Configure AD using RACADM on Dell RAC 7/8/9

Active Directory integration on Dell Remote Access Cards is relatively simple.

One requirement to watch out for is the need for an Active Directory root certificate on your Active Directory server. Without it, many devices and appliances, including Dell RACs and OpenManage Enterprise, will be unable to communicate with your AD server.

There are multiple ways to configure Active Directory integration, such as RACADM, through the Web Interface, via Template deployments, and even scripts that leverage RACADM or the Redfish REST API.

In this example, I will show a relatively straightforward way of configuring your Dell RAC for integration with AD.

Note: The commands below can be executed from a “Remote” command line; however, for simplicity’s sake, I have connected to the DRAC using SSH.

How to configure AD using RACADM

Pre-configuration Steps:

Check if AD has ever been configured. This is for reference only, to get an idea of what is already configured in the environment or may have been misconfigured.

Obtain Active Directory information for the Domain Controller and Global Catalog

#racadm get IDRAC.ActiveDirectory.DomainController1
#racadm get IDRAC.ActiveDirectory.DomainController2
#racadm get IDRAC.ActiveDirectory.GlobalCatalog1
#racadm get IDRAC.ActiveDirectory.GlobalCatalog2

Obtain Group information

Check whether a group has been configured for the DRAC to authenticate against AD
#racadm get IDRAC.ADGroup.1.Name

Configuration steps:

These steps will overwrite any settings that were found using the commands provided above.

The example commands below have the following settings:

  • DC Host Name: WIN-1HRHC8JTEF5.Sysman.local
  • DNS/Global Catalog Server: 10.0.157.231 (Same as Domain controller)
  • Domain Sysman.local

In most instances, the Domain Controller (DC) has the role of Global Catalog (GC) server and has the domain information.

 

Enable and Configure the DRAC for Active Directory

1. Enable AD
#racadm set IDRAC.ActiveDirectory.Enable 1
[Key=IDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
2. Specify DC
#racadm set IDRAC.ActiveDirectory.DomainController1 WIN-1HRHC8JTEF5.Sysman.local
[Key=IDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
3. Specify Global Catalog
#racadm set IDRAC.ActiveDirectory.GlobalCatalog1 WIN-1HRHC8JTEF5.Sysman.local
[Key=IDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully

Configure the DRAC for AD Standard Schema integration

4. Standard Schema Setting
#racadm set iDRAC.ActiveDirectory.Schema 2
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully

Configure Standard Schema Settings (group)

5. Specify the group to authenticate against on your AD server
#racadm set IDRAC.ADGroup.1.Name "Domain Admins"
[Key=IDRAC.Embedded.1#ADGroup.1]
Object value modified successfully
6. Configure the Domain Group in the DRAC
/admin1-> racadm set IDRAC.ADGroup.1.Domain Sysman.local
[Key=IDRAC.Embedded.1#ADGroup.1]
Object value modified successfully
7. Set the privilege level for the group, in this case the admin role
#racadm set iDRAC.ADGroup.1.Privilege 0x1ff
[Key=iDRAC.Embedded.1#ADGroup.1]
Object value modified successfully

Set user Domain

8. Set your domain as the default logon selection (optional)
#racadm config -g cfgUserDomain -i 1 -o cfgUserDomainName Sysman.local
Object value modified successfully

Troubleshooting

This section covers what to look for if there are problems logging in after following the steps provided above.

Ensure the DRAC is configured with a DNS server so it can resolve names, such as the domain's Fully Qualified Domain Name (FQDN).

1. Enter Domain Name Server IP Address for name resolution
#racadm config -g cfgLanNetworking -o cfgDNSServer1 10.0.157.231
Object value modified successfully
2. Register DRAC on DNS
#racadm config -g cfgLanNetworking -o cfgDNSRegisterRac 1
Object value modified successfully

Additional Settings

1. Change the root account password to prevent unauthorized access (this depends on your user account index #)
# racadm config -g CfgUserAdmin -o CfgUserAdminPassword -i 2 P@ssw0rd
Object value modified successfully
2. Configure Certificate validation if you will be providing an AD certificate for authentication
#racadm config -g cfgActiveDirectory -o cfgADCertValidationEnable 1

Additional Troubleshooting Notes:

If there are issues logging on with AD credentials, run the “Test AD settings” option through the DRAC GUI under Directory Services.

Also, ensure that the Group Name for the user in the IDRAC AD configuration page is using the same capitalization as the Group Name from the Domain Controller. This is the only part that I have found to be case sensitive.
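The checks from the certificate validation setting and the case-sensitivity note above can be run against saved racadm output. This is an added example, not part of the original post: the function name, the finding codes and the sample output are constructed, and it assumes `racadm get` prints on/off values as Enabled/Disabled (1/0 is accepted too).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: offline audit of saved racadm output.

# Constructed sample: output of `racadm get iDRAC.ActiveDirectory` followed by
# `racadm get iDRAC.ADGroup.1`, trimmed to the attributes the article sets.
# Assumption: values print as Enabled/Disabled; 1/0 is accepted as well.
SAMPLE='[Key=iDRAC.Embedded.1#ActiveDirectory.1]
CertValidationEnable=Disabled
DomainController1=WIN-1HRHC8JTEF5.Sysman.local
Enable=Enabled
GlobalCatalog1=WIN-1HRHC8JTEF5.Sysman.local
Schema=Standard Schema
[Key=iDRAC.Embedded.1#ADGroup.1]
Domain=Sysman.local
Name=domain admins
Privilege=0x1ff'

# audit_ad_config EXPECTED_GROUP   (racadm output on stdin)
# EXPECTED_GROUP is the group name exactly as it appears on the Domain Controller.
# Prints one finding code per line; prints nothing when every check passes.
audit_ad_config() {
  awk -v want="$1" '
    # Track which object group the following key=value lines belong to.
    /^\[Key=/ { sec = $0; sub(/^.*#/, "", sec); sub(/\].*$/, "", sec); next }
    /=/       { k = $0; sub(/=.*$/, "", k); v = $0; sub(/^[^=]*=/, "", v)
                sub(/\r$/, "", v); cfg[sec "/" k] = v }
    END {
      ad = "ActiveDirectory.1/"; grp = "ADGroup.1/"
      if (cfg[ad "Enable"] !~ /^(Enabled|1)$/) print "AD_DISABLED"
      if (cfg[ad "DomainController1"] == "") print "NO_DOMAIN_CONTROLLER"
      # Without validation the iDRAC does not verify the DC certificate.
      if (cfg[ad "CertValidationEnable"] !~ /^(Enabled|1)$/) print "CERT_VALIDATION_OFF"
      # The group name must match the Domain Controller exactly, including case.
      g = cfg[grp "Name"]
      if (g != want && tolower(g) == tolower(want)) print "GROUP_CASE_MISMATCH"
      else if (g != want) print "GROUP_NAME_MISMATCH"
      # 0x1ff is the admin privilege value set in step 7; flag it for review.
      if (tolower(cfg[grp "Privilege"]) == "0x1ff") print "GROUP_HAS_FULL_ADMIN"
    }'
}

printf '%s\n' "$SAMPLE" | audit_ad_config "Domain Admins"
```

To audit a live card, replace the sample with the saved output of the two `racadm get` commands and pass the group name copied from the Domain Controller.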

 
