Manuals

Manuals
Using the DRAC 5 With Microsoft Active Directory: Dell Remote Access Controller 5 Firmware Version 1.30 User's Guide

Back to Contents Page

Using the DRAC 5 With Microsoft Active Directory

Dell Remote Access Controller 5 Firmware Version 1.30 User's Guide

  Advantages and Disadvantages of Extended Schema and Standard Schema

  Extended Schema Active Directory Overview

  Standard Schema Active Directory Overview

  Enabling SSL on a Domain Controller

  Using Active Directory to Log In To the DRAC 5

  Frequently Asked Questions


A directory service maintains a common database of all information needed for controlling users, computers, printers, etc. on a network. If your company uses the Microsoft® Active Directory® service software, you can configure the software to provide access to the DRAC 5, allowing you to add and control DRAC 5 user privileges to your existing users in your Active Directory software.

NOTE: Using Active Directory to recognize DRAC 5 users is supported on the Microsoft Windows® 2000 and Windows Server® 2003 operating systems.

You can use Active Directory to define user access on DRAC 5 through two methods: you can use the extended schema solution which uses Dell-defined Active Directory objects or a standard schema solution which uses Active Directory group objects only.

Advantages and Disadvantages of Extended Schema and Standard Schema

When using Active Directory to configure access to the DRAC 5, you must choose either the extended schema or the standard schema solution.

The advantages of using the extended schema solution are:

  • All of the access control objects are maintained in Active Directory.

  • Maximum flexibility in configuring user access on different DRAC 5 cards with different privilege levels.

The advantages of using the standard schema solution are:

  • No schema extension is required because standard schema uses Active Directory objects only.

  • Configuration on Active Directory side is simple.

Extended Schema Active Directory Overview

There are two ways to enable Extended Schema Active Directory:

Active Directory Schema Extensions

The Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added or included in the database. The user class is one example of a Class that is stored in the database. Some example user class attributes can include the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization.

Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service.

Dell extension is: dell

Dell base OID is: 1.2.840.113556.1.8000.1280

RAC LinkID range is: 12070 to 12079

The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension Dell.

Overview of the RAC Schema Extensions

To provide the greatest flexibility in the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link together the users or groups with a specific set of privileges to one or more RAC devices. This model provides an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity.

Active Directory Object Overview

For each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, create at least one Association Object and one RAC Device Object. You can create multiple Association Objects, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as required. The users and RAC Device Objects can be members of any domain in the enterprise.

However, each Association Object can be linked (or, may link users, groups of users, or RAC Device Objects) to only one Privilege Object. This example allows an Administrator to control each user's privileges on specific RACs.

The RAC Device object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add the RAC to at least one Association Object in order for users to authenticate.

Figure 6-1 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.

Figure 6-1. Typical Setup for Active Directory Objects

NOTE: The RAC privilege object applies to both DRAC 4 and DRAC 5.

You can create as many or as few association objects as required. However, you must create at least one Association Object, and you must have one RAC Device Object for each RAC (DRAC 5) on the network that you want to integrate with Active Directory for Authentication and Authorization with the RAC (DRAC 5).

The Association Object allows for as many or as few users and/or groups as well as RAC Device Objects. However, the Association Object only includes one Privilege Object per Association Object. The Association Object connects the "Users" who have "Privileges" on the RACs (DRAC 5s).

Additionally, you can configure Active Directory objects in a single domain or in multiple domains. For example, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an administrator privilege to both DRAC 5 cards and give user3 a login privilege to the RAC2 card. Figure 6-2 shows how you set up the Active Directory objects in this scenario.

When adding Universal Groups from separate domains, create an Association Object with Universal Scope. The Default Association objects created by the Dell Schema Extender Utility are Domain Local Groups and will not work with Universal Groups from other domains.

Figure 6-2. Setting Up Active Directory Objects in a Single Domain

To configure the objects for the single domain scenario, perform the following tasks:

  1. Create two Association Objects.

  2. Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.

  3. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.

