Configuring the DRAC 5 to Use the Microsoft Active Directory Standard Schema

By Raghavendra Babu and Deepak Panambur

Systems Management. Reprinted from Dell Power Solutions, August 2007. Copyright © 2007 Dell Inc. All rights reserved.

Dell Remote Access Controller 5 (DRAC 5) firmware version 1.20 introduces several features designed to enhance flexibility when managing Dell PowerEdge servers. This article discusses how administrators can configure the DRAC 5 to use the standard schema of the Microsoft Active Directory directory service, without deploying the schema extension required by previous firmware versions.


The Dell Remote Access Controller 5 (DRAC 5) supports Microsoft Active Directory authentication, allowing administrators to use Active Directory to manage DRAC users and access privileges. In the past, this support required administrators to irreversibly extend their existing Active Directory schema. To help maximize flexibility for different environments, including those where extending the Active Directory schema may be too complex or otherwise undesirable, DRAC 5 firmware version 1.20 allows administrators to use the standard Active Directory schema rather than the extension while still providing the same functionality.

The standard-schema approach uses ordinary Active Directory objects for configuration rather than the Dell objects in the extended schema. Administrators create DRAC users and groups in Active Directory just like other standard objects and then refer to them when configuring Active Directory authentication on the DRAC (see Figure 1). They can carry out this configuration using any of the supported DRAC interfaces, including the Web browser–based DRAC out-of-band graphical user interface (GUI), the local and remote racadm command-line interface (CLI), or the serial, Telnet, or Secure Shell (SSH) interfaces.

Configuring objects on the Active Directory server

On the Active Directory server, administrators create standard user and group objects for each role (see Figure 2). Each user should be a direct or indirect member of a group. An indirect member is a member of a group nested in another group; for example, if a user is a member of Group1, and Group1 is a member of Group2, then that user is an indirect member of Group2. DRAC 5 firmware version 1.20 supports up to 20 nesting levels.

Configuring the DRAC 5

Before configuring the DRAC 5 to use the Active Directory standard schema, administrators should enable Active Directory using any of the supported interfaces and then perform the following preliminary steps:

1. Provide the Active Directory configuration settings: In the DRAC GUI, select Configuration > Active Directory, then enter the Active Directory root domain name in the Common Settings section and select the Use Standard Schema option button in the Active Directory Schema Selection section (see Figure 3). The Active Directory root domain name must be fully qualified: a valid domain name and a valid domain type (such as .com, .org, and so on) separated by a period.

2. Upload the Active Directory Certificate Authority (CA) certificate: Upload the base-64 encoded X.509 (.cer) certificate of the CA used in the Active Directory environment to the DRAC. The DRAC uses this certificate to verify the SSL certificate that the domain controller presents when the DRAC authenticates users against Active Directory; this check is what lets the DRAC reject a server that merely claims to be the domain controller.




3. Import the DRAC server certificate: Download the DRAC 5 firmware SSL certificate and import it into the trusted-certificate list of every domain controller. (This step is not required if the certificate is signed by a well-known CA.)

After completing these steps, administrators can continue configuring the DRAC using the DRAC GUI, racadm CLI, or serial, Telnet, or SSH interfaces.
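The shell functions below are an added example, not part of the article or of any Dell tool, of checks worth running on the management station before carrying out steps 2 and 3. They assume that the DRAC validates the domain controller over LDAP with SSL on TCP port 636 and serves its own SSL certificate on HTTPS (TCP port 443); the host names and file names are placeholders.

```bash
#!/bin/bash
# Added example, not from the article: pre-flight checks for the certificate
# steps. Assumes (editor's assumption) that the DRAC validates the domain
# controller over LDAP with SSL on TCP 636 and serves its own SSL certificate
# on HTTPS (TCP 443). Host names and file names are placeholders.

# cert_encoding FILE -> "pem" for the base-64 form the DRAC upload expects,
# "der" for the binary form a certificate export can also produce, "unknown"
# for anything else.
cert_encoding() {
  if [ "$(head -c 27 "$1")" = "-----BEGIN CERTIFICATE-----" ]; then
    echo pem
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    echo der   # a DER certificate begins with an ASN.1 SEQUENCE tag (0x30)
  else
    echo unknown
  fi
}

# to_pem IN OUT: write the base-64 (PEM) form for the DRAC upload, converting
# a DER export if necessary; refuses anything that is not an X.509 certificate.
to_pem() {
  case "$(cert_encoding "$1")" in
    pem) cp "$1" "$2" ;;
    der) openssl x509 -inform DER -in "$1" -out "$2" ;;
    *)   echo "$1: not an X.509 certificate" >&2; return 1 ;;
  esac
}

# dc_chains_to_ca DC_HOST CA_PEM: confirm that the domain controller's SSL
# certificate verifies against the CA certificate about to be uploaded. If this
# fails on the management station, the DRAC will reject the same server.
dc_chains_to_ca() {
  openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# fetch_drac_cert DRAC_HOST OUT: save the DRAC's own SSL certificate (step 3)
# in PEM form for import into each domain controller's trusted-certificate list.
fetch_drac_cert() {
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$2"
}

# Typical use (placeholder names):
#   to_pem ad-root-ca.cer ad-root-ca.pem
#   dc_chains_to_ca dc1.example.com ad-root-ca.pem && echo "DC certificate trusted"
#   fetch_drac_cert drac-host drac-cert.pem
```

The DRAC accepts only the base-64 form, so to_pem is the step most often needed; dc_chains_to_ca reproduces, with the same CA file, the verification the DRAC performs, which makes a failed Active Directory login much easier to diagnose than the DRAC's own error message.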

Configuring the DRAC 5 with the DRAC GUI

Administrators can use the DRAC GUI to configure each role group with the appropriate group name, group domain, privilege level, and privileges. The privileges provided by the DRAC include nine user capabilities, which administrators can combine as needed when configuring the role groups. Figure 4 shows the default privilege level, privileges, and bit mask values for each role group.

Administrators can configure role groups by clicking on a specific group in the Active Directory Configuration and Management page of the DRAC GUI. They should first enter an appropriate group name and group domain (see Figure 5); the group name identifies the role group name on the Active Directory server associated with the DRAC, and the group domain is the fully qualified root domain name of the Active Directory forest. After entering these names, administrators should set the privilege level and privileges using the drop-down menu and check boxes in the Role Group Privileges section. Finally, they should click the Apply link to complete the configuration.

Figure 1. DRAC 5 and Microsoft Active Directory configuration
  Microsoft Active Directory server configuration: create group object; create user object (member of group object).
  DRAC 5 configuration: configure group name and group domain; configure role group privileges (Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands).

Figure 2. New group creation in the Microsoft Active Directory Users and Computers snap-in for the Microsoft Management Console

Figure 3. Active Directory Configuration and Management screen in the DRAC 5 GUI

Figure 4. Default privilege level, privileges, and bit mask values for DRAC 5 role groups
  Role group 1, privilege level Administrator, bit mask 0x000001ff: Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, and Execute Diagnostic Commands
  Role group 2, privilege level Power User, bit mask 0x000000f9: Login to DRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, and Test Alerts
  Role group 3, privilege level Guest, bit mask 0x00000001: Login to DRAC (as user)
  Role group 4, privilege level None, bit mask 0x00000000: none
  Role group 5, privilege level None, bit mask 0x00000000: none

Configuring the DRAC 5 with the racadm CLI

The latest version of the racadm utility includes a cfgStandardSchema group and objects that allow administrators with the Configure DRAC privilege to configure the DRAC 5 to use the Active Directory standard schema. Figure 6 shows these groups and objects along with their values and default settings; Figure 7 shows some example commands. When modifying group and domain names, administrators should ensure the names correspond to those on the Active Directory server. When modifying role group privileges, administrators should use the bit values in the cfgSSADRoleGroupPrivilege row of Figure 6 and enter the resulting bit mask for the desired privileges. For example, to assign the Login to DRAC, Configure DRAC, and Configure Users privileges to a specific group, administrators would set cfgSSADRoleGroupPrivilege to 0x00000007, the bitwise OR of those three privileges (0x00000001 OR 0x00000002 OR 0x00000004 = 0x00000007).

Figure 5. Configure Role Group screen in the DRAC 5 GUI

Figure 6. Racadm groups and objects enabling administrators to configure the DRAC 5 to use the Microsoft Active Directory standard schema

Group cfgActiveDirectory
  Object: cfgADType
  Values: 1 = extended schema; 2 = standard schema
  Default setting: 1
  Description: Defines which schema type is currently active

Group cfgStandardSchema
  Object: cfgSSADRoleGroupIndex
  Values: 1–5 (role groups 1–5)
  Default setting: none
  Description: Specifies the role group index as defined in the DRAC 5 GUI (read-only object)

  Object: cfgSSADRoleGroupName
  Values: text, up to 254 characters
  Default setting: none
  Description: Specifies the role group name to be configured, as defined on the Active Directory server

  Object: cfgSSADRoleGroupDomain
  Values: text, up to 254 characters
  Default setting: none
  Description: Specifies the role group domain to be configured, as defined on the Active Directory server

  Object: cfgSSADRoleGroupPrivilege
  Values:
    0x00000001: Login to DRAC (bit 0)
    0x00000002: Configure DRAC (bit 1)
    0x00000004: Configure Users (bit 2)
    0x00000008: Clear Logs (bit 3)
    0x00000010: Execute Server Control Commands (bit 4)
    0x00000020: Access Console Redirection (bit 5)
    0x00000040: Access Virtual Media (bit 6)
    0x00000080: Test Alerts (bit 7)
    0x00000100: Execute Diagnostic Commands (bit 8)
  Default setting: none
  Description: Specifies the role group privileges to be configured, as defined in the DRAC 5 GUI

Figure 7. Example racadm commands when configuring the DRAC 5 to use the Microsoft Active Directory standard schema

  Use Active Directory standard schema:
    racadm config -g cfgActiveDirectory -o cfgADType 2
  Modify role group name:
    racadm config -g cfgStandardSchema -i index -o cfgSSADRoleGroupName group_name
  Modify role group domain:
    racadm config -g cfgStandardSchema -i index -o cfgSSADRoleGroupDomain fully_qualified_domain_name
  Modify role group privileges:
    racadm config -g cfgStandardSchema -i index -o cfgSSADRoleGroupPrivilege privilege_bitmask
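As an added example, not code from the article or from Dell, the shell functions below build cfgSSADRoleGroupPrivilege masks from the bit values in Figure 6, decode a mask back into privilege names (rejecting bits the DRAC does not define), and emit the three racadm config lines of Figure 7 for one role group. The privilege keywords (login, configure, users, and so on), the group name DRAC_PowerUsers, and the domain example.com are this example's own; the refusal of a non-zero mask that lacks Login to DRAC is an editorial sanity check, not a DRAC rule.

```bash
#!/bin/bash
# Added example, not code from the article or from Dell: build and check
# cfgSSADRoleGroupPrivilege bit masks and emit the racadm lines for one role
# group. The privilege keywords are this example's own shorthand for Figure 6.

# drac_priv_bit NAME -> decimal value of that privilege's bit (Figure 6)
drac_priv_bit() {
  case "$1" in
    login)         echo 1 ;;    # 0x00000001 Login to DRAC (bit 0)
    configure)     echo 2 ;;    # 0x00000002 Configure DRAC (bit 1)
    users)         echo 4 ;;    # 0x00000004 Configure Users (bit 2)
    clearlogs)     echo 8 ;;    # 0x00000008 Clear Logs (bit 3)
    servercontrol) echo 16 ;;   # 0x00000010 Execute Server Control Commands (bit 4)
    console)       echo 32 ;;   # 0x00000020 Access Console Redirection (bit 5)
    vmedia)        echo 64 ;;   # 0x00000040 Access Virtual Media (bit 6)
    testalerts)    echo 128 ;;  # 0x00000080 Test Alerts (bit 7)
    diag)          echo 256 ;;  # 0x00000100 Execute Diagnostic Commands (bit 8)
    *) echo "unknown privilege: $1" >&2; return 1 ;;
  esac
}

# drac_priv_mask NAME... -> bitwise OR of the named privileges, printed as 0x%08x
drac_priv_mask() {
  local mask name bit
  mask=0
  for name in "$@"; do
    bit=$(drac_priv_bit "$name") || return 1
    mask=$(( mask | bit ))
  done
  printf '0x%08x\n' "$mask"
}

# drac_priv_decode MASK -> names of the privileges MASK grants; a mask with a
# bit above bit 8 set is rejected, since the DRAC defines only nine privileges.
drac_priv_decode() {
  local mask out name
  mask=$(( $1 ))
  if [ $(( mask & ~511 )) -ne 0 ]; then
    echo "$1 sets bits outside 0-8" >&2
    return 1
  fi
  out=""
  for name in login configure users clearlogs servercontrol console vmedia testalerts diag; do
    if [ $(( mask & $(drac_priv_bit "$name") )) -ne 0 ]; then
      out="$out $name"
    fi
  done
  echo "${out# }"
}

# drac_rolegroup_cmds INDEX GROUP DOMAIN NAME... -> the three racadm config
# lines of Figure 7 for role group INDEX. Refusing a non-zero mask that lacks
# Login to DRAC is an editorial sanity check, not a DRAC rule: the remaining
# privileges are unusable by a user who cannot log in. A mask of zero is
# accepted because it is how an unused role group (Figure 4, groups 4-5) looks.
drac_rolegroup_cmds() {
  local index group domain mask
  index=$1; group=$2; domain=$3
  shift 3
  mask=$(drac_priv_mask "$@") || return 1
  if [ $(( $mask )) -ne 0 ] && [ $(( $mask & 1 )) -eq 0 ]; then
    echo "role group $index: mask $mask lacks Login to DRAC" >&2
    return 1
  fi
  printf 'racadm config -g cfgStandardSchema -i %s -o cfgSSADRoleGroupName %s\n' "$index" "$group"
  printf 'racadm config -g cfgStandardSchema -i %s -o cfgSSADRoleGroupDomain %s\n' "$index" "$domain"
  printf 'racadm config -g cfgStandardSchema -i %s -o cfgSSADRoleGroupPrivilege %s\n' "$index" "$mask"
}

# Typical use: a power-user group with the Figure 4 role group 2 mask 0x000000f9
#   drac_rolegroup_cmds 2 DRAC_PowerUsers example.com \
#     login clearlogs servercontrol console vmedia testalerts
```

Generating the lines this way keeps the mask arithmetic out of the operator's head: the names are what gets reviewed, and drac_priv_decode turns a mask read back from the DRAC into the same names for comparison.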

Configuring the DRAC 5 with serial, Telnet, or SSH interfaces

Administrators can also execute the racadm CLI commands described in the preceding section from a remote system using the serial, Telnet, or SSH interfaces with the appropriate syntax. Of the two network options, only SSH protects the session; Telnet carries credentials and commands in the clear. For more information about configuring these interfaces, see the Dell Remote Access Controller 5 Firmware Version 1.20 User's Guide at support.dell.com/support/edocs/software/smdrac3/drac5/OM5.2.

Logging in to the DRAC 5 with Active Directory credentials

After configuring the DRAC 5 to use the Active Directory standard schema, administrators can use Active Directory credentials to log in to the DRAC through the DRAC GUI, the remote racadm CLI, or a serial, Telnet, or SSH console. To log in through the DRAC GUI, they can enter https://ipaddress:portnumber (where ipaddress is the DRAC IP address) and username@domain as the credentials (where username is the user object created on the Active Directory server and domain is the Active Directory domain in which the user resides). To log in using the racadm utility, administrators can use the following command:

racadm -r ipaddress -u username@domain -p password racadm_command

Because -p passes the password on the command line, it is visible in the management station's process list and may be recorded in its shell history. To log in using a serial, Telnet, or SSH console, they can enter username@domain, domain\username, or domain/username.

Simplifying DRAC 5 integration with Active Directory

Efficient systems management can be essential in enterprise environments. By allowing administrators to choose whether to use the Active Directory standard schema or an extended schema, DRAC 5 firmware version 1.20 can help increase administrative flexibility when managing Dell PowerEdge servers.

Raghavendra Babu is an engineer analyst on the Enterprise Sustaining Block Operations team at the Dell Bangalore Development Center. He has a B.E. in Computer Science and Engineering from Visvesvaraya Technological University.

Deepak Panambur is an engineer senior analyst on the Enterprise Server Test team at the Dell Bangalore Development Center. He has an M.Tech. in Computer Science and Engineering from Visvesvaraya Technological University.
