Dell Drac 5 User Guide
Using the DRAC 5 With Microsoft Active Directory

Specify Server for Active Directory Configuration

If you want to specify an LDAP, Global Catalog server, or Association Object (applicable only for Extended Schema) domain instead of using the servers returned by the DNS server to search for a user name, type the following command to enable the Specify Server option:

racadm config -g cfgActiveDirectory -o cfgADSpecifyServerEnable 1

NOTE: If you use this option, the hostname in the CA certificate is not matched against the name of the specified server. This is particularly useful if you are a DRAC administrator because it enables you to enter a hostname as well as an IP address.

After the Specify Server option is enabled, you can specify an LDAP server or a Global Catalog server with an IP address or a fully qualified domain name (FQDN) of the server. The FQDN consists of the hostname and the domain name of the server.

NOTE: If you are using Active Directory authentication based on Kerberos, specify only the FQDN of the server; specifying the IP address is not supported. For more information, see Enabling Kerberos Authentication on page 147.

To specify an LDAP server using the command line interface (CLI), type:

racadm config -g cfgActiveDirectory -o cfgADDomainController

To specify a Global Catalog server using the CLI, type:

racadm config -g cfgActiveDirectory -o cfgGlobalCatalog

To specify an Association Object (applicable only for Extended Schema) domain using the CLI, type:

racadm config -g cfgActiveDirectory -o cfgAODomain <domain>:<IP/FQDN>

where <domain> is the domain where the Association Object resides and <IP/FQDN> is the IP address or the FQDN of the specific host (Domain Controller of the domain) to which the DRAC 5 connects.
To specify the Association Object, ensure that you also provide the IP or FQDN of the Global Catalog.

NOTE: If you specify the IP address as 0.0.0.0, DRAC 5 will not search for any server.

You can specify a list of LDAP, Global Catalog servers, or Association Objects separated by commas. DRAC 5 allows you to specify up to four IP addresses or hostnames.

If LDAPS is not correctly configured for all domains and applications, enabling it may produce unexpected results during the functioning of the existing applications/domains.

For Extended Schema, you can specify either Domain Controller or Global Catalog with Association Object. Specifying only the Global Catalog or only the Association Object is not applicable for Extended Schema.

• If you specify only the Domain Controller, all objects including User, Group, RAC, Privilege and Association should be on the same domain. If any of these objects are on different domains, use the Global Catalog with the Association Object option.
• You can specify up to four Domain Controllers and all these entries should point to the same domain.
• You can specify up to four Global Catalog servers.
• You can specify up to four Association Object servers. All these entries should point to the same domain.
• In case you are using the Association Object option, you should also configure the Global Catalog option to be able to log in.
• Specify the Domain Controller name where you created the user. Both IP or FQDN can be specified here.

For Standard Schema, specify only the Domain Controller and the Global Catalog. Specify Association Object is not applicable with Standard Schema.

• You can specify the Domain Controller where the user role groups are created. Specify either the IP or the FQDN.
• You can specify up to four Domain Controllers. All entries should point to the same domain.
• If you specify only the Domain Controller, the User and Group should be on the same domain.
• If the Role Groups are on different domains, you have to also specify the Global Catalog server. You can specify up to four Global Catalog servers. Both the IP or the FQDN can be specified here.
• You can also only specify the Global Catalog servers.
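The list rules above can be checked before any racadm command is run. The following is an added example, not code from the Dell guide: the function names and sample hostnames are this example's own, and it assumes each comma-separated list is passed as the value after the object name.

```python
import ipaddress

MAX_ENTRIES = 4  # the guide allows up to four entries per list
BASE = "racadm config -g cfgActiveDirectory -o"

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_list(label, hosts, kerberos):
    """Return the problems found in one server list."""
    problems = []
    if len(hosts) > MAX_ENTRIES:
        problems.append(f"{label}: more than {MAX_ENTRIES} entries")
    for host in hosts:
        if not host:
            problems.append(f"{label}: entry has no IP/FQDN")
        elif host == "0.0.0.0":
            problems.append(f"{label}: 0.0.0.0 stops the DRAC 5 searching for a server")
        elif kerberos and is_ip(host):
            problems.append(f"{label}: {host} is an IP; Kerberos needs an FQDN")
    return problems

def plan(schema, dc=(), gc=(), ao=(), kerberos=False):
    """Validate the three lists; return (problems, racadm commands)."""
    # Association Object entries are <domain>:<IP/FQDN>; check the host part.
    ao_hosts = [entry.partition(":")[2] for entry in ao]
    problems = (check_list("Domain Controller", dc, kerberos)
                + check_list("Global Catalog", gc, kerberos)
                + check_list("Association Object", ao_hosts, kerberos))
    if schema == "standard" and ao:
        problems.append("Association Object is not applicable with Standard Schema")
    if schema == "extended" and ao and not gc:
        problems.append("Association Object also needs a Global Catalog")
    if schema == "extended" and gc and not (ao or dc):
        problems.append("Global Catalog alone is not applicable for Extended Schema")
    if problems:
        return problems, []
    commands = [f"{BASE} cfgADSpecifyServerEnable 1"]
    for obj, entries in (("cfgADDomainController", dc),
                         ("cfgGlobalCatalog", gc), ("cfgAODomain", ao)):
        if entries:
            # Assumption: the comma-separated list is the value after the object.
            commands.append(f"{BASE} {obj} {','.join(entries)}")
    return problems, commands
```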
Configuring and Managing Active Directory Certificates

To access the Active Directory Main Menu:

1. Expand the System tree and click Remote Access.
2. Click the Configuration tab and click Active Directory.

Table 6-9 lists the Active Directory Main Menu page options.

Table 6-9. Active Directory Main Menu Page Options

Field | Description
Configure Active Directory | Configures the Active Directory's DRAC Name, ROOT Domain Name, DRAC Domain Name, Active Directory Authentication Timeout, Active Directory Schema Selection, and Role Group settings.
Upload Active Directory CA Certificate | Uploads an Active Directory certificate to the DRAC.
Download DRAC Server Certificate | The Windows Download Manager enables you to download a DRAC server certificate to your system.
View Active Directory CA Certificate | Displays the Active Directory Certificate that has been uploaded to the DRAC.

Configuring Active Directory (Standard Schema and Extended Schema)

1. In the Active Directory Main Menu page, select Configure Active Directory and click Next.
2. In the Active Directory Configuration and Management page, enter the Active Directory settings. Table 6-10 describes the Active Directory Configuration and Management page settings.
3. Click Apply to save the settings.
4. Click the appropriate Active Directory Configuration page button to continue. See Table 6-11.
5. To configure the Role Groups for Active Directory Standard Schema, click on the individual Role Group (1-5). See Table 6-12 and Table 6-13.

NOTE: To save the settings on the Active Directory Configuration and Management page, you have to click Apply before proceeding to the Custom Role Group page.

Table 6-10. Active Directory Configuration and Management Page Settings

Setting | Description
Enable Active Directory | Enables Active Directory. Checked=Enabled; Unchecked=Disabled.
ROOT Domain Name | The Active Directory ROOT domain name. This value is NULL by default. The name must be a valid domain name consisting of x.y, where x is a 1-254 character ASCII string with no blank spaces between characters, and y is a valid domain type such as com, edu, gov, int, mil, net, org.
Timeout | The time in seconds to wait for Active Directory queries to complete. Minimum value is equal to or greater than 15 seconds. The default value is 120 seconds.
Use Standard Schema | Uses Standard Schema with Active Directory.
Use Extended Schema | Uses Extended Schema with Active Directory.
DRAC Name | The name that uniquely identifies the DRAC 5 card in Active Directory. This value is NULL by default. The name must be a 1-254 character ASCII string with no blank spaces between characters.
DRAC Domain Name | The DNS name (string) of the domain where the Active Directory DRAC 5 object resides. This value is NULL by default. The name must be a valid domain name consisting of x.y, where x is a 1-254 character ASCII string with no blank spaces between characters, and y is a valid domain type such as com, edu, gov, int, mil, net, org.
Table 6-10. Active Directory Configuration and Management Page Settings (continued)

Setting | Description
Role Groups | The list of role groups associated with the DRAC 5 card. To change the settings for a role group, click its role group number in the role groups list. The Configure Role Group window displays. NOTE: If you click on the role group link prior to applying the settings for the Active Directory Configuration and Management page, you will lose these settings.
Group Name | The name that identifies the role group in the Active Directory associated with the DRAC 5 card.
Group Domain | The domain that the group is in.
Group Privilege | The privilege level for the group.

Table 6-11. Active Directory Configuration and Management Page Buttons

Button | Description
Print | Prints the Active Directory Configuration and Management page.
Apply | Saves the changes made to the Active Directory Configuration and Management page.
Go Back to Active Directory Main Menu | Returns to the Active Directory Main Menu page.

Table 6-12. Role Group Privileges

Setting | Description
Role Group Privilege Level | Specifies the user's maximum DRAC user privilege to one of the following: Administrator, Power User, Guest user, None, or Custom. See Table 6-13 for Role Group permissions.
Login to DRAC | Enables the user to log in to the DRAC.
Configure DRAC | Enables the user to configure the DRAC.
Table 6-12. Role Group Privileges (continued)

Setting | Description
Configure Users | Enables the user to allow specific users to access the system.
Clear Logs | Enables the user to clear the DRAC logs.
Execute Server Control Commands | Enables the user to execute racadm commands.
Access Console Redirection | Enables the user to run Console Redirection.
Access Virtual Media | Enables the user to run and use Virtual Media.
Test Alerts | Enables the user to send test alerts (e-mail and PET) to a specific user.
Execute Diagnostic Commands | Enables the user to run diagnostic commands.

Table 6-13. Role Group Permissions

Property | Description
Administrator | Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
Power User | Login to DRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts
Guest User | Login to DRAC
Custom | Selects any combination of the following permissions: Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Action Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
None | No assigned permissions
Uploading an Active Directory CA Certificate

1. In the Active Directory Main Menu page, select Upload Active Directory CA Certificate and click Next.
2. In the Certificate Upload page, in the File Path field, type the file path of the certificate or click Browse to navigate to the certificate file.

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

3. Click Apply.
4. Click the appropriate Certificate Upload page button to continue. See Table 6-11.

Downloading a DRAC Server Certificate

1. In the Active Directory Main Menu page, select Download DRAC Server Certificate and click Next.
2. In the File Download window, click Save and save the file to a directory on your system.
3. In the Download Complete window, click Close.

Viewing an Active Directory CA Certificate

Use the Active Directory Main Menu page to view a CA server certificate for your DRAC 5.

1. In the Active Directory Main Menu page, select View Active Directory CA Certificate and click Next. Table 6-14 describes the fields and associated descriptions listed in the Certificate window.
2. Click the appropriate View Active Directory CA Certificate page button to continue. See Table 6-11.

Table 6-14. Active Directory CA Certificate Information

Field | Description
Serial Number | Certificate serial number.
Subject Information | Certificate attributes entered by the subject.
Issuer Information | Certificate attributes returned by the issuer.
Table 6-14. Active Directory CA Certificate Information (continued)

Field | Description
Valid From | Certificate issue date.
Valid To | Certificate expiration date.

Enabling SSL on a Domain Controller

When the DRAC 5 authenticates users against an Active Directory domain controller, it starts an SSL session with the domain controller. At this time, the domain controller should publish a certificate signed by the Certificate Authority (CA), the root certificate of which is also uploaded into the DRAC 5. In other words, for DRAC 5 to be able to authenticate to any domain controller, whether it is the root or the child domain controller, that domain controller should have an SSL-enabled certificate signed by the domain's CA.

If you are using Microsoft Enterprise Root CA to automatically assign all your domain controllers to an SSL certificate, perform the following steps to enable SSL on each domain controller:

1. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.
   a. Click Start > Administrative Tools > Domain Security Policy.
   b. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.
   c. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.
   d. Click Next and click Finish.

Exporting the Domain Controller Root CA Certificate to the DRAC 5

NOTE: If your system is running Windows 2000, the following steps may vary.

1. Locate the domain controller that is running the Microsoft Enterprise CA service.
2. Click Start > Run.
3. In the Run field, type mmc and click OK.
4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and select Add/Remove Snap-in.
5. In the Add/Remove Snap-In window, click Add.
6. In the Standalone Snap-In window, select Certificates and click Add.
7. Select Computer account and click Next.
8. Select Local Computer and click Finish.
9. Click OK.
10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.
11. Locate and right-click the root CA certificate, select All Tasks, and click Export...
12. In the Certificate Export Wizard, click Next, and select No, do not export the private key.
13. Click Next and select Base-64 encoded X.509 (.cer) as the format.
14. Click Next and save the certificate to a directory on your system.
15. Upload the certificate you saved in step 14 to the DRAC 5.

To upload the certificate using RACADM, see Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface on page 126.

To upload the certificate using the Web-based interface, perform the following procedure:

   a. Open a supported Web browser window.
   b. Log in to the DRAC 5 Web-based interface.
   c. Expand the System tree and click Remote Access.
   d. Click the Configuration tab, and then click Security.
   e. In the Security Certificate Main Menu page, select Upload Server Certificate and click Apply.
   f. In the Certificate Upload screen, perform one of the following procedures:
      • Click Browse and select the certificate.
      • In the Value field, type the path to the certificate.
   g. Click Apply.

Importing the DRAC 5 Firmware SSL Certificate

NOTE: If the Active Directory Server is set to authenticate the client during an SSL session initialization phase, you need to upload the DRAC 5 Server certificate to the Active Directory Domain controller as well. This additional step is not required if the Active Directory does not perform a client authentication during an SSL session's initialization phase.

Use the following procedure to import the DRAC 5 firmware SSL certificate to all domain controller trusted certificate lists.

NOTE: If your system is running Windows 2000, the following steps may vary.

NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you are not required to perform the steps in this section.

The DRAC 5 SSL certificate is the identical certificate used for the DRAC 5 Web server. All DRAC 5 controllers are shipped with a default self-signed certificate.

To access the certificate using the DRAC 5 Web-based interface, select Configuration > Active Directory > Download DRAC 5 Server Certificate.

1. On the domain controller, open an MMC Console window and select Certificates > Trusted Root Certification Authorities.
2. Right-click Certificates, select All Tasks and click Import.
3. Click Next and browse to the SSL certificate file.
4. Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the Authority is not in the list, you must install it on all your Domain Controllers.