  4. Group user1 and user2 into Group1.

  5. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.

  6. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.

See "Adding DRAC 5 Users and Privileges to Active Directory" for detailed instructions.

Figure 6-3 provides an example of Active Directory objects in multiple domains. In this scenario, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user 3 are in Domain2. In this scenario, configure user1 and user 2 with administrator privileges to both DRAC 5 cards and configure user3 with login privileges to the RAC2 card.

Figure 6-3. Setting Up Active Directory Objects in Multiple Domains

To configure the objects for the multiple domain scenario, perform the following tasks:

  1. Ensure that the domain forest function is in Native or Windows 2003 mode.

  2. Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain.

Figure 6-3 shows the objects in Domain2.

  1. Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.

  2. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.

  3. Group user1 and user2 into Group1. The group scope of Group1 must be Universal.

  4. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.

  5. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.

Configuring Extended Schema Active Directory to Access Your DRAC 5

Before using Active Directory to access your DRAC 5, configure the Active Directory software and the DRAC 5 by performing the following steps in order:

  1. Extend the Active Directory schema (see "Extending the Active Directory Schema").

  2. Extend the Active Directory Users and Computers Snap-in (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In" ).

  3. Add DRAC 5 users and their privileges to Active Directory (see "Adding DRAC 5 Users and Privileges to Active Directory").

  4. Enable SSL on each of your domain controllers (see "Enabling SSL on a Domain Controller").

  5. Configure the DRAC 5 Active Directory properties using either the DRAC 5 Web-based interface or the RACADM (see "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface" or "Configuring the DRAC 5 With Extended Schema Active Directory and RACADM").

Extending the Active Directory Schema

Extending your Active Directory schema adds a Dell organizational unit, schema classes and attributes, and example privileges and association objects to the Active Directory schema. Before you extend the schema, ensure that you have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest.

You can extend your schema using one of the following methods:

  • Dell Schema Extender utility

  • LDIF script file

If you use the LDIF script file, the Dell organizational unit will not be added to the schema.

The LDIF files and Dell Schema Extender are located on your Dell Systems Console and Agent CD in the following respective directories:

  • CD drive:\support\OMActiveDirectory Tools\RAC4-5\LDIF_Files

  • CD drive:\support\OMActiveDirectory Tools\RAC4-5\Schema_Extender

To use the LDIF files, see the instructions in the readme included in the LDIF_Files directory. To use the Dell Schema Extender to extend the Active Directory Schema, see "Using the Dell Schema Extender".

You can copy and run the Schema Extender or LDIF files from any location.

Using the Dell Schema Extender

NOTICE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name of this file.
  1. In the Welcome screen, click Next.

  2. Read and understand the warning and click Next.

  3. Select Use Current Log In Credentials or enter a user name and password with schema administrator rights.

  4. Click Next to run the Dell Schema Extender.

  5. Click Finish.

The schema is extended. To verify the schema extension, use the Microsoft Management Console (MMC) and the Active Directory Schema snap-in to verify that the following exist:

See your Microsoft documentation for more information on how to enable and use the Active Directory Schema snap-in the MMC.

Table 6-1. Class Definitions for Classes Added to the Active Directory Schema

Class Name

Assigned Object Identification Number (OID)

dellRacDevice

1.2.840.113556.1.8000.1280.1.1.1.1

dellAssociationObject

1.2.840.113556.1.8000.1280.1.1.1.2

dellRACPrivileges

1.2.840.113556.1.8000.1280.1.1.1.3

dellPrivileges

1.2.840.113556.1.8000.1280.1.1.1.4

dellProduct

1.2.840.113556.1.8000.1280.1.1.1.5

Table 6-2. dellRacDevice Class

OID

1.2.840.113556.1.8000.1280.1.1.1.1

Description

Represents the Dell RAC device. The RAC device must be configured as dellRacDevice in Active Directory. This configuration enables the DRAC 5 to send Lightweight Directory Access Protocol (LDAP) queries to Active Directory.

