280.1.1.1.4
Description
This class is used as a container Class for the Dell Privileges (Authorization Rights).
Class Type
Structural Class
SuperClasses
User
Attributes
dellRAC4Privileges
Table 5-6. dellProduct Class
OID
1.2.840.113556.1.8000.1280.1.1.1.5
Description
This is the main class from which all Dell products are derived.
Class Type
Structural Class
SuperClasses
Computer
Attributes
dellAssociationMembers
Table 5-7. List of Attributes Added to the Active Directory Schema
Attribute Name/Description
Assigned OID/Syntax Object Identifier
Single Valued
dellPrivilegeMember
List of dellPrivilege Objects that belong to this Attribute.
1.2.840.113556.1.8000.1280.1.1.2.1
Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
FALSE
dellProductMembers
List of dellRacDevices Objects that belong to this role. This attribute is the forward link to the dellAssociationMembers backward link. Link ID: 12070
1.2.840.113556.1.8000.1280.1.1.2.2
Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
The Current Schema Version is used to update the schema.
1.2.840.113556.1.8000.1280.1.1.2.12
Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
TRUE
dellRacType
This attribute is the Current Rac Type for the dellRacDevice object and the backward link to the dellAssociationObjectMembers forward link.
1.2.840.113556.1.8000.1280.1.1.2.13
Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
TRUE
dellAssociationMembers
List of dellAssociationObjectMembers that belong to this Product. This attribute is the backward link to the dellProductMembers Linked attribute. Link ID: 12071
1.2.840.113556.1.8000.1280.1.1.2.14
Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
FALSE
Installing the Dell Extension to the Active Directory Users and Computers Snap-In
When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so that the administrator can manage RAC (DRAC 4) devices, Users and User Groups, RAC Associations, and RAC Privileges. When you install your systems management software using the Dell Systems Management Consoles CD, you can extend the snap-in by selecting the Dell Extension to the Active Directory User's and Computers Snap-In option during the installation procedure. See the Dell OpenManage Software Quick Installation Guide for additional instructions about installing systems management software.
For more information about the Active Directory Users and Computers snap-in, see your Microsoft documentation.
Installing the Administrator Pack
You must install the Administrator Pack on each system that is managing the Active Directory DRAC 4 Objects. If you do not install the Administrator Pack, then you cannot view the Dell RAC Object in the container.
Opening the Active Directory Users and Computers Snap-In
To open the Active Directory Users and Computers snap-in, perform the following steps:
If you are on the domain controller, click StartAdmin Tools® Active Directory Users and Computers.
If you are not on the domain controller, you must have the appropriate Microsoft Administrator Pack installed on your local system. To install this Administrator Pack, click Start®Run, type MMC and press Enter.
The Microsoft Management Console (MMC) appears.
In the Console 1 window, click File (or Console on systems running Windows 2000).
Click Add/Remove Snap-in.
Select the Active Directory Users and Computers snap-in and click Add.
Click Close and click OK.
Adding DRAC 4 Users and Privileges to Active Directory
Using the Dell-extended Active Directory Users and Computers snap-in, you can add DRAC 4 users and privileges by creating RAC, Association, and Privilege objects. To add each type of object, perform the following procedures:
Create a RAC Device Object
Crate a Privilege Object
Create an Association Object
Add Objects to an Association Object
Creating a RAC Device Object
In the MMC Console Root window, right-click a container.
Privilege Objects must be created in the same domain as the Association Object to which it is associated.
In the Console Root (MMC) window, right-click a container.
Select New® Dell RAC Object.
This opens the New Object window.
Type a name for the new object.
Select Privilege Object.
Click OK.
Right-click the privilege object that you created, and select Properties.
Click the RAC 4 Privileges tab and select the DRAC 4 privileges that you want the user to have (for
more information, see Table 4-2).
Creating an Association Object
The Association Object is derived from a Group and must contain a Group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, you must choose the Association Scope that applies to the type of objects you intend to add. Selecting Universal, for example, means that association objects are only available when the Active Directory Domain is functioning in Native Mode or above.
In the Console Root (MMC) window, right-click a container.
Select New® Dell RAC Object.
The New Object window appears
Type a name for the new object.
Select Association Object.
Select the scope for the Association Object.
Click OK.
Adding Objects to an Association Object
Using the Association Object Properties window, you can associate users or user groups, privilege objects, and RAC devices or RAC device groups. If your system is running Windows 2000 mode or higher, use Universal Groups to span domains with your user or RAC objects.
