Active Directory Configuration Setup on 12G Servers Using Lifecycle Controller
Zhan Liu
Active Directory Configuration
This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. © 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, and PowerEdge are trademarks of Dell Inc. Intel and Xeon are registered trademarks of Intel Corporation in the U.S.
Introduction
Active Directory (AD) simplifies user account and privilege management. Once AD is configured, AD credentials are used for all iDRACs, so it is not necessary to maintain a separate set of local credentials on every iDRAC. These credentials can be used for the iDRAC GUI, for SSH login, and for running both WSMAN and RACADM commands from the CLI.
Standard Schema:
Pros: The Active Directory schema does not have to be extended.
Cons: The Active Directory group credentials must be entered on each iDRAC.
Extended Schema:
Pros: The Active Directory group credentials are configured only once, on the domain controller, for all iDRACs in the domain.
Cons: An extension to the Active Directory schema, which is irreversible, is required.
i. LDAP.1#Enable = Disabled
j. ActiveDirectory.1#CertValidationEnable = Enabled
k. ActiveDirectory.1#Enable = Enabled
l. UserDomain.1#Name = ci.local
m. ActiveDirectory.1#DomainController1 = SCCM.ci.local
n. ActiveDirectory.1#Schema = Standard Schema
o. ActiveDirectory.1#GlobalCatalog1 = SCCM.ci.local
p. ADGroup.1#Name = iDRACAdministrators
q. ADGroup.1#Domain = ci.local
r. ADGroup.1#Privilege = 511
The values shown are examples only.
AttributeName = CertValidationEnable
CurrentValue = Enabled
…
Check the current value (CurrentValue): it is Enabled, which is the value we set, so Certificate Validation has been enabled successfully. The other attributes can be checked in the same way.
6. Test the Setting
To test whether the setting works and the user group has the corresponding privilege, see Appendix D.
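The check above is done by eye, one attribute at a time. The following Python helper is an added example (it is not part of the original document or of Dell's tooling): it parses the text that winrm enumerate prints for the iDRAC attribute classes and compares every attribute from the list earlier in this section with its intended value, so the same check can be run against each iDRAC. The enumeration text it carries is constructed for the example (the field layout follows the DCIM_iDRACCard* attribute classes; the values are made up). A non-empty PendingValue is reported separately from a wrong value, because it means the change has been staged but the configuration job has not applied it yet.

```python
"""Check an iDRAC's Active Directory attributes against the intended values.

Added example: parses the text printed by `winrm enumerate` for the
DCIM_iDRACCardEnumeration / DCIM_iDRACCardString / DCIM_iDRACCardInteger
classes (-format:pretty) and reports attributes that are missing, wrong,
or only pending."""

# Intended configuration, taken from the attribute list in this document.
EXPECTED = {
    "LDAP.1#Enable": "Disabled",
    "ActiveDirectory.1#CertValidationEnable": "Enabled",
    "ActiveDirectory.1#Enable": "Enabled",
    "UserDomain.1#Name": "ci.local",
    "ActiveDirectory.1#DomainController1": "SCCM.ci.local",
    "ActiveDirectory.1#Schema": "Standard Schema",
    "ActiveDirectory.1#GlobalCatalog1": "SCCM.ci.local",
    "ADGroup.1#Name": "iDRACAdministrators",
    "ADGroup.1#Domain": "ci.local",
    "ADGroup.1#Privilege": "511",
}

# Constructed sample of winrm enumerate output (layout as printed with
# -format:pretty; the values are made up for this example).
SAMPLE_OUTPUT = """\
DCIM_iDRACCardEnumeration
    AttributeDisplayName = Certificate Validation
    AttributeName = CertValidationEnable
    CurrentValue = Enabled
    GroupID = ActiveDirectory.1
    InstanceID = iDRAC.Embedded.1#ActiveDirectory.1#CertValidationEnable
    PendingValue
DCIM_iDRACCardEnumeration
    AttributeName = Enable
    CurrentValue = Disabled
    GroupID = LDAP.1
    InstanceID = iDRAC.Embedded.1#LDAP.1#Enable
    PendingValue
DCIM_iDRACCardEnumeration
    AttributeName = Enable
    CurrentValue = Disabled
    GroupID = ActiveDirectory.1
    InstanceID = iDRAC.Embedded.1#ActiveDirectory.1#Enable
    PendingValue = Enabled
DCIM_iDRACCardString
    AttributeName = Name
    CurrentValue = iDRACAdministrators
    GroupID = ADGroup.1
    InstanceID = iDRAC.Embedded.1#ADGroup.1#Name
    PendingValue
DCIM_iDRACCardInteger
    AttributeName = Privilege
    CurrentValue = 1
    GroupID = ADGroup.1
    InstanceID = iDRAC.Embedded.1#ADGroup.1#Privilege
    PendingValue
"""


def parse_winrm_enumeration(text):
    """Return {"GroupID#AttributeName": {field: value}} for each instance.

    An instance starts with an unindented line holding only the CIM class
    name; its fields follow as indented 'Key = Value' lines. A key printed
    without '=' (an empty PendingValue) is stored as ''."""
    instances = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw == line and line.startswith("DCIM_"):  # class-name header
            current = {}
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        current[key] = value if sep else ""
        # InstanceID = iDRAC.Embedded.1#<GroupID>#<AttributeName>
        if key == "InstanceID" and value.count("#") >= 2:
            instances["#".join(value.split("#")[1:3])] = current
    return instances


def check_ad_config(text, expected=EXPECTED):
    """Compare each expected attribute's CurrentValue with its intended value.

    Returns a list of (attribute, problem) pairs; an empty list means the
    iDRAC is compliant. A PendingValue equal to the intended value means a
    configuration job is still needed, and is reported as such."""
    found = parse_winrm_enumeration(text)
    problems = []
    for attr, want in expected.items():
        inst = found.get(attr)
        if inst is None:
            problems.append((attr, "attribute not present in enumeration"))
            continue
        current = inst.get("CurrentValue", "")
        pending = inst.get("PendingValue", "")
        if current == want:
            continue
        if pending == want:
            problems.append((attr, f"pending {want!r} not yet applied (current {current!r})"))
        else:
            problems.append((attr, f"current {current!r}, expected {want!r}"))
    return problems
```

Run check_ad_config on the saved output of winrm enumerate for each iDRAC; anything it returns is either a mismatch to fix with SetAttributes or a pending value waiting for its configuration job.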
Figure 1. Viewing the License.
Appendix B : Build Active Directory Server
Building the Domain Controller
All tasks in this section are performed on the server that is used as the Active Directory server.
1. Install a supported Windows Server operating system, such as Windows Server 2008 Enterprise.
2. Make sure the date, time, and time zone on the server are correct. This is critical for Active Directory authentication with iDRAC: certificate validation fails when the clocks disagree (see Appendix C).
Figure 2. Active Directory Domain Services Installation Wizard.
3. On the Operating System Compatibility page, click Next.
4. Select the Create a new domain in a new forest option, and then click Next.
5. Enter the FQDN of the forest root domain (for example, ci.local).
6. For the Forest functional level and then for the Domain functional level, select either Windows Server 2003 or Windows Server 2008 and click Next on each page. If DNS is not already installed, you are asked to install it.
Figure 3. Installation Succeeded Message Screen.
Adding the Certificates snap-in to Microsoft Management Console
1. Click Start > Run, type mmc, and click OK.
2. On the Console1 page, click File > Add/Remove Snap-in > select Certificates > Add > select Computer Account > Next > Local Computer > Finish > OK.
It is recommended that you save Console1.msc to your local hard disk drive. You will use this console for other snap-ins later in this document.
Figure 4. Certificate Enrollment Success Message.
The contents of your certificate folder should now look similar to the following, with the newly created certificate.
Figure 5. Certificate Folder Contents.
Exporting the CA Certificate (you will install this certificate on the iDRAC server(s) later)
1. Locate the CA certificate. This is the certificate issued to your CA (named ci-SCCM-CA in this example).
2. Right-click the CA certificate and select All Tasks > Export.
3. In the Certificate Export Wizard, click Next > No, do not export the private key, and then click Next.
4. Select Base-64 encoded X.509 (.CER), and then click Next.
Figure 6. Completing the Certificate Export Wizard.
6. Click Finish.
7. View the success message, and then click OK.
Creating iDRAC Users and Groups
1. In the left pane of Server Manager, expand Roles > Active Directory Domain Services > Active Directory Users and Computers > your domain name (ci.local).
2. In the Users container, create the users that will be assigned to the three iDRAC privilege levels (right-click Users and select New > User).
• In addition, in the Users container, create groups according to the iDRAC privilege levels that the iDRAC users belong to (right-click Users and select New > Group). Keep the default group type of Global, Security. For example, create three groups and name them:
o iDRACAdministrators
o iDRACOperators
o iDRACReadOnlyUsers
After successful completion, the list looks like the screen shot given here.
Figure 7.
Appendix C : Configure iDRAC for use with Active Directory Standard Schema
At the server(s), in your Internet Explorer or Firefox web browser, browse to https:// followed by the iDRAC address of your system, and log in to the iDRAC GUI as an administrator (the default username is root and the default password is calvin; change the default password before the iDRAC is reachable from the management network).
Configure the iDRAC Network Settings
1. On the iDRAC GUI, go to iDRAC Settings > Network > Common Settings.
Figure 8. iDRAC Network Settings.
Configure the iDRAC Directory Services Settings
1. Go to iDRAC Settings > User Authentication > Directory Services (an Enterprise license is required for the Directory Services option).
• Select Microsoft Active Directory, and then click Apply.
• On the Active Directory Configuration and Management page, scroll to the bottom of the page and click Configure Active Directory.
• Select Enable Certificate Validation. Leave this enabled: it makes the iDRAC verify the domain controller's certificate against the CA certificate uploaded in the next step, so the iDRAC does not send user credentials to a server that merely claims to be your domain controller.
Figure 9. Upload Complete and the Certificate.
If you get a message indicating that the certificate is not valid, there may be a date/time discrepancy between your CA and the iDRAC. Make sure the date and time on the iDRAC match the date and time on the CA (the Active Directory server in this document) and retry.
Note: If the certificate was issued from a newly created CA, it may continue to be reported as not valid, even though the iDRAC and CA server dates and times match.
• For the Group Name, enter iDRACAdministrators (Note: all group names must match exactly the group names you created earlier on the Active Directory server).
• Group Domain: enter your domain name, for example ci.local.
• Role Group Privilege Level: select Administrator from the drop-down menu. Note that all nine privilege options are selected.
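The Administrator level corresponds to the value 511 (0x1FF) set for ADGroup.1#Privilege earlier in this document: nine bits, one per privilege option. The Python helper below is an added example, not part of the original document. The bit-to-privilege mapping it uses is an assumption taken from the iDRAC user privilege documentation (it is not stated on this page; confirm it against your firmware), and the operator and read-only privilege sets are an example least-privilege policy, not a Dell recommendation. It decodes a mask, builds the masks for the three groups created in Appendix B, and flags privileges that a group is not allowed to hold.

```python
"""Decode and build iDRAC role-group privilege masks (ADGroup.N#Privilege).

Added example. 511 (0x1FF) is the Administrator value this document uses
for iDRACAdministrators: all nine privilege bits set. ASSUMPTION: the
bit-to-privilege mapping below is taken from the iDRAC user privilege
documentation, not from this document; confirm it against your firmware."""

IDRAC_PRIVILEGES = (  # (bit, privilege name as shown in the iDRAC GUI)
    (0x001, "Login to iDRAC"),
    (0x002, "Configure iDRAC"),
    (0x004, "Configure Users"),
    (0x008, "Clear Logs"),
    (0x010, "Execute Server Control Commands"),
    (0x020, "Access Virtual Console"),
    (0x040, "Access Virtual Media"),
    (0x080, "Test Alerts"),
    (0x100, "Execute Debug Commands"),
)
ALL_PRIVILEGES = 0x1FF  # == 511: every bit above, the Administrator preset
_BY_NAME = {name: bit for bit, name in IDRAC_PRIVILEGES}

# Example least-privilege policy for the three groups created in Appendix B
# (an illustration, not a Dell recommendation): operators get day-to-day
# server control but cannot change iDRAC settings or user/group mappings.
GROUP_POLICY = {
    "iDRACAdministrators": [name for _, name in IDRAC_PRIVILEGES],
    "iDRACOperators": ["Login to iDRAC", "Execute Server Control Commands",
                       "Access Virtual Console", "Access Virtual Media"],
    "iDRACReadOnlyUsers": ["Login to iDRAC"],
}


def decode_privilege(mask):
    """Names of the privileges enabled in an ADGroup.N#Privilege value."""
    if not isinstance(mask, int) or mask < 0 or mask & ~ALL_PRIVILEGES:
        raise ValueError(f"privilege mask {mask!r} has bits outside 0x1FF")
    return [name for bit, name in IDRAC_PRIVILEGES if mask & bit]


def encode_privilege(names):
    """Mask to store in ADGroup.N#Privilege for the given privilege names."""
    mask = 0
    for name in names:
        if name not in _BY_NAME:
            raise ValueError(f"unknown privilege {name!r}")
        mask |= _BY_NAME[name]
    return mask


def group_masks(policy=GROUP_POLICY):
    """ADGroup.N#Privilege value for each role group under the policy."""
    return {group: encode_privilege(names) for group, names in policy.items()}


def excess_privileges(mask, forbidden):
    """Privileges present in mask that the group is not allowed to hold."""
    granted = set(decode_privilege(mask))
    return [name for name in forbidden if name in granted]
```

Use group_masks() to obtain the values for ADGroup.2#Privilege and ADGroup.3#Privilege instead of copying 511 to every group, and excess_privileges() to audit a mask read back from an iDRAC against the policy.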
Figure 11. Directory Services Summary (continued).
Appendix D : Test your Standard Schema Configuration
1. Click the Test Settings button in the lower-right corner of the screen.
2. In the Test User Name text box, type your administrator credentials in the username@domain.com format, for example admin@ci.local.
3. In the Test User Password text box, type the user's domain password.
4. Click Start Test.
Figure 12. Administrative User Test Results.
You can repeat the test with the other users you have created.
Appendix E : Sample WINRM Commands and Mapping to iDRAC GUI Display Names
For convenience, the set command for each attribute is listed individually. Dell recommends setting all the attributes with a single SetAttributes() call. Before running the commands, replace the IP address with your iDRAC IP address and use your iDRAC username and password.
A note on the flags used below: -SkipCNcheck, -SkipCAcheck and -SkipRevocationCheck tell winrm not to validate the iDRAC's HTTPS certificate (its name, its issuing CA and its revocation status), and -a:basic sends the iDRAC credentials with HTTP Basic authentication inside that TLS session. With validation skipped, anyone who can intercept the connection can present any certificate and capture the root credentials. Use these flags only against a lab iDRAC; on production systems, install a certificate on the iDRAC that the management workstation trusts and run the commands without the -Skip* flags.
… -SkipCAcheck -SkipRevocationCheck -encoding:utf-8 -a:basic -format:pretty -file:c:\users\zhan_liu\appdata\local\temp\tmpveyu4z
Input file (AttributeName, AttributeValue, Target): NIC.1#DNSDomainName ci.local iDRAC.Embedded.
Winrm command:
winrm invoke SetAttributes "cimv2/root/dcim/DCIM_IDRACCardService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_iDRACCardService+SystemName=DCIM:ComputerSystem+Name=DCIM:iDRACCardService" -r:https://192.168.0.120:443/wsman -u:root -p:****** -SkipCNcheck -SkipCAcheck -SkipRevocationCheck -encoding:utf-8 -a:basic -format:pretty -file:c:\users\zhan_liu\appdata\local\temp\tmphekkld
…
MessageID = RAC001
RebootRequired = No
ReturnValue = 0
SetResult = Set PendingValue

Name: Use DHCP to obtain DNS server address
Value: disabled
Winrm command:
winrm invoke SetAttributes "cimv2/root/dcim/DCIM_IDRACCardService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_iDRACCardService+SystemName=DCIM:ComputerSystem+Name=DCIM:iDRACCardService" -r:https://192.168.0.
Input file (AttributeValue, Target): … 192.168.0.100 iDRAC.Embedded.1
SetAttributes_OUTPUT
Message = The command was successful
MessageID = RAC001
RebootRequired = No
ReturnValue = 0
SetResult = Set PendingValue

Name: Alternate DNS server
Value: no alternate DNS server is used in this example, therefore 0.0.0.
Name: Microsoft Active Directory
Description: Check this option. Disabling LDAP (LDAP.1#Enable = Disabled) enables Microsoft Active Directory.
Value: Disabled
Winrm command:
winrm invoke SetAttributes "cimv2/root/dcim/DCIM_IDRACCardService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_iDRACCardService+SystemName=DCIM:ComputerSystem+Name=DCIM:iDRACCardService" -r:https://192.168.0.
SetAttributes_OUTPUT
Message = The command was successful
MessageID = RAC001
RebootRequired = No
ReturnValue = 0
SetResult = Set PendingValue

Name: Enable Active Directory
Value: Enabled
Winrm command:
winrm invoke SetAttributes "cimv2/root/dcim/DCIM_IDRACCardService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_iDRACCardService+SystemName=DCIM:ComputerSystem+Name=DCIM:iDRACCardService" -r:https://192.168.0.
Input file (AttributeName, AttributeValue, Target): UserDomain.1#Name ci.local iDRAC.Embedded.
Name: Standard Schema
Value: Standard Schema
Winrm command:
winrm invoke SetAttributes "cimv2/root/dcim/DCIM_IDRACCardService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_iDRACCardService+SystemName=DCIM:ComputerSystem+Name=DCIM:iDRACCardService" -r:https://192.168.0.120:443/wsman -u:root -p:****** -SkipCNcheck -SkipCAcheck -SkipRevocationCheck -encoding:utf-8 -a:basic -format:pretty -file:c:\users\zhan_liu\appdata\local\temp\tmpccwahb
SetAttributes_OUTPUT
Message = The command was successful
MessageID = RAC001
RebootRequired = No
ReturnValue = 0
SetResult = Set PendingValue

Name: Role Group1 Group Name
Description: The group name of group 1; in this example, iDRACAdministrators.
Value: iDRACAdministrators
Winrm command:
winrm invoke SetAttributes "cimv2/root/dcim/DCIM_IDRACCardService?SystemCreationClassName=DCIM_ComputerSystem+CreationClassName=DCIM_iDRACCardService+SystemName=DCI
… -SkipCAcheck -SkipRevocationCheck -encoding:utf-8 -a:basic -format:pretty -file:c:\users\zhan_liu\appdata\local\temp\tmpqjgepl
Input file (AttributeName, AttributeValue, Target): ADGroup.1#Domain ci.local iDRAC.Embedded.
RebootRequired = No
ReturnValue = 0
SetResult = Set PendingValue
Notes: For group 2 (group 3, …), run the commands for Role Group1 Group Name, Role Group1 Group Domain and Role Group1 Privilege Level using ADGroup.2 (ADGroup.3, …) instead of ADGroup.1, and change the group name and privilege level to the values you choose. You can set up a maximum of five groups. Give each group only the privileges its members need: 511 grants all nine privileges and is appropriate only for the administrators group.
DCIM_LifecycleJob
ElapsedTimeSinceCompletion
InstanceID = JID_596502937751
JobStartTime = TIME_NOW
JobStatus = Ready For Execution
JobUntilTime = 20211111101111
Message = NA
MessageArguments = NA
MessageID = NA
Name = iDRACConfig:iDRAC.Embedded.1
PercentComplete = 0
Repeat the following while JobStatus != Completed (status observed so far: Ready For Execution):
winrm get "cimv2/root/dcim/DCIM_LifecycleJob?InstanceID=JID_596502937751" -r:https://192.168.0.
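SetAttributes only stages a PendingValue; the values take effect when the configuration job shown above finishes, so a script must poll the job rather than assume success after the set commands return. The Python helper below is an added example, not part of the original document: it parses the winrm get output for DCIM_LifecycleJob, waits for a terminal state with a timeout, and can run the same winrm get as the document through winrm_fetch (assumption: winrm.cmd is on the PATH of a Windows management host). The JobStatus values it treats as terminal are an assumption taken from the Lifecycle Controller job documentation, and the sample job output it carries is constructed after the listing above.

```python
"""Wait for the iDRAC configuration job that applies pending attributes.

Added example. SetAttributes only stages a PendingValue; the value is
applied when the configuration job (JID_...) for iDRAC.Embedded.1
completes. This polls that job and stops on a terminal state or timeout."""

import subprocess
import time

# ASSUMPTION: terminal JobStatus strings as reported by Lifecycle Controller.
SUCCESS_STATES = {"Completed"}
FAILURE_STATES = {"Failed", "Completed with Errors"}

# Constructed sample of `winrm get` output, shaped like the job listing.
SAMPLE_READY = """\
DCIM_LifecycleJob
    InstanceID = JID_596502937751
    JobStatus = Ready For Execution
    Message = NA
    PercentComplete = 0
"""


class JobError(RuntimeError):
    """The job failed, the reply was for another job, or we timed out."""


def parse_job(text):
    """Parse the 'Key = Value' lines of a DCIM_LifecycleJob instance."""
    job = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep:
            job[key.strip()] = value.strip()
    return job


def wait_for_job(fetch, job_id, timeout=600, interval=10,
                 sleep=time.sleep, clock=time.monotonic):
    """fetch(job_id) returns the text of `winrm get ...DCIM_LifecycleJob`.

    Returns the parsed job on success and raises JobError otherwise.
    sleep and clock are injectable so the loop can be exercised quickly."""
    deadline = clock() + timeout
    while True:
        job = parse_job(fetch(job_id))
        if job.get("InstanceID") != job_id:
            raise JobError(f"reply is not for {job_id}: {job.get('InstanceID')!r}")
        status = job.get("JobStatus", "")
        if status in SUCCESS_STATES:
            return job
        if status in FAILURE_STATES:
            raise JobError(f"{job_id} {status}: {job.get('Message', 'no message')}")
        if clock() >= deadline:
            raise JobError(f"{job_id} still {status!r} after {timeout}s")
        sleep(interval)


def winrm_fetch(job_id, idrac_ip, user, password, skip_tls_checks=False):
    """Run the document's `winrm get` for the job and return its output.

    ASSUMPTION: winrm.cmd is on the PATH of a Windows management host.
    skip_tls_checks=True adds the -SkipCNcheck/-SkipCAcheck/-SkipRevocationCheck
    flags from the document, which disable verification of the iDRAC's
    certificate; keep it False once the iDRAC presents a trusted certificate.
    Note that -p: places the password in the process command line."""
    cmd = ["winrm.cmd", "get",
           f"cimv2/root/dcim/DCIM_LifecycleJob?InstanceID={job_id}",
           f"-r:https://{idrac_ip}:443/wsman", f"-u:{user}", f"-p:{password}",
           "-encoding:utf-8", "-a:basic", "-format:pretty"]
    if skip_tls_checks:
        cmd += ["-SkipCNcheck", "-SkipCAcheck", "-SkipRevocationCheck"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

A typical call is wait_for_job(lambda jid: winrm_fetch(jid, "192.168.0.120", "root", password), "JID_596502937751"); it returns only once the job reports Completed, so a follow-up enumeration of the attributes will show the new CurrentValue rather than a PendingValue.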
SetPublicCertificate_OUTPUT
ReturnValue = 0
Sample xml file content (SetDirectoryCACert.xml)