Class Type

Structural Class

SuperClasses

dellProduct

Attributes

dellSchemaVersion

dellRacType

Table 6-3. dellAssociationObject Class 

OID

1.2.840.113556.1.8000.1280.1.1.1.2

Description

Represents the Dell Association Object. The Association Object provides the connection between the users and the devices.

Class Type

Structural Class

SuperClasses

Group

Attributes

dellProductMembers

dellPrivilegeMember

Table 6-4. dellRAC4Privileges Class

OID

1.2.840.113556.1.8000.1280.1.1.1.3

Description

Used to define the privileges (Authorization Rights) for the DRAC 5 device.

Class Type

Auxiliary Class

SuperClasses

None

Attributes

dellIsLoginUser

dellIsCardConfigAdmin

dellIsUserConfigAdmin

dellIsLogClearAdmin

dellIsServerResetUser

dellIsConsoleRedirectUser

dellIsVirtualMediaUser

dellIsTestAlertUser

dellIsDebugCommandAdmin

Table 6-5. dellPrivileges Class

OID

1.2.840.113556.1.8000.1280.1.1.1.4

Description

Used as a container Class for the Dell Privileges (Authorization Rights).

Class Type

Structural Class

SuperClasses

User

Attributes

dellRAC4Privileges

Table 6-6. dellProduct Class

OID

1.2.840.113556.1.8000.1280.1.1.1.5

Description

The main class from which all Dell products are derived.

Class Type

Structural Class

SuperClasses

Computer

Attributes

dellAssociationMembers

Table 6-7. List of Attributes Added to the Active Directory Schema 

Attribute Name/Description

Assigned OID/Syntax Object Identifier

Single Valued

dellPrivilegeMember

List of dellPrivilege Objects that belong to this Attribute.

1.2.840.113556.1.8000.1280.1.1.2.1

Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)

FALSE

dellProductMembers

List of dellRacDevices Objects that belong to this role. This attribute is the forward link to the dellAssociationMembers backward link.

Link ID: 12070

1.2.840.113556.1.8000.1280.1.1.2.2

Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)

FALSE

dellIsLoginUser

TRUE if the user has Login rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.3

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsCardConfigAdmin

TRUE if the user has Card Configuration rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.4

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsUserConfigAdmin

TRUE if the user has User Configuration rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.5

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

delIsLogClearAdmin

TRUE if the user has Log Clearing rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.6

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsServerResetUser

TRUE if the user has Server Reset rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.7

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsConsoleRedirectUser

TRUE if the user has Console Redirection rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.8

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsVirtualMediaUser

TRUE if the user has Virtual Media rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.9

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsTestAlertUser

TRUE if the user has Test Alert User rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.10

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellIsDebugCommandAdmin

TRUE if the user has Debug Command Admin rights on the device.

1.2.840.113556.1.8000.1280.1.1.2.11

Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)

TRUE

dellSchemaVersion

The Current Schema Version is used to update the schema.

1.2.840.113556.1.8000.1280.1.1.2.12

Case Ignore String
(LDAPTYPE_CASEIGNORESTRING
1.2.840.113556.1.4.905)

TRUE

dellRacType

This attribute is the Current Rac Type for the dellRacDevice object and the backward link to the dellAssociationObjectMembers forward link.

1.2.840.113556.1.8000.1280.1.1.2.13

Case Ignore String
(LDAPTYPE_CASEIGNORESTRING
1.2.840.113556.1.4.905)

TRUE

dellAssociationMembers

List of dellAssociationObjectMembers that belong to this Product. This attribute is the backward link to the dellProductMembers Linked attribute.

Link ID: 12071

1.2.840.113556.1.8000.1280.1.1.2.14

Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)

FALSE

Installing the Dell Extension to the Active Directory Users and Computers Snap-In

When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so the administrator can manage RAC (DRAC 5) devices, Users and User Groups, RAC Associations, and RAC Privileges.