You can add groups of Users and RAC devices. The procedure for creating Dell-related groups and non-Dell-related groups is identical.
Adding Users or User Groups
Right-click the Association Object and select Properties.
Select the Users tab and click Add.
Type the user or User Group name and click OK.
Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a RAC device. Only one privilege object can be added to an Association Object.
Adding Privileges
Select the Privileges Object tab and click Add.
Type the Privilege Object name and click OK.
Click the Products tab to add one or more RAC devices to the association. The associated devices specify the RAC devices connected to the network that are available for the defined users or user groups. Multiple RAC devices can be added to an association object.
Adding RAC Devices or RAC Device Groups
Select the Products tab and click Add.
Type the RAC device or RAC device group name and click OK.
In the Properties window, click Apply and then OK.
Configuring the DRAC 4 with Extended Schema Active Directory and the Web-Based Interface
NOTE: If you are using Standard Schema with Active Directory, the DRAC 4 Name and DRAC 4 Domain Name fields are unavailable.
Log in to the Web-based interface using the default user, root, and password.
Click the Configuration tab and select Active Directory.
On the Active Directory Configuration page, select the Enable Active Directory check box.
Type the DRAC 4 Name.
This name must be the same as the common name of the RAC object you created in your Domain Controller (see step 3 of "Creating a RAC Device Object").
Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for
the forest.
Type the DRAC 4 Domain Name (for example, drac4.com). Do not use the NetBIOS name.
The DRAC 4 Domain Name is the fully qualified domain name of the sub-domain where the RAC Device Object is located.
Click Apply to save the Active Directory settings.
Click Upload Active Directory CA Certificate to upload your domain forest Root CA certificate into
the DRAC 4.
The domain controllers' SSL certificates should have been signed by the root CA. Have the root CA certificate available on your management station accessing the DRAC 4 (see "Exporting the Domain Controller Root CA Certificate").
Click the Configuration tab and select Network.
If DRAC 4 NIC DHCP is enabled, select Use DHCP to obtain DNS server address. If you want to
input a DNS server IP address manually, deselect Use DHCP to obtain DNS server address and type
your primary and alternate DNS Server IP addresses.
Click Apply.
The DRAC 4 Extended Schema Active Directory feature configuration is complete.
Configuring the DRAC 4 with Extended Schema Active Directory and the racadm CLI
Use the following commands to configure the DRAC 4 Active Directory Feature with Extended Schema using the racadm CLI instead of the Web-based interface.
Open a command prompt and type the following racadm commands:
racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
Standard Schema Active Directory Overview
As shown in Figure 5-4, using standard schema for Active Directory integration requires configuration on both Active Directory and the DRAC 4. On the Active Directory side, a standard group object is used as a role group. A user with DRAC 4 access is a member of the role group. In order to give this user access to a specific DRAC 4 card, the role group name and its domain name need to be configured on the specific DRAC 4 card. Unlike the extended schema solution, the role and the privilege level is defined on each DRAC 4 card, not in the Active Directory. Up to five role groups can be configured and defined in each DRAC 4. Table B-3 shows the privileges level of the role groups and Table 5-8 shows the default role group settings.
racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
Enabling SSL on a Domain Controller
If you are using the Microsoft Enterprise Root CA to automatically assign all your domain controllers to an SSL certificate, perform the following steps to enable SSL on each domain controller.
Install a Microsoft Enterprise Root CA on a Domain Controller.
Click Start and select Settings®Control Panel® Add or Remove Programs.
In the Add or Remove Programs window, click Add/Remove Windows Components.
In the Windows Components Wizard, select the Certificate Services check box.
Select Enterprise root CA as CA Type and click Next.
Select Common name for this CA, click Next, and click Finish.
Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.
Click the Configuration tab and then click Active Directory.
In the Certificate Upload page, click Browse and select the certificate or type the path to the
certificate in the Value field.
Click Apply.
Click Finish and then click OK.
Importing the DRAC 4 Firmware SSL Certificate
Use the following procedure to import the DRAC 4 firmware SSL certificate to all domain controller trusted certificate lists.
NOTE: If the DRAC 4 firmware SSL certificate is signed by a well-known CA, you do not need to perform the steps described in this section.
NOTE: The following steps may vary slightly if you are using Windows 2000.
