Integrating iDRAC7 With Microsoft Active Directory
Whitepaper
Author: Jim Slaughter
This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. © 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, and PowerEdge are trademarks of Dell Inc. Intel and Xeon are registered trademarks of Intel Corporation in the U.S.
Contents
Overview
Benefits of Integrating iDRAC7 With Microsoft Active Directory
Standard Schema Versus Extended Schema
Confirming iDRAC7 Enterprise License Installation
Configuring Active Directory
Adding Users
Adding iDRACs
Configuring iDRAC For Use With Active Directory Extended Schema
Overview
Integrating iDRAC with Active Directory can be complex, and this document simplifies the process with step-by-step instructions. There are multiple ways to achieve the same results, and the steps vary with different operating systems and in different network environments. This document covers a standard schema setup first, then adds extended schema. This lets you get hands-on experience with each option and determine the best method for your environment.
Confirming iDRAC7 Enterprise License Installation
You must have an Enterprise License installed on the iDRAC7 to use Active Directory authentication. To check the installed license level:
1. Browse to https:// and log into the iDRAC GUI of the system as an administrative user (the default username is root and the password is calvin).
2. Go to Overview > Server > Licenses.
3.
Dell Test Environment
To help you transfer the steps outlined in this document to your environment, the Dell test environment is set up as follows:
Systems Used
• Domain Controller - A system running Windows Server 2008 Enterprise 32-bit Service Pack 1.
• Managed System - A Dell PowerEdge R720 with iDRAC7 and an Enterprise License installed.
• Management Station - A system running Windows 7 and Firefox 7 (Internet Explorer is also supported).
Promoting Server To Domain Controller and Installing DNS
The steps in this section are for Windows Server 2008 Enterprise. The steps for other supported Windows Server operating systems are similar.
1. Promote the server to a Domain Controller: click Start > Run > dcpromo.
2. In the Active Directory Domain Services Installation Wizard, click Next.
Figure 2. Active Directory Domain Services Installation Wizard.
3.
9. In the Summary page, click Next.
10. After the installation is complete, reboot the system when prompted.
Your system is now a Domain Controller running DNS.
Note: If DHCP is not already running on your network, you can optionally install it on the Domain Controller at this time, or use static IP addresses on your network.
Installing and Configuring Active Directory Certificate Services
Installing Certificate Services as an Enterprise Root CA
1.
Figure 3. Installation Succeeded Message screen.
Adding Certificates Snap-in to Microsoft Management Console
1. Click Start > Run > MMC > OK.
2. In the Console1 window, click File > Add/Remove Snap-in > select Certificates > Add > select Computer Account > Next > Local Computer > Finish > OK.
It is recommended that you save Console1.msc to your Desktop. You will use this console for other snap-ins later in this document.
Figure 4. Certificate Enrollment success message.
The contents of your certificate folder should now look similar to the following, with the newly created certificate highlighted.
Figure 5. Certificate folder contents.
Exporting CA Certificate
Note: You must install this certificate on the iDRAC later.
1. Locate the CA certificate. This is the certificate issued to your CA (named test-AD2-CA in this example).
2. Right-click the CA certificate and select All Tasks > Export.
3. In the Certificate Export Wizard, click Next, select No, do not export the private key, and then click Next.
4. Select Base-64 encoded X.509 (.CER), and then click Next.
5.
Creating iDRAC Users and Groups
1. In the left pane of Server Manager, expand Roles > Active Directory Domain Services > Active Directory Users and Computers > your domain name (test.lab).
2. In the Users container, create the users that will be given the three different iDRAC privilege levels (right-click Users and select New > User).
Figure 7. iDRAC Users and Groups
Assigning the users to their corresponding groups
1. Double-click the admin user, click the Member Of tab, and then click Add.
2. Under Enter the object names to select, type iDRAC (or part of the group name you used).
3. Click Check Names and then select the iDRACAdministrators group.
4. Click OK three times.
5.
Configuring iDRAC7 For Use With Active Directory Standard Schema
At the management station, browse to https:// using Internet Explorer or Firefox and log into the iDRAC GUI as an administrator (the default username is root and the password is calvin).
Figure 8.
Configuring the iDRAC7 Directory Services Settings
Note: You must have an iDRAC7 Enterprise license to configure the directory services settings.
1. Go to iDRAC Settings > User Authentication > Directory Services.
2. Select Microsoft Active Directory and click Apply.
3. In the Active Directory Configuration and Management page, scroll to the bottom of the page and click Configure Active Directory.
4. Select Enable Certificate Validation.
5.
10. Select Specify Domain Controller Addresses and enter the FQDN of your Domain Controller for Domain Controller Server Address 1 (for example, ad2.test.lab).
11. Click Next.
12. Select Standard Schema.
13. Click Next.
14. Select Specify Global Catalog Server Addresses and enter the FQDN of your Domain Controller for Global Catalog Server Address 1 (for example, ad2.test.lab).
15. Click Role Group 1.
• Group Name - Enter iDRACAdministrators.
Figure 10. Directory Services Summary.
Testing Standard Schema Configuration Settings
1. Click Test Settings in the lower right part of the screen.
2. In the Test User Name field, type the administrative user in username@domain.com format, for example admin@test.lab.
3. In the Test User Password field, type the user's domain password.
4. Click Start Test.
At the top of the results page, all tests must pass (including Certificate Validation) or be marked Not Applicable/Not Configured.
You can repeat the test with the other users you have created. The following figure shows the result for the read-only user.
Note: The only privilege listed is Login, which is the correct behavior for this user.
Figure 12. Read-Only User Test Results.
Active Directory Login Syntax Options
There are different methods for authenticating as an Active Directory user. All the iDRAC interfaces (GUI, racadm, WSMAN, SSH, and Telnet) accept the following domain-username formats:
Table 1. Domain username formats
Format                Example
username@domain.com   admin@test.lab
domain.com/username   test.lab/admin
domain.com\username   test.lab\admin
Note: The domain name must be fully qualified.
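As an added example (not code from the Dell document), the following Python normalises the three login forms in Table 1 into the username@domain form that the Test Settings page asks for, and rejects a domain that is not fully qualified, which is the note's constraint. The names parse_ad_login, normalise_logins and the sample entries are the example's own.

```python
import re
from typing import NamedTuple

class ADLogin(NamedTuple):
    user: str
    domain: str

    @property
    def upn(self) -> str:
        # Canonical username@domain form, the one the iDRAC Test Settings page asks for
        return f"{self.user}@{self.domain}"

# The three syntaxes every iDRAC interface accepts (Table 1):
#   username@domain.com, domain.com/username, domain.com\username
_UPN_FORM = re.compile(r"^(?P<user>[^@/\\\s]+)@(?P<domain>[^@/\\\s]+)$")
_DOMAIN_FIRST_FORM = re.compile(r"^(?P<domain>[^@/\\\s]+)[\\/](?P<user>[^@/\\\s]+)$")

def is_fqdn(domain: str) -> bool:
    """A fully qualified domain has at least two DNS labels, e.g. test.lab."""
    labels = domain.split(".")
    return len(labels) >= 2 and all(re.fullmatch(r"[A-Za-z0-9-]+", lbl) for lbl in labels)

def parse_ad_login(raw: str) -> ADLogin:
    """Normalise any accepted login form to (user, domain); the domain is lower-cased.
    Raises ValueError for a bare local account (root) or a short NetBIOS-style domain (TEST\\admin)."""
    raw = raw.strip()
    match = _UPN_FORM.match(raw) or _DOMAIN_FIRST_FORM.match(raw)
    if match is None:
        raise ValueError(f"not an Active Directory login form: {raw!r}")
    domain = match.group("domain").lower()
    if not is_fqdn(domain):
        # The whitepaper's note: the domain name must be fully qualified
        raise ValueError(f"domain must be fully qualified: {domain!r}")
    return ADLogin(match.group("user"), domain)

def normalise_logins(entries):
    """Map each accepted entry to its canonical UPN; return the rejected entries separately."""
    accepted, rejected = {}, []
    for entry in entries:
        try:
            accepted[entry] = parse_ad_login(entry).upn
        except ValueError:
            rejected.append(entry)
    return accepted, rejected

# Constructed sample input: the three forms from Table 1 plus two entries that must be rejected
SAMPLE_LOGINS = ["admin@test.lab", "test.lab/admin", r"test.lab\admin", r"TEST\admin", "root"]
```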
Authenticating with Active Directory Credentials Using SSH login
Figure 13. SSH login
Authenticating with Active Directory Credentials in the iDRAC GUI
There is one additional option when logging into the iDRAC GUI.
Figure 14.
Figure 15. iDRAC GUI login option 2.
Configuring Domain Controller With Active Directory Extended Schema
This section builds on the standard schema setup illustrated above. It uses the users, groups, certificates, and some of the iDRAC settings made above. Keep in mind that schema extensions cannot be undone. If you are using a virtual server, it is a good idea to take a snapshot of the image before proceeding.
Extending the Schema
1.
64 Bit: DVD_DRIVE:\SYSMGMT\ManagementStation\support\OMActiveDirectory_Tools\Remote_Management_Advanced\Schema_Extender64\SchemaExtender.exe
4. If a Security Warning message is displayed, click Run.
5. A Welcome message is displayed; click Next.
6. A Warning message is displayed indicating that schema extensions cannot be undone; click Next.
7. Accept the default option to use the current credentials, and then click Next.
Viewing Active Directory Schema Changes (Optional)
To view the changes made by extending the schema, install the Microsoft Active Directory Schema snap-in utility. To do this:
1. At the command prompt, type the following command, and then press ENTER:
regsvr32 schmmgmt.dll
2. A message is displayed indicating that the command succeeded. Click OK.
3. Open the saved Console1.msc (or create a new one by running MMC).
4. Click File > Add/Remove Snap In.
5.
Figure 17. Installing the Active Directory Snap-In
Note: If you are using Remote Desktop to connect to the Domain Controller and an error is displayed stating that installation is not permitted from Remote Desktop, map a drive letter to the DVD instead of using a Universal Naming Convention (UNC) share name and try again.
4. Click Next.
5. Accept the License Agreement, and then click Next.
6. Click Install.
7. A success message is displayed when the installation completes.
Install the Active Directory Users and Computers Snap-In to MMC
The Dell Active Directory Snap-in extension is not fully functional in the Server Manager console. For full functionality, use Microsoft Management Console as described in the following steps. Use the saved Console1.msc file or create a new console by running mmc. Add the Active Directory Users and Computers Snap-In to the console as follows:
1. Go to File > Add/Remove Snap In.
2.
Table 3.
The privilege object lists all the privilege names. In this example, all the options are selected, since this object controls the Administrator's privileges. For the DellIDRACGuestPriv object, only the Login option is selected. Similarly, DellIDRACPowerPriv has all but two options selected by default. To customize user privileges, it is recommended to use the DellIDRACPowerPriv object and select only the required options.
Figure 20. Creating a New Dell Object
The New OpenManage Remote Management Object Advanced window is displayed.
Figure 21. Entering Object Name
2. In the Enter Object Name field, type a unique name for the iDRAC object, for example idrac1.
3. Select the iDRAC Device Object option and click OK. The iDRAC device object appears in the Users container in Active Directory.
Figure 22. iDRAC Device Object
4. Expand the Dell container under yourdomain.com (test.lab), right-click Dell iDRAC Admin User Association, and select Properties.
• On the Users tab, click Add > Object Types > select Groups, and then click OK.
• Under Enter the object names to select, enter iDRACAdministrators and click Check Names. The object should be found, as shown by an underline; then click OK.
Figure 23. Configuring the Admin User Association Object
5. Click the Privilege Object tab. It is pre-populated with the DellAdminPriv object.
6. On the Products tab, click Add.
7. Under Enter the object names to select, enter the iDRAC object name used earlier (idrac1) and then click Check Names (it should be found, as shown by an underline). Click OK.
Figure 24. Configuring the iDRAC Admin User Association Object (continued)
8. Repeat for the Guest User (also known as the read-only user):
• Right-click Dell iDRAC Guest User Association and select Properties.
• On the Users tab, click Add > Object Types > select Groups, and then click OK.
• In the Enter the object names to select field, enter iDRACReadOnlyUsers and click Check Names (it must display the object). Click OK.
• Enter the DRAC name (idrac1) and click Check Names (it must display the object). Click OK, and then click OK again.
Adding Users
You can add new users to the appropriate Active Directory group (iDRACAdministrators, and so on) with no further configuration necessary.
Adding iDRACs
If you need to set up additional iDRACs, create a new iDRAC object with a unique name for each one (such as idrac2, idrac3, and so on).
l. Specify the iDRAC Domain Name (for example, test.lab).
m. Click Finish. A summary page similar to the following is displayed.
Figure 25.
Note: At the bottom of the page (not visible in the figure), you see sections labeled Standard Schema Settings and Standard Schema Role Groups. These are retained in the iDRAC configuration but are not used when Extended Schema is selected. This allows you to switch between the two schema options with minimal additional configuration.
Testing Extended Schema Configuration
1.
Figure 26. Test Results for Administrative User.
It is recommended that you also run the test for the users with lower privilege levels (the users named readonly and operator earlier) to confirm everything is configured correctly. You can now authenticate to the iDRAC for all services (RACADM, WSMAN, SSH, Telnet, and the GUI) as shown earlier in the Authentication Examples section.
Creating an Active Directory User with Customized iDRAC Privileges
This example creates a new user, assigns the user to the iDRACOperators group, modifies the default privileges held by the Power User role (also known as the Operator role), and then tests the configuration.
1. At the Domain Controller, under Active Directory Users and Computers, create a new user with the login name John_Smith.
6. Click OK.
7. At the management station, log out of the iDRAC GUI.
8. Log into the iDRAC GUI as John_Smith. Make sure to specify the domain (test.lab). A System Summary page similar to the following figure is displayed.
Figure 28. John Smith's System Summary page
Notice that the Virtual Console Preview section (upper right of the Summary page) is not shown and is replaced with a message indicating that the user does not have access.
9. Test the settings for John_Smith's privileges to confirm everything is configured properly:
a. Log out and log back in as an administrative user in the iDRAC GUI.
b. Go to iDRAC Settings > User Authentication > Directory Services > Microsoft Active Directory > Test Settings.
c. Enter John_Smith@yourdomain.com (John_Smith@test.lab) and John's password, and then click Start Test.
d.
Summary
Active Directory integration with iDRAC7 can greatly simplify management of your iDRAC users and privileges. This document simplifies the setup process and enables you to evaluate the Standard Schema and Extended Schema options for use with the Dell iDRAC.