When you install your systems management software using the Dell Systems Console and Agent CD, you can extend the snap-in by selecting the Dell Extension to the Active Directory User's and Computers Snap-In option during the installation procedure. See the Dell OpenManage Software Quick Installation Guide for additional instructions about installing systems management software.

For more information about the Active Directory User's and Computers snap-in, see your Microsoft documentation.

Installing the Administrator Pack

You must install the Administrator Pack on each system that is managing the Active Directory DRAC 5 Objects. If you do not install the Administrator Pack, you cannot view the Dell RAC Object in the container.

See "Opening the Active Directory Users and Computers Snap-In" for more information.

Opening the Active Directory Users and Computers Snap-In

To open the Active Directory Users and Computers snap-in, perform the following steps:

  1. If you are logged into the domain controller, click Start Admin Tools Active Directory Users and Computers.

If you are not logged into the domain controller, you must have the appropriate Microsoft Administrator Pack installed on your local system. To install this Administrator Pack, click StartRun, type MMC, and press Enter.

The Microsoft Management Console (MMC) appears.

  1. In the Console 1 window, click File (or Console on systems running Windows 2000).

  2. Click Add/Remove Snap-in.

  3. Select the Active Directory Users and Computers snap-in and click Add.

  4. Click Close and click OK.

Adding DRAC 5 Users and Privileges to Active Directory

Using the Dell-extended Active Directory Users and Computers snap-in, you can add DRAC 5 users and privileges by creating RAC, Association, and Privilege objects. To add each object type, perform the following procedures:

  • Create a RAC device Object

  • Create a Privilege Object

  • Create an Association Object

  • Add objects to an Association Object

Creating a RAC Device Object

  1. In the MMC Console Root window, right-click a container.

  2. Select NewDell RAC Object.

The New Object window appears.

  1. Type a name for the new object. The name must be identical to the DRAC 5 Name that you will type in step a of "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface".

  2. Select RAC Device Object.

  3. Click OK.

Creating a Privilege Object

NOTE: A Privilege Object must be created in the same domain as the related Association Object.
  1. In the Console Root (MMC) window, right-click a container.

  2. Select New Dell RAC Object.

The New Object window appears.

  1. Type a name for the new object.

  2. Select Privilege Object.

  3. Click OK.

  4. Right-click the privilege object that you created, and select Properties.

  5. Click the RAC Privileges tab and select the privileges that you want the user to have (for more information, see Table 4-9).

Creating an Association Object

The Association Object is derived from a Group and must contain a Group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, choose the Association Scope that applies to the type of objects you intend to add.

For example, if you select Universal, the association objects are only available when the Active Directory Domain is functioning in Native Mode or above.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New Dell RAC Object.

This opens the New Object window.

  1. Type a name for the new object.

  2. Select Association Object.

  3. Select the scope for the Association Object.

  4. Click OK.

Adding Objects to an Association Object

Using the Association Object Properties window, you can associate users or user groups, privilege objects, and RAC devices or RAC device groups. If your system is running Windows 2000 mode or higher, use Universal Groups to span domains with your user or RAC objects.

You can add groups of Users and RAC devices. The procedure for creating Dell-related groups and non-Dell-related groups is identical.

Adding Users or User Groups

  1. Right-click the Association Object and select Properties.

  2. Select the Users tab and click Add.

  3. Type the user or User Group name and click OK.

Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a RAC device. Only one privilege object can be added to an Association Object.

Adding Privileges

  1. Select the Privileges Object tab and click Add.

  2. Type the Privilege Object name and click OK.

Click the Products tab to add one or more RAC devices to the association. The associated devices specify the RAC devices connected to the network that are available for the defined users or user groups. Multiple RAC devices can be added to an Association Object.

Adding RAC Devices or RAC Device Groups

To add RAC devices or RAC device groups:

  1. Select the Products tab and click Add.

  2. Type the RAC device or RAC device group name and click OK.

  3. In the Properties window, click Apply and click OK.

Configuring the DRAC 5 With Extended Schema Active Directory and
Web-Based Interface

  1. Open a supported Web browser window.

  2. Log in to the DRAC 5 Web-based interface.

  3. Expand the System tree and click Remote Access.

  4. Click the Configuration tab and select Active Directory.

  5. On the Active Directory Main Menu page, select Configure Active Directory and click Next.

  6. In the Common Settings section:

    1. Select the Enable Active Directory check box.

    2. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.

