racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1
racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0 racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address> racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address> Extended Schema Active Directory OverviewThere are two ways to enable Extended Schema Active Directory:
Active Directory Schema ExtensionsThe Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added or included in the database. The user class is one example of a Class that is stored in the database. Some example user class attributes can include the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization. Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service. Dell extension is: dell Dell base OID is: 1.2.840.113556.1.8000.1280 RAC LinkID range is: 12070 to 12079 The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension Dell. Overview of the RAC Schema ExtensionsTo provide the greatest flexibility in the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link together the users or groups with a specific set of privileges to one or more RAC devices. This model provides an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity. Active Directory Object OverviewFor each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, create at least one Association Object and one RAC Device Object. You can create multiple Association Objects, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as required. The users and RAC Device Objects can be members of any domain in the enterprise. However, each Association Object can be linked (or, may link users, groups of users, or RAC Device Objects) to only one Privilege Object. This example allows an Administrator to control each user's privileges on specific RACs. The RAC Device object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add the RAC to at least one Association Object in order for users to authenticate. Figure 6-2 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization. Figure 6-2. Typical Setup for Active Directory Objects
You can create as many or as few association objects as required. However, you must create at least one Association Object, and you must have one RAC Device Object for each RAC (DRAC 5) on the network that you want to integrate with Active Directory for Authentication and Authorization with the RAC (DRAC 5). The Association Object allows for as many or as few users and/or groups as well as RAC Device Objects. However, the Association Object only includes one Privilege Object per Association Object. The Association Object connects the "Users" who have "Privileges" on the RACs (DRAC 5s). Additionally, you can configure Active Directory objects in a single domain or in multiple domains. For example, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an administrator privilege to both DRAC 5 cards and give user3 a login privilege to the RAC2 card. Figure 6-3 shows how you set up the Active Directory objects in this scenario. When adding Universal Groups from separate domains, create an Association Object with Universal Scope. The Default Association objects created by the Dell Schema Extender Utility are Domain Local Groups and will not work with Universal Groups from other domains. Figure 6-3. Setting Up Active Directory Objects in a Single Domain
To configure the objects for the single domain scenario, perform the following tasks:
See" Adding DRAC 5 Users and Privileges to Active Directory" for detailed instructions. Figure 6-4 provides an example of Active Directory objects in multiple domains. In this scenario, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user 3 are in Domain2. In this scenario, configure user1 and user 2 with administrator privileges to both DRAC 5 cards and configure user3 with login privileges to the RAC2 card. Figure 6-4. Setting Up Active Directory Objects in Multiple Domains
To configure the objects for the multiple domain scenario, perform the following tasks:
Figure 6-4 shows the objects in Domain2.
Configuring Extended Schema Active Directory to Access Your DRAC 5Before using Active Directory to access your DRAC 5, configure the Active Directory software and the DRAC 5 by performing the following steps in order:
Extending the Active Directory SchemaExtending your Active Directory schema adds a Dell organizational unit, schema classes and attributes, and example privileges and association objects to the Active Directory schema. Before you extend the schema, ensure that you have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest. You can extend your schema using one of the following methods: If you use the LDIF script file, the Dell organizational unit will not be added to the schema. The LDIF files and Dell Schema Extender are located on your Dell Systems Management Tools and Documentation DVD in the following respective directories:
To use the LDIF files, see the instructions in the readme included in the LDIF_Files directory. To use the Dell Schema Extender to extend the Active Directory Schema, see "Using the Dell Schema Extender." You can copy and run the Schema Extender or LDIF files from any location. Using the Dell Schema Extender
The schema is extended. To verify the schema extension, use the Microsoft Management Console (MMC) and the Active Directory Schema snap-in to verify that the following exist: See your Microsoft documentation for more information on how to enable and use the Active Directory Schema snap-in the MMC. Table 6-2. Class Definitions for Classes Added to the Active Directory Schema
Table 6-3. dellRacDevice Class Table 6-4. dellAssociationObject Class
Table 6-5. dellRAC4Privileges Class
Table 6-6. dellPrivileges Class
Table 6-8. List of Attributes Added to the Active Directory Schema Installing the Dell Extension to the Active Directory Users and Computers Snap-InWhen you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so the administrator can manage RAC (DRAC 5) devices, Users and User Groups, RAC Associations, and RAC Privileges. When you install your systems management software using the Dell Systems Management Tools and Documentation DVD, you can extend the snap-in by selecting the Dell Extension to the Active Directory User's and Computers Snap-In option during the installation procedure. See the Dell OpenManage Software Quick Installation Guide for additional instructions about installing systems management software. For more information about the Active Directory User's and Computers snap-in, see your Microsoft documentation. Installing the Administrator PackYou must install the Administrator Pack on each system that is managing the Active Directory DRAC 5 Objects. If you do not install the Administrator Pack, you cannot view the Dell RAC Object in the container. See "Opening the Active Directory Users and Computers Snap-In" for more information. Opening the Active Directory Users and Computers Snap-InTo open the Active Directory Users and Computers snap-in:
If you are not logged into the domain controller, you must have the appropriate Microsoft Administrator Pack installed on your local system. To install this Administrator Pack, click Start→ Run, type MMC, and press Enter. The Microsoft Management Console (MMC) appears.
