
Using Microsoft® Active Directory®

Dell™ OpenManage™ Version 5.2 Installation and Security User's Guide

  Controlling Access to Your Network

  Extending the Active Directory Schema



Controlling Access to Your Network

If you use Active Directory service software, you can configure it to control access to your network. Dell has extended the Active Directory schema to support remote management authentication and authorization. Dell OpenManage™ IT Assistant and Dell OpenManage Server Administrator, as well as Dell™ remote access controllers, can now interface with Active Directory. Through Active Directory you can add and control users and privileges from one central database.

NOTE: Using Active Directory to recognize Dell Remote Access Controller (DRAC), IT Assistant, or Server Administrator users is supported on the Microsoft Windows® 2000 and Windows Server® 2003 operating systems.

Active Directory Schema Extensions

The Active Directory data exists in a distributed database of Attributes and Classes. An example of an Active Directory Class is the User class. Example Attributes of the User class are the user's first name, last name, phone number, and so on. Every Attribute or Class that is added to an existing Active Directory schema must be defined with a unique ID. To keep IDs unique throughout the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs).

The Active Directory schema defines the rules for what data can be included in the database. To extend the schema in Active Directory, Dell received unique OIDs, unique name extensions, and unique linked attribute IDs for the new attributes and classes in the directory service.

Dell extension is: dell

Dell base OID is: 1.2.840.113556.1.8000.1280

Dell LinkID range is: 12070 to 12079

The Active Directory OID database maintained by Microsoft can be viewed at msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension, dell.

Overview of the Active Directory Schema Extensions

Dell created Classes, or groups of objects, that can be configured by the user to meet their unique needs. New Classes in the schema include an Association, a Product, and a Privilege class. An Association object links the users or groups to a given set of privileges and to systems (Product Objects) in your network. This model gives an administrator control over the different combinations of users, privileges, and systems or RAC devices on the network, without adding complexity.

Active Directory Object Overview

For each of the systems that you want to integrate with Active Directory for authentication and authorization, there must be at least one Association Object and one Product Object. The Product Object represents the system. The Association Object links it with users and privileges. You can create as many Association Objects as you need.

Each Association Object can be linked to as many users, groups of users, and Product Objects as desired. The users and Product Objects can be from any domain. However, each Association Object may only link to one Privilege Object. This behavior allows an Administrator to control which users have which rights on specific systems.

The Product Object links the system to Active Directory for authentication and authorization queries. When a system is added to the network, the Administrator must configure the system and its product object with its Active Directory name so that users can perform authentication and authorization with Active Directory. The Administrator must also add the system to at least one Association Object in order for users to authenticate.

Figure 8-1 illustrates that the Association Object provides the connection that is needed for all of the authentication and authorization.

Figure 8-1. Typical Setup for Active Directory Objects

In addition, you can set up Active Directory objects in a single domain or in multiple domains. Setting up objects in a single domain does not vary, whether you are setting up RAC, Server Administrator, or IT Assistant objects. When multiple domains are involved, however, there are some differences.

For example, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an Administrator privilege on both DRAC 4 cards and give user3 a Login privilege on the RAC2 card. Figure 8-2 shows how you set up the Active Directory objects in this scenario.

Figure 8-2. Setting Up Active Directory Objects in a Single Domain

To set up the objects for the single domain scenario, perform the following tasks:

  1. Create two Association Objects.

  2. Create two RAC Product Objects, RAC1 and RAC2, to represent the two DRAC 4 cards.

  3. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator) and Priv2 has Login privileges.

  4. Group User1 and User2 into Group1.

  5. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and both RAC1 and RAC2 as RAC Products in AO1.

  6. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Products in AO2.

See "Adding Users and Privileges to Active Directory" for detailed instructions.

Figure 8-3 shows how to set up the Active Directory objects in multiple domains for RAC. In this scenario, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (User1, User2, and User3). User1 is in Domain1, but User2 and User3 are in Domain2. You want to give User1 and User2 Administrator privileges on both the RAC1 and the RAC2 card and give User3 a Login privilege on the RAC2 card.

Figure 8-3. Setting Up RAC Active Directory Objects in Multiple Domains

To set up the objects for this multiple domain scenario, perform the following tasks:

  1. Ensure that the domain forest function is in Native or Windows 2003 mode.

  2. Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain. The figure shows the objects in Domain2.

  3. Create two RAC Device Objects, RAC1 and RAC2, to represent the two remote systems.

  4. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator) and Priv2 has Login privileges.

  5. Group User1 and User2 into Group1. The group scope of Group1 must be Universal.

  6. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and both RAC1 and RAC2 as Products in AO1.

  7. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as a Product in AO2.

For Server Administrator or IT Assistant, on the other hand, the users in a single Association can be in separate domains without needing to be added to a universal group. The following, very similar example shows how Server Administrator or IT Assistant systems in separate domains affect the setup of directory objects. Instead of RAC devices, you have two systems running Server Administrator (Server Administrator Products sys1 and sys2). Sys1 and sys2 are in different domains. You can use any existing Users or Groups that you have in Active Directory. Figure 8-4 shows how to set up the Server Administrator Active Directory objects for this example.

Figure 8-4. Setting Up Server Administrator Active Directory Objects in Multiple Domains

To set up the objects for this multiple domain scenario, perform the following tasks:

  1. Ensure that the domain forest function is in Native or Windows 2003 mode.

  2. Create two Association Objects, AO1 and AO2, in any domain. The figure shows the objects in Domain1.

  3. Create two Server Administrator Products, sys1 and sys2, to represent the two systems. Sys1 is in Domain1 and sys2 is in Domain2.

  4. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator) and Priv2 has Login privileges.

  5. Group sys2 into Group1. The group scope of Group1 must be universal.

  6. Add User1 and User2 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and both sys1 and Group1 as Products in AO1.

  7. Add User3 as a Member in Association Object 2 (AO2), Priv2 as a Privilege object in AO2, and Group1 as a Product in AO2.

Note that neither of the Association objects needs to be of Universal scope in this case.
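The three scenarios above can be checked against the rules the guide states: one Privilege Object per Association, Universal groups to span domains for RAC users and devices, Universal product groups for Server Administrator and IT Assistant systems in other domains, and Privilege Objects living in the Association's own domain. The following Python model is an added illustration, not Dell code: it builds the objects of Figures 8-2, 8-3 and 8-4 in memory, answers which rights a user holds on a given system (the question the RAC or application asks Active Directory at login), and reports which of those rules a proposed Association breaks. The domains given to the RAC devices and to the product group, the "DomainLocal" scope of the default Association Objects, and the use of Read-Only as the Server Administrator stand-in for the guide's "Login" privilege are assumptions made for the example; rights are named after the attributes in Tables 8-4 and 8-8.

```python
"""Model of the Association, Product and Privilege objects described above (added
illustration, not Dell code).  Object names follow Figures 8-2 to 8-4; the domains of
the RAC devices and of the product group, the "DomainLocal" scope of the default
Association Objects and the Server Administrator stand-in for "Login" are assumed."""
from collections import namedtuple

User = namedtuple("User", "name domain")
Group = namedtuple("Group", "name domain scope members")   # members: names of users, products or groups
Product = namedtuple("Product", "name domain kind")        # kind: "RAC" or "OMSA" (Server Administrator)
Privilege = namedtuple("Privilege", "name domain rights")  # rights: attribute names from Tables 8-4 / 8-8
Association = namedtuple("Association", "name domain scope members privileges products")

RAC_ALL = frozenset({"dellIsLoginUser", "dellIsCardConfigAdmin", "dellIsUserConfigAdmin",
                     "dellIsLogClearAdmin", "dellIsServerResetUser", "dellIsConsoleRedirectUser",
                     "dellIsVirtualMediaUser", "dellIsTestAlertUser", "dellIsDebugCommandAdmin"})
OMSA_ALL = frozenset({"dellOmsaIsReadOnlyUser", "dellOmsaIsReadWriteUser", "dellOmsaIsAdminUser"})


def index(*objs):
    """Directory lookup table: object name -> object."""
    return {o.name: o for o in objs}


def expand(names, directory):
    """Flatten (nested) group membership into the set of leaf object names."""
    leaves, todo = set(), list(names)
    while todo:
        obj = directory[todo.pop()]
        if isinstance(obj, Group):
            todo.extend(obj.members)
        else:
            leaves.add(obj.name)
    return leaves


def resolve_rights(user, product, associations, directory):
    """Rights granted to `user` on `product` by every Association Object linking both.
    An Association with other than exactly one Privilege Object grants nothing."""
    rights = set()
    for ao in associations:
        if (len(ao.privileges) == 1 and user in expand(ao.members, directory)
                and product in expand(ao.products, directory)):
            rights |= directory[ao.privileges[0]].rights
    return frozenset(rights)


def lint_association(ao, directory):
    """Rules from the guide that `ao` breaks; an empty list means the setup is consistent."""
    problems = []
    if len(ao.privileges) != 1:
        problems.append("must link exactly one Privilege Object")
    if any(directory[p].domain != ao.domain for p in ao.privileges):
        problems.append("Privilege Object must be in the same domain as the Association Object")
    is_rac = any(directory[p].kind == "RAC" for p in expand(ao.products, directory))
    spans = False
    for name in set(ao.members) | set(ao.products):
        obj = directory[name]
        foreign = [x for x in expand({name}, directory) if directory[x].domain != ao.domain]
        if not foreign:
            continue
        spans = True
        if isinstance(obj, Group) and obj.scope == "Universal":
            continue                     # spanning domains through a Universal group is allowed
        if is_rac:
            problems.append(f"{name}: RAC users and devices from another domain need a Universal group")
        elif any(isinstance(directory[x], Product) for x in foreign):
            problems.append(f"{name}: products from another domain need a Universal product group")
    if is_rac and spans and ao.scope != "Universal":
        problems.append("an Association spanning domains for RAC devices must have Universal scope")
    return problems


def single_domain():
    """Figure 8-2: two DRAC 4 cards, three users, everything in Domain1."""
    d = index(User("user1", "Domain1"), User("user2", "Domain1"), User("user3", "Domain1"),
              Product("RAC1", "Domain1", "RAC"), Product("RAC2", "Domain1", "RAC"),
              Privilege("Priv1", "Domain1", RAC_ALL), Privilege("Priv2", "Domain1", frozenset({"dellIsLoginUser"})),
              Group("Group1", "Domain1", "Global", frozenset({"user1", "user2"})))
    return d, [Association("AO1", "Domain1", "DomainLocal", frozenset({"Group1"}), ("Priv1",), frozenset({"RAC1", "RAC2"})),
               Association("AO2", "Domain1", "DomainLocal", frozenset({"user3"}), ("Priv2",), frozenset({"RAC2"}))]


def multi_domain_rac(group_scope="Universal", ao1_scope="Universal"):
    """Figure 8-3: User1 is in Domain1, everything else in Domain2 (device domains assumed).
    Pass non-Universal scopes to see which rules the lint reports."""
    d = index(User("User1", "Domain1"), User("User2", "Domain2"), User("User3", "Domain2"),
              Product("RAC1", "Domain2", "RAC"), Product("RAC2", "Domain2", "RAC"),
              Privilege("Priv1", "Domain2", RAC_ALL), Privilege("Priv2", "Domain2", frozenset({"dellIsLoginUser"})),
              Group("Group1", "Domain2", group_scope, frozenset({"User1", "User2"})))
    return d, [Association("AO1", "Domain2", ao1_scope, frozenset({"Group1"}), ("Priv1",), frozenset({"RAC1", "RAC2"})),
               Association("AO2", "Domain2", "DomainLocal", frozenset({"User3"}), ("Priv2",), frozenset({"RAC2"}))]


def multi_domain_omsa():
    """Figure 8-4: sys2 (Domain2) reached through Universal Group1; users may be direct members
    from either domain and no Association needs Universal scope."""
    d = index(User("User1", "Domain1"), User("User2", "Domain2"), User("User3", "Domain2"),
              Product("sys1", "Domain1", "OMSA"), Product("sys2", "Domain2", "OMSA"),
              Privilege("Priv1", "Domain1", OMSA_ALL),
              Privilege("Priv2", "Domain1", frozenset({"dellOmsaIsReadOnlyUser"})),  # assumed stand-in for "Login"
              Group("Group1", "Domain1", "Universal", frozenset({"sys2"})))
    return d, [Association("AO1", "Domain1", "DomainLocal", frozenset({"User1", "User2"}), ("Priv1",), frozenset({"sys1", "Group1"})),
               Association("AO2", "Domain1", "DomainLocal", frozenset({"User3"}), ("Priv2",), frozenset({"Group1"}))]
```

Calling resolve_rights("user3", "RAC2", ...) on the single-domain setup returns only dellIsLoginUser, and the same user on RAC1 gets nothing, which is the least-privilege outcome the figure intends. Calling multi_domain_rac("Global", "DomainLocal") reproduces the two mistakes an administrator can make in the RAC case (a Global group spanning domains and an Association without Universal scope), and lint_association() names both before anyone tries to log in.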

Configuring Active Directory to Access Your Systems

Before you can use Active Directory to access your systems, you must configure both the Active Directory software and the systems.

  1. Extend the Active Directory schema (see "Extending the Active Directory Schema").

  2. Extend the Active Directory Users and Computers Snap-in (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In").

  3. Add system users and their privileges to Active Directory (see "Adding Users and Privileges to Active Directory").

  4. For RAC systems only, enable SSL on each of your domain controllers (see "Enabling SSL on a Domain Controller (RAC Only)").

  5. Configure the system's Active Directory properties using either the Web-based interface or the CLI (see "Configuring Your Systems or Devices").


Extending the Active Directory Schema

RAC, Server Administrator, and IT Assistant schema extensions are available. You only need to extend the schema for software or hardware that you are using. Each extension must be applied individually to receive the benefit of its software-specific settings. Extending your Active Directory schema will add schema classes and attributes, example privileges and association objects, and a Dell organizational unit to the schema.

NOTE: Before you extend the schema, you must have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest.

You can extend your schema using two different methods. You can use the Dell Schema Extender utility, or you can use the Lightweight Directory Interchange Format (LDIF) script file.

NOTE: The Dell organizational unit will not be added if you use the LDIF script file.

The LDIF script files and Dell Schema Extender are located on your Dell Systems Management Consoles CD in the following respective directories:

Installation type will be either RAC4, RAC3, Server Administrator, or IT Assistant version 7.0 or later, depending on your choice of schema extension.

To use the LDIF files, see the instructions in the readme that is in the LDIF files directory. To use the Dell Schema Extender to extend the Active Directory Schema, perform the steps in "Using the Dell Schema Extender."

You can copy and run the Schema Extender or LDIF files from any location.

Using the Dell Schema Extender

NOTICE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name or the contents of this file.

  1. Click Next on the Welcome screen.

  2. Read the warning and click Next again.

  3. Either select Use Current Log In Credentials or enter a user name and password with schema administrator rights.

  4. Click Next to run the Dell Schema Extender.

  5. Click Finish.

To verify the schema extension, use the Active Directory Schema Snap-in in the Microsoft Management Console (MMC) to verify the existence of the following classes (listed in Table 8-1, Table 8-6, Table 8-7, Table 8-9, Table 8-10, Table 8-11, and Table 8-12) and attributes (listed in Table 8-13, Table 8-14, and Table 8-15). See your Microsoft documentation for more information on how to enable and use the Active Directory Schema Snap-in in the MMC.

Table 8-1. Class Definitions for Classes Added to the Active Directory Schema

Class Name            | Assigned Object Identification Number (OID) | Class Type
dellRacDevice         | 1.2.840.113556.1.8000.1280.1.1.1.1          | Structural Class
dellAssociationObject | 1.2.840.113556.1.8000.1280.1.1.1.2          | Structural Class
dellRAC4Privileges    | 1.2.840.113556.1.8000.1280.1.1.1.3          | Auxiliary Class
dellPrivileges        | 1.2.840.113556.1.8000.1280.1.1.1.4          | Structural Class
dellProduct           | 1.2.840.113556.1.8000.1280.1.1.1.5          | Structural Class
dellRAC3Privileges    | 1.2.840.113556.1.8000.1280.1.1.1.6          | Auxiliary Class
dellOmsa2AuxClass     | 1.2.840.113556.1.8000.1280.1.2.1.1          | Auxiliary Class
dellOmsaApplication   | 1.2.840.113556.1.8000.1280.1.2.1.2          | Structural Class
dellIta7AuxClass      | 1.2.840.113556.1.8000.1280.1.3.1.1          | Auxiliary Class
dellItaApplication    | 1.2.840.113556.1.8000.1280.1.3.1.2          | Structural Class

Table 8-2. dellRacDevice Class

OID: 1.2.840.113556.1.8000.1280.1.1.1.1
Description: This class represents the Dell RAC device. The RAC Device must be configured as dellRacDevice in Active Directory. This configuration enables the DRAC 4 to send LDAP queries to Active Directory.
Class Type: Structural Class
SuperClasses: dellProduct
Attributes: dellSchemaVersion, dellRacType

Table 8-3. dellAssociationObject Class

OID: 1.2.840.113556.1.8000.1280.1.1.1.2
Description: This class represents the Dell Association Object. The Association Object provides the connection between the users and the devices or products.
Class Type: Structural Class
SuperClasses: Group
Attributes: dellProductMembers, dellPrivilegeMember

Table 8-4. dellRAC4Privileges Class

OID: 1.2.840.113556.1.8000.1280.1.1.1.3
Description: This class is used to define the privileges (Authorization Rights) for the DRAC 4 device.
Class Type: Auxiliary Class
SuperClasses: None
Attributes: dellIsLoginUser, dellIsCardConfigAdmin, dellIsUserConfigAdmin, dellIsLogClearAdmin, dellIsServerResetUser, dellIsConsoleRedirectUser, dellIsVirtualMediaUser, dellIsTestAlertUser, dellIsDebugCommandAdmin

Table 8-5. dellPrivileges Class

OID: 1.2.840.113556.1.8000.1280.1.1.1.4
Description: This class is used as a container Class for the Dell Privileges (Authorization Rights).
Class Type: Structural Class
SuperClasses: User
Attributes: dellRAC4Privileges, dellRAC3Privileges, dellOmsaAuxClass, dellItaAuxClass

Table 8-6. dellProduct Class

OID: 1.2.840.113556.1.8000.1280.1.1.1.5
Description: This is the main class from which all Dell products are derived.
Class Type: Structural Class
SuperClasses: Computer
Attributes: dellAssociationMembers

Table 8-7. dellRAC3Privileges Class

OID: 1.2.840.113556.1.8000.1280.1.1.1.6
Description: This class is used to define the privileges (Authorization Rights) for the DRAC III, DRAC III/XT, ERA, ERA/O, and ERA/MC devices.
Class Type: Auxiliary Class
SuperClasses: None
Attributes: dellIsLoginUser

Table 8-8. dellOmsa2AuxClass Class

OID: 1.2.840.113556.1.8000.1280.1.2.1.1
Description: This class is used to define the privileges (Authorization Rights) for Server Administrator.
Class Type: Auxiliary Class
SuperClasses: None
Attributes: dellOmsaIsReadOnlyUser, dellOmsaIsReadWriteUser, dellOmsaIsAdminUser

Table 8-9. dellOmsaApplication Class

OID: 1.2.840.113556.1.8000.1280.1.2.1.2
Description: This class represents the Server Administrator application. Server Administrator must be configured as dellOmsaApplication in Active Directory. This configuration enables the Server Administrator application to send LDAP queries to Active Directory.
Class Type: Structural Class
SuperClasses: dellProduct
Attributes: dellAssociationMembers

Table 8-10. dellIta7AuxClass Class

OID: 1.2.840.113556.1.8000.1280.1.3.1.1
Description: This class is used to define the privileges (Authorization Rights) for IT Assistant.
Class Type: Auxiliary Class
SuperClasses: None
Attributes: dellItaIsReadOnlyUser, dellItaIsReadWriteUser, dellItaIsAdminUser

Table 8-11. dellItaApplication Class

OID: 1.2.840.113556.1.8000.1280.1.3.1.2
Description: This class represents the IT Assistant application. IT Assistant must be configured as dellItaApplication in Active Directory. This configuration enables IT Assistant to send LDAP queries to Active Directory.
Class Type: Structural Class
SuperClasses: dellProduct
Attributes: dellAssociationMembers

Table 8-12. General Attributes Added to the Active Directory Schema

Attribute Name | Description | Assigned OID | Syntax Object Identifier | Single Valued
dellPrivilegeMember | List of dellPrivilege Objects that belong to this Attribute. | 1.2.840.113556.1.8000.1280.1.1.2.1 | Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE
dellProductMembers | List of dellRacDevices Objects that belong to this role. This attribute is the forward link to the dellAssociationMembers backward link. Link ID: 12070 | 1.2.840.113556.1.8000.1280.1.1.2.2 | Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE
dellAssociationMembers | List of dellAssociationObjectMembers that belong to this Product. This attribute is the backward link to the dellProductMembers Linked attribute. Link ID: 12071 | 1.2.840.113556.1.8000.1280.1.1.2.14 | Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE

Table 8-13. RAC-specific Attributes Added to the Active Directory Schema

Attribute Name | Description | Assigned OID | Syntax Object Identifier | Single Valued
dellIsLoginUser | TRUE if the User has Login rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.3 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsCardConfigAdmin | TRUE if the User has Card Configuration rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.4 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsUserConfigAdmin | TRUE if the User has User Configuration rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.5 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsLogClearAdmin | TRUE if the User has Log Clearing rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.6 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsServerResetUser | TRUE if the User has Server Reset rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.7 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsConsoleRedirectUser | TRUE if the User has Console Redirection rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.8 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsVirtualMediaUser | TRUE if the User has Virtual Media rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.9 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsTestAlertUser | TRUE if the User has Test Alert User rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.10 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellIsDebugCommandAdmin | TRUE if the User has Debug Command Administrator rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.11 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellSchemaVersion | The Current Schema Version is used to update the schema. | 1.2.840.113556.1.8000.1280.1.1.2.12 | Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905) | TRUE
dellRacType | This attribute is the Current Rac Type for the dellRacDevice object and the backward link to the dellAssociationObjectMembers forward link. | 1.2.840.113556.1.8000.1280.1.1.2.13 | Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905) | TRUE

Table 8-14. Server Administrator-Specific Attributes Added to the Active Directory Schema

Attribute Name | Description | Assigned OID | Syntax Object Identifier | Single Valued
dellOMSAIsReadOnlyUser | TRUE if the User has Read-Only rights in Server Administrator | 1.2.840.113556.1.8000.1280.1.2.2.1 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellOMSAIsReadWriteUser | TRUE if the User has Read-Write rights in Server Administrator | 1.2.840.113556.1.8000.1280.1.2.2.2 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellOMSAIsAdminUser | TRUE if the User has Administrator rights in Server Administrator | 1.2.840.113556.1.8000.1280.1.2.2.3 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE

Table 8-15. IT Assistant-Specific Attributes Added to the Active Directory Schema

Attribute Name | Description | Assigned OID | Syntax Object Identifier | Single Valued
dellItaIsReadWriteUser | TRUE if the User has Read-Write rights in IT Assistant | 1.2.840.113556.1.8000.1280.1.3.2.1 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellItaIsAdminUser | TRUE if the User has Administrator rights in IT Assistant | 1.2.840.113556.1.8000.1280.1.3.2.2 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
dellItaIsReadOnlyUser | TRUE if the User has Read-Only rights in IT Assistant | 1.2.840.113556.1.8000.1280.1.3.2.3 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE
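The guide verifies the extension by inspecting the Schema snap-in. The following Python script is an added example, not a Dell tool, that makes the same comparison mechanically over an LDIF export of the Schema naming context (the kind of file ldifde writes): it parses the entries and checks lDAPDisplayName, governsID or attributeID, objectClassCategory and linkID against the values in Table 8-1 and Table 8-12, including the Dell base OID prefix and the 12070 to 12079 Link ID range stated earlier. SAMPLE_LDIF is a constructed excerpt with deliberate gaps and two wrong values so the report has something to show; the DC=example,DC=com naming context is a placeholder, and a real export would contain many more attributes per entry than are shown here.

```python
"""Check an AD schema export against the Dell definitions in Table 8-1 and Table 8-12.
Added example, not a Dell tool.  SAMPLE_LDIF is a constructed excerpt (DC=example,DC=com
is a placeholder) with deliberate gaps and errors so that verify_schema() has findings."""

DELL_BASE_OID = "1.2.840.113556.1.8000.1280"
DELL_LINK_IDS = range(12070, 12080)        # the guide's Link ID range, 12070 to 12079 inclusive

# Table 8-1: lDAPDisplayName -> (governsID, objectClassCategory); 1 = Structural, 3 = Auxiliary
EXPECTED_CLASSES = {
    "dellRacDevice":         (DELL_BASE_OID + ".1.1.1.1", 1),
    "dellAssociationObject": (DELL_BASE_OID + ".1.1.1.2", 1),
    "dellRAC4Privileges":    (DELL_BASE_OID + ".1.1.1.3", 3),
    "dellProduct":           (DELL_BASE_OID + ".1.1.1.5", 1),
}
# Table 8-12: lDAPDisplayName -> (attributeID, linkID or None when the attribute is not linked)
EXPECTED_ATTRIBUTES = {
    "dellPrivilegeMember":    (DELL_BASE_OID + ".1.1.2.1", None),
    "dellProductMembers":     (DELL_BASE_OID + ".1.1.2.2", 12070),
    "dellAssociationMembers": (DELL_BASE_OID + ".1.1.2.14", 12071),
}

SAMPLE_LDIF = """\
dn: CN=dellRacDevice,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.1280.1.1.1.1
lDAPDisplayName: dellRacDevice
objectClassCategory: 1

dn: CN=dellRAC4Privileges,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.1280.1.1.1.3
lDAPDisplayName: dellRAC4Privileges
objectClassCategory: 1
# wrong on purpose: Table 8-1 says Auxiliary (3)

dn: CN=dellProduct,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.1280.1.1.1.5
lDAPDisplayName: dellProduct
objectClassCategory: 1

dn: CN=dellProductMembers,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1280.1.1.2.2
lDAPDisplayName: dellProductMembers
linkID: 12070

dn: CN=dellAssociationMembers,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1280.1.1.2.14
lDAPDisplayName: dellAssociationMembers
linkID: 12081
# wrong on purpose: Table 8-12 says 12071, and the Dell range ends at 12079
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, each 'attr: value' line
    adds to a list, a line starting with a space continues the previous value, '#' lines are
    comments.  Attribute names are lower-cased because LDAP treats them case-insensitively;
    base64 ('::') values are not decoded."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:
            entry[last][-1] += line[1:]
        elif not line.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
        else:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entries


def verify_schema(entries):
    """Compare an export with the expected Dell definitions; returns human-readable findings."""
    by_name = {e["ldapdisplayname"][0]: e for e in entries if "ldapdisplayname" in e}
    findings = []
    for name, (oid, category) in EXPECTED_CLASSES.items():
        e = by_name.get(name)
        if e is None:
            findings.append(f"class {name} missing")
        elif e.get("governsid", [""])[0] != oid:
            findings.append(f"class {name}: governsID is not {oid}")
        elif e.get("objectclasscategory", [""])[0] != str(category):
            findings.append(f"class {name}: objectClassCategory should be {category}")
    for name, (oid, link) in EXPECTED_ATTRIBUTES.items():
        e = by_name.get(name)
        if e is None:
            findings.append(f"attribute {name} missing")
            continue
        if e.get("attributeid", [""])[0] != oid:
            findings.append(f"attribute {name}: attributeID is not {oid}")
        got = int(e["linkid"][0]) if "linkid" in e else None
        if got != link or (got is not None and got not in DELL_LINK_IDS):
            findings.append(f"attribute {name}: linkID {got}, expected {link} (Dell range 12070-12079)")
    return findings
```

Run against the sample, verify_schema(parse_ldif(SAMPLE_LDIF)) reports four findings: dellAssociationObject and dellPrivilegeMember are absent, dellRAC4Privileges is registered as Structural instead of Auxiliary, and dellAssociationMembers carries a Link ID outside the range Dell was assigned. To use it on a real forest, replace SAMPLE_LDIF with the contents of an export and extend the two tables with the remaining rows from Tables 8-1 and 8-12 to 8-15.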

Active Directory Users and Computers Snap-In

Installing the Dell Extension to the Active Directory Users and Computers Snap-In

When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so that the administrator can manage Products, Users and User Groups, Associations, and Privileges. You only need to extend the snap-in once, even if you have added more than one schema extension. You must install the snap-in on each system that you intend to use for managing these objects. The Dell Extension to the Active Directory Users and Computers Snap-In is an option that can be installed when you install your systems management software using the Dell Systems Management Consoles CD.

NOTE: You must install the Administrator Pack on each management station that is managing the new Active Directory objects. The installation is described in the following section, "Opening the Active Directory Users and Computers Snap-In." If you do not install the Administrator Pack, then you cannot view the new object in the container.
NOTE: For more information about the Active Directory Users and Computers snap-in, see your Microsoft documentation.

Opening the Active Directory Users and Computers Snap-In

To open the Active Directory Users and Computers snap-in, perform the following steps:

  1. If you are on the domain controller, click Start → Admin Tools → Active Directory Users and Computers. If you are not on the domain controller, you must have the appropriate Microsoft administrator pack installed on your local system. To install this administrator pack, click Start → Run, type MMC and press Enter.

The Microsoft Management Console (MMC) window opens.

  2. Click File (or Console on systems running Windows 2000) in the Console 1 window.

  3. Click Add/Remove Snap-in.

  4. Select the Active Directory Users and Computers snap-in and click Add.

  5. Click Close and click OK.

Adding Users and Privileges to Active Directory

The Dell-extended Active Directory Users and Computers snap-in allows you to add DRAC, Server Administrator, and IT Assistant users and privileges by creating RAC, Association, and Privilege objects. To add an object, perform the steps in the applicable subsection.

Creating a Product Object

NOTE: Server Administrator and IT Assistant users must use Universal-type Product Groups to span domains with their product objects.
NOTE: When adding Universal-type Product Groups from separate domains, you have to create an Association object with Universal scope. The default Association objects created by the Dell Schema Extender utility are domain Local Groups and will not work with Universal-type Product Groups from other domains.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New.

  3. Select a RAC, Server Administrator, or IT Assistant object, depending on which you have installed.

The New Object window opens.

  4. Type in a name for the new object. This name must match the Active Directory product name as discussed in "Configuring Active Directory Using CLI on Systems Running Server Administrator", or for a RAC device, the name that you will type in step 4 of "Configuring Your Systems or Devices", or for IT Assistant, the name discussed in "Configuring Active Directory on Systems Running IT Assistant."

  5. Select the appropriate Product Object.

  6. Click OK.

Creating a Privilege Object

Privilege Objects must be created in the same domain as the Association Object to which they are associated.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New.

  3. Select a RAC, Server Administrator, or IT Assistant object, depending on which you have installed.

The New Object window opens.

  4. Type in a name for the new object.

  5. Select the appropriate Privilege Object.

  6. Click OK.

  7. Right-click the privilege object that you created and select Properties.

  8. Click the appropriate Privileges tab and select the privileges that you want the user to have (for more information, see Table 8-1 and Table 8-10).

Creating an Association Object

The Association Object is derived from a Group and must contain a group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, you must choose the Association Scope that applies to the type of objects you intend to add. Selecting Universal, for example, means that Association Objects are only available when the Active Directory Domain is functioning in Native Mode or above.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New.

  3. Select a RAC, Server Administrator, or IT Assistant object, depending on which you have installed.

The New Object window opens.

  4. Type in a name for the new object.

  5. Select Association Object.

  6. Select the scope for the Association Object.

  7. Click OK.

Adding Objects to an Association Object

By using the Association Object Properties window, you can associate users or user groups, privilege objects, systems, RAC devices, and system or device groups.

NOTE: RAC users must use Universal Groups to span domains with their users or RAC objects.

You can add groups of Users and Products. You can create Dell-related groups in the same way that you created other groups.

To add Users or User Groups:

  1. Right-click the Association Object and select Properties.

  2. Select the Users tab and click Add.

  3. Type the User or User Group name or browse to select one and click OK.

Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a system.

NOTE: You can add only one Privilege Object to an association object.

To add a privilege:

  1. Select the Privileges Object tab and click Add.

  2. Type the Privilege Object name or browse for one and click OK.

Click the Products tab to add one or more systems or devices to the association. The associated objects specify the products connected to the network that are available for the defined users or user groups.

NOTE: You can add multiple systems or RAC devices to an Association Object.

To add Products:

  1. Select the Products tab and click Add.

  2. Type the system, device, or group name and click OK.

  3. In the Properties window, click Apply and then OK.

Enabling SSL on a Domain Controller (RAC Only)

If you plan to use Microsoft Enterprise Root CA to automatically assign all your domain controllers SSL certificates, you must perform the following steps to enable SSL on each domain controller.

  1. Install a Microsoft Enterprise Root CA on a Domain Controller.

    1. Select Start → Control Panel → Add or Remove Programs.

    2. Select Add/Remove Windows Components.

    3. In the Windows Components Wizard, select the Certificate Services check box.

    4. Select Enterprise root CA as CA Type and click Next.

    5. Enter Common name for this CA, click Next, and click Finish.

  2. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.

    1. Click Start → Administrative Tools → Domain Security Policy.

    2. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.

    3. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.

    4. Click Next and click Finish.

Exporting the Domain Controller Root CA Certificate (RAC Only)

NOTE: The following steps may vary slightly if you are using Windows 2000.

  1. Go to the domain controller on which you installed the Microsoft Enterprise CA service.

  2. Click Start → Run.

  3. Type mmc and click OK.

  4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 systems) and select Add/Remove Snap-in.

  5. In the Add/Remove Snap-in window, click Add.

  6. In the Standalone Snap-in window, select Certificates and click Add.

  7. Select Computer account and click Next.

  8. Select Local Computer and click Finish.

  9. Click OK.

  10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.

  11. Locate and right-click the root CA certificate, select All Tasks, and click Export.

  12. In the Certificate Export Wizard, click Next and select No do not export the private key.

  13. Click Next and select Base-64 encoded X.509 (.cer) as the format.

  14. Click Next and save the certificate to a location of your choice. You will need to upload this certificate to the DRAC 4. To do this, go to the DRAC 4 Web-based interface → Configuration tab → Active Directory page. Or, you can use the racadm CLI commands (see "Configuring DRAC 4 and DRAC 5 Active Directory Settings Using the racadm CLI").

  15. Click Finish and click OK.

Importing the DRAC 4 Firmware SSL Certificate to All Domain Controllers' Trusted Certificate Lists

NOTE: If the DRAC 4 firmware SSL certificate is signed by a well-known CA, you do not need to perform the steps described in this section.
NOTE: The following steps may vary slightly if you are using Windows 2000.

  1. The DRAC 4 SSL certificate is the same certificate that is used for the DRAC 4 Web server. All DRAC 4 controllers are shipped with a default self-signed certificate. You can get this certificate from the DRAC 4 by selecting Download DRAC 4 Server Certificate (see the DRAC 4 Web-based interface Configuration tab and the Active Directory subtab).

  2. On the domain controller, open an MMC Console window and select Certificates → Trusted Root Certification Authorities.

  3. Right-click Certificates, select All Tasks and click Import.

  4. Click Next and browse to the SSL certificate file.

  5. Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the CA is not in the list, you must install it on all your Domain Controllers.

  6. Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.

  7. Click Finish and click OK.

Importing the DRAC 5 Firmware SSL Certificate to All Domain Controllers' Trusted Certificate Lists

NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you do not need to perform the steps described in this section.
NOTE: The following steps may vary slightly if you are using Windows 2000.

The DRAC 5 SSL certificate is the same certificate that is used for the DRAC 4 Web server. All DRAC 4 controllers are shipped with a default self-signed certificate.

  1. To access the certificate using the DRAC 5 Web-based interface, select Configuration® Active Directory® Download DRAC 5 Server Certificate.

  2. On the domain controller, open an MMC Console window and select Certificates ® Trusted Root Certification Authorities.

  3. Right-click Certificates, select All Tasks and click Import.

  4. Click Next and browse to the SSL certificate file.

  5. Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the CA is not in the list, you must install it on all your Domain Controllers.

  6. Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.

  7. Click Finish and click OK.

Configuring Your Systems or Devices

For instructions on how to configure your Server Administrator or IT Assistant systems using CLI commands, see "Configuring Active Directory Using CLI on Systems Running Server Administrator" and "Configuring Active Directory on Systems Running IT Assistant." For DRAC users, there are two ways to configure DRAC 4. See either "Configuring the DRAC 4 Using the Web-Based Interface" or "Configuring DRAC 4 and DRAC 5 Active Directory Settings Using the racadm CLI."

NOTE: The systems on which Server Administrator and/or IT Assistant are installed must be a part of the Active Directory domain and should also have computer accounts on the domain.

Configuring Active Directory Using CLI on Systems Running Server Administrator

You can use the omconfig preferences dirservice command to configure the Active Directory service. The productoem.ini file is modified to reflect these changes. If the adproductname is not present in the productoem.ini file, a default name will be assigned. The default value will be system name-software-product name, where system name is the name of the system running Server Administrator, and software-product name refers to the name of the software product defined in omprv32.ini (that is, computerName-omsa).

NOTE: This command is applicable only on systems running the Windows operating system.
NOTE: Restart the Server Administrator service after you have configured Active Directory.

Table 8-16 shows the valid parameters for the command.

Table 8-16. Active Directory Service Configuration Parameters

  name=value pair          Description

  prodname=<text>          Specifies the software product to which you want to apply the Active Directory configuration changes. Prodname refers to the name of the product defined in omprv32.ini. For Server Administrator, it is omsa.

  enable=<true | false>    true: Enables Active Directory service authentication support. false: Disables Active Directory service authentication support.

  adprodname=<text>        Specifies the name of the product as defined in the Active Directory service. This name links the product with the Active Directory privilege data for user authentication.

Configuring Active Directory on Systems Running IT Assistant

By default, the Active Directory product name corresponds to the machinename-ita, where machinename is the name of the system on which IT Assistant is installed. To configure a different name, locate the itaoem.ini file in your installation directory. Edit the file to add the line "adproductname=text" where text is the name of the product object that you created in Active Directory. For example, the itaoem.ini file will contain the following syntax if the Active Directory product name is configured to mgmtStationITA.

productname=IT Assistant
startmenu=Dell OpenManage Applications
autdbid=ita
accessmask=3
startlink=ITAUIServlet
adsupport=true
adproductname=mgmtStationITA

NOTE: Restart the IT Assistant services after saving the itaoem.ini file to the disk.

Configuring the DRAC 4 Using the Web-Based Interface

  1. Log in to the Web-based interface using the default user, root, and its password.

  2. Click the Configuration tab and select the Active Directory subtab.

  3. Select the Enable Active Directory check box.

  4. Type the DRAC 4 Name. This name must be the same as the common name of the RAC object you created in your Domain Controller (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In").

  5. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.

  6. Type the DRAC 4 Domain Name (for example, drac4.com). Do not use the NetBIOS name. The DRAC 4 Domain Name is the fully qualified domain name of the subdomain where the RAC Device Object is located.

  7. Click Apply to save the Active Directory settings.

  8. Click Upload Active Directory CA Certificate to upload your domain forest Root CA certificate into the DRAC 4. Your domain forest domain controllers' SSL certificates must have been signed by this root CA certificate, because the DRAC 4 uses it to validate the domain controllers it connects to. Have the root CA certificate available on your local system (see "Exporting the Domain Controller Root CA Certificate (RAC Only)"). Specify the full path and filename of the root CA certificate and click Upload to upload the root CA certificate to the DRAC 4 firmware. The DRAC 4 Web server automatically restarts after you click Upload. You must log in again to complete the DRAC 4 Active Directory feature configuration.

  9. Click the Configuration tab and select Network.

  10. If DRAC 4 NIC DHCP is enabled, place a check next to Use DHCP to obtain DNS server address. If you want to input a DNS server IP address manually, remove the check next to Use DHCP to obtain DNS server address and input your primary and alternate DNS Server IP addresses.

  11. Click Apply to complete the DRAC 4 Active Directory feature configuration.

Configuring the DRAC 5 Using the Web-Based Interface

  1. Open a supported Web browser window.

  2. Log in to the DRAC 5 Web-based interface.

  3. Expand the System tree and click Remote Access.

  4. Click the Configuration tab and select Active Directory.

  5. In the Active Directory Main Menu page, select Configure Active Directory and click Next.

  6. Select the Enable Active Directory check box.

  7. Type the DRAC 5 Name. This name must be the same as the common name of the RAC object you created in your Domain Controller (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In").

  8. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.

  9. Type the DRAC Domain Name (for example, drac5.com). Do not use the NetBIOS name. The DRAC Domain Name is the fully qualified domain name of the sub-domain where the RAC Device Object is located.

  10. Type the Timeout time in seconds.

  11. Click Apply to save the Active Directory settings.

  12. Click Go Back To Active Directory Main Menu.

  13. Upload your domain forest Root CA certificate into the DRAC 5.

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

Your domain forest domain controllers' SSL certificates must have been signed by this root CA certificate, because the DRAC 5 uses it to validate the domain controllers it connects to. Have the root CA certificate available on your local system. See "Exporting the Domain Controller Root CA Certificate (RAC Only)".

The DRAC 5 Web server automatically restarts after you click Apply.

  14. Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.

  15. In the System tree, click Remote Access.

  16. Click the Configuration tab and then click Network.

The Network Configuration page appears.

  17. If Use DHCP (for NIC IP Address) is selected under Network Settings, then select Use DHCP to obtain DNS server address.

To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS Server IP addresses.

  18. Click Apply Changes.

This completes the DRAC 5 Active Directory feature configuration.

Configuring DRAC 4 and DRAC 5 Active Directory Settings Using the racadm CLI

Use the following commands to configure the DRAC 4 Active Directory feature using the racadm CLI instead of the Web-based interface.

  1. Open a command prompt and type the following racadm commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1
racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified rac domain name>
racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>
racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>
racadm sslcertupload -t 0x2 -f <ADS root CA certificate>
racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

  2. If DHCP is enabled and you want to use the DNS provided by the DHCP server, type the following:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

  3. If DHCP is disabled or you want to manually input your DNS IP address, type the following commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

  4. Press <Enter> to complete the Active Directory feature configuration.

See the Dell Remote Access Controller 4 User's Guide or Dell Remote Access Controller 5 User's Guide for more information.
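As an added example (not Dell's code and not part of racadm), the following POSIX shell helper checks the values that step 1 expects before any racadm command is issued: it rejects a NetBIOS name (no dot) for the root or RAC domain, an empty RAC common name, and an unreadable CA certificate file, then prints the exact command lines for a dry run. The domain names and file path used are constructed placeholders.

```shell
# Added example, not Dell's code: validate the values step 1 needs and print
# the racadm command lines for review instead of running them directly.

# is_fqdn NAME: succeed only for a dotted DNS name with sane labels, so a
# NetBIOS name (no dot) is rejected as the guide requires.
is_fqdn() {
    case "$1" in
        *.*) ;;
        *)   return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;   # bad characters or empty labels
    esac
    return 0
}

# build_ad_commands ROOT_DOMAIN RAC_DOMAIN RAC_NAME CA_CERT_FILE
# Prints one racadm command per line, or prints an error and returns 1.
build_ad_commands() {
    root="$1"; racdom="$2"; racname="$3"; cafile="$4"
    is_fqdn "$root"   || { echo "root domain '$root' is not a FQDN" >&2; return 1; }
    is_fqdn "$racdom" || { echo "RAC domain '$racdom' is not a FQDN" >&2; return 1; }
    [ -n "$racname" ] || { echo "RAC common name is empty" >&2; return 1; }
    [ -r "$cafile" ]  || { echo "CA certificate '$cafile' is not readable" >&2; return 1; }
    printf '%s\n' \
        "racadm config -g cfgActiveDirectory -o cfgADEnable 1" \
        "racadm config -g cfgActiveDirectory -o cfgADRacDomain $racdom" \
        "racadm config -g cfgActiveDirectory -o cfgADRootDomain $root" \
        "racadm config -g cfgActiveDirectory -o cfgADRacName $racname" \
        "racadm sslcertupload -t 0x2 -f $cafile"
}

# Usage: sh this_script.sh <root domain> <rac domain> <rac name> <root CA file>
# e.g. corp.example.com rac.corp.example.com drac5-lab /tmp/rootca.cer (constructed values)
if [ "$#" -ge 4 ]; then
    build_ad_commands "$@"
fi
```

Once the printed lines look right, pipe the output to sh on the management station to apply them.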

Using Active Directory to Log In To the DRAC 5

You can use Active Directory to log in to the DRAC 5 using one of the following methods:

The login syntax is consistent for all three methods:

<username@domain> (or) <domain>\<username> (or) <domain>/<username>

where username is an ASCII string of 1–256 bytes.

White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.
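As an added example that is not part of the original guide, this POSIX shell function normalises a login given in any of the three forms above into a domain and a user name and rejects what the text rules out: a missing domain separator, white space or \, / or @ in either part, and a user name that is empty, non-ASCII, or longer than 256 bytes. The sample logins in the comments are constructed.

```shell
# Added example, not Dell's code: split an Active Directory login written as
# username@domain, domain\username or domain/username into "DOMAIN USER",
# enforcing the rules stated for DRAC 5 logins.
# parse_ad_login LOGIN -> prints "DOMAIN USER" and returns 0, else returns 1.
parse_ad_login() {
    login="$1"
    case "$login" in
        *@*)  user="${login%%@*}";    domain="${login#*@}" ;;   # jdoe@corp.example.com
        *\\*) domain="${login%%\\*}"; user="${login#*\\}" ;;   # corp\jdoe
        */*)  domain="${login%%/*}";  user="${login#*/}" ;;    # corp/jdoe
        *)    echo "no domain separator in '$login'" >&2; return 1 ;;
    esac
    # Neither part may be empty or contain white space, \, / or @.
    for part in "$domain" "$user"; do
        [ -n "$part" ] || { echo "empty domain or user name" >&2; return 1; }
        case "$part" in
            *[[:space:]]*|*\\*|*/*|*@*)
                echo "forbidden character in '$part'" >&2; return 1 ;;
        esac
    done
    # The user name must be ASCII (checked first, so ${#user} then counts bytes)
    # and at most 256 bytes long.
    [ -z "$(printf '%s' "$user" | LC_ALL=C tr -d '[:print:]')" ] ||
        { echo "non-ASCII byte in user name" >&2; return 1; }
    [ "${#user}" -le 256 ] ||
        { echo "user name longer than 256 bytes" >&2; return 1; }
    printf '%s %s\n' "$domain" "$user"
}
```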