    3. Type the Timeout time in seconds.

  7. Click Use Extended Schema in the Active Directory Schema Selection section.

  8. In the Extended Schema Settings section:

    1. Type the DRAC Name. This name must be the same as the common name of the new RAC object you created in your Domain Controller (see step 3 of "Creating a RAC Device Object").

    1. Type the DRAC Domain Name (for example, drac5.com). Do not use the NetBIOS name. The DRAC Domain Name is the fully qualified domain name of the sub-domain where the RAC Device Object is located.

  9. Click Apply to save the Active Directory settings.

  10. Click Go Back To Active Directory Main Menu.

  11. Upload your domain forest Root CA certificate into the DRAC 5.

    1. Select the Upload Active Directory CA Certificate check-box and then click Next.

    1. In the Certificate Upload page, type the file path of the certificate or browse to the certificate file.

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

The domain controllers' SSL certificates should have been signed by the root CA. Have the root CA certificate available on your management station accessing the DRAC 5 (see "Exporting the Domain Controller Root CA Certificate").

    1. Click Apply.

The DRAC 5 Web server automatically restarts after you click Apply.

  1. Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.

  2. In the System tree, click Remote Access.

  3. Click the Configuration tab and then click Network.

The Network Configuration page appears.

  1. If Use DHCP (for NIC IP Address) is selected under Network Settings, then select Use DHCP to obtain DNS server address.

To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.

  1. Click Apply Changes.

The DRAC 5 Extended Schema Active Directory feature configuration is complete.

Configuring the DRAC 5 With Extended Schema Active Directory and
RACADM

Using the following commands to configure the DRAC 5 Active Directory Feature with Extended Schema using the RACADM CLI tool instead of the Web-based interface.

  1. Open a command prompt and type the following racadm commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADType 1

racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified rac domain name>

racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>

racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

  1. If you want to specify an LDAP or Global Catalog server instead of using the servers returned by the DNS server to search for a user name, type the following command to enable the Specify Server option:

racadm config -g cfgActive Directory -o cfgADSpecifyServer Enable 1

NOTE: If you use this option, the hostname in the CA certificate is not matched against the name of the specified server. This is particularly useful if you are a DRAC administrator because it enables you to enter a hostname as well as an IP address.

After the Specify Server option is enabled, you can specify an LDAP server with an IP address or a fully qualified domain name of the server (FQDN). The FQDN consists of the hostname and the domain name of the server.

To specify an LDAP server, type:

racadm config -g cfgActive Directory -o cfgADDomainController <fully qualified domain name or IP address>

To specify a Global Catalog server, type:

racadm config -g cfgActive Directory -o cfgGlobalCatalog <fully qualified domain name or IP address>

NOTE: If you specify the IP address as 0.0.0.0, DRAC 5 will not search for any server.
NOTE: You can specify a list of LDAP or Global Catalog servers separated by commas. DRAC 5 allows you to specify up to three IP addresses or hostnames.
NOTE: If LDAPS is not correctly configured for all domains and applications, enabling it may produce unexpected results during the functioning of the existing applications/domains.
  1. If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm command:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

  1. If DHCP is disabled on the DRAC 5 or you want manually to input your DNS IP address, type following racadm commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

  1. Press Enter to complete the DRAC 5 Active Directory feature configuration.

Standard Schema Active Directory Overview

As shown in Figure 6-4, using standard schema for Active Directory integration requires configuration on both Active Directory and the DRAC 5. On the Active Directory side, a standard group object is used as a role group. A user who has DRAC 5 access will be a member of the role group. In order to give this user access to a specific DRAC 5 card, the role group name and its domain name need to be configured on the specific DRAC 5 card. Unlike the extended schema solution, the role and the privilege level is defined on each DRAC 5 card, not in the Active Directory. Up to five role groups can be configured and defined in each DRAC 5. Table 4-16 shows the privileges level of the role groups and Table 6-8 shows the default role group settings.

