Users Guide
4 Optionally, enable certicate validation and upload the CA-signed digital certicate used during initiation of SSL connections when
communicating with the Active Directory (AD) server. For this, the Domain Controllers and Global Catalog FQDN must be specied.
This is done in the next steps. And hence the DNS should be congured properly in the network settings.
5 Click Next.
The Active Directory Conguration and Management Step 2 of 4 page is displayed.
6 Enable Active Directory and specify the location information about Active Directory servers and user accounts. Also, specify the time
iDRAC must wait for responses from Active Directory during iDRAC login.
NOTE: If certicate validation is enabled, specify the Domain Controller Server addresses and the Global Catalog
FQDN. Make sure that DNS is congured correctly under Overview > iDRAC Settings > Network.
7 Click Next. The Active Directory Conguration and Management Step 3 of 4 page is displayed.
8 Select Standard Schema and click Next.
The Active Directory Conguration and Management Step 4a of 4 page is displayed.
9 Enter the location of Active Directory global catalog server(s) and specify privilege groups used to authorize users.
10 Click a Role Group to congure the control authorization policy for users under the standard schema mode.
The Active Directory Conguration and Management Step 4b of 4 page is displayed.
11 Specify the privileges and click Apply.
The settings are applied and the Active Directory Conguration and Management Step 4a of 4 page is displayed.
12 Click Finish. The Active Directory settings for standard schema are congured.
Conguring Active Directory with Standard schema using RACADM
1 Use the following commands:
racadm set iDRAC.ActiveDirectory.Enable 1
racadm set iDRAC.ActiveDirectory.Schema 2
racadm set iDRAC.ADGroup.Name <common name of the role group>
racadm set iDRAC.ADGroup.Domain <fully qualified domain name>
racadm set iDRAC.ADGroup.Privilege <Bit-mask value for specific RoleGroup permissions>
racadm set iDRAC.ActiveDirectory.DomainController1 <fully qualified domain name or IP
address of the domain controller>
racadm set iDRAC.ActiveDirectory.DomainController2 <fully qualified domain name or IP
address of the domain controller>
racadm set iDRAC.ActiveDirectory.DomainController3 <fully qualified domain name or IP
address of the domain controller>
racadm set iDRAC.ActiveDirectory.GlobalCatalog1 <fully qualified domain name or IP address
of the domain controller>
racadm set iDRAC.ActiveDirectory.GlobalCatalog2 <fully qualified domain name or IP address
of the domain controller>
racadm set iDRAC.ActiveDirectory.GlobalCatalog3 <fully qualified domain name or IP address
of the domain controller>
• Enter the Fully Qualied Domain Name (FQDN) of the domain controller, not the FQDN of the domain. For example, enter
servername.dell.com instead of dell.com.
• For bit-mask values for specic Role Group permissions, see Table 22. Default role group privileges .
• You must provide at least one of the three domain controller addresses. iDRAC attempts to connect to each of the congured
addresses one-by-one until it makes a successful connection. With Standard Schema, these are the addresses of the domain
controllers where the user accounts and the role groups are located.
• The Global Catalog server is only required for standard schema when the user accounts and role groups are in dierent domains. In
multiple domain case, only the Universal Group can be used.
• If certicate validation is enabled, the FQDN or IP address that you specify in this eld must match the Subject or Subject
Alternative Name eld of your domain controller certicate.
• To disable the certicate validation during SSL handshake, use the following command:
racadm set iDRAC.ActiveDirectory.CertValidationEnable 0
In this case, no Certicate Authority (CA) certicate needs to be uploaded.
• To enforce the certicate validation during SSL handshake (optional), use the following command:
racadm set iDRAC.ActiveDirectory.CertValidationEnable 1
142
Conguring user accounts and privileges