
Dell Drac 5 User Guide

    Using the DRAC 5 With Microsoft Active Directory
    Specify Server for Active Directory Configuration
    If you want to specify an LDAP, Global Catalog server, or Association Object 
    (applicable only for Extended Schema) domain instead of using the servers 
    returned by the DNS server to search for a user name, type the following 
    command to enable the Specify Server option:
    racadm config -g cfgActiveDirectory -o cfgADSpecifyServerEnable 1
     NOTE: If you use this option, the hostname in the CA certificate is not matched 
    against the name of the specified server. This is particularly useful if you are a 
    DRAC administrator because it enables you to enter a hostname as well as an 
    IP address.
    After the Specify Server option is enabled, you can specify an LDAP server or 
    a Global Catalog server with an IP address or a fully qualified domain name of 
    the server (FQDN). The FQDN consists of the hostname and the domain 
    name of the server.
     NOTE: If you are using Active Directory authentication based on Kerberos, specify 
    only the FQDN of the server; specifying the IP address is not supported. For more 
    information, see Enabling Kerberos Authentication on page 147.
    To specify an LDAP server using the command line interface (CLI), type:
    racadm config -g cfgActiveDirectory -o cfgADDomainController <domain controller IP address or FQDN>
    To specify a Global Catalog server using the CLI, type:
    racadm config -g cfgActiveDirectory -o cfgGlobalCatalog <Global Catalog IP address or FQDN>
    To specify an Association Object (applicable only for Extended Schema) 
    domain using the CLI, type:
    racadm config -g cfgActiveDirectory -o cfgAODomain <domain>:<IP/FQDN>
    where <domain> is the domain where the Association Object resides and 
    <IP/FQDN> is the IP address or the FQDN of the specific host (Domain 
    Controller of the domain) to which the DRAC 5 connects. 
    To specify the Association Object, ensure that you also provide the IP or 
    FQDN of the Global Catalog.
     NOTE: If you specify the IP address as 0.0.0.0, DRAC 5 will not search for any 
    server.
    You can specify a list of LDAP, Global Catalog servers, or Association Objects 
    separated by commas. DRAC 5 allows you to specify up to four IP addresses 
    or hostnames.
    If LDAPS is not correctly configured for all domains and applications, 
    enabling it may produce unexpected results during the functioning of the 
    existing applications/domains.
    For Extended Schema, you can specify either Domain Controller or Global 
    Catalog with Association Object. Specifying only the Global Catalog or only 
    the Association Object is not applicable for Extended Schema. If you specify 
    only the Domain Controller, all objects including User, Group, RAC, 
    Privilege and Association should be on the same domain. If any of these 
    objects are on different domains, use the Global Catalog with the Association 
    Object option. You can specify up to four Domain Controllers and all these 
    entries should point to the same domain. You can specify up to four Global 
    Catalog servers. You can specify up to four Association Object servers. All 
    these entries should point to the same domain. If you are using the 
    Association Object option, you should also configure the Global Catalog 
    option to be able to log in. Specify the name of the Domain Controller 
    where you created the user. Either the IP address or the FQDN can be 
    specified here.
    For Standard Schema, specify only the Domain Controller and the Global 
    Catalog. The Association Object option is not applicable to Standard 
    Schema. You can specify the Domain Controller where the user role groups 
    are created. Specify either the IP address or the FQDN. You can specify up 
    to four Domain Controllers. All entries should point to the same domain. 
    If you specify only the Domain Controller, the User and Group should be on 
    the same domain. If the Role Groups are on different domains, you also 
    have to specify the Global Catalog server. You can specify up to four 
    Global Catalog servers. Either the IP address or the FQDN can be specified 
    here. You can also specify only the Global Catalog servers. 
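The rules in this section can be checked before any option is written to the card. The Python below is an added example, not part of the Dell guide or of RACADM: check_plan and racadm_commands are hypothetical helper names, and only the option names and the rules themselves come from this page.

```python
# Added example: helper names are hypothetical; option names are from this page.
import ipaddress

MAX_ENTRIES = 4  # the guide allows up to four entries per list
BASE = "racadm config -g cfgActiveDirectory -o "

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_plan(schema, dc=(), gc=(), ao=(), kerberos=False):
    """Return the rule violations in a planned Specify Server setup.
    schema is "standard" or "extended"; ao entries are "<domain>:<IP/FQDN>"."""
    errors = []
    for label, entries in (("Domain Controller", dc), ("Global Catalog", gc),
                           ("Association Object", ao)):
        if len(entries) > MAX_ENTRIES:
            errors.append(f"{label}: more than {MAX_ENTRIES} entries")
    if any(":" not in e for e in ao):
        errors.append("Association Object: entry is not <domain>:<IP/FQDN>")
    if len({e.partition(":")[0].lower() for e in ao}) > 1:
        errors.append("Association Object: entries name different domains")
    hosts = [*dc, *gc, *(e.partition(":")[2] for e in ao)]
    if "0.0.0.0" in hosts:
        errors.append("0.0.0.0 given: DRAC 5 will not search for any server")
    if kerberos and any(is_ip(h) for h in hosts):
        errors.append("Kerberos: IP addresses are not supported, use FQDNs")
    if schema == "standard":
        if ao:
            errors.append("Standard Schema: Association Object not applicable")
        if not (dc or gc):
            errors.append("Standard Schema: no server specified")
    elif schema == "extended":
        if ao and not gc:
            errors.append("Extended Schema: Association Object needs a Global Catalog")
        elif not dc and not ao:
            errors.append("Extended Schema: need a Domain Controller, or "
                          "Global Catalog with Association Object")
    else:
        errors.append(f"unknown schema {schema!r}")
    return errors

def racadm_commands(dc=(), gc=(), ao=()):
    """Build this section's commands for a plan that passed check_plan."""
    cmds = [BASE + "cfgADSpecifyServerEnable 1"]
    for option, entries in (("cfgADDomainController", dc),
                            ("cfgGlobalCatalog", gc), ("cfgAODomain", ao)):
        if entries:
            cmds.append(f"{BASE}{option} {','.join(entries)}")
    return cmds
```

The check cannot confirm that Domain Controller or Global Catalog entries belong to the same domain; it compares domains only for Association Object entries, where the domain is part of the value.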
    						
    Configuring and Managing Active Directory Certificates
    To access the Active Directory Main Menu:
    1. Expand the System tree and click Remote Access.
    2. Click the Configuration tab and click Active Directory.
    Table 6-9 lists the Active Directory Main Menu page options.
    Table 6-9. Active Directory Main Menu Page Options
    Field | Description
    Configure Active Directory | Configures the Active Directory’s DRAC Name, ROOT Domain Name, DRAC Domain Name, Active Directory Authentication Timeout, Active Directory Schema Selection, and Role Group settings.
    Upload Active Directory CA Certificate | Uploads an Active Directory certificate to the DRAC.
    Download DRAC Server Certificate | The Windows Download Manager enables you to download a DRAC server certificate to your system.
    View Active Directory CA Certificate | Displays the Active Directory Certificate that has been uploaded to the DRAC.
    Configuring Active Directory (Standard Schema and Extended Schema)
    1. In the Active Directory Main Menu page, select Configure Active Directory and click Next.
    2. In the Active Directory Configuration and Management page, enter the Active Directory settings.
       Table 6-10 describes the Active Directory Configuration and Management page settings.
    3. Click Apply to save the settings.
    4. Click the appropriate Active Directory Configuration page button to continue. See Table 6-11.
    5. To configure the Role Groups for Active Directory Standard Schema, click on the individual Role Group (1-5). See Table 6-12 and Table 6-13.
    NOTE: To save the settings on the Active Directory Configuration and Management page, you have to click Apply before proceeding to the Custom Role Group page.
    Table 6-10. Active Directory Configuration and Management Page Settings
    Setting | Description
    Enable Active Directory | Enables Active Directory. Checked=Enabled; Unchecked=Disabled.
    ROOT Domain Name | The Active Directory ROOT domain name. This value is NULL by default. The name must be a valid domain name consisting of x.y, where x is a 1-254 character ASCII string with no blank spaces between characters, and y is a valid domain type such as com, edu, gov, int, mil, net, org.
    Timeout | The time in seconds to wait for Active Directory queries to complete. Minimum value is equal to or greater than 15 seconds. The default value is 120 seconds.
    Use Standard Schema | Uses Standard Schema with Active Directory.
    Use Extended Schema | Uses Extended Schema with Active Directory.
    DRAC Name | The name that uniquely identifies the DRAC 5 card in Active Directory. This value is NULL by default. The name must be a 1-254 character ASCII string with no blank spaces between characters.
    DRAC Domain Name | The DNS name (string) of the domain where the Active Directory DRAC 5 object resides. This value is NULL by default. The name must be a valid domain name consisting of x.y, where x is a 1-254 character ASCII string with no blank spaces between characters, and y is a valid domain type such as com, edu, gov, int, mil, net, org.
    Role Groups | The list of role groups associated with the DRAC 5 card. To change the settings for a role group, click its role group number in the role groups list. The Configure Role Group window displays. NOTE: If you click on the role group link prior to applying the settings for the Active Directory Configuration and Management page, you will lose these settings.
    Group Name | The name that identifies the role group in the Active Directory associated with the DRAC 5 card.
    Group Domain | The domain that the group is in.
    Group Privilege | The privilege level for the group.
    Table 6-11. Active Directory Configuration and Management Page Buttons
    Button | Description
    Print | Prints the Active Directory Configuration and Management page.
    Apply | Saves the changes made to the Active Directory Configuration and Management page.
    Go Back to Active Directory Main Menu | Returns to the Active Directory Main Menu page.
    Table 6-12. Role Group Privileges
    Setting | Description
    Role Group Privilege Level | Specifies the user’s maximum DRAC user privilege to one of the following: Administrator, Power User, Guest user, None, or Custom. See Table 6-13 for Role Group permissions.
    Login to DRAC | Enables the user to log in to the DRAC.
    Configure DRAC | Enables the user to configure the DRAC.
    Configure Users | Enables the user to allow specific users to access the system.
    Clear Logs | Enables the user to clear the DRAC logs.
    Execute Server Control Commands | Enables the user to execute racadm commands.
    Access Console Redirection | Enables the user to run Console Redirection.
    Access Virtual Media | Enables the user to run and use Virtual Media.
    Test Alerts | Enables the user to send test alerts (e-mail and PET) to a specific user.
    Execute Diagnostic Commands | Enables the user to run diagnostic commands.
    Table 6-13. Role Group Permissions
    Property | Description
    Administrator | Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
    Power User | Login to DRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts
    Guest User | Login to DRAC
    Custom | Selects any combination of the following permissions: Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Action Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
    None | No assigned permissions
    Uploading an Active Directory CA Certificate
    1. In the Active Directory Main Menu page, select Upload Active Directory CA Certificate and click Next.
    2. In the Certificate Upload page, in the File Path field, type the file path of the certificate or click Browse to navigate to the certificate file.
       NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.
    3. Click Apply.
    4. Click the appropriate Certificate Upload page button to continue. See Table 6-11.
    Downloading a DRAC Server Certificate
    1. In the Active Directory Main Menu page, select Download DRAC Server Certificate and click Next.
    2. In the File Download window, click Save and save the file to a directory on your system.
    3. In the Download Complete window, click Close.
    Viewing an Active Directory CA Certificate
    Use the Active Directory Main Menu page to view a CA server certificate for your DRAC 5.
    1. In the Active Directory Main Menu page, select View Active Directory CA Certificate and click Next.
       Table 6-14 describes the fields and associated descriptions listed in the Certificate window.
    2. Click the appropriate View Active Directory CA Certificate page button to continue. See Table 6-11.
    Table 6-14. Active Directory CA Certificate Information
    Field | Description
    Serial Number | Certificate serial number.
    Subject Information | Certificate attributes entered by the subject.
    Issuer Information | Certificate attributes returned by the issuer.
    Valid From | Certificate issue date.
    Valid To | Certificate expiration date.
    Enabling SSL on a Domain Controller
    When the DRAC 5 authenticates users against an Active Directory domain 
    controller, it starts an SSL session with the domain controller. At this time, 
    the domain controller should publish a certificate signed by the Certificate 
    Authority (CA) whose root certificate is also uploaded into the DRAC 5. In 
    other words, for the DRAC 5 to be able to authenticate to any domain 
    controller, whether it is the root or a child domain controller, that domain 
    controller should have an SSL-enabled certificate signed by the domain’s CA.
    If you are using Microsoft Enterprise Root CA to automatically assign all your 
    domain controllers to an SSL certificate, perform the following steps to 
    enable SSL on each domain controller:
    1. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.
       a. Click Start > Administrative Tools > Domain Security Policy.
       b. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.
       c. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.
       d. Click Next and click Finish.
    Exporting the Domain Controller Root CA Certificate to the DRAC 5
    NOTE: If your system is running Windows 2000, the following steps may vary.
    1. Locate the domain controller that is running the Microsoft Enterprise CA service.
    2. Click Start > Run.
    3. In the Run field, type mmc and click OK.
    4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and select Add/Remove Snap-in.
    5. In the Add/Remove Snap-In window, click Add.
    6. In the Standalone Snap-In window, select Certificates and click Add.
    7. Select Computer account and click Next.
    8. Select Local Computer and click Finish.
    9. Click OK.
    10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.
    11. Locate and right-click the root CA certificate, select All Tasks, and click Export... .
    12. In the Certificate Export Wizard, click Next, and select No, do not export the private key.
    13. Click Next and select Base-64 encoded X.509 (.cer) as the format.
    14. Click Next and save the certificate to a directory on your system.
    15. Upload the certificate you saved in step 14 to the DRAC 5.
        To upload the certificate using RACADM, see Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface on page 126.
        To upload the certificate using the Web-based interface, perform the following procedure:
        a. Open a supported Web browser window.
        b. Log in to the DRAC 5 Web-based interface.
        c. Expand the System tree and click Remote Access.
        d. Click the Configuration tab, and then click Security.
        e. In the Security Certificate Main Menu page, select Upload Server Certificate and click Apply.
        f. In the Certificate Upload screen, perform one of the following procedures:
           • Click Browse and select the certificate.
           • In the Value field, type the path to the certificate.
        g. Click Apply.
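Steps 12 to 14 call for a Base-64 encoded X.509 file exported without the private key. The Python below is an added example, not part of the Dell guide: it checks the text of a saved file for both conditions before step 15 and returns the certificate serial number, which can be compared with the Serial Number field of Table 6-14 after upload. The function names and the sample data are constructed for illustration.

```python
# Added example: function names are hypothetical, not part of any Dell tool.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_export(text):
    """Return (problems, serial_hex) for the text of an exported .cer file."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected 1 Base-64 certificate, found {len(certs)}")
        return problems, None
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
        outer, cert, _ = read_tlv(der, 0)      # Certificate SEQUENCE
        inner, tbs, _ = read_tlv(cert, 0)      # tbsCertificate SEQUENCE
        field, value, nxt = read_tlv(tbs, 0)
        if field == 0xA0:                      # optional [0] version field
            field, value, nxt = read_tlv(tbs, nxt)
        if (outer, inner, field) != (0x30, 0x30, 0x02):
            raise ValueError("unexpected structure")
    except (ValueError, IndexError) as exc:
        problems.append(f"not a DER X.509 certificate: {exc}")
        return problems, None
    return problems, value.hex()

# Constructed sample: a DER skeleton holding only version and serial number,
# not a real certificate.
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(bytes.fromhex(
                  "3010300ea00302010202070123456789abcd")).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Read the file with a single-byte encoding such as latin-1 before passing it to check_export, so that a binary DER export is reported as a problem instead of raising a decode error.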
    Importing the DRAC 5 Firmware SSL Certificate
     NOTE: If the Active Directory Server is set to authenticate the client during an SSL 
    session initialization phase, you need to upload the DRAC 5 Server certificate to the 
    Active Directory Domain controller as well. This additional step is not required if the 
    Active Directory does not perform a client authentication during an SSL session’s 
    initialization phase.
    Use the following procedure to import the DRAC 5 firmware SSL certificate 
    to all domain controller trusted certificate lists.
    NOTE: If your system is running Windows 2000, the following steps may vary.
    NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you 
    are not required to perform the steps in this section.
    The DRAC 5 SSL certificate is the same certificate that is used for the DRAC 5 
    Web server. All DRAC 5 controllers are shipped with a default self-signed 
    certificate. 
    To access the certificate using the DRAC 5 Web-based interface, select 
    Configuration > Active Directory > Download DRAC 5 Server Certificate.
    1. On the domain controller, open an MMC Console window and select Certificates > Trusted Root Certification Authorities.
    2. Right-click Certificates, select All Tasks and click Import.
    3. Click Next and browse to the SSL certificate file.
    4. Install the RAC SSL Certificate in each domain controller’s Trusted Root Certification Authority.
    If you have installed your own certificate, ensure that the CA signing your 
    certificate is in the Trusted Root Certification Authority list. If the 
    Authority is not in the list, you must install it on all your Domain Controllers. 
    						