Figure 6-4. Configuration of DRAC 5 with Microsoft Active Directory and Standard Schema

Table 6-8. Default Role Group Privileges

Role Groups

Default Privilege Level

Permissions Granted

Bit Mask

Role Group 1

Administrator

Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands

0x000001ff

Role Group 2

Power User

Login to DRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts

0x000000f9

Role Group 3

Guest User

Login to DRAC

0x00000001

Role Group 4

None

No assigned permissions

0x00000000

Role Group 5

None

No assigned permissions

0x00000000

NOTE: The Bit Mask values are used only when setting Standard Schema with the RACADM.

There are two ways to enable Standard Schema Active Directory:

Configuring Standard Schema Active Directory to Access Your DRAC 5

You need to perform the following steps to configure the Active Directory before an Active Directory user can access the DRAC 5:

  1. On an Active Directory server (domain controller), open the Active Directory Users and Computers Snap-in.

  2. Create a group or select an existing group. The name of the group and the name of this domain will need to be configured on the DRAC 5 either with the web-based interface or RACADM (see "Configuring the DRAC 5 With Standard Schema Active Directory and Web-Based Interface" or "Configuring the DRAC 5 With Standard Schema Active Directory and RACADM").

  3. Add the Active Directory user as a member of the Active Directory group to access the DRAC 5.

Configuring the DRAC 5 With Standard Schema Active Directory and
Web-Based Interface

  1. Open a supported Web browser window.

  2. Log in to the DRAC 5 Web-based interface.

  3. Expand the System tree and click Remote Access.

  4. Click the Configuration tab and select Active Directory.

  5. On the Active Directory Main Menu page, select Configure Active Directory and click Next.

  6. In the Common Settings section:

    1. Select the Enable Active Directory check box.

    1. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.

    2. Type the Timeout time in seconds.

  7. Click Use Standard Schema in the Active Directory Schema Selection section.

  8. Click Apply to save the Active Directory settings.

  9. In the Role Groups column of the Standard Schema settings section, click a Role Group.

The Configure Role Group page appears, which includes a role group's Group Name, Group Domain, and Role Group Privileges.

  1. Type the Group Name. The group name identifies the role group in the Active Directory associated with the DRAC 5 card.

  2. Type the Group Domain. The Group Domain is the fully qualified root domain name for the forest.

  3. In the Role Group Privileges page, set the group privileges.

Table 4-16 describes the Role Group Privileges.

Table 4-17 describes the Role Group Permissions. If you modify any of the permissions, the existing Role Group Privilege (Administrator, Power User, or Guest User) will change to either the Custom group or the appropriate Role Group Privilege based on the permissions modified.

  1. Click Apply to save the Role Group settings.

  2. Click Go Back To Active Directory Configuration and Management.

  3. Click Go Back To Active Directory Main Menu.

  4. Upload your domain forest Root CA certificate into the DRAC 5.

    1. Select the Upload Active Directory CA Certificate check-box and then click Next.

    1. In the Certificate Upload page, type the file path of the certificate or browse to the certificate file.

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

The domain controllers' SSL certificates should have been signed by the root CA. Have the root CA certificate available on your management station accessing the DRAC 5 (see "Exporting the Domain Controller Root CA Certificate").

    1. Click Apply.

The DRAC 5 Web server automatically restarts after you click Apply.

  1. Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.

  2. In the System tree, click Remote Access.

  3. Click the Configuration tab and then click Network.

The Network Configuration page appears.

  1. If Use DHCP (for NIC IP Address) is selected under Network Settings, select Use DHCP to obtain DNS server address.

To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.

  1. Click Apply Changes.

The DRAC 5 Standard Schema Active Directory feature configuration is complete.

