Dell Drac 5 User Manual
Using the DRAC 5 With Microsoft Active Directory

Figure 6-1. Configuration of DRAC 5 with Microsoft Active Directory and Standard Schema
[Figure 6-1: Configuration on Active Directory Side (Role Group: Role Group Name and Domain Name, Role Definition; User) and Configuration on DRAC 5 Side]

Table 6-1. Default Role Group Privileges

Role Groups   Default Privilege Level  Permissions Granted                                             Bit Mask
Role Group 1  Administrator            Login to DRAC, Configure DRAC, Configure Users, Clear Logs,     0x000001ff
                                       Execute Server Control Commands, Access Console Redirection,
                                       Access Virtual Media, Test Alerts, Execute Diagnostic Commands
Role Group 2  Power User               Login to DRAC, Clear Logs, Execute Server Control Commands,     0x000000f9
                                       Access Console Redirection, Access Virtual Media, Test Alerts
Role Group 3  Guest User               Login to DRAC                                                   0x00000001
Role Group 4  None                     No assigned permissions                                         0x00000000
Role Group 5  None                     No assigned permissions                                         0x00000000

NOTE: The Bit Mask values are used only when setting Standard Schema with the RACADM.

There are two ways to enable Standard Schema Active Directory:
- With the DRAC 5 web-based user interface. See Configuring the DRAC 5 With Standard Schema Active Directory and Web-Based Interface.
- With the RACADM CLI tool. See Configuring the DRAC 5 With Standard Schema Active Directory and RACADM.

Configuring Standard Schema Active Directory to Access Your DRAC 5

You need to perform the following steps to configure the Active Directory before an Active Directory user can access the DRAC 5:
1 On an Active Directory server (domain controller), open the Active Directory Users and Computers Snap-in.
2 Create a group or select an existing group. The name of the group and the name of this domain will need to be configured on the DRAC 5 either with the web-based interface or RACADM (see Configuring the DRAC 5 With Standard Schema Active Directory and Web-Based Interface or Configuring the DRAC 5 With Standard Schema Active Directory and RACADM).
3 Add the Active Directory user as a member of the Active Directory group to access the DRAC 5.
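The bit masks in Table 6-1 are the values the RACADM cfgSSADRoleGroupPrivilege setting takes, so it helps to see how a permission set becomes a mask and back. The following Python is an added example, not code from Dell's manual or tools: it encodes a set of permission names into a mask, decodes a mask into permissions, names the default role a mask matches (or Custom, as the web interface does once permissions are edited), and flags masks that grant Configure DRAC or Configure Users, the two permissions worth a second look when reviewing a role group. The bit assignment is an assumption inferred from the table: the nine permissions of the Administrator row, in the order listed, occupy bits 0 to 8, which reproduces all three non-zero masks the table gives.

```python
"""Encode and decode DRAC 5 role-group privilege bit masks.

Added example, not Dell's code. The bit assignment is an assumption derived
from Table 6-1: the nine permissions in the Administrator row, in the order
listed, map to bits 0..8, which reproduces the table's masks (0x1ff for
Administrator, 0xf9 for Power User, 0x1 for Guest User).
"""

# Permission name -> bit value (assumed ordering, consistent with Table 6-1).
PRIVILEGE_BITS = {
    "Login to DRAC": 0x001,
    "Configure DRAC": 0x002,
    "Configure Users": 0x004,
    "Clear Logs": 0x008,
    "Execute Server Control Commands": 0x010,
    "Access Console Redirection": 0x020,
    "Access Virtual Media": 0x040,
    "Test Alerts": 0x080,
    "Execute Diagnostic Commands": 0x100,
}

ALL_BITS = sum(PRIVILEGE_BITS.values())  # 0x1ff, the Administrator mask

# Default privilege levels from Table 6-1, expressed as permission sets.
DEFAULT_ROLES = {
    "Administrator": set(PRIVILEGE_BITS),
    "Power User": {"Login to DRAC", "Clear Logs", "Execute Server Control Commands",
                   "Access Console Redirection", "Access Virtual Media", "Test Alerts"},
    "Guest User": {"Login to DRAC"},
    "None": set(),
}

# Permissions that let the holder change the DRAC's own security configuration.
SENSITIVE = {"Configure DRAC", "Configure Users"}


def encode_mask(permissions):
    """Return the cfgSSADRoleGroupPrivilege bit mask for a set of permission names."""
    mask = 0
    for name in permissions:
        if name not in PRIVILEGE_BITS:
            raise ValueError(f"unknown permission: {name}")
        mask |= PRIVILEGE_BITS[name]
    return mask


def decode_mask(mask):
    """Return the set of permission names a bit mask grants; reject undefined bits."""
    if mask & ~ALL_BITS:
        raise ValueError(f"mask 0x{mask:x} sets bits outside 0x{ALL_BITS:x}")
    return {name for name, bit in PRIVILEGE_BITS.items() if mask & bit}


def classify_mask(mask):
    """Name the default role a mask matches exactly, or 'Custom' (as the web UI does)."""
    granted = decode_mask(mask)
    for role, perms in DEFAULT_ROLES.items():
        if granted == perms:
            return role
    return "Custom"


def audit_mask(mask):
    """List the sensitive permissions a mask grants, for reviewing role-group settings."""
    return sorted(decode_mask(mask) & SENSITIVE)


if __name__ == "__main__":
    for role, perms in DEFAULT_ROLES.items():
        m = encode_mask(perms)
        print(f"{role:14s} 0x{m:08x} {classify_mask(m)} sensitive={audit_mask(m)}")
    # A hand-edited mask: login plus clear logs is no default level, so it is Custom.
    print(classify_mask(0x00000009), audit_mask(0x00000007))
```

Running the block prints one line per default level with the same masks as Table 6-1; decode_mask raises on any mask with bits above 0x1ff, which catches a mistyped value before it reaches racadm.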
Configuring the DRAC 5 With Standard Schema Active Directory and Web-Based Interface

1 Open a supported Web browser window.
2 Log in to the DRAC 5 Web-based interface.
3 Expand the System tree and click Remote Access.
4 Click the Configuration tab and select Active Directory.
5 On the Active Directory Main Menu page, select Configure Active Directory and click Next.
6 In the Common Settings section:
  a Select the Enable Active Directory check box.
  b Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.
  c Type the Timeout time in seconds.
7 Click Use Standard Schema in the Active Directory Schema Selection section.
8 Click Apply to save the Active Directory settings.
9 In the Role Groups column of the Standard Schema settings section, click a Role Group. The Configure Role Group page appears, which includes a role group’s Group Name, Group Domain, and Role Group Privileges.
10 Type the Group Name. The group name identifies the role group in the Active Directory associated with the DRAC 5 card.
11 Type the Group Domain. The Group Domain is the fully qualified root domain name for the forest.
12 In the Role Group Privileges page, set the group privileges. Table 6-12 describes the Role Group Privileges. Table 6-13 describes the Role Group Permissions. If you modify any of the permissions, the existing Role Group Privilege (Administrator, Power User, or Guest User) will change to either the Custom group or the appropriate Role Group Privilege based on the permissions modified.
13 Click Apply to save the Role Group settings.
14 Click Go Back To Active Directory Configuration and Management.
15 Click Go Back To Active Directory Main Menu.
16 Upload your domain forest Root CA certificate into the DRAC 5.
  a Select the Upload Active Directory CA Certificate check box and then click Next.
  b In the Certificate Upload page, type the file path of the certificate or browse to the certificate file.
    NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.
    The domain controllers’ SSL certificates should have been signed by the root CA. Ensure that the root CA certificate is available on the management station that is accessing the DRAC 5 (see Exporting the Domain Controller Root CA Certificate to the DRAC 5).
  c Click Apply. The DRAC 5 Web server automatically restarts after you click Apply.
17 Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.
18 In the System tree, click Remote Access.
19 Click the Configuration tab and then click Network. The Network Configuration page appears.
20 If Use DHCP (for NIC IP Address) is selected under Network Settings, select Use DHCP to obtain DNS server address. To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.
21 Click Apply Changes.
The DRAC 5 Standard Schema Active Directory feature configuration is complete.
Configuring the DRAC 5 With Standard Schema Active Directory and RACADM

Use the following commands to configure the DRAC 5 Active Directory feature with Standard Schema using the RACADM CLI instead of the Web-based interface.
1 Open a command prompt and type the following racadm commands:
    racadm config -g cfgActiveDirectory -o cfgADEnable 1
    racadm config -g cfgActiveDirectory -o cfgADType 2
    racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>
    racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupName <common name of the role group>
    racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupDomain <fully qualified domain name>
    racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupPrivilege <Bit Mask Number for specific user permissions>
    racadm sslcertupload -t 0x2 -f <ADS root CA certificate>
    racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>
  NOTE: For Bit Mask number values, see Table B-4.
2 If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm command:
    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1
3 If DHCP is disabled on the DRAC 5 or you want to manually input your DNS IP address, type the following racadm commands:
    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
    racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
    racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
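The RACADM sequence above is usually applied to more than one card, and a mistyped domain, role-group index or privilege mask is only reported by the DRAC after the fact. The following Python is an added example, not a Dell tool: it assembles the commands of steps 1 to 3 as argument lists with every parameter validated first, covering both the DHCP and the static DNS branch. The role-group index limit of 5 follows Table 6-1 and the privilege ceiling of 0x1ff is the Administrator mask from that table; the domain name, file paths and addresses in the sample run are constructed placeholders. Nothing is executed: the block prints the shell-quoted commands for review, and running them on the card is left to the operator.

```python
"""Build the RACADM command sequence for Standard Schema Active Directory.

Added example, not Dell's tool. Emits the racadm commands of the procedure
above with each parameter validated first. Commands are returned as argv
lists and only printed; nothing is sent to the DRAC.
"""
import ipaddress
import re
import shlex

MAX_ROLE_GROUPS = 5          # Table 6-1 lists Role Group 1..5
MAX_PRIVILEGE_MASK = 0x1ff   # Administrator mask from Table 6-1
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_fqdn(name):
    """Accept a fully qualified domain name (at least two valid labels); reject anything else."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"not a fully qualified domain name: {name!r}")
    return name.rstrip(".")


def role_group_commands(index, name, domain, privilege):
    """The three cfgStandardSchema commands for one role-group entry."""
    if not 1 <= index <= MAX_ROLE_GROUPS:
        raise ValueError(f"role group index must be 1..{MAX_ROLE_GROUPS}, got {index}")
    if not 0 <= privilege <= MAX_PRIVILEGE_MASK:
        raise ValueError(f"privilege mask must be 0..0x{MAX_PRIVILEGE_MASK:x}, got 0x{privilege:x}")
    if not name.strip():
        raise ValueError("role group name must not be empty")
    domain = validate_fqdn(domain)
    base = ["racadm", "config", "-g", "cfgStandardSchema", "-i", str(index), "-o"]
    return [
        base + ["cfgSSADRoleGroupName", name],
        base + ["cfgSSADRoleGroupDomain", domain],
        base + ["cfgSSADRoleGroupPrivilege", f"0x{privilege:08x}"],
    ]


def dns_commands(dns_servers=None):
    """Step 2 (DNS from DHCP) when no servers are given, otherwise step 3 (static DNS)."""
    if not dns_servers:
        return [["racadm", "config", "-g", "cfgLanNetworking", "-o", "cfgDNSServersFromDHCP", "1"]]
    if len(dns_servers) > 2:
        raise ValueError("the DRAC 5 takes a primary and a secondary DNS server only")
    cmds = [["racadm", "config", "-g", "cfgLanNetworking", "-o", "cfgDNSServersFromDHCP", "0"]]
    for n, server in enumerate(dns_servers, start=1):
        addr = str(ipaddress.IPv4Address(server))  # raises ValueError on a malformed address
        cmds.append(["racadm", "config", "-g", "cfgLanNetworking", "-o", f"cfgDNSServer{n}", addr])
    return cmds


def standard_schema_commands(root_domain, role_groups, ca_cert_path, rac_cert_path, dns_servers=None):
    """Full step 1-3 sequence. role_groups is a list of (index, name, domain, privilege) tuples."""
    root_domain = validate_fqdn(root_domain)
    cmds = [
        ["racadm", "config", "-g", "cfgActiveDirectory", "-o", "cfgADEnable", "1"],
        ["racadm", "config", "-g", "cfgActiveDirectory", "-o", "cfgADType", "2"],
        ["racadm", "config", "-g", "cfgActiveDirectory", "-o", "cfgADRootDomain", root_domain],
    ]
    for group in role_groups:
        cmds.extend(role_group_commands(*group))
    cmds.append(["racadm", "sslcertupload", "-t", "0x2", "-f", ca_cert_path])
    cmds.append(["racadm", "sslcertdownload", "-t", "0x1", "-f", rac_cert_path])
    cmds.extend(dns_commands(dns_servers))
    return cmds


if __name__ == "__main__":
    # Constructed sample values: domain, group names, paths and addresses are placeholders.
    plan = standard_schema_commands(
        "corp.example.com",
        [(1, "DRAC Admins", "corp.example.com", 0x1ff),
         (2, "DRAC Operators", "corp.example.com", 0xf9)],
        "/tmp/ad-root-ca.cer", "/tmp/rac-ssl.cer",
        dns_servers=["192.0.2.10", "192.0.2.11"],
    )
    for argv in plan:
        print(shlex.join(argv))
```

Keeping the output as argument lists rather than one shell string avoids quoting problems with role-group names that contain spaces, and lets the same plan be reviewed before it is applied to each card.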
Extended Schema Active Directory Overview

There are two ways to enable Extended Schema Active Directory:
- With the DRAC 5 web-based user interface. See Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface.
- With the RACADM CLI tool. See Configuring the DRAC 5 With Extended Schema Active Directory and RACADM.

Active Directory Schema Extensions

The Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added or included in the database. The user class is one example of a Class that is stored in the database. Some example user class attributes can include the user’s first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization.

Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft’s Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service.
- Dell extension is: dell
- Dell base OID is: 1.2.840.113556.1.8000.1280
- RAC LinkID range is: 12070 to 12079
The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension Dell.
Overview of the RAC Schema Extensions

To provide the greatest flexibility in the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link together the users or groups with a specific set of privileges to one or more RAC devices. This model provides an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity.

Active Directory Object Overview

For each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, create at least one Association Object and one RAC Device Object. You can create multiple Association Objects, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as required. The users and RAC Device Objects can be members of any domain in the enterprise. However, each Association Object can be linked (or, may link users, groups of users, or RAC Device Objects) to only one Privilege Object. This allows an Administrator to control each user’s privileges on specific RACs.

The RAC Device object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add the RAC to at least one Association Object in order for users to authenticate. Figure 6-2 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.
Figure 6-2. Typical Setup for Active Directory Objects
[Figure 6-2: Association Object linked to User(s)/Group(s), a Privilege Object (RAC4 Privilege Object) and RAC Device Object(s)]

NOTE: The RAC privilege object applies to both DRAC 4 and DRAC 5.

You can create as many or as few association objects as required. However, you must create at least one Association Object, and you must have one RAC Device Object for each RAC (DRAC 5) on the network that you want to integrate with Active Directory for Authentication and Authorization with the RAC (DRAC 5). The Association Object allows for as many or as few users and/or groups as well as RAC Device Objects. However, the Association Object only includes one Privilege Object per Association Object. The Association Object connects the Users who have Privileges on the RACs (DRAC 5s). Additionally, you can configure Active Directory objects in a single domain or in multiple domains.

For example, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an administrator privilege to both DRAC 5 cards and give user3 a login privilege to the RAC2 card. Figure 6-3 shows how you set up the Active Directory objects in this scenario.
When adding Universal Groups from separate domains, create an Association Object with Universal Scope. The Default Association objects created by the Dell Schema Extender Utility are Domain Local Groups and will not work with Universal Groups from other domains.

Figure 6-3. Setting Up Active Directory Objects in a Single Domain
[Figure 6-3: objects AO1, AO2, Priv1, Priv2, Group1, RAC1, RAC2, User1, User2, User3]

To configure the objects for the single domain scenario, perform the following tasks:
1 Create two Association Objects.
2 Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.
3 Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.
4 Group user1 and user2 into Group1.
5 Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.
6 Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
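The object model behind the single-domain tasks above is easier to reason about when the lookup a RAC performs is written out. The following Python is an added example, not Dell's schema extension or code: it models Privilege Objects, RAC Device Objects and Association Objects with the rules stated on this page (an Association Object links members and RAC devices to exactly one Privilege Object; a RAC must be in at least one Association Object for anyone to authenticate to it; a user is authorized on a RAC only through an Association Object that lists both that RAC and the user or a group containing the user), builds the Figure 6-3 scenario as constructed sample data, and resolves which Privilege Objects apply to each user on each card. Where a user reaches a RAC through more than one Association Object, the code reports every matching Privilege Object and does not assume a combination rule, because the page states none.

```python
"""How Association, Privilege and RAC Device Objects authorize a user on a RAC.

Added example, not Dell's schema or code. Encodes the rules stated on this
page and reproduces the single-domain scenario of Figure 6-3 as constructed
sample data (Group1, Priv1, Priv2, AO1, AO2, RAC1, RAC2, user1..user3).
"""
from dataclasses import dataclass, field

# Permission names as listed in Table 6-1.
ALL_PRIVILEGES = (
    "Login to DRAC", "Configure DRAC", "Configure Users", "Clear Logs",
    "Execute Server Control Commands", "Access Console Redirection",
    "Access Virtual Media", "Test Alerts", "Execute Diagnostic Commands",
)


@dataclass(frozen=True)
class PrivilegeObject:
    name: str
    privileges: frozenset  # permission names this object grants


@dataclass
class AssociationObject:
    name: str
    privilege: PrivilegeObject                      # exactly one per Association Object
    members: set = field(default_factory=set)       # user and/or group names
    rac_devices: set = field(default_factory=set)   # RAC Device Object names


class Directory:
    """Minimal stand-in for the directory objects a RAC queries during login."""

    def __init__(self):
        self.groups = {}          # group name -> set of user names
        self.associations = []

    def add_group(self, name, members):
        self.groups[name] = set(members)

    def add_association(self, ao):
        if not isinstance(ao.privilege, PrivilegeObject):
            raise ValueError(f"{ao.name}: an Association Object links exactly one Privilege Object")
        if not ao.rac_devices or not ao.members:
            raise ValueError(f"{ao.name}: needs at least one member and one RAC Device Object")
        self.associations.append(ao)

    def principals_of(self, user):
        """The user plus every group containing the user: names an AO may list as members."""
        return {user} | {g for g, users in self.groups.items() if user in users}

    def applicable_privilege_objects(self, user, rac):
        """Privilege Objects reachable for user on rac; an empty list means no access."""
        who = self.principals_of(user)
        hits = [ao.privilege for ao in self.associations
                if rac in ao.rac_devices and who & ao.members]
        return sorted(hits, key=lambda p: p.name)

    def can_login(self, user, rac):
        """True if any applicable Privilege Object grants Login to DRAC."""
        return any("Login to DRAC" in p.privileges
                   for p in self.applicable_privilege_objects(user, rac))


def figure_6_3_directory():
    """Constructed sample data: the single-domain scenario of Figure 6-3."""
    ad = Directory()
    ad.add_group("Group1", {"user1", "user2"})
    priv1 = PrivilegeObject("Priv1", frozenset(ALL_PRIVILEGES))       # all privileges (administrator)
    priv2 = PrivilegeObject("Priv2", frozenset({"Login to DRAC"}))    # login privileges only
    ad.add_association(AssociationObject("AO1", priv1, {"Group1"}, {"RAC1", "RAC2"}))
    ad.add_association(AssociationObject("AO2", priv2, {"user3"}, {"RAC2"}))
    return ad


if __name__ == "__main__":
    ad = figure_6_3_directory()
    for user in ("user1", "user2", "user3"):
        for rac in ("RAC1", "RAC2"):
            objs = [p.name for p in ad.applicable_privilege_objects(user, rac)]
            print(f"{user} on {rac}: {objs or 'no access'}, login={ad.can_login(user, rac)}")
```

The run shows user1 and user2 reaching Priv1 on both cards through Group1 and AO1, user3 reaching only Priv2 on RAC2 through AO2, and user3 having no path to RAC1 at all; an Association Object with no RAC Device Object is rejected up front, since the page notes that users cannot authenticate through one.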
See Adding DRAC 5 Users and Privileges to Active Directory for detailed instructions.

Figure 6-4 provides an example of Active Directory objects in multiple domains. In this scenario, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user3 are in Domain2. In this scenario, configure user1 and user2 with administrator privileges to both DRAC 5 cards and configure user3 with login privileges to the RAC2 card.

Figure 6-4. Setting Up Active Directory Objects in Multiple Domains
[Figure 6-4: objects AO1, AO2, Priv1, Priv2, Group1, RAC1, RAC2, User1, User2, User3 across Domain1 and Domain2]

To configure the objects for the multiple domain scenario, perform the following tasks:
1 Ensure that the domain forest function is in Native or Windows 2003 mode.
2 Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain. Figure 6-4 shows the objects in Domain2.
3 Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.