Adding DRAC 5 Users and Privileges to Active DirectoryUsing the Dell-extended Active Directory Users and Computers snap-in, you can add DRAC 5 users and privileges by creating RAC, Association, and Privilege objects. To add each object type, perform the following procedures:
Creating a RAC Device ObjectThe New Object window appears.
Creating a Privilege Object
The New Object window appears.
Creating an Association ObjectThe Association Object is derived from a Group and must contain a Group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, choose the Association Scope that applies to the type of objects you intend to add. For example, if you select Universal, the association objects are only available when the Active Directory Domain is functioning in Native Mode or above. This opens the New Object window.
Adding Objects to an Association ObjectUsing the Association Object Properties window, you can associate users or user groups, privilege objects, and RAC devices or RAC device groups. If your system is running Windows 2000 mode or higher, use Universal Groups to span domains with your user or RAC objects. You can add groups of Users and RAC devices. The procedure for creating Dell-related groups and non-Dell-related groups is identical. Adding Users or User Groups
Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a RAC device. Only one privilege object can be added to an Association Object. Adding PrivilegesClick the Products tab to add one or more RAC devices to the association. The associated devices specify the RAC devices connected to the network that are available for the defined users or user groups. Multiple RAC devices can be added to an Association Object. Adding RAC Devices or RAC Device GroupsTo add RAC devices or RAC device groups:
Configuring the DRAC 5 With Extended Schema Active Directory and
|
 |
NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension. |
The domain controllers' SSL certificates should have been signed by the root CA. Have the root CA certificate available on your management station accessing the DRAC 5 (see "Exporting the Domain Controller Root CA Certificate to the DRAC 5").
The DRAC 5 Web server automatically restarts after you click Apply.
- Log out and then log in to the DRAC 5 to complete the DRAC 5 Active
Directory feature configuration.
- In the System tree, click Remote Access.
- Click the Configuration tab and then click Network.
The Network Configuration page appears.
- If Use DHCP (for NIC IP Address) is selected under Network Settings,
then select Use DHCP to obtain DNS server address.
To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.
The DRAC 5 Extended Schema Active Directory feature configuration is complete.
Configuring the DRAC 5 With Extended Schema Active Directory and
RACADM
Using the following commands to configure the DRAC 5 Active Directory Feature with Extended Schema using the RACADM CLI tool instead of the Web-based interface.
racadm config -g cfgActiveDirectory -o cfgADEnable 1
racadm config -g cfgActiveDirectory -o cfgADType 1
racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified rac domain name>
racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>
racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>
racadm sslcertupload -t 0x2 -f <ADS root CA certificate>
racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>
- If you want to specify an LDAP, Global Catalog server, or Association
Object domain instead of using the servers returned by the DNS server to
search for a user name, type the following command to enable the Specify
Server option:
racadm config -g cfgActive Directory -o cfgADSpecifyServer Enable 1
|
NOTE: If you use this option, the hostname in the CA certificate is not matched against the name of the specified server. This is particularly useful if you are a DRAC administrator because it enables you to enter a hostname as well as an IP address. |
After the Specify Server option is enabled, you can specify an LDAP server or a Global Catalog server, with an IP address or a fully qualified domain name of the server (FQDN). The FQDN consists of the hostname and the domain name of the server.
|
NOTE: If you are using Active Directory authentication based on Kerberos, specify only the FQDN of the server; specifying the IP address is not supported. For more information, see "Enabling Kerberos Authentication." |
To specify an LDAP server using the command line interface (CLI), type:
racadm config -g cfgActive Directory -o cfgADDomainController <fully qualified domain name or IP address>
To specify a Global Catalog server using the command line interface (CLI), type:
racadm config -g cfgActive Directory -o cfgGlobalCatalog <fully qualified domain name or IP address>
To specify an Association Object domain using the command line interface (CLI), type:
racadm config -g cfgActive Directory -o cfgAODomain <domain>:<fully qualified domain name or IP address>
where <domain> is the domain where the Association Object resides and IP/FQDN is the IP address or the FQDN of the specific host (Domain Controller of domain) to which the DRAC 5 connects.