Configuring the DRAC 5 With Standard Schema Active Directory and
RACADM

Using the following commands to configure the DRAC 5 Active Directory Feature with Standard Schema using the RACADM CLI instead of the Web-based interface.

  1. Open a command prompt and type the following racadm commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADType 2

racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupName <common name of the role group>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupDomain <fully qualified domain name>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupPrivilege <Bit Mask Number for specific user permissions>

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

NOTE: For Bit Mask number values, see Table B-4.
  1. If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

  1. If DHCP is disabled on the DRAC 5 or you want manually to input your DNS IP address, type the following racadm commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

Enabling SSL on a Domain Controller

If you are using Microsoft Enterprise Root CA to automatically assign all your domain controllers to an SSL certificate, perform the following steps to enable SSL on each domain controller.

  1. Install a Microsoft Enterprise Root CA on a Domain Controller.

    1. Select StartControl Panel Add or Remove Programs.

    1. Select Add/Remove Windows Components.

    2. In the Windows Components Wizard, select the Certificate Services check box.

    3. Select Enterprise root CA as CA Type and click Next.

    4. Enter Common name for this CA, click Next, and click Finish.

  2. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.

    1. Click Start Administrative Tools Domain Security Policy.

    1. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.

    2. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.

    3. Click Next and click Finish.

Exporting the Domain Controller Root CA Certificate

NOTE: If your system is running Windows 2000, the following steps may vary.
  1. Locate the domain controller that is running the Microsoft Enterprise CA service.

  2. Click StartRun.

  3. In the Run field, type mmc and click OK.

  4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and select Add/Remove Snap-in.

  5. In the Add/Remove Snap-In window, click Add.

  6. In the Standalone Snap-In window, select Certificates and click Add.

  7. Select Computer account and click Next.

  8. Select Local Computer and click Finish.

  9. Click OK.

  10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.

  11. Locate and right-click the root CA certificate, select All Tasks, and click Export... .

  12. In the Certificate Export Wizard, click Next, and select No do not export the private key.

  13. Click Next and select Base-64 encoded X.509 (.cer) as the format.

  14. Click Next and save the certificate to a directory on your system.

  15. Upload the certificate you saved in step 14 to the DRAC 5.

To upload the certificate using RACADM, see "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface".

To upload the certificate using the Web-based interface, perform the following procedure:

    1. Open a supported Web browser window.

    1. Log in to the DRAC 5 Web-based interface.

    2. Expand the System tree and click Remote Access.

    3. Click the Configuration tab, and then click Security.

    4. In the Security Certificate Main Menu page, select Upload Server Certificate and click Apply.

    5. In the Certificate Upload screen, perform one of the following procedures:

      • Click Browse and select the certificate

      • In the Value field, type the path to the certificate.

    6. Click Apply.

Importing the DRAC 5 Firmware SSL Certificate

Use the following procedure to import the DRAC 5 firmware SSL certificate to all domain controller trusted certificate lists.

NOTE: If your system is running Windows 2000, the following steps may vary.
NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you are not required to perform the steps in this section.

The DRAC 5 SSL certificate is the identical certificate used for the DRAC 5 Web server. All DRAC 5 controllers are shipped with a default self-signed certificate.

To access the certificate using the DRAC 5 Web-based interface, select ConfigurationActive DirectoryDownload DRAC 5 Server Certificate.

  1. On the domain controller, open an MMC Console window and select Certificates Trusted Root Certification Authorities.

  2. Right-click Certificates, select All Tasks and click Import.

  3. Click Next and browse to the SSL certificate file.

  4. Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the Authority is not in the list, you must install it on all your Domain Controllers.

  1. Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.

  2. Click Finish and click OK.

Using Active Directory to Log In To the DRAC 5

You can use Active Directory to log in to the DRAC 5 using one of the following methods:

  • Web-based interface

  • Remote RACADM

  • Serial or telnet console.