The DRAC 4 SSL certificate is the identical certificate used for the DRAC 4 Web server. All DRAC 4 controllers are shipped with a default self-signed certificate. To access the certificate using the DRAC 4 Web-based interface, click the Configuration Tab, click Active Directory, and then click Download DRAC 4 Server Certificate.
On the domain controller, open an MMC Console window and select Certificates® Trusted Root
Certification Authorities.
Right-click Certificates, select All Tasks and click Import.
Click Next and browse to the SSL certificate file.
Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.
If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the Authority is not in the list, you must install it on all your Domain Controllers.
Click Next and select whether you would like Windows to automatically select the certificate store
based on the type of certificate, or browse to a store of your choice.
Click Finish and click OK.
Using Active Directory to Log In to the DRAC 4
You can use Active Directory to log in to the DRAC 4 through the Web-based interface, remote racadm, or the serial or telnet console.
The login syntax is consistent for all three methods:
<username@domain> or <domain>\<username> or <domain>/<username>
where <username> is an ASCII string of 1–256 bytes. No white space and no special characters (such as \, /, or @) are allowed in either the user name or the domain name.
NOTE: You cannot specify NetBIOS domain names, such as Americas, since those names cannot be resolved.
4096-Bit Key Encryption
DRAC 4 firmware version 1.40 and later support 4096-bit key encryption between the managed system and the Active Directory server—a practice that is recommended by Microsoft.
In the standard Active Directory environment, the user name and password is authenticated by exchanging user information between Active Directory systems in a corporate network. In firmware 1.40 and later, user authentication is achieved by exchanging user information and the CA certificate directly between the DRAC 4 card and the Active Directory system using 4096-bit key encryption. The Active Directory server transmits a trusted CA certificate to the DRAC card for validation. The DRAC card validates the CA certificate and extracts the private key from the certificate, which is used to decrypt transmissions between the DRAC card and the Active Directory server.
NOTE: Depending on your network configuration, authentication may require up to 90 seconds to complete.
Frequently Asked Questions
Table 5-9 lists frequently asked questions and answers.
Table 5-9. Using the DRAC 4 With Active Directory: Frequently Asked Questions
Question
Answer
Can I log into the DRAC 4 using Active Directory across multiple trees?
Yes. The DRAC 4's Active Directory querying algorithm supports multiple trees in a single forest.
Does the log in to the DRAC 4 using Active Directory work in mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT® 4.0, Windows 2000, or Windows Server 2003)?
Yes. In mixed mode, all objects used by the DRAC 4 querying process (among user, RAC Device Object, and Association Object) have to be in the same domain.
The Dell-extended Active Directory Users and Computers snap-in checks the mode and limits users in order to create objects across domains if in mixed mode.
Does using the DRAC 4 with Active Directory support multiple domain environments?
Yes. The domain forest function level must be in Native mode or Windows 2003 mode. In addition, the groups among Association Object, RAC user objects, and RAC Device Objects (including Association Object) must be universal groups.
Can these Dell-extended objects (Dell Association Object, Dell RAC Device, and Dell Privilege Object) be in different domains?
The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains.
Are there any restrictions on Domain Controller SSL configuration?
Yes. All Active Directory servers' SSL certificates in the forest must be signed by the same root CA since DRAC 4 only allows uploading one trusted CA SSL certificate.
I created and uploaded a new RAC certificate and now the Web-based interface does not launch.
If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause of this issue is that you inadvertently chose User Certificate instead of Web Certificate when creating the certificate. To recover, generate a CSR and create a new Web certificate from Microsoft Certificate Services and load it using the racadm CLI from the managed system by typing:
racadm sslcsrgen [-g] [-u] [-f {filename}]
racadm sslcertupload -t 0x1 -f <web_sslcert>
What can I do if I cannot log into the DRAC 4 using Active Directory authentication? How do I troubleshoot the issue?
Troubleshoot as follows:
Ensure that you have checked the Enable Active Directory box on the DRAC 4 Active Directory configuration page.
Ensure that the DNS setting is correct on the DRAC 4 Networking configuration page.
Ensure that you have uploaded the Active Directory certificate from your Active Directory root CA to the DRAC 4.
Check the Domain Controller SSL certificates to ensure that they have not expired.
Ensure that your "DRAC 4 Name", "Root Domain Name", and "DRAC 4 Domain Name" match your Active Directory environment configuration.
Ensure that you use the correct user domain name during a login and not the NetBIOS name.