To specify the Association Object, ensure that you provide the IP or FQDN of the Global Catalog also.
|
NOTE: If you specify the IP address as 0.0.0.0, DRAC 5 will not search for any server. |
You can specify a list of LDAP, Global Catalog servers, or Association Objects separated by commas. DRAC 5 allows you to specify up to four IP addresses or hostnames.
If LDAPS is not correctly configured for all domains and applications, enabling it may produce unexpected results during the functioning of the existing applications/domains.
If you configure the Domain Controller under the Specify Server option on the DRAC and if the Association Object contains the user and RAC object on the same domain, the Active Directory login using Extended Schema will be successful. However, if either the user or the RAC object on the association is from a different domain, and if you provide only the domain controller information, the Active Directory login using Extended Schema will fail. In this case, you should configure the global catalog option to be able to log in.
- If DHCP is enabled on the DRAC 5 and you want to use the DNS
provided by the DHCP server, type the following racadm command:
racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1
- If DHCP is disabled on the DRAC 5 or you want manually to input your
DNS IP address, type following racadm commands:
racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
Accumulating Privileges Using Extended Schema
The Extended Schema Authentication mechanism supports Privilege Accumulation from different privilege objects associated with the same user through different Association Objects. In other words, Extended Schema Authentication accumulates privileges to allow the user the super set of all assigned privileges corresponding to the different privilege objects associated with the same user.
Figure 6-5 provides an example of accumulating privileges using Extended Schema.
Figure 6-5. Privilege Accumulation for a User
The figure shows two Association Objects—A01 and A02. These Association Objects may be part of the same or different domains. User1 is associated to RAC1 and RAC2 through both association objects. Therefore, User1 has accumulated privileges that results when combining the Privileges set for objects Priv1 and Priv2.
For example, Priv1 had the privileges: Login, Virtual Media, and Clear Logs and Privr2 had the privileges: Login, Configure DRAC, and Test Alerts. User1 will now have the privilege set: Login, Virtual Media, Clear Logs, Configure DRAC, and Test Alerts, which is the combined privilege set of Priv1 and Priv2
Extended Schema Authentication, thus, accumulates privileges to allow the user the maximum set of privileges possible considering the assigned privileges of the different privilege objects associated to the same user.
Configuring and Managing Active Directory Certificates
To access the Active Directory Main Menu:
- Expand the System tree and click Remote Access.
- Click the Configuration tab and click Active Directory.
Table 6-9 lists the Active Directory Main Menu page options.
Table 6-9. Active Directory Main Menu Page Options
Configuring Active Directory (Standard Schema and Extended Schema)
- In the Active Directory Main Menu page, select Configure Active
Directory and click Next.
- In the Active Directory Configuration and Management page, enter the
Active Directory settings.
Table 6-10 describes the Active Directory Configuration and Management page settings.
- Click Apply to save the settings.
- Click the appropriate Active Directory Configuration page button to
continue. See Table 6-11.
- To configure the Role Groups for Active Directory Standard Schema, click
on the individual Role Group (1-5). See Table 6-12 and Table 6-13.
|
NOTE: To save the settings on the Active Directory Configuration and Management page, you have to click Apply before proceeding to the Custom Role Group page. |
Table 6-10. Active Directory Configuration and Management Page Settings
Table 6-11. Active Directory Configuration and Management Page Buttons
|
Button |
Description |
|---|---|
Prints the Active Directory Configuration and Management page. | |
Saves the changes made to the Active Directory Configuration and Management page. | |
Table 6-12. Role Group Privileges
|
Setting |
Description |
|---|---|
Specifies the user's maximum DRAC user privilege to one of the following: Administrator, Power User, Guest user, None, or Custom. See Table 6-13 for Role Group permissions | |
Enables the user to allow specific users to access the system. | |
Enables the user to send test alerts (e-mail and PET) to a specific user. | |
Table 6-13. Role Group Permissions
Uploading an Active Directory CA Certificate
- In the Active Directory Main Menu page, select Upload Active Directory
CA Certificate and click Next.