The login syntax is consistent for all three methods:

<username@domain>

or

<domain>\<username> or <domain>/<username>

where username is an ASCII string of 1–256 bytes.

White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.

NOTE: You cannot specify NetBIOS domain names, such as Americas, as these names cannot be resolved.

Frequently Asked Questions

Table 6-9 lists frequently asked questions and answers.

Table 6-9. Using DRAC 5 With Active Directory: Frequently Asked Questions 

Question

Answer

Can I log into the DRAC 5 using Active Directory across multiple trees?

Yes. The DRAC 5's Active Directory querying algorithm supports multiple trees in a single forest.

Does the log in to the DRAC 5 using Active Directory work in mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT® 4.0, Windows 2000, or Windows Server 2003)?

Yes. In mixed mode, all objects used by the DRAC 5 querying process (among user, RAC Device Object, and Association Object) have to be in the same domain.

The Dell-extended Active Directory Users and Computers snap-in checks the mode and limits users in order to create objects across domains if in mixed mode.

Does using the DRAC 5 with Active Directory support multiple domain environments?

Yes. The domain forest function level must be in Native mode or Windows 2003 mode. In addition, the groups among Association Object, RAC user objects, and RAC Device Objects (including Association Object) must be universal groups.

Can these Dell-extended objects (Dell Association Object, Dell RAC Device, and Dell Privilege Object) be in different domains?

The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains.

Are there any restrictions on Domain Controller SSL configuration?

Yes. All Active Directory servers' SSL certificates in the forest must be signed by the same root CA since DRAC 5 only allows uploading one trusted CA SSL certificate.

I created and uploaded a new RAC certificate and now the Web-based interface does not launch.

If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause of this is you inadvertently chose User Certificate instead of Web Certificate when creating the certificate.

To recover, generate a CSR and then create a new web certificate from Microsoft Certificate Services and load it using the RACADM CLI from the managed system by using the following racadm commands:

racadm sslcsrgen [-g] [-u] [-f {filename}]

racadm sslcertupload -t 1 -f {web_sslcert}

What can I do if I cannot log into the DRAC 5 using Active Directory authentication? How do I troubleshoot the issue?

  1. Ensure that you use the correct user domain name during a login and not the NetBIOS name.
  2. If you have a local DRAC user account, log into the DRAC 5 using your local credentials.

After you are logged in, perform the following steps:

    1. Ensure that you have checked the Enable Active Directory box on the DRAC 5 Active Directory configuration page.
    1. Ensure that the DNS setting is correct on the DRAC 5 Networking configuration page.
    2. Ensure that you have uploaded the Active Directory certificate from your Active Directory root CA to the DRAC 5.
    3. Check the Domain Controller SSL certificates to ensure that they have not expired.
    4. Ensure that your DRAC Name, Root Domain Name, and DRAC Domain Name match your Active Directory environment configuration.
    5. Ensure that the DRAC 5 password has a maximum of 127 characters. While the DRAC 5 can support passwords of up to 256 characters, Active Directory only supports passwords that have a maximum length of 127 characters.

Back to Contents Page

 

Shop
Solutions
Services
Systems
Software & Peripherals
Support
Drivers and Downloads
Product Support
Support by Topic
Warranty Information
Order Support
Community
Join the Discussion
Share Your Ideas
Read our Blog
Ratings & Reviews
Community Home
About Dell
Investor Relations
News
Company Information
Corporate Responsibility
All About Dell
My Account
Sign-in / Register
Order Status

Laptops | Desktops | Business Laptops | Business Desktops | Workstations | Servers | Storage | Monitors | Printers | LCD TVs | Electronics
© 2009 Dell | About Dell | Terms of Sale | Unresolved Issues | Privacy | About Our Ads | Dell Recycling | Contact | Site Map | Feedback
AT | AU | BE | BR | CA | CH | CL | CN | CO | DE | DK | ES | FR | HK | IE | IN | IT | JP | KR | ME | MX | MY | NL | NO | PA | PR | RU | SE | SG | UK | VE | ALL

Large Text
snWEB4