- In the Certificate Upload page, in the File Path field, type the file path of
the certificate or click Browse to navigate to the certificate file.
|
NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension. |
- Click Apply.
- Click the appropriate Certificate Upload page button to continue. See
Table 6-11.
Downloading a DRAC Server Certificate
- In the Active Directory Main Menu page, select Download DRAC Server
Certificate and click Next.
- In the File Download window, click Save and save the file to a directory on
your system.
- In the Download Complete window, click Close.
Viewing an Active Directory CA Certificate
Use the Active Directory Main Menu page to view a CA server certificate for your DRAC 5.
Table 6-14 describes the fields and associated descriptions listed in the Certificate window.
- Click the appropriate View Active Directory CA Certificate page button
to continue. See Table 6-11.
Table 6-14. Active Directory CA Certificate Information
|
Field |
Description |
|---|---|
Enabling SSL on a Domain Controller
When the DRAC 5 authenticates users against an Active Directory domain controller, it starts an SSL session with the domain controller. At this time, the domain controller should publish a certificate signed by the Certificate Authority (CA)—the root certificate of which is also uploaded into the DRAC 5. In other words, for DRAC 5 to be able to authenticate to any domain controller—whether it is the root or the child domain controller—that domain controller should have an SSL-enabled certificate signed by the domain's CA.
If you are using Microsoft Enterprise Root CA to automatically assign all your domain controllers to an SSL certificate, perform the following steps to enable SSL on each domain controller:
- Enable SSL on each of your domain controllers by installing the SSL
certificate for each controller.
Exporting the Domain Controller Root CA Certificate to the DRAC 5
|
NOTE: If your system is running Windows 2000, the following steps may vary. |
- Locate the domain controller that is running the Microsoft Enterprise
CA service.
- Click Start→ Run.
- In the Run field, type mmc and click OK.
- In the Console 1 (MMC) window, click File (or Console on Windows 2000
machines) and select Add/Remove Snap-in.
- In the Add/Remove Snap-In window, click Add.
- In the Standalone Snap-In window, select Certificates and click Add.
- Select Computer account and click Next.
- Select Local Computer and click Finish.
- Click OK.
- In the Console 1 window, expand the Certificates folder, expand the
Personal folder, and click the Certificates folder.
- Locate and right-click the root CA certificate, select All Tasks, and click
Export... .
- In the Certificate Export Wizard, click Next, and select No do not export
the private key.
- Click Next and select Base-64 encoded X.509 (.cer) as the format.
- Click Next and save the certificate to a directory on your system.
- Upload the certificate you saved in step 14 to the DRAC 5.
To upload the certificate using RACADM, see "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface".
To upload the certificate using the Web-based interface, perform the following procedure:
- Log in to the DRAC 5 Web-based interface.
- Expand the System tree and click Remote Access.
- Click the Configuration tab, and then click Security.
- In the Security Certificate Main Menu page, select Upload Server
Certificate and click Apply.
- In the Certificate Upload screen, perform one of the following
procedures:
- Click Apply.
Importing the DRAC 5 Firmware SSL Certificate
|
NOTE: If the Active Directory Server is set to authenticate the client during an SSL session initialization phase, you need to upload the DRAC 5 Server certificate to the Active Directory Domain controller as well. This additional step is not required if the Active Directory does not perform a client authentication during an SSL session's initialization phase. |
Use the following procedure to import the DRAC 5 firmware SSL certificate to all domain controller trusted certificate lists.
|
NOTE: If your system is running Windows 2000, the following steps may vary. |
|
NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you are not required to perform the steps in this section. |
The DRAC 5 SSL certificate is the identical certificate used for the DRAC 5 Web server. All DRAC 5 controllers are shipped with a default self-signed certificate.
To access the certificate using the DRAC 5 Web-based interface, select Configuration→ Active Directory→ Download DRAC 5 Server Certificate.
- On the domain controller, open an MMC Console window and select
Certificates→ Trusted Root Certification Authorities.
- Right-click Certificates, select All Tasks and click Import.
- Click Next and browse to the SSL certificate file.
- Install the RAC SSL Certificate in each domain controller's Trusted Root
Certification Authority.
If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the Authority is not in the list, you must install it on all your Domain Controllers.
- Click Next and select whether you would like Windows to automatically
select the certificate store based on the type of certificate, or browse to a
store of your choice.
- Click Finish and click OK.
Setting the SSL Time on the DRAC 5
When the DRAC 5 authenticates an Active Directory user, the DRAC 5 also verifies the certificate published by the Active Directory server to ensure that the DRAC is communicating with an authorized Active Directory server.
This check also ensures that the validity of the certificate is within the time range specified by the DRAC 5. However, there could be a mismatch between the time zones specified on the certificate and the DRAC 5. This could happen when the DRAC 5 time reflects the local system time and the certificate reflects time in GMT.
To ensure that the DRAC 5 uses the GMT time to compare with the certificate times, you must set the time zone offset object.
racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value>
See "cfgRacTuneTimezoneOffset (Read/Write)" for more details.
Supported Active Directory Configuration
The Active Directory querying algorithm of the DRAC 5 supports multiple trees in a single forest.
DRAC 5 Active Directory Authentication supports mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT® 4.0, Windows 2000, or Windows Server 2003). However, all objects used by the DRAC 5 querying process (among user, RAC Device Object, and Association Object) should be in the same domain. The Dell-extended Active Directory Users and Computers snap-in checks the mode and limits users in order to create objects across domains if in mixed mode.
DRAC 5 Active Directory supports multiple domain environments provided the domain forest function level is Native mode or Windows 2003 mode. In addition, the groups among Association Object, RAC user objects, and RAC Device Objects (including Association Object) must be universal groups.
|
NOTE: The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains. |
Using Active Directory to Log Into the DRAC 5
You can use Active Directory to log in to the DRAC 5 using one of the following methods:
The login syntax is the same for all three methods:
<username@domain>
or
<domain>\<username> or <domain>/<username>
where username is an ASCII string of 1–256 bytes.
White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.
|
NOTE: You cannot specify NetBIOS domain names, such as Americas, because these names cannot be resolved. |
You can also log into the DRAC 5 using the Smart Card. For more information, see "Logging Into the DRAC 5 Using Active Directory Smart Card Authentication."
Using Active Directory Single Sign-On
You can enable the DRAC 5 to use Kerberos—a network authentication protocol—to enable single sign-on and log into the DRAC 5. For more information on setting up the DRAC 5 to use the Active Directory Single Sign-On feature, see "Enabling Kerberos Authentication."
Configuring the DRAC 5 to Use Single Sign-On
- Navigate to Remote Access→ Configuration tab→ Active Directory
subtab→ select Configure Active Directory.
- On the Active Directory Configuration and Management page, select
Single Sign-On.
This option enables you to log into the DRAC 5 directly after logging into your workstation.
Logging Into the DRAC 5 Using Single Sign-On
https://<IP address>
If the default HTTPS port number (port 443) has been changed, type:
https://<IP address>:<port number>
where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
The DRAC 5 Single Sign-On page appears.
The DRAC 5 logs you in, using your credentials that were cached in the operating system when you logged in using your valid Active Directory account.
Frequently Asked Questions
Are there any restrictions on Domain Controller SSL configuration?
Yes. All Active Directory servers' SSL certificates in the forest must be signed by the same root CA since DRAC 5 only allows uploading one trusted CA SSL certificate.
I created and uploaded a new RAC certificate and now the Web-based interface does not launch.
If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause of this is you inadvertently chose User Certificate instead of Web Certificate when creating the certificate.
To recover, generate a CSR and then create a new web certificate from Microsoft Certificate Services and load it using the RACADM CLI from the managed system by using the following racadm commands:
racadm sslcsrgen [-g] [-u] [-f {filename}]
racadm sslcertupload -t 1 -f {web_sslcert}
What can I do if I cannot log into the DRAC 5 using Active Directory authentication? How do I troubleshoot the issue?
- Ensure that you use the correct user domain name during a login and not
the NetBIOS name.
- If you have a local DRAC user account, log into the DRAC 5 using your
local credentials.
After you are logged in:
- Ensure that you have checked the Enable Active Directory box on the
DRAC 5 Active Directory configuration page.
- Ensure that the DNS setting is correct on the DRAC 5 Networking
configuration page.
- Ensure that you have uploaded the Active Directory certificate from
your Active Directory root CA to the DRAC 5.
- Check the Domain Controller SSL certificates to ensure that they
have not expired.
- Ensure that your DRAC Name, Root Domain Name, and DRAC
Domain Name match your Active Directory environment
configuration.
- Ensure that the DRAC 5 password has a maximum of 127 characters.
While the DRAC 5 can support passwords of up to 256 characters,
Active Directory only supports passwords that have a maximum length
of 127 characters.