Dell Idrac For Blade Servers Version 1 5 Users Manual 1.5 User's Guide

2014-11-13


Integrated Dell Remote
Access Controller (iDRAC)
Firmware Version 1.5
User Guide
Notes and Cautions
NOTE: A NOTE indicates important information that helps you make better use of
your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if
instructions are not followed.
___________________
Information in this document is subject to change without notice.
© 2009 Dell Inc. All rights reserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc.
is strictly forbidden.
Trademarks used in this text: Dell, the DELL logo, OpenManage and PowerEdge, are trademarks of
Dell Inc.; Microsoft, Windows, Windows Server, MS-DOS, Windows Vista, Internet Explorer and Active
Directory are either trademarks or registered trademarks of Microsoft Corporation in the United States
and/or other countries; Red Hat and Red Hat Enterprise Linux are registered trademarks of Red Hat
Inc. in the United States and other countries; Novell and SUSE are registered trademarks of Novell
Corporation. Intel is a registered trademark of Intel Corporation; UNIX is a registered trademark of
The Open Group in the United States and other countries.
Copyright 1998-2009 The OpenLDAP Foundation. All rights reserved. Redistribution and use in source
and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public
License. A copy of this license is available in the file LICENSE in the top-level directory of the distribution
or, alternatively, at www.OpenLDAP.org/license.html. OpenLDAP is a registered trademark of the
OpenLDAP Foundation. Individual files and/or contributed packages may be copyrighted by other parties
and subject to additional restrictions. This work is derived from the University of Michigan LDAP v3.3
distribution. This work also contains materials derived from public sources. Information about OpenLDAP
can be obtained at www.openldap.org/. Portions Copyright 1998-2004 Kurt D. Zeilenga. Portions
Copyright 1998-2004 Net Boolean Incorporated. Portions Copyright 2001-2004 IBM Corporation. All
rights reserved. Redistribution and use in source and binary forms, with or without modification, are
permitted only as authorized by the OpenLDAP Public License. Portions Copyright 1999-2003 Howard
Y.H. Chu. Portions Copyright 1999-2003 Symas Corporation. Portions Copyright 1998-2003 Hallvard B.
Furuseth. All rights reserved. Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this notice is preserved. The names of the copyright holders may
not be used to endorse or promote products derived from this software without their specific prior written
permission. This software is provided "as is" without express or implied warranty. Portions Copyright (c)
1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source
and binary forms are permitted provided that this notice is preserved and that due credit is given to the
University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote
products derived from this software without specific prior written permission. This software is provided
"as is" without express or implied warranty. Other trademarks and trade names may be used in this
document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims
any proprietary interest in trademarks and trade names other than its own.
August 2009
Contents

1 iDRAC Overview
iDRAC Management Features
iDRAC Security Features
iDRAC Firmware Improvements
Supported Platforms
Supported Operating Systems
Supported Web Browsers
Supported Remote Access Connections
iDRAC Ports
Other Documents You May Need

2 Configuring the iDRAC
Before You Begin
Interfaces for Configuring the iDRAC
Configuration Tasks
Configure the Management Station
Configure iDRAC Networking
Configure iDRAC Users
Configure Active Directory
Configure IP Filtering and IP Blocking
Configure Platform Events
Enabling or Disabling Local Configuration Access
Configure iDRAC Services
Configure Secure Sockets Layer (SSL)
Configure Virtual Media
Install the Managed Server Software
Configure the Managed Server for the Last Crash Screen Feature
Configuring Networking Using the CMC Web Interface
Viewing FlexAddress Mezzanine Card Fabric Connections
FlexAddress MAC for iDRAC
Updating the iDRAC Firmware
Downloading the iDRAC Firmware or Update Package
Executing the Firmware Update
Using the DOS Update Utility
Verifying the Digital Signature
Clear Your Browser’s Cache
Configuring iDRAC for Use with IT Assistant
Using the iDRAC Configuration Utility to Enable Discovery and Monitoring
Using the iDRAC Web Interface to Enable Discovery and Monitoring
Using the Dell IT Assistant to View iDRAC Status and Events

3 Configuring the Management Station
Management Station Set Up Steps
Management Station Network Requirements
Configuring a Supported Web Browser
Opening Your Web Browser
Configuring Your Web Browser to Connect to the Web Interface
Adding iDRAC to the List of Trusted Domains
Viewing Localized Versions of the Web Interface
Setting the Locale in Linux
Disabling the Whitelist Feature in Firefox
Installing a Java Runtime Environment (JRE)
Installing Telnet or SSH Clients
Telnet with iDRAC
Configuring the Backspace Key For Your Telnet Session
SSH With iDRAC
Installing a TFTP Server
Installing Dell OpenManage IT Assistant

4 Configuring the Managed Server
Installing the Software on the Managed Server
Configuring the Managed Server to Capture the Last Crash Screen
Disabling the Windows Automatic Reboot Option

5 Configuring the iDRAC Using the Web Interface
Accessing the Web Interface
Logging In
Logging Out
Using Multiple Browser Tabs and Windows
Configuring the iDRAC NIC
Configuring the Network and IPMI LAN Settings
Configuring IP Filtering and IP Blocking
Configuring Platform Events
Configuring Platform Event Filters (PEF)
Configuring Platform Event Traps (PET)
Configuring E-Mail Alerts
Configuring IPMI
Adding and Configuring iDRAC Users
Securing iDRAC Communications Using SSL and Digital Certificates
Secure Sockets Layer (SSL)
Certificate Signing Request (CSR)
Accessing the SSL Main Menu
Generating a New Certificate Signing Request
Uploading a Server Certificate
Viewing a Server Certificate
Configuring and Managing Active Directory Certificates
Configuring Active Directory (Standard Schema and Extended Schema)
Uploading an Active Directory CA Certificate
Downloading an iDRAC Server Certificate
Viewing an Active Directory CA Certificate
Enabling or Disabling Local Configuration Access
Enabling Local Configuration Access
Disabling Local Configuration Access
Configuring iDRAC Services
Updating the iDRAC Firmware
Recovering iDRAC Firmware Using the CMC

6 Using the iDRAC with Microsoft Active Directory
Advantages and Disadvantages of Extended Schema and Standard Schema
Extended Schema Active Directory Overview
Active Directory Schema Extensions
Overview of the RAC Schema Extensions
Active Directory Object Overview
Configuring Extended Schema Active Directory to Access Your iDRAC
Extending the Active Directory Schema
Installing the Dell Extension to the Active Directory Users and Computers Snap-In
Adding iDRAC Users and Privileges to Active Directory
Configuring the iDRAC With Extended Schema Active Directory Using the Web Interface
Configuring the iDRAC With Extended Schema Active Directory Using RACADM
Configuring the iDRAC With Extended Schema Active Directory and SM-CLP
Active Directory Standard Schema Overview
Configuring Standard Schema Active Directory to Access Your iDRAC
Configuring the iDRAC With Standard Schema Active Directory and the Web Interface
Configuring the iDRAC With Standard Schema Active Directory and RACADM
Configuring the iDRAC With Standard Schema Active Directory and SM-CLP
Enabling SSL on a Domain Controller
Exporting the Domain Controller Root CA Certificate
Importing the iDRAC Firmware SSL Certificate
Using Active Directory to Log In To the iDRAC
Frequently Asked Questions

7 Viewing the Configuration and Health of the Managed Server
System Summary
Main System Enclosure
Integrated Dell Remote Access Controller
WWN/MAC Summary
System Health
iDRAC
CMC
Batteries
Temperatures
Voltages
Power Monitoring
CPU
POST
Misc Health

8 Configuring and Using Serial Over LAN
Enabling Serial Over LAN in the BIOS
Configuring Serial Over LAN in the iDRAC Web GUI
Using Serial Over LAN (SOL)
Model for Redirecting SOL Over Telnet or SSH
Model for the SOL Proxy
Model for Redirecting SOL Over IPMItool
Disconnecting an SOL Session in SM-CLP
Using SOL Over PuTTY
Using SOL Over Telnet With Linux
Using SOL Over OpenSSH with Linux
Using SOL Over IPMItool
Opening SOL With SOL Proxy
Operating System Configuration
Linux Enterprise Operating System
Windows 2003 Enterprise

9 Using GUI Console Redirection
Overview
Using Console Redirection
Supported Screen Resolutions and Refresh Rates
Configuring Your Management Station
Configuring Console Redirection in the iDRAC Web Interface
Opening a Console Redirection Session
Using the Video Viewer
Synchronizing the Mouse Pointers
Disabling or Enabling Local Console
Frequently Asked Questions

10 Configuring and Using Virtual Media
Overview
Windows-Based Management Station
Linux-Based Management Station
Configuring Virtual Media
Running Virtual Media
Booting From Virtual Media
Installing Operating Systems Using Virtual Media
Using Virtual Media When the Server’s Operating System Is Running
Frequently Asked Questions

11 Using the Local RACADM Command Line Interface
Using the RACADM Command
RACADM Subcommands
Using the RACADM Utility to Configure the iDRAC
Displaying Current iDRAC Settings
Managing iDRAC Users with RACADM
Adding an iDRAC User
Enabling an iDRAC User With Permissions
Removing an iDRAC User
Testing E-mail Alerting
Testing the iDRAC SNMP Trap Alert Feature
Configuring iDRAC Network Properties
Configuring IPMI
Configuring PEF
Configuring PET
Configuring IP Filtering (IpRange)
Configuring IP Filtering
Configuring IP Blocking
Configuring iDRAC Telnet and SSH Services Using Local RACADM
Using an iDRAC Configuration File
Creating an iDRAC Configuration File
Configuration File Syntax
Modifying the iDRAC IP Address in a Configuration File
Loading the Configuration File Into the iDRAC
Configuring Multiple iDRACs

12 Using the iDRAC SM-CLP Command Line Interface
System Management With SM-CLP
iDRAC SM-CLP Support
SM-CLP Features
Navigating the MAP Address Space
Targets
Using the Show Verb
Using the -display Option
Using the -level Option
Using the -output Option
iDRAC SM-CLP Examples
Server Power Management
SEL Management
MAP Target Navigation
Setting the iDRAC IP Address, Subnet Mask, and Gateway Address
Updating the iDRAC Firmware Using SM-CLP

13 Deploying Your Operating System Using iVM-CLI
Before You Begin
Remote System Requirements
Network Requirements
Creating a Bootable Image File
Creating an Image File for Linux Systems
Creating an Image File for Windows Systems
Preparing for Deployment
Configuring the Remote Systems
Deploying the Operating System
Using the Virtual Media Command Line Interface Utility
Installing the iVM-CLI Utility
Command Line Options
iVM-CLI Parameters
iVM-CLI Operating System Shell Options

14 Using the iDRAC Configuration Utility
Overview
Starting the iDRAC Configuration Utility
Using the iDRAC Configuration Utility
LAN
IPMI Over LAN (On/Off)
LAN Parameters
Virtual Media
LAN User Configuration
Reset to Default
System Event Log Menu
Exiting the iDRAC Configuration Utility

15 Recovering and Troubleshooting the Managed Server
Safety First – For You and Your System
Trouble Indicators
LED Indicators
Hardware Trouble Indicators
Other Trouble Indicators
Problem Solving Tools
Checking the System Health
Checking the System Event Log (SEL)
Checking the Post Codes
Viewing the Last System Crash Screen
Viewing the Most Recent Boot Sequences
Checking the Server Status Screen for Error Messages
Viewing the iDRAC Log
Viewing System Information
Identifying the Managed Server in the Chassis
Using the Diagnostics Console
Managing Power on a Remote System
Troubleshooting and Frequently Asked Questions

A RACADM Subcommand Overview
help
config
getconfig
getssninfo
getsysinfo
getractime
setniccfg
getniccfg
getsvctag
racreset
racresetcfg
serveraction
getraclog
clrraclog
getsel
clrsel
gettracelog
sslcsrgen
sslcertupload
sslcertdownload
sslcertview
testemail
testtrap
clearasrscreen

B iDRAC Property Database Group and Object Definitions
Displayable Characters
idRacInfo
idRacProductInfo (Read Only)
idRacDescriptionInfo (Read Only)
idRacVersionInfo (Read Only)
idRacBuildInfo (Read Only)
idRacName (Read Only)
idRacType (Read Only)
cfgLanNetworking
cfgDNSDomainNameFromDHCP (Read/Write)
cfgDNSDomainName (Read/Write)
cfgDNSRacName (Read/Write)
cfgDNSRegisterRac (Read/Write)
cfgDNSServersFromDHCP (Read/Write)
cfgDNSServer1 (Read/Write)
cfgDNSServer2 (Read/Write)
cfgNicEnable (Read/Write)
cfgNicIpAddress (Read/Write)
cfgNicNetmask (Read/Write)
cfgNicGateway (Read/Write)
cfgNicUseDhcp (Read/Write)
cfgNicMacAddress (Read Only)
cfgNicVLanEnable (Read/Write)
cfgNicVLanId (Read/Write)
cfgNicVLanPriority (Read/Write)
cfgUserAdmin
cfgUserAdminIpmiLanPrivilege (Read/Write)
cfgUserAdminPrivilege (Read/Write)
cfgUserAdminUserName (Read/Write)
cfgUserAdminPassword (Write Only)
cfgUserAdminEnable
cfgUserAdminSolEnable
cfgEmailAlert
cfgEmailAlertIndex (Read Only)
cfgEmailAlertEnable (Read/Write)
cfgEmailAlertAddress
cfgEmailAlertCustomMsg
cfgSessionManagement
cfgSsnMgtConsRedirMaxSessions (Read/Write)
cfgSsnMgtWebserverTimeout (Read/Write)
cfgSsnMgtSshIdleTimeout (Read/Write)
cfgSsnMgtTelnetIdleTimeout (Read/Write)
cfgSerial
cfgSerialSshEnable (Read/Write)
cfgSerialTelnetEnable (Read/Write)
cfgRacTuning
cfgRacTuneHttpPort (Read/Write)
cfgRacTuneHttpsPort (Read/Write)
cfgRacTuneIpRangeEnable
cfgRacTuneIpRangeAddr
cfgRacTuneIpRangeMask
cfgRacTuneIpBlkEnable
cfgRacTuneIpBlkFailCount
cfgRacTuneIpBlkFailWindow
cfgRacTuneIpBlkPenaltyTime
cfgRacTuneSshPort (Read/Write)
cfgRacTuneTelnetPort (Read/Write)
cfgRacTuneConRedirEncryptEnable (Read/Write)
cfgRacTuneConRedirPort (Read/Write)
cfgRacTuneConRedirVideoPort (Read/Write)
cfgRacTuneAsrEnable (Read/Write)
cfgRacTuneWebserverEnable (Read/Write)
cfgRacTuneLocalServerVideo (Read/Write)
cfgRacTuneLocalConfigDisable (Read/Write)
ifcRacManagedNodeOs
ifcRacMnOsHostname (Read/Write)
ifcRacMnOsOsName (Read/Write)
cfgRacSecurity
cfgSecCsrCommonName (Read/Write)
cfgSecCsrOrganizationName (Read/Write)
cfgSecCsrOrganizationUnit (Read/Write)
cfgSecCsrLocalityName (Read/Write)
cfgSecCsrStateName (Read/Write)
cfgSecCsrCountryCode (Read/Write)
cfgSecCsrEmailAddr (Read/Write)
cfgSecCsrKeySize (Read/Write)
cfgRacVirtual
cfgVirMediaAttached (Read/Write)
cfgVirAtapiSrvPort (Read/Write)
cfgVirAtapiSrvPortSsl (Read/Write)
cfgVirMediaBootOnce (Read/Write)
cfgFloppyEmulation (Read/Write)
cfgActiveDirectory
cfgADRacDomain (Read/Write)
cfgADRacName (Read/Write)
cfgADEnable (Read/Write)
cfgADAuthTimeout (Read/Write)
cfgADRootDomain (Read/Write)
cfgADSpecifyServerEnable (Read/Write)
cfgADDomainController (Read/Write)
cfgADGlobalCatalog (Read/Write)
cfgADType (Read/Write)
cfgStandardSchema
cfgSSADRoleGroupIndex (Read Only)
cfgSSADRoleGroupName (Read/Write)
cfgSSADRoleGroupDomain (Read/Write)
cfgSSADRoleGroupPrivilege (Read/Write)
cfgIpmiSol
cfgIpmiSolEnable (Read/Write)
cfgIpmiSolBaudRate (Read/Write)
cfgIpmiSolMinPrivilege (Read/Write)
cfgIpmiSolAccumulateInterval (Read/Write)
cfgIpmiSolSendThreshold (Read/Write)
cfgIpmiLan
cfgIpmiLanEnable (Read/Write)
cfgIpmiLanPrivLimit (Read/Write)
cfgIpmiLanAlertEnable (Read/Write)
cfgIpmiEncryptionKey (Read/Write)
cfgIpmiPetCommunityName (Read/Write)
cfgIpmiPef
cfgIpmiPefName (Read Only)
cfgIpmiPefIndex (Read Only)
cfgIpmiPefAction (Read/Write)
cfgIpmiPefEnable (Read/Write)
cfgIpmiPet
cfgIpmiPetIndex (Read/Write)
cfgIpmiPetAlertDestIpAddr (Read/Write)
cfgIpmiPetAlertEnable (Read/Write)

C iDRAC SMCLP Property Database
/system1/sp1/account<1-16>
userid (Read Only)
username (Read/Write)
oemdell_ipmilanprivileges (Read/Write)
password (Write Only)
enabledstate (Read/Write)
solenabled (Read/Write)
oemdell_extendedprivileges (Read/Write)
/system1/sp1/enetport1/*
macaddress (Read Only)
/system1/sp1/enetport1/lanendpt1/ipendpt1
oemdell_nicenable (Read/Write)
ipaddress (Read/Write)
subnetmask (Read/Write)
oemdell_usedhcp (Read/Write)
committed (Read/Write)
/system1/sp1/enetport1/lanendpt1/ipendpt1/dnsendpt1
oemdell_domainnamefromdhcp (Read/Write)
oemdell_dnsdomainname (Read/Write)
oemdell_dnsregisterrac (Read/Write)
oemdell_dnsracname (Read/Write)
oemdell_serversfromdhcp (Read/Write)
/system1/sp1/enetport1/lanendpt1/ipendpt1/dnsendpt1/remotesap1
dnsserveraddress (Read/Write)
/system1/sp1/enetport1/lanendpt1/ipendpt1/dnsendpt1/remotesap2
dnsserveraddress (Read/Write)
/system1/sp1/enetport1/lanendpt1/ipendpt1/remotesap1
defaultgatewayaddress (Read/Write)
/system1/sp1/group<1-5>
oemdell_groupname (Read/Write)
oemdell_groupdomain (Read/Write)
oemdell_groupprivilege (Read/Write)
/system1/sp1/oemdell_adservice1
enabledstate (Read/Write)
oemdell_adracname (Read/Write)
oemdell_adracdomain (Read/Write)
oemdell_adrootdomain (Read/Write)
oemdell_timeout (Read/Write)
oemdell_schematype (Read/Write)
oemdell_adspecifyserverenable (Read/Write)
oemdell_addomaincontroller (Read/Write)
oemdell_adglobalcatalog (Read/Write)
/system1/sp1/oemdell_racsecurity1
commonname (Read/Write)
organizationname (Read/Write)
oemdell_organizationunit (Read/Write)
oemdell_localityname (Read/Write)
oemdell_statename (Read/Write)
oemdell_countrycode (Read/Write)
oemdell_emailaddress (Read/Write)
oemdell_keysize (Read/Write)
/system1/sp1/oemdell_ssl1
generate (Read/Write)
oemdell_status (Read Only)
oemdell_certtype (Read/Write)
/system1/sp1/oemdell_vmservice1 . . . 374
    enabledstate (Read/Write) . . . 374
    oemdell_singleboot (Read/Write) . . . 374
    oemdell_floppyemulation (Read/Write) . . . 375
/system1/sp1/oemdell_vmservice1/tcpendpt1 . . . 375
    portnumber (Read/Write) . . . 375
    portnumber (Read/Write) . . . 376
    oemdell_sslenabled (Read Only) . . . 376
D RACADM and SM-CLP Equivalencies . . . 377
Glossary . . . 389
Index . . . 399
iDRAC Overview
The Integrated Dell™ Remote Access Controller (iDRAC) is a systems
management hardware and software solution that provides remote
management capabilities, crashed system recovery, and power control
functions for Dell PowerEdge™ systems.
The iDRAC uses an integrated System-on-Chip microprocessor for the
remote monitor/control system. The iDRAC co-exists on the system board
with the managed PowerEdge server. The server operating system is
concerned with executing applications; the iDRAC is concerned with
monitoring and managing the server’s environment and state outside of the
operating system.
You can configure the iDRAC to send you an e-mail or Simple Network
Management Protocol (SNMP) trap alert for warnings or errors. To help you
diagnose the probable cause of a system crash, iDRAC can log event data and
capture an image of the screen when it detects that the system has crashed.
Managed servers are installed in a Dell M1000e system enclosure (chassis)
with modular power supplies, cooling fans, and a chassis management
controller (CMC). The CMC monitors and manages all components
installed in the chassis. A redundant CMC can be added to provide hot
failover if the primary CMC fails. The chassis provides access to the iDRACs
through its LCD display, local console connections, and its web interface.
All network connections to the iDRAC are through the CMC network
interface (CMC RJ45 connection port labelled "GB1"). The CMC routes
traffic to the iDRACs on its servers through a private, internal network. This
private management network is outside of the server’s data path and outside
of the operating system’s control, that is, out-of-band. The managed servers’
inband network interfaces are accessed through I/O modules (IOMs) installed
in the chassis.
The iDRAC network interface is disabled by default. It must be configured
before the iDRAC is accessible. After the iDRAC is enabled and configured
on the network, it can be accessed at its assigned IP address with the iDRAC
web interface, telnet or SSH, and supported network management protocols,
such as Intelligent Platform Management Interface (IPMI).
NOTE: Dell recommends that you isolate or separate the chassis management
network, used by iDRAC and CMC, from your production network(s). Mixing
management and production or application network traffic may cause congestion
or network saturation resulting in CMC and iDRAC communication delays. The
delays may cause unpredictable chassis behavior like CMC perceiving that iDRAC
is offline even though it is operating properly, which in turn causes other
undesirable behavior.
iDRAC Management Features
The iDRAC provides the following management features:
• Dynamic Domain Name System (DDNS) registration
• Remote system management and monitoring using a Web interface, the
  local RACADM command line interface via console redirection, and the
  SM-CLP command line over a telnet/SSH connection
• Support for Microsoft® Active Directory® authentication — Centralizes
  iDRAC user IDs and passwords in Active Directory using the standard
  schema or an extended schema
• Console Redirection — Provides remote system keyboard, video, and
  mouse functions
• Virtual Media — Enables a managed server to access a local media drive on
  the management station or ISO CD/DVD images on a network share
• Monitoring — Provides access to system information and status of
  components
• Access to system logs — Provides access to the system event log, the
  iDRAC log, and the last crash screen of the crashed or unresponsive system
  that is independent of the operating system state
• Dell OpenManage™ software integration — Enables you to launch the
  iDRAC Web interface from Dell OpenManage Server Administrator or IT
  Assistant
• iDRAC alert — Alerts you to potential managed node issues through an
  e-mail message or SNMP trap
• Remote power management — Provides remote power management
  functions, such as shutdown and reset, from a management console
• Single Sign-On from CMC Web interface — Once credentials are
  accepted by CMC, users can access any iDRAC without additional login
  NOTE: If a warning window appears during the Single Sign-On process, it
  must be bypassed within 20 seconds or Single Sign-On will fail.
• One-to-Many firmware update – Enables user configurable update of more
  than one iDRAC using CMC GUI and command line
• Intelligent Platform Management Interface (IPMI) support
• Secure Sockets Layer (SSL) encryption — Provides secure remote system
  management through the Web interface
• Password-level security management — Prevents unauthorized access to a
  remote system
• Role-based authority — Provides assignable permissions for different
  systems management tasks
iDRAC Security Features
The iDRAC provides the following security features:
• User authentication through Microsoft Active Directory (optional) or
  hardware-stored user IDs and passwords
• Role-based authority, which enables an administrator to configure specific
  privileges for each user
• User ID and password configuration through the Web interface or
  SM-CLP
• SM-CLP and Web interfaces, which support 128-bit and 40-bit encryption
  (for countries where 128 bit is not acceptable), using the SSL 3.0 standard
• Session time-out configuration (in seconds) through the Web interface or
  SM-CLP
• Configurable IP ports (where applicable)
  NOTE: Telnet does not support SSL encryption.
• Secure Shell (SSH), which uses an encrypted transport layer for higher
  security
• Login failure limits per IP address, with login blocking from the IP address
  when the limit is exceeded
• Limited IP address range for clients connecting to the iDRAC
iDRAC Firmware Improvements
The following improvements have been made to the iDRAC firmware:
• Major improvements in Active Directory lookup performance
• Improved responsiveness of TCP-IP networking stack
• Improved health status interface between iDRAC and CMC
• Security improvements using multiple third-party analysis tools
Supported Platforms
For the latest supported platforms, see the iDRAC Readme file and the
Dell Systems Software Support Matrix available at support.dell.com/manuals.
Supported Operating Systems
For the latest information, see the iDRAC Readme file and the Dell Systems
Software Support Matrix available at support.dell.com/manuals.
Supported Web Browsers
For the latest information, see the iDRAC Readme file and the Dell Systems
Software Support Matrix available at support.dell.com/manuals.
NOTE: Due to serious security flaws, support for SSL 2.0 has been discontinued.
Your browser must be configured to enable SSL 3.0 in order to work properly.
Supported Remote Access Connections
Table 1-1 lists the connection features.
iDRAC Ports
Table 1-2 lists the ports iDRAC listens on for connections. Table 1-3
identifies the ports that the iDRAC uses as a client. This information is
required when opening firewalls for remote access to an iDRAC.
Table 1-1. Supported Remote Access Connections
Connection    Features
iDRAC NIC     • 10Mbps/100Mbps/1Gbps Ethernet via CMC Gb Ethernet port
              • DHCP support
              • SNMP traps and e-mail event notification
              • Support for SM-CLP (telnet or SSH) command shell for
                operations such as iDRAC configuration, system boot, reset,
                power-on, and shutdown commands
              • Support for IPMI utilities such as ipmitool and ipmishell
Table 1-2. iDRAC Server Listening Ports
Port Number     Function
22*             Secure Shell (SSH)
23*             Telnet
80*             HTTP
443*            HTTPS
623             RMCP/RMCP+
3668*, 3669*    Virtual Media Service
3670*, 3671*    Virtual Media Secure Service
5900*           Console Redirection keyboard/mouse
5901*           Console Redirection video
* Configurable port
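One way to turn Tables 1-2 and 1-3 into firewall rules, as an added example that is not part of the Dell guide: it renders an nftables forward chain for a routed firewall between the management stations and the iDRACs. The tcp/udp assignments, the service keys, the table name `idrac_mgmt` and all addresses are assumptions or constructed values, not taken from the guide.

```python
import ipaddress

# Table 1-2: default port -> (transport, function, marked "*" configurable).
# The manual does not state the transport; tcp/udp follow each service's
# usual definition (assumption).
LISTEN_PORTS = {
    22: ("tcp", "Secure Shell (SSH)", True),
    23: ("tcp", "Telnet", True),
    80: ("tcp", "HTTP", True),
    443: ("tcp", "HTTPS", True),
    623: ("udp", "RMCP/RMCP+", False),
    3668: ("tcp", "Virtual Media Service", True),
    3669: ("tcp", "Virtual Media Service", True),
    3670: ("tcp", "Virtual Media Secure Service", True),
    3671: ("tcp", "Virtual Media Secure Service", True),
    5900: ("tcp", "Console Redirection keyboard/mouse", True),
    5901: ("tcp", "Console Redirection video", True),
}
# Telnet has no SSL encryption (NOTE in the security feature list) and HTTP
# is the unencrypted counterpart of HTTPS: closed unless explicitly allowed.
CLEARTEXT = {23, 80}

# Table 1-3: ports the iDRAC connects to as a client. DHCP (68) is left out:
# it is local-segment broadcast traffic that a routed firewall does not
# forward (a DHCP relay, if used, needs its own rule). TCP for DNS is an
# addition to the table (assumption). TFTP data returns from an ephemeral
# server port, so the firewall also needs its conntrack TFTP helper.
CLIENT_PORTS = {
    "smtp": [("tcp", 25)],
    "dns": [("udp", 53), ("tcp", 53)],
    "tftp": [("udp", 69)],
    "snmptrap": [("udp", 162)],
    "ldaps": [("tcp", 636)],
    "ldaps_gc": [("tcp", 3269)],
}


def resolve_listen_ports(overrides=None, allow_cleartext=False):
    """Return {"tcp": [...], "udp": [...]} to open toward the iDRAC."""
    overrides = overrides or {}  # Table 1-2 default port -> configured port
    for default, new in overrides.items():
        if default not in LISTEN_PORTS:
            raise ValueError(f"{default} is not a Table 1-2 port")
        if not LISTEN_PORTS[default][2]:
            raise ValueError(f"port {default} is not configurable")
        if not 1 <= new <= 65535:
            raise ValueError(f"invalid port {new}")
    opened = {"tcp": set(), "udp": set()}
    for default, (proto, _function, _configurable) in LISTEN_PORTS.items():
        if default in CLEARTEXT and not allow_cleartext:
            continue
        opened[proto].add(overrides.get(default, default))
    return {proto: sorted(ports) for proto, ports in opened.items() if ports}


def _nft_set(items):
    return "{ " + ", ".join(str(item) for item in items) + " }"


def build_ruleset(mgmt_net, idracs, servers, overrides=None,
                  allow_cleartext=False):
    """Render an nftables forward chain (IPv4 only, default drop)."""
    mgmt = ipaddress.IPv4Network(mgmt_net)
    hosts = sorted(ipaddress.IPv4Address(a) for a in idracs)
    if not hosts:
        raise ValueError("no iDRAC addresses given")
    inside = [str(h) for h in hosts if h in mgmt]
    if inside:
        # Same subnet: traffic never crosses the firewall, so the rules
        # would give a false sense of isolation.
        raise ValueError(f"iDRAC inside management-station subnet: {inside}")
    dst = _nft_set(hosts)
    lines = [
        "table inet idrac_mgmt {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for proto, ports in resolve_listen_ports(overrides, allow_cleartext).items():
        lines.append(f"    ip saddr {mgmt} ip daddr {dst} "
                     f"{proto} dport {_nft_set(ports)} accept")
    for service, server in sorted(servers.items()):
        if service not in CLIENT_PORTS:
            raise ValueError(f"unknown Table 1-3 service: {service}")
        addr = ipaddress.IPv4Address(server)
        for proto, port in CLIENT_PORTS[service]:
            lines.append(f"    ip saddr {dst} ip daddr {addr} "
                         f"{proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    print(build_ruleset("192.0.2.0/24", ["198.51.100.11", "198.51.100.12"],
                        {"dns": "203.0.113.53", "ldaps": "203.0.113.10"},
                        overrides={443: 8443}))
```

Pass `overrides` for any port marked * that has been moved from its default; port 623 is not marked configurable in Table 1-2, so remapping it is rejected.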
Other Documents You May Need
In addition to this guide, the following documents provide additional
information about the setup and operation of the iDRAC in your system:
• The iDRAC online Help provides information about using the Web
  interface.
• The Dell Systems Software Support Matrix provides information about the
  various Dell systems, the operating systems supported by these systems,
  and the Dell OpenManage™ components that can be installed on these
  systems.
• The Dell OpenManage Installation and Security User's Guide provides
  complete information on installation procedures and step-by-step
  instructions for installing, upgrading, and uninstalling Server
  Administrator for each supported operating system.
• The Dell OpenManage Software Quick Installation Guide provides an
  overview of applications that you can install on your management station
  (console) and on your managed systems and procedures for installing your
  console and managed system applications on systems running supported
  operating systems.
• The Dell Chassis Management Controller User Guide and the Dell Chassis
  Management Controller Administrator Reference Guide provide
  information about using the controller that manages all modules in the
  chassis containing your PowerEdge server.
Table 1-3. iDRAC Client Ports
Port Number     Function
25              SMTP
53              DNS
68              DHCP-assigned IP address
69              TFTP
162             SNMP trap
636             LDAPS
3269            LDAPS for global catalog (GC)
• The Dell OpenManage IT Assistant User’s Guide provides information
  about using IT Assistant.
• The Dell OpenManage Server Administrator User’s Guide provides
  information about installing and using Server Administrator.
• The Dell Update Packages User’s Guide provides information about
  obtaining and using Dell Update Packages as part of your system update
  strategy.
The following system documents are also available to provide more
information about the system in which your iDRAC is installed:
• The safety instructions that came with your system provide important
  safety and regulatory information. For additional regulatory information,
  see the Regulatory Compliance home page at
  www.dell.com/regulatory_compliance. Warranty information may be
  included within this document or as a separate document.
• The Rack Installation Guide and Rack Installation Instructions included
  with your rack solution describe how to install your system into a rack.
• The Getting Started Guide provides an overview of system features, setting
  up your system, and technical specifications.
• The Hardware Owner’s Manual provides information about system
  features and describes how to troubleshoot the system and install or
  replace system components.
• Systems management software documentation describes the features,
  requirements, installation, and basic operation of the software.
• Operating system documentation describes how to install (if necessary),
  configure, and use the operating system software.
• Documentation for any components you purchased separately provides
  information to configure and install these options.
• Updates are sometimes included with the system to describe changes to
  the system, software, and/or documentation.
  NOTE: Always read the updates first because they often supersede
  information in other documents.
• Release notes or readme files may be included to provide last-minute
  updates to the system or documentation or advanced technical reference
  material intended for experienced users or technicians.
Configuring the iDRAC
This section provides information about how to establish access to the
iDRAC and to configure your management environment to use iDRAC.
Before You Begin
Gather the following items prior to configuring the iDRAC:
• Dell Chassis Management Controller User Guide
• Dell Systems Management Tools and Documentation DVD
Interfaces for Configuring the iDRAC
You can configure the iDRAC using the iDRAC Configuration Utility, the
iDRAC Web interface, the local RACADM CLI, or the SM-CLP CLI. The
local RACADM CLI is available after you have installed the operating system
and the Dell PowerEdge server management software on the managed server.
Table 2-1 describes these interfaces.
For greater security, access to the iDRAC configuration through the iDRAC
Configuration Utility or local RACADM CLI can be disabled by means of a
RACADM command (see "cfgRacTuneLocalConfigDisable (Read/Write)" on
page 336) or from the GUI (see "Enabling or Disabling Local Configuration
Access" on page 98).
NOTE: Using more than one configuration interface at the same time may generate
unexpected results.
Table 2-1. Configuration Interfaces
Interface
    Description
iDRAC Configuration Utility
    Accessed at boot time, the iDRAC Configuration utility is
    useful when installing a new PowerEdge server. Use it for
    setting up the network and basic security features and for
    enabling other features.
iDRAC Web Interface
    The iDRAC Web interface is a browser-based management
    application that you can use to interactively manage the
    iDRAC and monitor the managed server. It is the primary
    interface for day-to-day tasks, such as monitoring system
    health, viewing the system event log, managing local iDRAC
    users, and launching the CMC Web interface and console
    redirection sessions.
CMC Web Interface
    In addition to monitoring and managing the chassis, the CMC
    Web interface can be used to view the status of a managed
    server, configure iDRAC network settings, and to start, stop, or
    reset the managed server.
Chassis LCD Panel
    The LCD panel on the chassis containing the iDRAC can be
    used to view the high-level status of the servers in the chassis.
    During initial configuration of the CMC, the configuration
    wizard allows you to enable DHCP configuration of iDRAC
    networking.
Local RACADM
    The local RACADM command line interface runs on the
    managed server. It is accessed from either the iKVM or a
    console redirection session initiated from the iDRAC Web
    interface. RACADM is installed on the managed server when
    you install Dell OpenManage Server Administrator.
    RACADM commands provide access to nearly all iDRAC
    features. You can inspect sensor data, system event log records,
    and the current status and configuration values maintained in
    the iDRAC. You can alter iDRAC configuration values,
    manage local users, enable and disable features, and perform
    power functions such as shutting down or rebooting the
    managed server.
iVM-CLI
    The iDRAC Virtual Media Command Line Interface
    (iVM-CLI) provides the managed server access to media on
    the management station. It is useful for developing scripts to
    install operating systems on multiple managed servers.
    NOTE: The iVM-CLI utility is only supported with IPv4 addresses.
SM-CLP
    SM-CLP is the Distributed Management Task Force (DMTF)
    Server Management-Command Line Protocol (SM-CLP) that
    is incorporated in the iDRAC. The SM-CLP command line is
    accessed by logging into the iDRAC using telnet or SSH.
    SM-CLP commands implement a useful subset of the local
    RACADM commands. The commands are useful for scripting
    since they can be executed from a management station
    command line. The output of commands can be retrieved in
    well-defined formats, including XML, facilitating scripting and
    integration with existing reporting and management tools.
    See "RACADM and SM-CLP Equivalencies" on page 377 for a
    comparison of the RACADM and SM-CLP commands.
IPMI
    IPMI defines a standard way for embedded management
    subsystems such as the iDRAC to communicate with other
    embedded systems and management applications.
    You can use the iDRAC Web interface, SM-CLP, or RACADM
    commands to configure IPMI Platform Event Filters (PEFs)
    and Platform Event Traps (PETs).
    PEFs cause the iDRAC to perform selectable actions (for
    example, rebooting the managed server) when it detects a
    condition. PETs instruct the iDRAC to send e-mail or IPMI
    alerts when it detects specified events or conditions.
    You can also use standard IPMI tools such as ipmitool and
    ipmishell with iDRAC when you enable IPMI Over LAN.
Configuration Tasks
This section is an overview of the configuration tasks for the management
station, the iDRAC, and the managed server. The tasks to be performed
include configuring the iDRAC so that it can be used remotely, configuring
the iDRAC features you want to use, installing the operating system on the
managed server, and installing management software on your management
station and the managed server.
The configuration interfaces that can be used to perform each task are listed
beneath the task.
NOTE: Before performing configuration procedures in this guide, the CMC and I/O
modules must be installed in the chassis and configured, and the PowerEdge server
must be physically installed in the chassis.
Configure the Management Station
Set up a management station by installing the Dell OpenManage software, a
Web browser, and other software utilities.
See "Configuring the Management Station" on page 53
Configure iDRAC Networking
Enable the iDRAC network and configure IP, netmask, gateway, and DNS
addresses.
NOTE: Access to the iDRAC configuration through the iDRAC Configuration Utility
or local RACADM CLI can be disabled by means of a RACADM command (see
"cfgRacTuneLocalConfigDisable (Read/Write)" on page 336) or from the GUI (see
"Enabling or Disabling Local Configuration Access" on page 98).
NOTE: Changing the iDRAC network settings terminates all current network
connections to the iDRAC.
NOTE: The option to configure the server using the LCD panel is available only
during the CMC initial configuration. Once the chassis is deployed, the LCD panel
cannot be used to reconfigure the iDRAC.
NOTE: The LCD panel can be used to enable DHCP to configure the iDRAC network.
If you want to assign static addresses, you must use the iDRAC Configuration Utility
or the CMC Web interface.
• Chassis LCD Panel — see the Dell Chassis Management Controller
  Firmware User Guide
• iDRAC configuration utility — see "LAN" on page 249
• CMC Web interface — see "Configuring Networking Using the CMC
  Web Interface" on page 40
• RACADM — see "cfgLanNetworking" on page 316
Configure iDRAC Users
Set up local iDRAC users and permissions. The iDRAC holds a table of
sixteen local users in firmware. You can set usernames, passwords, and roles
for these users.
NOTE: The three special characters <, >, and \ are not allowed in user names or
passwords.
You can configure iDRAC users using one of the following:
• iDRAC configuration utility (configures administrative user only) — see
  "LAN User Configuration" on page 252
• iDRAC Web interface — see "Adding and Configuring iDRAC Users" on
  page 83
• RACADM — see "Adding an iDRAC User" on page 203
Configure Active Directory
In addition to the local iDRAC users, you can use Microsoft® Active
Directory® to authenticate iDRAC user logins.
See "Using the iDRAC with Microsoft Active Directory" on page 105
NOTE: When using iDRAC in an Active Directory environment, be sure your user
names conform to the Active Directory naming convention in force in your
environment.
Configure IP Filtering and IP Blocking
In addition to user authentication, you can prevent unauthorized access by
rejecting connection attempts from IP addresses outside of a defined range
and by temporarily blocking connections from IP addresses where
authentication has failed multiple times within a configurable timespan.
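A model of the two checks just described, as an added example (it is not iDRAC firmware code and does not come from the guide): a source-range filter followed by a temporary block after repeated failed logins inside a time window, replayed over a constructed login log. The class, its parameter names and the log format are hypothetical, and leaving the failure history untouched by a successful login is an assumption of the model.

```python
import ipaddress
from collections import defaultdict, deque


class AccessGate:
    """Allowed source range, then a temporary block for sources with
    repeated failed logins inside a time window. Times are in seconds."""

    def __init__(self, allowed_range, fail_count, fail_window, penalty_time):
        self.allowed = ipaddress.ip_network(allowed_range)
        self.fail_count = fail_count        # failures that trigger a block
        self.fail_window = fail_window      # span in which failures count
        self.penalty_time = penalty_time    # how long a block lasts
        self.failures = defaultdict(deque)  # source -> recent failure times
        self.blocked_until = {}             # source -> time the block ends

    def admit(self, source, now):
        """Decide whether a connection attempt is accepted at all."""
        if ipaddress.ip_address(source) not in self.allowed:
            return "rejected: outside range"
        until = self.blocked_until.get(source)
        if until is not None and now < until:
            return "rejected: blocked"
        self.blocked_until.pop(source, None)  # penalty has expired
        return "admitted"

    def login(self, source, now, success):
        """Process one login attempt and return its outcome."""
        verdict = self.admit(source, now)
        if verdict != "admitted":
            return verdict          # never reaches authentication
        if success:
            return "login ok"
        recent = self.failures[source]
        recent.append(now)
        while now - recent[0] > self.fail_window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= self.fail_count:
            self.blocked_until[source] = now + self.penalty_time
            recent.clear()
            return "login failed: source now blocked"
        return "login failed"


# Constructed log, one attempt per line: "<seconds> <source address> <ok|fail>"
SAMPLE_LOG = """\
0 192.0.2.10 fail
0 192.0.2.20 fail
5 198.51.100.7 ok
10 192.0.2.10 fail
20 192.0.2.10 fail
30 192.0.2.10 ok
50 192.0.2.20 fail
100 192.0.2.20 fail
321 192.0.2.10 ok
"""


def replay(gate, log_text):
    """Feed the log through the gate; return (time, source, outcome) tuples."""
    outcomes = []
    for line in log_text.splitlines():
        when, source, result = line.split()
        outcome = gate.login(source, int(when), result == "ok")
        outcomes.append((int(when), source, outcome))
    return outcomes


if __name__ == "__main__":
    gate = AccessGate("192.0.2.0/24", fail_count=3, fail_window=60,
                      penalty_time=300)
    for when, source, outcome in replay(gate, SAMPLE_LOG):
        print(f"{when:>4}s  {source:<14} {outcome}")
```

In the replay, 192.0.2.20 fails three times but never within one 60-second window, so it is never blocked; the window and the failure count have to be chosen together.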
• iDRAC Web interface — see "Configuring IP Filtering and IP Blocking" on
  page 77
• RACADM — see "Configuring IP Filtering (IpRange)" on page 211,
  "Configuring IP Blocking" on page 213
Configure Platform Events
Platform events occur when the iDRAC detects a warning or critical
condition from one of the managed server’s sensors.
Configure Platform Event Filters (PEFs) to choose the events you want to
detect and the action to take, such as rebooting the managed server, when an
event is detected.
• iDRAC Web interface — see "Configuring Platform Event Filters (PEF)"
  on page 80
• RACADM — see "Configuring PEF" on page 208
Configure Platform Event Traps (PETs) to send alert notifications to an IP
address, such as a management station with IPMI software or to send an
e-mail to a specified e-mail address.
• iDRAC Web interface — see "Configuring Platform Event Traps (PET)"
  on page 80
• RACADM — see "Configuring PET" on page 209
Enabling or Disabling Local Configuration Access
Access to critical configuration parameters, such as network configuration
and user privileges, can be disabled. Once disabled, the setting remains
persistent across reboots. Configuration write access is blocked for both the
local RACADM program and the iDRAC Configuration Utility (at boot).
Web access to configuration parameters is unimpeded and configuration data
is always available for viewing. For information about the iDRAC Web
interface, see "Enabling or Disabling Local Configuration Access" on page 98.
For cfgRacTuning commands, see "cfgRacTuning" on page 330.
Configure iDRAC Services
Enable or disable the iDRAC network services — such as telnet, SSH, and the
Web server interface — and reconfigure ports and other service parameters.
• iDRAC Web interface — see "Configuring iDRAC Services" on page 99
• RACADM — see "Configuring iDRAC Telnet and SSH Services Using
  Local RACADM" on page 215
Configure Secure Sockets Layer (SSL)
Configure SSL for the iDRAC web server.
• iDRAC Web interface — see "Secure Sockets Layer (SSL)" on page 87
• RACADM — see "cfgRacSecurity" on page 337, "sslcsrgen" on page 304,
  "sslcertupload" on page 305, "sslcertdownload" on page 306, "sslcertview"
  on page 307
Configure Virtual Media
Configure the virtual media feature so that you can install the operating
system on the PowerEdge server. Virtual media allows the managed server to
access media devices on the management station or ISO CD/DVD images on
a network share as if they were devices on the managed server.
• iDRAC Web interface — see "Configuring and Using Virtual Media" on
  page 185
• iDRAC configuration utility — see "Virtual Media" on page 252
Install the Managed Server Software
Install the operating system on the PowerEdge server using virtual media and
then install the Dell OpenManage software on the managed PowerEdge
server and set up the last crash screen feature.
• Console redirection — see "Installing the Software on the Managed
  Server" on page 67
• iVM-CLI — see "Using the Virtual Media Command Line Interface
  Utility" on page 240
Configure the Managed Server for the Last Crash Screen Feature
Set up the managed server so that the iDRAC can capture the screen image
after an operating system crash or freeze.
• Managed Server — see "Configuring the Managed Server to Capture the
  Last Crash Screen" on page 68, "Disabling the Windows Automatic
  Reboot Option" on page 69
Configuring Networking Using the CMC Web Interface
NOTE: You must have Chassis Configuration Administrator privilege to set up
iDRAC network settings from the CMC.
NOTE: The default CMC user is root and the default password is calvin.
NOTE: The CMC IP address can be found in the iDRAC Web interface by clicking
System → Remote Access → CMC. You can also launch the CMC Web interface from
this page.
1. Use your Web browser to log in to the CMC web user interface using a
   URL of the form https://<CMC-IP-address> or https://<CMC-DNS-name>.
2. Enter the CMC username and password and click OK.
3. Click the plus (+) symbol next to Chassis in the left column, then click
   Servers.
4. Click the Setup iDRAC tab. The Deploy iDRAC page allows you to
   configure the iDRAC network settings on the server modules.
5. Enter common iDRAC deployment settings; click Auto-Populate Using
   QuickDeploy Settings to populate the iDRAC Network Settings section,
   and then click Apply iDRAC Network Settings to make the setting
   changes to the listed iDRACs.
Viewing FlexAddress Mezzanine Card Fabric Connections
The M1000e includes FlexAddress, an advanced multilevel, multistandard
networking system. FlexAddress allows the use of persistent, chassis-assigned
World Wide Names and MAC addresses (WWN/MAC) for each managed
server port connection.
NOTE: In order to avoid errors that may lead to an inability to power on the
managed server, you must have the correct type of mezzanine card installed for
each port and fabric connection.
Configuration of the FlexAddress feature is performed using the CMC Web
interface. For more information on the FlexAddress feature and its
configuration, see your Dell Chassis Management Controller User Guide and
the Chassis Management Controller (CMC) Secure Digital (SD) Card
Technical Specification document.
After the FlexAddress feature has been enabled and configured for the
chassis, click System → Properties → WWN/MAC to view a list of installed
mezzanine cards, the fabrics and ports to which they are connected, the fabric
port location, type of fabric, and server-assigned or chassis-assigned MAC
addresses for each installed embedded Ethernet and optional mezzanine card
port.
The Server–Assigned column displays the server–assigned WWN/MAC
addresses embedded in the controller's hardware. WWN/MAC addresses
showing N/A indicate that an interface for the specified fabric is not installed.
The Chassis–Assigned column displays the chassis–assigned WWN/MAC
addresses used for the particular slot. WWN/MAC addresses showing N/A
indicate that the FlexAddress feature is not installed. A green check mark in
the Server–Assigned and Chassis–Assigned columns indicates the active
addresses.
To view a list of installed mezzanine cards, the type of mezzanine cards
installed, and if FlexAddress is configured, click System → Properties →
Summary.
FlexAddress MAC for iDRAC
The FlexAddress feature replaces the server–assigned MAC addresses with
chassis–assigned MAC addresses and is now implemented for iDRAC along
with blade LOMs, mezzanine cards, and I/O modules. The iDRAC
FlexAddress feature supports preservation of the slot specific MAC address
for iDRACs in a chassis. The chassis–assigned MAC address is stored in the
CMC non–volatile memory and is sent to iDRAC during iDRAC boot time or
if you change the settings in the CMC FlexAddress page.
If the chassis–assigned MAC address is enabled by CMC, iDRAC displays the
value in the MAC Address field on the System → Remote Access → iDRAC →
Properties tab → Remote Access Information and in the System → Remote
Access → iDRAC → Network/Security → Network page. The MAC address is
also displayed on the System → Properties tab → WWN/MAC page and on the
System → Properties tab → Summary page.
CAUTION: With the FlexAddress enabled, if you switch from the server–assigned
MAC address to a chassis–assigned MAC address or vice–versa, the iDRAC IP
address also changes.
NOTE: You can enable or disable the iDRAC FlexAddress feature only through
CMC. iDRAC GUI only reports the status. Any existing vKVM or vMedia session
terminates if the FlexAddress setting is changed in the CMC FlexAddress page.
Enabling FlexAddress through RACADM
You cannot enable FlexAddress using racadm setflexaddr -f idrac 1, where
idrac is one of the supported fabric names. Without the fabric name option
(-f), however, you can enable FlexAddress at the slot level using the
following CMC command:
racadm setflexaddr -i <slot_no> 1
Then enable FlexAddress at the fabric level by executing the following CMC
RACADM command:
racadm setflexaddr -f <fabric_name> 1
See the Dell Chassis Management Controller Administrator Reference Guide
for more information on CMC RACADM subcommands.
Updating the iDRAC Firmware
Updating the iDRAC firmware installs a new firmware image in the iDRAC
flash memory. iDRAC supports one-to-many firmware updates through the
CMC in normal mode, not only when recovering corrupted firmware. You can
update the firmware using any of the following methods:
• SM-CLP load command
• iDRAC Web interface
• Dell Update Package (for Linux or Microsoft Windows)
• DOS iDRAC Firmware update utility
• CMC Web interface (use this method if the iDRAC firmware is corrupted,
  or if you want to perform one-to-many updates with CMC 2.0 or later
  firmware. See your Dell Chassis Management Controller User Guide for
  more information.)
Downloading the iDRAC Firmware or Update Package
Download the firmware from support.dell.com. The firmware image is
available in several different formats to support the different update methods
available.
To update the iDRAC firmware using the iDRAC Web interface or SM-CLP,
or to recover the iDRAC using the CMC Web interface, download the binary
image, packaged as a self-extracting archive.
To update the iDRAC firmware from the managed server, download the
operating system-specific Dell Update Package (DUP) for the operating
system running on the server whose iDRAC you are updating.
To update the iDRAC firmware using the DOS iDRAC Firmware update
utility, download both the update utility and the binary image, which are
packaged in self-extracting archive files.
Executing the Firmware Update
NOTE: When the iDRAC firmware update begins, all existing iDRAC sessions are
disconnected and new sessions are not permitted until the update process is
completed.
NOTE: The chassis fans run at 100% during the iDRAC firmware update. When the
update is complete, normal fan speed regulation resumes. This is normal behavior,
designed to protect the server from overheating during a time when it cannot send
sensor information to the CMC.
To use a Dell Update Package for Linux or Microsoft Windows, execute the
operating system-specific DUP on the managed server.
When using the SM-CLP load command, place the firmware binary image in
a directory where a Trivial File Transfer Protocol (TFTP) server can transfer it
to the iDRAC. See "Updating the iDRAC Firmware Using SM-CLP" on
page 234.
When using the iDRAC Web interface or the CMC Web interface, place the
firmware binary image on a disk that is accessible to the management station
from which you are running the Web interface. See "Updating the iDRAC
Firmware" on page 102.
NOTE: The iDRAC Web interface also allows you to reset the iDRAC configuration
to the factory defaults.
You must use the CMC Web interface to update the firmware when the
CMC detects that the iDRAC firmware is corrupted, as could occur if the
iDRAC firmware update progress is interrupted before it completes. See
"Recovering iDRAC Firmware Using the CMC" on page 103.
The CMC Web interface (CMC 2.0 or later) also provides a one-to-many
out-of-band iDRAC firmware update capability that can be used at any time.
NOTE: After the CMC updates the firmware of the iDRAC, the iDRAC generates
new SHA1 and MD5 keys for the SSL certificate. Because the keys are different
from those in the open Web browser, all browser windows that are connected to
the iDRAC must be closed after the firmware update is complete. If the browser
windows are not closed, an Invalid Certificate error message is displayed.
NOTE: If you are backdating your iDRAC firmware from version 1.20 to an earlier
version, you must delete the existing Internet Explorer ActiveX browser plugin on
any Windows-based management station to allow the firmware to install a
compatible version of the ActiveX plugin. To delete the ActiveX plugin, navigate to
c:\WINNT\Downloaded Program Files and delete the file DELL IMC KVM Viewer.
Using the DOS Update Utility
To update the iDRAC firmware using the DOS update utility, boot the
managed server to DOS, and execute the idrac16d command. The syntax for
the command is:
idrac16d [-f] [-i=<filename>] [-l=<logfile>]
When executed with no options, the idrac16d command updates the iDRAC
firmware using the firmware image file firmimg.imc in the current directory.
The options are as follows:
-f — forces the update. The -f option can be used to downgrade the
firmware to an earlier image.
-i=<filename> — specifies the name of the file that contains the
firmware image. This option is required if the firmware filename has been
changed from the default name firmimg.imc.
-l=<logfile> — logs output from the update activity. This option is used
for debugging.
CAUTION: If you enter incorrect arguments for the idrac16d command or supply
the -h option, you may notice an additional option, -nopresconfig, in the
usage output. This option is used to update the firmware without preserving any
configuration information. You should not use this option unless explicitly told to
do so by a Dell Support representative because it deletes all of your existing
iDRAC configuration information such as IP addresses, users, and passwords.
Verifying the Digital Signature
A digital signature is used to authenticate the identity of the signer of a file
and to certify that the original content of the file has not been modified since
it was signed.
If you do not already have it installed on your system, you must install the
Gnu Privacy Guard (GPG) to verify a digital signature. To use the standard
verification procedure, perform the following steps:
1. Download the Dell Linux public GnuPG key, if you do not already have it,
   by navigating to lists.us.dell.com and clicking the Dell Public GPG key
   link. Save the file to your local system. The default name is
   linux-security-publickey.txt.
2. Import the public key to your gpg trust database by running the following
   command:
   gpg --import <Public Key Filename>
   NOTE: You must have your private key to complete the process.
3. To avoid a distrusted-key warning, change the trust level for the Dell
   Public GPG key.
   a. Type the following command:
      gpg --edit-key 23B66A9D
   b. Within the GPG key editor, type fpr. The following message appears:
      pub 1024D/23B66A9D 2001-04-16 Dell, Inc. (Product Group) <linux-security@dell.com>
      Primary key fingerprint: 4172 E2CE 955A 1776 A5E6 1BB7 CA77 951D 23B6 6A9D
      If the fingerprint of your imported key is the same as above, you have a
      correct copy of the key.
   c. While still in the GPG key editor, type trust. The following menu
      appears:
      Please decide how far you trust this user to
      correctly verify other users' keys (by looking
      at passports, checking fingerprints from
      different sources, etc.)
      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu
      Your decision?
   d. Type 5 <Enter>. The following prompt appears:
      Do you really want to set this key to ultimate trust? (y/N)
   e. Type y <Enter> to confirm your choice.
   f. Type quit <Enter> to exit the GPG key editor.
   You must import and validate the public key only once.
4. Obtain the package you need (for example, the Linux DUP or
   self-extracting archive) and its associated signature file from the Dell
   Support website at support.dell.com/support/downloads.
   NOTE: Each Linux Update Package has a separate signature file, which is
   shown on the same web page as the Update Package. You need both the
   Update Package and its associated signature file for verification. By default,
   the signature file is named the same as the DUP filename with a .sign
   extension. For example, if a Linux DUP is named PEM600_BIOS_LX_2.1.2.BIN,
   its signature filename is PEM600_BIOS_LX_2.1.2.BIN.sign. The iDRAC
   firmware image also has an associated .sign file, which is included in the
   self-extracting archive with the firmware image. To download the files,
   right-click on the download link and use the Save Target As… file option.
5. Verify the Update Package:
   gpg --verify <Linux Update Package signature filename> <Linux Update Package filename>
The following example illustrates the steps that you follow to verify a
PowerEdge M600 BIOS Update Package:
1. Download the following two files from support.dell.com:
   • PEM600_BIOS_LX_2.1.2.BIN.sign
   • PEM600_BIOS_LX_2.1.2.BIN
2. Import the public key by running the following command line:
   gpg --import <linux-security-publickey.txt>
   The following output message appears:
   gpg: key 23B66A9D: "Dell Computer Corporation (Linux Systems Group) <linux-security@dell.com>" not changed
   gpg: Total number processed: 1
   gpg: unchanged: 1
3. Set the GPG trust level for the Dell public key, if you haven't done so
   previously.
   a. Type the following command:
      gpg --edit-key 23B66A9D
   b. At the command prompt, type the following commands:
      fpr
      trust
   c. Type 5 <Enter> to choose I trust ultimately from the menu.
   d. Type y <Enter> to confirm your choice.
   e. Type quit <Enter> to exit the GPG key editor.
   This completes validation of the Dell public key.
4. Verify the PEM600 BIOS package digital signature by running the
   following command:
   gpg --verify PEM600_BIOS_LX_2.1.2.BIN.sign PEM600_BIOS_LX_2.1.2.BIN
The following output message appears:
gpg: Signature made Fri Jul 11 15:03:47 2008 CDT using DSA key ID 23B66A9D
gpg: Good signature from "Dell, Inc. (Product Group) <linux-security@dell.com>"
NOTE: If you have not validated the key as shown in step 3, you will receive
additional messages:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4172 E2CE 955A 1776 A5E6 1BB7 CA77 951D 23B6 6A9D
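The verification procedure above, as an added shell example that is not part of the Dell guide: it reads gpg's machine-readable status output and accepts a package only when the signature is good and was made by the key whose fingerprint the guide prints, so a good signature from any other imported key is rejected. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Dell's code): fingerprint-pinned check of a detached signature.
# Function names are hypothetical; the fingerprint is the one printed in this guide.

DELL_FPR="4172 E2CE 955A 1776 A5E6 1BB7 CA77 951D 23B6 6A9D"

# normalize_fpr FPR: strip spaces and upper-case the hex digits, so a fingerprint
# can be pasted exactly as the gpg key editor prints it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status FPR: read `gpg --status-fd` lines on stdin and succeed only if
#   - gpg reported GOODSIG,
#   - a VALIDSIG line names FPR as the signing key or as its primary key, and
#   - no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line is present
#     (gpg can emit VALIDSIG for an expired or revoked key, so it is not enough alone).
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_dup SIGNATURE_FILE PACKAGE_FILE: run gpg and apply the pinned check.
verify_dup() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$DELL_FPR"
}

# Constructed sample status output (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CA77951D23B66A9D Dell, Inc. (Product Group) <linux-security@dell.com>
[GNUPG:] VALIDSIG 4172E2CE955A1776A5E61BB7CA77951D23B66A9D 2008-07-11 1215806627 0 3 0 17 2 00 4172E2CE955A1776A5E61BB7CA77951D23B66A9D'

# Constructed: a good signature, but made by a different key in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-07-11 1215806627 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: the package was modified after signing.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CA77951D23B66A9D Dell, Inc. (Product Group) <linux-security@dell.com>'

# selftest: exercise check_status on the constructed samples; returns 0 if all behave.
selftest() {
    printf '%s\n' "$SAMPLE_GOOD" | check_status "$DELL_FPR" || return 1
    if printf '%s\n' "$SAMPLE_OTHER_KEY" | check_status "$DELL_FPR"; then return 1; fi
    if printf '%s\n' "$SAMPLE_BAD" | check_status "$DELL_FPR"; then return 1; fi
    return 0
}

# Script entry point: sh verify_dup.sh <signature file> <package file>
if [ "$#" -eq 2 ]; then
    if verify_dup "$1" "$2"; then
        echo "OK: good signature from the pinned key"
    else
        echo "FAIL: signature missing, invalid, or not from the pinned key" >&2
        exit 1
    fi
fi
```

Run it with the .sign file first and the package second, the same argument order as gpg --verify in step 5.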
Clear Your Browser’s Cache
To be able to use the features in the latest iDRAC, you must clear the
browser’s cache to remove/delete any old web pages that may be stored on the
system.
Internet Explorer
1. Start Internet Explorer.
2. Click Tools, and then click Internet Options.
   The Internet Options window appears.
3. Click the General tab.
4. Under Temporary Internet files, click Delete Files.
   The Delete Files window appears.
5. Click to check Delete all offline content, and then click OK.
6. Click OK to close the Internet Options window.
Firefox
1. Start Firefox.
2. Click Edit → Preferences.
3. Click the Privacy tab.
4. Click Clear Cache Now.
5. Click Close.
Configuring iDRAC for Use with IT Assistant
Dell™ OpenManage™ IT Assistant comes preconfigured to discover managed
devices that comply with Simple Network Management Protocol (SNMP)
version 1 and version 2c and Intelligent Platform Management Interface
(IPMI) version 2.0.
The iDRAC complies with IPMI version 2.0. This section describes the steps
to configure an iDRAC for discovery and monitoring by IT Assistant. There
are two ways to accomplish this: through the iDRAC Configuration Utility
and through the iDRAC's graphical Web interface.
Using the iDRAC Configuration Utility to Enable Discovery and Monitoring
To set up an iDRAC for IPMI discovery and alert trap sending at the iDRAC
configuration utility level, you need to restart your managed server (blade)
and observe its power-up using the iKVM and either a remote monitor and
console keyboard or a Serial-Over-LAN (SOL) connection. When Press
<Ctrl-E> for Remote Access Setup is displayed, press
<Ctrl><E>.
When the iDRAC Configuration Utility screen appears, use the arrow keys
to scroll down.
1. Enable IPMI over LAN.
2. Enter your site's RMCP+ Encryption Key, if used.
   NOTE: See your senior Network Administrator or CIO to discuss implementing
   this option because it adds valuable security protection and must be
   implemented site wide in order to function properly.
3. At LAN Parameters, press <Enter> to enter the sub-screen. Use the
   up-arrow and down-arrow keys to navigate.
4. Toggle LAN Alert Enabled to On using the spacebar.
5. Enter the IP address of your Management Station into Alert Destination 1.
6. Enter a name string into iDRAC Name with a consistent naming
   convention across your data center. The default is iDRAC-{Service Tag}.
Exit the iDRAC Configuration Utility by pressing <Esc>, <Esc>, and then
<Enter> to save your changes. Your server will now boot into normal
operation, and IT Assistant will discover it during the next scheduled
Discovery pass.
Using the iDRAC Web Interface to Enable Discovery and Monitoring
IPMI Discovery can also be enabled through the remote Web Interface:
1. Enter the IP address of your iDRAC into your browser.
2. Log in using a user name and password with Administrator rights.
3. Select iDRAC → Network/Security → Network.
4. Scroll down to IPMI LAN Settings.
5. Make sure Enable IPMI over LAN is selected.
6. Set Channel Privilege Level Limit to Administrator.
7. Enter your site's RMCP+ Encryption Key, if used.
8. Click Apply, if needed.
9. Navigate to System → Alert Management → Platform Events.
10. Select Generate Alert for the Event categories for which you wish to set
    traps.
11. Click Apply if you've made changes.
12. Click Trap Settings.
13. Enter the IP address of your Management Station in the first available
    Destination IP Address textbox.
14. Make sure the Enabled box is selected.
15. Click Apply if you've made changes.
You can now send a test trap by clicking the Send link.
Dell highly recommends that for security purposes you create a separate user
account for IPMI commands with its own user name, IPMI over LAN
privileges, and password.
1. Navigate to iDRAC → Network/Security → Users.
2. Click on the number of an undefined User.
3. Enable the User and enter a Name and Password.
4. Make sure Maximum LAN User Privilege Granted is set to Administrator.
5. Click Apply to save your changes.
Using the Dell IT Assistant to View iDRAC Status and Events
After Discovery is complete, the iDRACs will show up in the Servers category
of the ITA Devices detail screen, and iDRAC information can be seen by
clicking on the iDRAC name. This is different than DRAC5 systems, where
the management card shows up in the RAC group. This is due to the fact that
iDRAC uses IPMI discovery as opposed to SNMP.
iDRAC error and warning traps can now be seen in the primary Alert Log of
IT Assistant. They will show up in the Unknown category, but the trap
description and severity will be accurate.
For more information on using IT Assistant to manage your data center,
please read the IT Assistant User's Guide.
Configuring the Management Station
A management station is a computer used to monitor and manage the Dell™
PowerEdge™ servers and other modules in the chassis. This section describes
software installation and configuration tasks that set up a management
station to work with the iDRAC. Before you begin configuring the iDRAC,
follow the procedures in this section to ensure that you have installed and
configured the tools you will need.
Management Station Set Up Steps
To set up your Management Station, perform the following steps:
1. Set up the management station network.
2. Install and configure a supported Web browser.
3. Install a Java Runtime Environment (JRE) (optional for Windows).
4. Install telnet or SSH clients, if required.
5. Install a TFTP server, if required.
6. Install Dell OpenManage™ IT Assistant (optional).
Management Station Network Requirements
To access the iDRAC, the management station must be on the same network
as the CMC RJ45 connection port labelled "GB1". It is possible to isolate the
CMC network from the network the managed server is on, so that your
management station may have LAN access to the iDRAC but not to the
managed server.
Using the iDRAC console redirection feature (see "Configuring and Using
Serial Over LAN" on page 145), you can access the managed server’s console
even if you do not have network access to the server’s ports. You can also
perform several management functions on the managed server, such as
rebooting the computer and using iDRAC facilities. To access network and
application services hosted on the managed server, however, you may need an
additional NIC in the management computer.
Configuring a Supported Web Browser
The following sections provide instructions for configuring the supported
Web browsers for use with the iDRAC Web interface.
NOTE: You may receive a message "A webpage is not responding on the following
website: <Web site name>" in Internet Explorer® 8.0. To resolve this issue, see:
http://blogs.msdn.com/ie/archive/2009/05/04/ie8-in-windows-7-rc-reliability-and-telemetry.aspx
and http://support.microsoft.com/?kbid=970858.
Opening Your Web Browser
The iDRAC Web Interface is designed to be viewed in a supported Web
browser at a minimum screen resolution of 800 pixels wide by 600 pixels high.
In order to view the interface and access all features, ensure that your
resolution is set to at least 800 by 600 pixels and/or resize your browser, as
needed.
NOTE: In some situations, most often during the first session after a firmware
update, users of Internet Explorer 6 may see the message Done, with errors
displayed in the browser status bar along with a partially rendered page in the main
browser window. This error can also occur if you are experiencing connectivity
problems or have the Windows Firewall enabled. These are known issues with
Internet Explorer 6. Because Internet Explorer 7 does not exhibit these issues, Dell
recommends that you upgrade.
Configuring Your Web Browser to Connect to the Web Interface
If you are connecting to the iDRAC Web interface from a management
station that connects to the Internet through a proxy server, you must
configure the Web browser to access the Internet from this server.
To configure the Internet Explorer Web browser to access a proxy server,
perform the following steps:
1. Open a Web browser window.
2. Click Tools, and click Internet Options.
   The Internet Options window appears.
3. Select Tools → Internet Options → Security → Local Network (Internet
   Explorer 7) -or- Local Intranet (Internet Explorer 6).
4. Click Custom Level.
5. Select Medium-Low from the drop-down menu, and click Reset. Click OK
   to confirm. You will need to re-enter the Custom Level dialog by
   clicking its button.
6. Scroll down to the section labeled ActiveX controls and plug-ins, and
   check each setting, as different versions of Internet Explorer have differing
   settings in Medium-Low state:
   Automatic prompting for ActiveX controls: Enable
   Binary and script behaviors: Enable
   Download signed ActiveX controls: Prompt
   Initialize and script ActiveX controls not marked as safe: Prompt
   Run ActiveX controls and plug-ins: Enable
   Script ActiveX controls marked safe for scripting: Enable
   In the section on Downloads:
   Automatic prompting for file downloads: Enable
   File download: Enable
   Font download: Enable
   In the Miscellaneous section:
   Allow META-REFRESH: Enable
   Allow scripting of Internet Explorer Web browser control: Enable
   Allow script-initiated windows without size or position constraints: Enable
   Don't prompt for client certificate selection when no certificates or
   only one certificate exists: Enable
   Launching programs and files in an IFRAME: Enable
   Open files based on content, not file extension: Enable
   Software channel permissions: Low safety
   Submit nonencrypted form data: Enable
   Use Pop-up Blocker: Disable
   In the Scripting section:
   Active scripting: Enable
   Allow paste operations via script: Enable
   Scripting of Java applets: Enable
7. Select Tools → Internet Options → Advanced.
8. Make sure the following items are checked or unchecked:
   In the Browsing section:
   Always send URLs as UTF-8: checked
   Disable script debugging (Internet Explorer): checked
   Disable script debugging: (Other): checked
   Display a notification about every script error: unchecked
   Enable Install On demand (Other): checked
   Enable page transitions: checked
   Enable third-party browser extensions: checked
   Reuse windows for launching shortcuts: unchecked
   In the HTTP 1.1 settings section:
   Use HTTP 1.1: checked
   Use HTTP 1.1 through proxy connections: checked
   In the Java (Sun) section:
   Use JRE 1.6.x_yz: checked (optional; version may differ)
   In the Multimedia section:
   Enable automatic image resizing: checked
   Play animations in web pages: checked
   Play videos in web pages: checked
Show pictures: checked
   In the Security section:
   Check for publishers' certificate revocation: unchecked
   Check for signatures on downloaded programs: checked
   Use SSL 2.0: unchecked
   Use SSL 3.0: checked
   Use TLS 1.0: checked
   Warn about invalid site certificates: checked
   Warn if changing between secure and not secure mode: checked
   Warn if forms submittal is being redirected: checked
   NOTE: If you choose to alter any of the above settings, first understand the
   consequences of doing so. For example, if you choose to block pop-ups,
   portions of the iDRAC Web User Interface will not function properly.
9. Click Apply.
10. Click OK.
11. Select the Connections tab.
12. Under Local Area Network (LAN) settings, click LAN Settings.
13. If the Use a proxy server box is selected, select the Bypass proxy server for
    local addresses box.
14. Click OK twice.
15. Close and restart your browser to make sure all changes take effect.
Adding iDRAC to the List of Trusted Domains
When you access the iDRAC Web interface through the Web browser, you
may be prompted to add the iDRAC IP address to the list of trusted domains
if the IP address is missing from the list. When completed, click Refresh or
relaunch the Web browser to establish a connection to the iDRAC Web
interface.
Viewing Localized Versions of the Web Interface
The iDRAC Web interface is supported on the following operating system
languages:
English (en-us)
French (fr)
German (de)
Spanish (es)
Japanese (ja)
Simplified Chinese (zh-cn)
The ISO identifiers in parentheses denote the specific language variants
which are supported. Use of the interface with other dialects or languages is
not supported and may not function as intended. For some supported
languages, resizing the browser window to 1024 pixels wide may be necessary
in order to view all features.
The iDRAC Web Interface is designed to work with localized keyboards for
the specific language variants listed above. Some features of the iDRAC Web
Interface, such as Console Redirection, may require additional steps to access
certain functions/letters. For more details on how to use localized keyboards
in these situations, see "Using the Video Viewer" on page 174. Use of other
keyboards is not supported and may cause unexpected problems.
NOTE: See the browser documentation on how to configure or set up different
languages and view localized versions of the iDRAC Web interface.
Setting the Locale in Linux
The console redirection viewer requires a UTF-8 character set to display
correctly. If your display is garbled, check your locale and reset the character
set if needed.
The following steps show how to set the character set on a Red Hat®
Enterprise Linux® client with a Simplified Chinese GUI:
1. Open a command terminal.
2. Type locale and press <Enter>. Output similar to the following output
   appears:
LANG=zh_CN.UTF-8
LC_CTYPE="zh_CN.UTF-8"
LC_NUMERIC="zh_CN.UTF-8"
LC_TIME="zh_CN.UTF-8"
LC_COLLATE="zh_CN.UTF-8"
LC_MONETARY="zh_CN.UTF-8"
LC_MESSAGES="zh_CN.UTF-8"
LC_PAPER="zh_CN.UTF-8"
LC_NAME="zh_CN.UTF-8"
LC_ADDRESS="zh_CN.UTF-8"
LC_TELEPHONE="zh_CN.UTF-8"
LC_MEASUREMENT="zh_CN.UTF-8"
LC_IDENTIFICATION="zh_CN.UTF-8"
LC_ALL=
3. If the values include "zh_CN.UTF-8", no changes are required. If the
   values do not include "zh_CN.UTF-8", go to step 4.
4. Edit the /etc/sysconfig/i18n file with a text editor.
5. In the file, apply the following changes:
   Current entry:
   LANG="zh_CN.GB18030"
   SUPPORTED="zh_CN.GB18030:zh_CH.GB2312:zh_CN:zh"
   Updated entry:
   LANG="zh_CN.UTF-8"
   SUPPORTED="zh_CN.UTF-8:zh_CN.GB18030:zh_CH.GB2312:zh_CN:zh"
6. Log out and then log in to the operating system.
When you switch from any other language, ensure that this fix is still valid. If
not, repeat this procedure.
Disabling the Whitelist Feature in Firefox
Firefox® has a "whitelist" security feature that requires user permission to
install plugins for each distinct site that hosts a plugin. If enabled, the
whitelist feature requires you to install a console redirection viewer for each
iDRAC you visit, even though the viewer versions are identical.
To disable the whitelist feature and avoid unnecessary plugin installations,
perform the following steps:
1. Open a Firefox Web browser window.
2. In the address field, type about:config and press <Enter>.
3. In the Preference Name column, locate and double-click
   xpinstall.whitelist.required.
   The values for Preference Name, Status, Type, and Value change to bold
   text. The Status value changes to user set and the Value value changes to
   false.
4. In the Preference Name column, locate xpinstall.enabled.
   Ensure that Value is true. If not, double-click xpinstall.enabled to set
   Value to true.
Installing a Java Runtime Environment (JRE)
NOTE: If you use the Internet Explorer browser, an ActiveX control is provided for
the console viewer. You can also use the Java console viewer with Internet
Explorer if you install a JRE and configure the console viewer in iDRAC web
interface before you launch the viewer. See "Configuring Console Redirection in the
iDRAC Web Interface" on page 169 for more information.
You can choose to use the Java viewer instead before you launch the viewer.
If you use the Firefox browser you must install a JRE (or a Java Development
Kit [JDK]) to use the console redirection feature. The console viewer is a Java
application that is downloaded to the management station from the iDRAC
Web interface and then launched with Java Web Start on the management
station.
Go to java.sun.com to install a JRE or JDK. Version 1.6 (Java 6.0) or higher is
recommended.
The Java Web Start program is automatically installed with the JRE or JDK.
The file jviewer.jnlp is downloaded to your desktop and a dialog box prompts
you for what action to take. It may be necessary to associate the .jnlp
extension type with the Java Web Start application in your browser.
Otherwise, click Open with and then select the javaws application, which is
located in the bin subdirectory of your JRE installation directory.
NOTE: If the .jnlp file type is not associated with Java Web Start after installing JRE
or JDK, you can set the association manually. For Windows (javaws.exe) click
Start → Control Panel → Appearance and Themes → Folder Options. Under the File
Types tab, highlight .jnlp under Registered file types, and then click Change. For
Linux (javaws), start Firefox, and click Edit → Preferences → Downloads, and then
click View and Edit Actions.
For Linux, once you have installed either JRE or JDK, add a path to the Java
bin directory to the front of your system PATH. For example, if Java is
installed in /usr/java, add the following line to your local .bashrc or
/etc/profile:
PATH=/usr/java/bin:$PATH; export PATH
NOTE: There may already be PATH-modification lines in the files. Ensure that the
path information you enter does not create conflicts.
Installing Telnet or SSH Clients
By default, the iDRAC telnet service is disabled and the SSH service is
enabled. Since telnet is an insecure protocol, you should use it only if you
cannot install an SSH client or your network connection is otherwise secured.
NOTE: There can be only one active telnet or SSH connection to the iDRAC at a
time. When there is an active connection, other connection attempts are denied.
Telnet with iDRAC
Telnet is included in Microsoft® Windows® and Linux operating systems and
can be run from a command shell. You may also choose to install a
commercial or freely available telnet client with more convenience features
than the standard version included with your operating system.
If your management station is running Windows XP or Windows 2003, you
may experience an issue with the characters in an iDRAC telnet session. This
issue may occur as a frozen login where the return key does not respond and
the password prompt does not appear.
To fix this issue, download hotfix 824810 from the Microsoft Support website
at support.microsoft.com. See Microsoft Knowledge Base article 824810 for
more information.
Configuring the Backspace Key For Your Telnet Session
Depending on the telnet client, using the <Backspace> key may produce
unexpected results. For example, the session may echo ^h. However, most
Microsoft and Linux telnet clients can be configured to use the
<Backspace> key.
To configure Microsoft telnet clients to use the <Backspace> key, perform
the following steps:
1. Open a command prompt window (if required).
2. If you are not running a telnet session, type:
   telnet
   If you are running a telnet session, press <Ctrl><]>.
3. At the prompt, type:
   set bsasdel
   The following message appears:
   Backspace will be sent as delete.
To configure a Linux telnet session to use the <Backspace> key, perform the
following steps:
1. Open a shell and type:
   stty erase ^h
2. At the prompt, type:
   telnet
SSH With iDRAC
Secure Shell (SSH) is a command line connection with the same capabilities
as a telnet session, but with session negotiation and encryption to improve
security. The iDRAC supports SSH version 2 with password authentication.
SSH is enabled by default on the iDRAC.
You can use PuTTY or OpenSSH on a management station to connect to the
managed server’s iDRAC. When an error occurs during the login procedure,
the ssh client issues an error message. The message text is dependent on the
client and is not controlled by the iDRAC.
NOTE: OpenSSH should be run from a VT100 or ANSI terminal emulator on
Windows. Running OpenSSH at the Windows command prompt does not result in
full functionality (that is, some keys do not respond and no graphics are displayed).
Only one telnet or SSH session is supported at any given time. The session
timeout is controlled by the cfgSsnMgtSshIdleTimeout property as
described in "iDRAC Property Database Group and Object Definitions" on
page 313.
The iDRAC SSH implementation supports multiple cryptography schemes,
as shown in Table 3-1.
NOTE: SSHv1 is not supported.
Table 3-1. Cryptography Schemes
Scheme Type                Scheme
Asymmetric Cryptography    Diffie-Hellman DSA/DSS 512-1024 (random)
                           bits per NIST specification
Symmetric Cryptography     AES256-CBC
                           RIJNDAEL256-CBC
                           AES192-CBC
                           RIJNDAEL192-CBC
                           AES128-CBC
                           RIJNDAEL128-CBC
                           BLOWFISH-128-CBC
                           3DES-192-CBC
                           ARCFOUR-128
Message Integrity          HMAC-SHA1-160
                           HMAC-SHA1-96
                           HMAC-MD5-128
                           HMAC-MD5-96
Authentication             Password
Installing a TFTP Server
NOTE: If you use only the iDRAC Web interface to transfer SSL certificates and
upload new iDRAC firmware, no TFTP server is required.
Trivial File Transfer Protocol (TFTP) is a simplified form of the File Transfer
Protocol (FTP). It is used with the SM-CLP and RACADM command line
interfaces to transfer files to and from the iDRAC.
The only times when you need to copy files to or from the iDRAC are when
you update the iDRAC firmware or install certificates on the iDRAC. If you
choose to use SM-CLP or RACADM when you perform these tasks, a TFTP
server must be running on a computer the iDRAC can access by IP number or
DNS name.
You can use the netstat -a command on Windows or Linux operating systems
to see if a TFTP server is already listening. Port 69 is the TFTP default port. If
no server is running, you have the following options:
Find another computer on the network running a TFTP service
If you are using Linux, install a TFTP server from your distribution
If you are using Windows, install a commercial or free TFTP server
Installing Dell OpenManage IT Assistant
Your system includes the Dell OpenManage System Management Software
Kit. This kit includes, but is not limited to, the following components:
Dell Systems Management Tools and Documentation DVD — Contains all
the latest Dell systems management console products, including Dell
OpenManage IT Assistant; provides the tools you need to configure your
system and delivers firmware, diagnostics, and Dell-optimized drivers for
your system; and helps you stay current with documentation for systems,
systems management software products, peripherals, and RAID
controllers.
Dell Support website and Readme files — Check Readme files and the
Dell Support website at support.dell.com for the most recent information
about your Dell products.
Use the Dell Systems Management Tools and Documentation DVD to install the
management console software, including Dell OpenManage IT Assistant, on
the management station. For instructions on installing this software, see your
Quick Installation Guide.
Configuring the Managed Server
This section describes tasks to set up the managed server to enhance your
remote management capabilities. These tasks include installing the Dell™
OpenManage™ Server Administrator software and configuring the managed
server to capture the last crash screen.
Installing the Software on the Managed Server
The Dell management software includes the following features:
Local RACADM CLI — allows you to configure and administer the
iDRAC from the managed system. It is a powerful tool for scripting
configuration and management tasks.
Server Administrator is required to use the iDRAC last crash screen
feature.
Server Administrator — a Web interface that allows you to administer the
remote system from a remote host on the network.
Server Administrator Instrumentation Service — provides access to
detailed fault and performance information gathered by industry-standard
systems management agents and allows remote administration of
monitored systems, including shutdown, startup, and security.
Server Administration Storage Management Service — provides storage
management information in an integrated graphical view.
Server Administrator Logs — displays logs of commands issued to or by
the system, monitored hardware events, POST events, and system alerts.
You can view logs on the home page, print or save them as reports, and
send them by e-mail to a designated service contact.
Use the Dell Systems Management Tools and Documentation DVD to install
Server Administrator.
For instructions on installing this software, see your Quick Installation Guide.
Configuring the Managed Server to Capture the Last Crash Screen
The iDRAC can capture the last crash screen so that you can view it in the
Web interface to help troubleshoot the cause of the managed system crash.
Follow these steps to enable the last crash screen feature.
1. Install Dell OpenManage Server Administrator. For more information
   about installing Server Administrator, see the Dell OpenManage Server
   Administrator User's Guide.
2. If you are running a Microsoft® Windows® operating system, ensure that
   the Automatically Reboot feature is deselected in the Windows Startup
   and Recovery Settings. See "Disabling the Windows Automatic Reboot
   Option" on page 69.
3. Enable the Last Crash Screen (disabled by default) in the iDRAC Web
   interface.
   To enable the Last Crash Screen, click System → Remote Access → iDRAC →
   Network/Security → Services, then select the Enabled check box under the
   Automated System Recovery Agent heading.
   To enable the Last Crash Screen using local RACADM, open a command
   prompt on the managed system and type the following command:
   racadm config -g cfgRacTuning -o cfgRacTuneAsrEnable 1
4. In the Server Administrator Web-based interface, enable the Auto
   Recovery timer and set the Auto Recovery action to Reset, Power Off, or
   Power Cycle.
   For information about how to configure the Auto Recovery timer, see the
   Dell OpenManage Server Administrator User's Guide. To ensure that the
   last crash screen can be captured, the Auto Recovery timer should be set to
   60 seconds. The default setting is 480 seconds.
   The last crash screen is not available if the Auto Recovery action is set to
   Shutdown or Power Cycle when the managed server is powered off.
Configuring the Managed Server 69
Disabling the Windows Automatic Reboot Option
To ensure that the iDRAC can capture the last crash screen, disable the
Automatic Reboot option on managed servers running Microsoft Windows
Server® or Windows Vista®.
1. Open the Windows Control Panel and double-click the System icon.
2. Click the Advanced tab.
3. Under Startup and Recovery, click Settings.
4. Deselect the Automatically restart check box.
5. Click OK twice.
Configuring the iDRAC Using the Web Interface
The iDRAC provides a Web interface that enables you to configure the
iDRAC properties and users, perform remote management tasks, and
troubleshoot a remote (managed) system for problems. For everyday systems
management, use the iDRAC Web interface. This chapter provides
information about how to perform common systems management tasks with
the iDRAC Web interface and provides links to related information.
Most Web interface configuration tasks can also be performed with local
RACADM commands or with SM-CLP commands.
Local RACADM commands are executed from the managed server. For more
information about local RACADM, see "Using the Local RACADM
Command Line Interface" on page 199.
SM-CLP commands are executed in a shell that can be accessed remotely
with a telnet or SSH connection. For more information about SM-CLP, see
"Using the iDRAC SM-CLP Command Line Interface" on page 223.
Accessing the Web Interface
To access the iDRAC Web interface, perform the following steps:
1. Open a supported Web browser window. See "Supported Web Browsers" on page 28 for more information.
2. In the Address field, type https://<iDRAC-IP-address> and press <Enter>.
   If the default HTTPS port number (port 443) has been changed, type:
   https://<iDRAC-IP-address>:<port-number>
   where iDRAC-IP-address is the IP address for the iDRAC and port-number is the HTTPS port number.
The iDRAC Login window appears.
Logging In
You can log in as either an iDRAC user or as a Microsoft® Active Directory®
user. The default user name and password are root and calvin, respectively.
You must have been granted Login to iDRAC privilege by the administrator
to log in to the iDRAC.
To log in, perform the following steps:
1. In the Username field, type one of the following:
   • Your iDRAC user name.
     The user name for local users is case-sensitive. Examples are root, it_user, or john_doe.
   • Your Active Directory user name.
     Active Directory names can be entered in any of the forms <domain>\<username>, <domain>/<username>, or <user>@<domain>. They are not case-sensitive. Examples are dell.com\john_doe, or JOHN_DOE@DELL.COM.
2. In the Password field, type your iDRAC user password or Active Directory user password. Passwords are case-sensitive.
3. Click OK or press <Enter>.
Logging Out
1. In the upper-right corner of the main window, click Logout to close the session.
2. Close the browser window.
NOTE: The Logout button does not appear until you log in.
NOTE: Closing the browser without gracefully logging out may cause the session
to remain open until it times out. It is strongly recommended that you click the
logout button to end the session; otherwise, the session may remain active until the
session timeout is reached.
NOTE: Closing the iDRAC Web interface within Microsoft Internet Explorer® using
the close button ("x") at the top right corner of the window may generate an
application error. To fix this issue, download the latest Cumulative Security Update
for Internet Explorer from the Microsoft Support website, located at
support.microsoft.com.
CAUTION: If you have opened multiple web GUI sessions either through <Ctrl+T>
or <Ctrl+N> to access the same iDRAC from the same management station, and
then log out of any one session, all the Web GUI sessions will be terminated.
Using Multiple Browser Tabs and Windows
Different versions of Web browsers exhibit different behaviors when opening
new tabs and windows. Microsoft Internet Explorer 6 does not support tabs;
therefore, each browser window opened becomes a new iDRAC Web
interface session. Internet Explorer (IE) 7 and IE 8 have the option to open
tabs as well as windows. Each tab inherits the characteristics of the most
recently opened tab. Press <Ctrl–T> to open a new tab and <Ctrl–N> to
open a new browser window from the active session. You will be logged in
with your already authenticated credentials. Closing any one tab expires all
iDRAC Web interface tabs. Also, if a user logs in with Power User privileges
on one tab, and then logs in as Administrator on another tab, both open tabs
then have Administrator privileges.
Tab behavior in Firefox 2 and Firefox 3 is the same as IE 7 and IE 8; new tabs
are new sessions. Window behavior in Firefox is different. Firefox windows
operate with the same privileges as the latest window opened. For example,
if one Firefox window is open with a Power User logged in and another
window is open with Administrator privileges, both users will now have
Administrator privileges.
Table 5-1. User Privilege Behavior in Supported Browsers
Browser | Tab Behavior | Window Behavior
Microsoft Internet Explorer 6 | Not applicable | New session
Microsoft IE 7 and IE 8 | From latest session opened | New session
Firefox 2 and Firefox 3 | From latest session opened | From latest session opened
Configuring the iDRAC NIC
This section assumes that the iDRAC has already been configured and is
accessible on the network. See "Configure iDRAC Networking" on page 36 for
help with the initial iDRAC network configuration.
Configuring the Network and IPMI LAN Settings
NOTE: You must have Configure iDRAC privilege to perform the following steps.
NOTE: Most DHCP servers require a server to store a client identifier token in its
reservations table. The client (iDRAC, for example) must provide this token during
DHCP negotiation. The iDRAC supplies the client identifier option using a one-byte
interface number (0) followed by a six-byte MAC address.
1. Click System → Remote Access → iDRAC.
2. Click the Network/Security → Network tab to open the Network Configuration page.
   Table 5-2, Table 5-3, and Table 5-4 describe the Network Settings, IPMI LAN Settings, and the VLAN Settings in the Network Configuration page.
3. When you have completed entering the required settings, click Apply.
4. Click the appropriate button to continue. See Table 5-5.
Table 5-2. Network Settings
Setting | Description
Enable NIC | When checked, indicates that the NIC is enabled and activates the remaining controls in this group. When a NIC is disabled, all communication to and from the iDRAC through the network is blocked.
MAC Address | Displays the Media Access Control (MAC) address that uniquely identifies each node in a network. The MAC address cannot be changed.
Use DHCP (For NIC IP Address) | Prompts the iDRAC to obtain an IP address for the NIC from the Dynamic Host Configuration Protocol (DHCP) server. Also deactivates the Static IP Address, Static Subnet Mask, and Static Gateway controls.
Static IP Address | Allows you to enter or edit a static IP address for the iDRAC NIC. To change this setting, deselect the Use DHCP (For NIC IP Address) checkbox.
Static Subnet Mask | Allows you to enter or edit a subnet mask for the iDRAC NIC. To change this setting, first deselect the Use DHCP (For NIC IP Address) checkbox.
Static Gateway | Allows you to enter or edit a static gateway for the iDRAC NIC. To change this setting, first deselect the Use DHCP (For NIC IP Address) checkbox.
Use DHCP to obtain DNS server addresses | Enable DHCP to obtain DNS server addresses by selecting the Use DHCP to obtain DNS server addresses check box. When not using DHCP to obtain the DNS server addresses, provide the IP addresses in the Static Preferred DNS Server and Static Alternate DNS Server fields. NOTE: When the Use DHCP to obtain DNS server addresses checkbox is selected, IP addresses cannot be entered into the Static Preferred DNS Server and Static Alternate DNS Server fields.
Static Preferred DNS Server | Allows the user to enter or edit a static IP address for the preferred DNS server. To change this setting, first deselect the Use DHCP to obtain DNS server addresses check box.
Static Alternate DNS Server | Uses the secondary DNS server IP address when Use DHCP to obtain DNS server addresses is not selected. Enter an IP address of 0.0.0.0 if there is no alternate DNS server.
Register iDRAC on DNS | Registers the iDRAC name on the DNS server.
DNS iDRAC Name | Displays the iDRAC name. The default name is idrac-service_tag, where service_tag is the service tag number of the Dell server. For example: idrac-00002.
Use DHCP for DNS Domain Name | Uses the default DNS domain name. When the box is not selected and the Register iDRAC on DNS option is selected, modify the DNS domain name in the DNS Domain Name field. NOTE: To select the Use DHCP for DNS Domain Name checkbox, also select the Use DHCP (For NIC IP Address) check box.
DNS Domain Name | The default DNS Domain Name is blank. When the Use DHCP for DNS Domain Name check box is selected, this option is grayed out and the field cannot be modified.
Community String | Contains the community string to use in Simple Network Management Protocol (SNMP) alert traps sent from the iDRAC. SNMP alert traps are transmitted by the iDRAC when a platform event occurs. The default is public.
SMTP Server Address | The IP address of the Simple Mail Transfer Protocol (SMTP) server that the iDRAC communicates with to send e-mail alerts when a platform event occurs. The default is 127.0.0.1.
Table 5-3. IPMI LAN Settings
Setting | Description
Enable IPMI Over LAN | When checked, indicates that the IPMI LAN channel is enabled.
Channel Privilege Level Limit | Configures the maximum privilege level, for the user, that can be accepted on the LAN channel. Select one of the following options: Administrator, Operator, or User. The default is Administrator.
Encryption Key | Configures the encryption key: 0 to 20 hexadecimal characters (with no blanks allowed).
Table 5-4. VLAN Settings
Setting | Description
Enable VLAN ID | Yes—Enabled. No—Disabled. If enabled, only matched Virtual LAN (VLAN) ID traffic is accepted. NOTE: The VLAN settings can only be configured through the CMC Web Interface. iDRAC displays only the current enablement status and you cannot modify the settings in this screen. See the Dell Chassis Management Controller User Guide for more information.
VLAN ID | VLAN ID field of 802.1Q fields. Displays a value from 1 to 4094 except 4001 to 4020.
Priority | Priority field of 802.1Q fields. This is used to identify the priority of the VLAN ID and displays a value from 0 to 7 for the VLAN Priority.
Table 5-5. Network Configuration Page Buttons
Button | Description
Advanced Settings | Opens the Network Security page, allowing you to enter IP range, and IP blocking attributes.
Print | Prints the Network Configuration values that appear on the screen.
Refresh | Reloads the Network Configuration page.
Apply | Saves any new settings made to the Network Configuration page. NOTE: Changes to the NIC IP address settings will close all user sessions and require users to reconnect to the iDRAC Web interface using the updated IP address settings. All other changes will require the NIC to be reset, which may cause a brief loss in connectivity.
Configuring IP Filtering and IP Blocking
NOTE: You must have Configure iDRAC permission to perform the following steps.
1. Click System → Remote Access → iDRAC and then click the Network/Security tab to open the Network Configuration page.
2. Click Advanced Settings to configure the network security settings.
   Table 5-6 describes the Network Security page settings.
3. When you have finished configuring the settings, click Apply.
4. Click the appropriate button to continue. See Table 5-7.
Table 5-6. Network Security Page Settings
Settings | Description
IP Range Enabled | Enables the IP Range checking feature, which defines a range of IP addresses that can access the iDRAC.
IP Range Address | Determines the acceptable IP subnet address. The default is 192.168.1.0.
IP Range Subnet Mask | Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1's with a single transition to all zeros in the lower-order bits. The default is 255.255.255.0.
IP Blocking Enabled | Enables the IP address blocking feature, which limits the number of failed login attempts from a specific IP address for a pre-selected time span.
IP Blocking Fail Count | Sets the number of login failures attempted from an IP address before the login attempts are rejected from that address. The default is 10.
IP Blocking Fail Window | Determines the time span in seconds within which IP Block Fail Count failures must occur to trigger the IP Block Penalty Time. The default is 3600.
IP Blocking Penalty Time | The time span in seconds that login attempts from an IP address with excessive failures are rejected. The default is 3600.
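The following Python sketch is an added illustration, not code from the iDRAC firmware or from Dell's tools. It models how the Table 5-6 settings interact: the netmask rule, the IP Range check, and the IP Blocking counters with their documented defaults. The function and class names are hypothetical, and the sliding-window counting is an assumption; the firmware's exact counting may differ.

```python
"""Model of the Network Security settings in Table 5-6 (added example)."""
import ipaddress
from collections import defaultdict, deque


def is_valid_netmask(mask: str) -> bool:
    """True if the mask is all 1 bits followed by all 0 bits (Table 5-6 rule)."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    # A contiguous mask, inverted, has the form 2**n - 1, so adding 1
    # leaves no bit in common with it.
    return (inverted & (inverted + 1)) == 0


def in_ip_range(client: str, range_addr: str, range_mask: str) -> bool:
    """Assumed check: client and range address agree on every masked bit."""
    if not is_valid_netmask(range_mask):
        raise ValueError(f"non-contiguous subnet mask: {range_mask}")
    mask = int(ipaddress.IPv4Address(range_mask))
    client_bits = int(ipaddress.IPv4Address(client)) & mask
    range_bits = int(ipaddress.IPv4Address(range_addr)) & mask
    return client_bits == range_bits


class LoginBlocker:
    """Hypothetical model of IP Blocking; defaults are those in Table 5-6."""

    def __init__(self, fail_count=10, fail_window=3600, penalty_time=3600):
        self.fail_count = fail_count      # IP Blocking Fail Count
        self.fail_window = fail_window    # IP Blocking Fail Window (seconds)
        self.penalty_time = penalty_time  # IP Blocking Penalty Time (seconds)
        self._failures = defaultdict(deque)  # ip -> recent failure timestamps
        self._blocked_until = {}             # ip -> time the penalty ends

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the penalty time for this address is still running."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed login; return True if the address is now blocked."""
        if self.is_blocked(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        # Forget failures that have aged out of the fail window.
        while recent and now - recent[0] >= self.fail_window:
            recent.popleft()
        if len(recent) >= self.fail_count:
            self._blocked_until[ip] = now + self.penalty_time
            recent.clear()
            return True
        return False


if __name__ == "__main__":
    # Constructed sample addresses, checked against the default range.
    for client in ("192.168.1.77", "192.168.2.77"):
        allowed = in_ip_range(client, "192.168.1.0", "255.255.255.0")
        print(client, "allowed" if allowed else "outside IP range")

    blocker = LoginBlocker()
    for second in range(10):
        blocked = blocker.record_failure("192.168.1.77", second)
    print("blocked after 10 failures:", blocked)
```
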
Table 5-7. Network Security Page Buttons
Button | Description
Print | Prints the Network Security values that appear on the screen.
Refresh | Reloads the Network Security page.
Apply | Saves any new settings that you made to the Network Security page.
Go Back to Network Page | Returns to the Network page.
Configuring Platform Events
Platform event configuration provides a mechanism for configuring the
iDRAC to perform selected actions on certain event messages. The actions
include no action, reboot system, power cycle system, power off system, and
generate an alert (Platform Event Trap [PET] and/or e-mail).
The filterable platform events are listed in Table 5-8.
When a platform event occurs (for example, a Battery Probe Warning), a
system event is generated and recorded in the System Event Log (SEL). If
this event matches a platform event filter (PEF) that is enabled and you have
configured the filter to generate an alert (PET or e-mail), then a PET or
e-mail alert is sent to one or more configured destinations.
If the same platform event filter is also configured to perform an action (such
as rebooting the system), the action is performed.
Table 5-8. Filterable Platform Events
Index | Platform Event
1 | Battery Probe Warning
2 | Battery Probe Failure
3 | Discrete Voltage Probe Failure
4 | Temperature Probe Warning
5 | Temperature Probe Failure
6 | Processor Failure
7 | Processor Absent
8 | Hardware Log Failure
9 | Automatic System Recovery
Configuring Platform Event Filters (PEF)
NOTE: Configure platform event filters before you configure the platform event
traps or e-mail alert settings.
1. Log in to the iDRAC Web interface. See "Accessing the Web Interface" on page 71.
2. Click System and then the Alert Management tab.
3. On the Platform Events page, enable Alert Generation for an event by clicking the corresponding Generate Alert checkbox for that event.
   NOTE: You can enable or disable Alert Generation for all events by clicking the checkbox next to the Generate Alert column heading.
4. Click the radio button below the action you would like to enable for each event. Only one action can be set for each event.
5. Click Apply.
   NOTE: Generate Alert must be enabled for an alert to be sent to any valid, configured destination (PET or e-mail).
Configuring Platform Event Traps (PET)
NOTE: You must have Configure iDRAC permission to add or enable/disable
an SNMP alert. The following options will not be available if you do not have
Configure iDRAC permission.
1. Log in to the remote system using a supported Web browser. See "Accessing the Web Interface" on page 71.
2. Ensure that you followed the procedures in "Configuring Platform Event Filters (PEF)" on page 80.
3. Configure your PET destination IP address:
   a. Click the Enable checkbox next to the Destination Number you would like to activate.
   b. Enter an IP address in the Destination IP Address box.
      NOTE: The destination community string must be the same as the iDRAC community string.
   c. Click Apply.
      NOTE: To successfully send a trap, configure the Community String value on the Network Configuration page. The Community String value indicates the community string to use in a Simple Network Management Protocol (SNMP) alert trap sent from the iDRAC. SNMP alert traps are transmitted by the iDRAC when a platform event occurs. The default setting for the Community String is Public.
   d. Click Send to test the configured alert (if desired).
   e. Repeat step a through step d for any remaining destination numbers.
Configuring E-Mail Alerts
1. Log in to the remote system using a supported Web browser.
2. Ensure that you followed the procedures in "Configuring Platform Event Filters (PEF)" on page 80.
3. Configure your e-mail alert settings.
   a. On the Alert Management tab, click Email Alert Settings.
4. Configure your e-mail alert destination.
   a. In the Email Alert Number column, click a destination number. There are four possible destinations to receive alerts.
   b. Ensure that the Enabled checkbox is selected.
   c. In the Destination Email Address field, type a valid e-mail address.
   d. Click Apply.
      NOTE: To successfully send a test e-mail, the SMTP Server Address must be configured on the Network Configuration page. The IP address of the SMTP Server communicates with the iDRAC to send e-mail alerts when a platform event occurs.
   e. Click Send to test the configured e-mail alert (if desired).
   f. Repeat step a through step e for any remaining e-mail alert settings.
Configuring IPMI
1. Log in to the remote system using a supported Web browser.
2. Configure IPMI over LAN.
   a. Click System → Remote Access → iDRAC, then click the Network/Security tab.
   b. In the Network Configuration page under IPMI LAN Settings, select Enable IPMI Over LAN.
   c. Update the IPMI LAN channel privileges, if required:
      NOTE: This setting determines the IPMI commands that can be executed from the IPMI over LAN interface. For more information, see the IPMI 2.0 specifications.
      Under IPMI LAN Settings, click the Channel Privilege Level Limit drop-down menu, select Administrator, Operator, or User and click Apply.
   d. Set the IPMI LAN channel encryption key, if required.
      NOTE: The iDRAC IPMI supports the RMCP+ protocol.
      NOTE: The encryption key must consist of an even number of hexadecimal characters with a maximum length of 20 characters.
      Under IPMI LAN Settings in the Encryption Key field, type the encryption key.
   e. Click Apply.
3. Configure IPMI Serial over LAN (SOL).
   a. Click System → Remote Access → iDRAC.
   b. Click the Network Security tab, then click Serial Over LAN.
   c. On the Serial Over LAN Configuration page, click the Enable Serial Over LAN checkbox to enable Serial over LAN.
   d. Update the IPMI SOL baud rate.
      NOTE: To redirect the serial console over the LAN, ensure that the SOL baud rate is identical to your managed server’s baud rate.
      Click the Baud Rate drop-down menu to select a data speed of 19.2 kbps, 57.6 kbps or 115.2 kbps.
   e. Click Apply.
Adding and Configuring iDRAC Users
To manage your system with the iDRAC and maintain system security, create
unique users with specific administrative permissions (or role-based
authority).
To add and configure iDRAC users, perform the following steps:
NOTE: You must have Configure iDRAC permission to perform the following steps.
1. Click System → Remote Access → iDRAC and then click the Network/Security tab.
2. Open the Users page to configure users.
   The Users page displays each user’s User ID, State, Username, IPMI LAN Privileges, iDRAC Privileges, and Serial Over LAN.
   NOTE: User-1 is reserved for the IPMI anonymous user and is not configurable.
3. In the User ID column, click a user ID number.
4. On the User Configuration page, configure the user’s properties and privileges.
   Table 5-9 describes the General settings for configuring an iDRAC user name and password.
   Table 5-10 describes the IPMI LAN Privileges for configuring the user’s LAN privileges.
   Table 5-11 describes the User Group permissions for the IPMI LAN Privileges and the iDRAC User Privileges settings.
   Table 5-12 describes the iDRAC Group permissions. If you add an iDRAC User Privilege to the Administrator, Power User, or Guest User, the iDRAC Group will change to the Custom group.
5. When completed, click Apply.
6. Click the appropriate button to continue. See Table 5-13.
Table 5-9. General Properties
Property | Description
User ID | Contains one of 16 preset User ID numbers. This field cannot be edited.
Enable User | When checked, indicates that the user’s access to the iDRAC is enabled. When unchecked, user access is disabled.
Username | Specifies an iDRAC user name with up to 16 characters. Each user must have a unique user name. NOTE: User names on the iDRAC cannot include the / (forward slash) or . (period) characters. NOTE: If the user name is changed, the new name will not appear in the user interface until the next user login.
Change Password | Enables the New Password and Confirm New Password fields. When unchecked, the user’s Password cannot be changed.
New Password | Enables editing the iDRAC user’s password. Enter a Password with up to 20 characters. The characters will not display. NOTE: The three special characters <, >, and \ are not allowed in user names or passwords.
Confirm New Password | Retype the iDRAC user’s password to confirm.
Table 5-10. IPMI LAN User Privileges
Property | Description
Maximum LAN User Privilege Granted | Specifies the user’s maximum privilege on the IPMI LAN channel to one of the following user groups: None, Administrator, Operator, or User.
Enable Serial Over LAN | Allows the user to use IPMI Serial Over LAN. When checked, this privilege is enabled.
Table 5-11. iDRAC User Privileges
Property | Description
iDRAC Group | Specifies the user’s maximum iDRAC user privilege as one of the following: Administrator, Power User, Guest User, Custom, or None. See Table 5-12 for iDRAC Group permissions.
Login to iDRAC | Enables the user to log in to the iDRAC.
Configure iDRAC | Enables the user to configure the iDRAC.
Configure Users | Enables the user to allow specific users to access the system.
Clear Logs | Enables the user to clear the iDRAC logs.
Execute Server Control Commands | Enables the user to execute RACADM commands.
Access Console Redirection | Enables the user to run Console Redirection.
Access Virtual Media | Enables the user to run and use Virtual Media.
Test Alerts | Enables the user to send test alerts (e-mail and PET) to a specific user.
Execute Diagnostic Commands | Enables the user to run diagnostic commands.
Table 5-12. iDRAC Group Permissions
User Group | Permissions Granted
Administrator | Login to iDRAC, Configure iDRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
Power User | Login to iDRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts
Guest User | Login to iDRAC
Custom | Selects any combination of the following permissions: Login to iDRAC, Configure iDRAC, Configure Users, Clear Logs, Execute Server Action Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
None | No assigned permissions
Table 5-13. User Configuration Page Buttons
Button | Action
Print | Prints the User Configuration values that appear on the screen.
Refresh | Reloads the User Configuration page.
Apply | Saves any new settings made to the user configuration.
Go Back To Users Page | Returns to the Users Page.
Securing iDRAC Communications Using SSL and Digital Certificates
This section provides information about the following data security features
that are incorporated in your iDRAC:
• Secure Sockets Layer (SSL)
• Certificate Signing Request (CSR)
• Accessing the SSL main menu
• Generating a new CSR
• Uploading a server certificate
• Viewing a server certificate
Secure Sockets Layer (SSL)
The iDRAC includes a Web server that is configured to use the
industry-standard SSL security protocol to transfer encrypted data over a network.
Built upon public-key and private-key encryption technology, SSL is a widely
accepted technology for providing authenticated and encrypted
communication between clients and servers to prevent eavesdropping across a
network.
An SSL-enabled system can perform the following tasks:
• Authenticate itself to an SSL-enabled client
• Allow the client to authenticate itself to the server
• Allow both systems to establish an encrypted connection
The encryption process provides a high level of data protection. The iDRAC
employs the 128-bit SSL encryption standard, the most secure form of
encryption generally available for Internet browsers in North America.
The iDRAC Web server has a Dell self-signed SSL digital certificate (Server
ID) by default. To ensure high security over the Internet, replace the Web
server SSL certificate with a certificate signed by a well-known certificate
authority. To initiate the process of obtaining a signed certificate, you can use
the iDRAC Web interface to generate a Certificate Signing Request (CSR)
with your company’s information. You can then submit the generated CSR to
a CA such as VeriSign or Thawte.
Certificate Signing Request (CSR)
A CSR is a digital request to a Certificate Authority (CA) for a secure server
certificate. Secure server certificates allow clients of the server to trust the
identity of the server they have connected to and to negotiate an encrypted
session with the server.
A Certificate Authority is a business entity that is recognized in the IT
industry for meeting high standards of reliable screening, identification, and
other important security criteria. Examples of CAs include Thawte and
VeriSign. After the CA receives a CSR, they review and verify the information
the CSR contains. If the applicant meets the CA’s security standards, the CA
issues a digitally-signed certificate that uniquely identifies that applicant for
transactions over networks and on the Internet.
After the CA approves the CSR and sends the certificate, upload the
certificate to the iDRAC firmware. The CSR information stored on the
iDRAC firmware must match the information contained in the certificate.
Accessing the SSL Main Menu
1. Click System → Remote Access → iDRAC, then click the Network/Security tab.
2. Click SSL to open the SSL Main Menu page.
Use the SSL Main Menu page to generate a CSR to send to a CA. The CSR
information is stored on the iDRAC firmware.
Table 5-14 describes the options available when generating a CSR.
Table 5-15 describes the available buttons on the SSL Main Menu page.
Table 5-14. SSL Main Menu Options
Field | Description
Generate a New Certificate Signing Request (CSR) | Select the option and click Next to open the Generate Certificate Signing Request (CSR) page. NOTE: Each new CSR overwrites any previous CSR on the firmware. For a CA to accept your CSR, the CSR in the firmware must match the certificate returned from the CA.
Upload Server Certificate | Select the option and click Next to open the Certificate Upload page and upload the certificate sent to you by the CA. NOTE: Only X509, Base 64-encoded certificates are accepted by the iDRAC. DER-encoded certificates are not accepted.
View Server Certificate | Select the option and click Next to open the View Server Certificate page and view an existing server certificate.
Generating a New Certificate Signing Request
NOTE: Each new CSR overwrites any previous CSR data stored in the firmware.
The CSR in the firmware must match the certificate returned from the CA.
Otherwise, the iDRAC will not accept the certificate.
1
On the
SSL Main Menu
page, select
Generate a New Certificate Signing
Request (CSR)
and click
Next
.
2
On the
Generate Certificate Signing Request (CSR)
page, enter a value
for each CSR attribute.
Table 5-16 describes the
Generate Certificate Signing Request (CSR)
page options.
3
Click
Generate
to create the CSR.
4
Click
Download
to save the CSR file to your local computer.
5
Click the appropriate button to continue. See Table 5-17.
Table 5-15. SSL Main Menu Buttons
Button Description
Print Prints the SSL Main Menu values that appear on the
screen.
Refresh Reloads the SSL Main Menu page.
Next Processes the information on the SSL Main Menu page
and continues to the next step.
Table 5-16. Generate Certificate Signing Request (CSR) Page Options
Field Description
Common Name The exact name being certified (usually the Web server's
domain name, for example, www.xyzcompany.com). Only
alphanumeric characters, hyphens, underscores, and
periods are valid. Spaces are not valid.
Organization Name The name associated with this organization (for example,
XYZ Corporation). Only alphanumeric characters,
hyphens, underscores, periods and spaces are valid.
90 Configuring the iDRAC Using the Web Interface
Organization Unit The name associated with an organizational unit, such as a
department (for example, Information Technology). Only
alphanumeric characters, hyphens, underscores, periods,
and spaces are valid.
Locality The city or other location of the entity being certified (for
example, Round Rock). Only alphanumeric characters and
spaces are valid. Do not separate words using an underscore
or other character.
State Name The state or province where the entity who is applying for a
certification is located (for example, Texas). Only
alphanumeric characters and spaces are valid. Do not use
abbreviations.
Country Code The name of the country where the entity applying for
certification is located.
Email The e-mail address associated with the CSR. Type the
company’s e-mail address, or any e-mail address associated
with the CSR. This field is optional.
Key Size Specify the size of the Certificate Signing Request (CSR)
key to be generated. The size may be 512, 1024 or 2048.
Table 5-17. Generate Certificate Signing Request (CSR) Page Buttons
Button: Description
Print: Prints the Generate Certificate Signing Request values that appear on the screen.
Refresh: Reloads the Generate Certificate Signing Request page.
Generate: Generates a CSR and then prompts the user to save it to a specified directory.
Download: Downloads the certificate to the local computer.
Go Back to SSL Main Menu: Returns the user to the SSL Main Menu page.
Uploading a Server Certificate
1. In the SSL Main Menu page, select Upload Server Certificate and click Next.
   The Certificate Upload page appears.
2. In the File Path field, type the path to the certificate or click Browse to navigate to the certificate file.
   NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.
3. Click Apply.
4. Click the appropriate button to continue. See Table 5-18.
Viewing a Server Certificate
1. On the SSL Main Menu page, select View Server Certificate and click Next.
   Table 5-19 describes the fields and associated descriptions listed in the Certificate window.
2. Click the appropriate button to continue. See Table 5-20.
Table 5-18. Certificate Upload Page Buttons
Button: Description
Print: Prints the values that appear on the Certificate Upload page.
Refresh: Reloads the Certificate Upload page.
Apply: Applies the certificate to the iDRAC firmware.
Go Back to SSL Main Menu: Returns the user to the SSL Main Menu page.
Table 5-19. Certificate Information
Field: Description
Serial Number: Certificate serial number
Subject Information: Certificate attributes entered by the subject
Issuer Information: Certificate attributes returned by the issuer
Valid From: Issue date of the certificate
Valid To: Expiration date of the certificate
Table 5-20. View Server Certificate Page Buttons
Button: Description
Print: Prints the View Server Certificate values that appear on the screen.
Refresh: Reloads the View Server Certificate page.
Go Back to SSL Main Menu: Return to the SSL Main Menu page.
Configuring and Managing Active Directory Certificates
NOTE: You must have Configure iDRAC permission to configure Active Directory and upload, download, and view an Active Directory certificate.
NOTE: For more information about Active Directory configuration and how to configure Active Directory with the standard schema or an extended schema, see "Using the iDRAC with Microsoft Active Directory" on page 105.
To access the Active Directory Main Menu:
1. Click System→Remote Access→iDRAC, and then click the Network/Security tab.
2. Click Active Directory to open the Active Directory Main Menu page.
Table 5-21 lists the Active Directory Main Menu page options.
Click the appropriate button to continue. See Table 5-22.
Table 5-21. Active Directory Main Menu Page Options
Field: Description
Configure Active Directory: Configures the Active Directory ROOT Domain Name, Active Directory Authentication Timeout, Active Directory Schema Selection, iDRAC Name, iDRAC Domain Name, Role Groups, Group Name, and Group Domain settings.
Upload Active Directory CA Certificate: Uploads an Active Directory certificate to the iDRAC.
Download iDRAC Server Certificate: The Windows Download Manager downloads an iDRAC server certificate to the system.
View Active Directory CA Certificate: Displays an Active Directory Certificate that has been uploaded to the iDRAC.
Table 5-22. Active Directory Main Menu Page Buttons
Button: Definition
Print: Prints the Active Directory Main Menu values that appear on the screen.
Refresh: Reloads the Active Directory Main Menu page.
Next: Processes the information on the Active Directory Main Menu page and continues to the next step.
Configuring Active Directory (Standard Schema and Extended Schema)
1. On the Active Directory Main Menu page, select Configure Active Directory and click Next.
2. On the Active Directory Configuration page, enter the Active Directory settings.
   Table 5-23 describes the Active Directory Configuration and Management page settings.
3. Click Apply to save the settings.
4. Click the appropriate button to continue. See Table 5-24.
5. To configure the Role Groups for Active Directory Standard Schema, click on the individual Role Group (1-5). See Table 5-25 and Table 5-26.
   NOTE: To save the settings on the Active Directory Configuration page, click Apply before proceeding to the Custom Role Group page.
Table 5-23. Active Directory Configuration Page Settings
Setting: Description
Enable Active Directory: When checked, enables Active Directory. The default is disabled.
ROOT Domain Name: The Active Directory ROOT domain name. The name must be a valid domain name consisting of x.y, where x is a 1-254 character ASCII string with no spaces between characters, and y is a valid domain type such as com, edu, gov, int, mil, net, or org. The default is blank.
Timeout: The time, in seconds, to wait for Active Directory queries to complete. The value must be 15 seconds or greater. The default value is 120.
Use Standard Schema: Uses standard schema with Active Directory.
Use Extended Schema: Uses the extended schema with Active Directory.
iDRAC Name: The name that uniquely identifies the iDRAC in Active Directory. The default is blank. The name must be a 1-254 character ASCII string with no spaces between characters.
iDRAC Domain Name: The DNS name of the domain where the Active Directory iDRAC object resides. The default is blank. The name must be a valid domain name consisting of x.y, where x is a 1-254 character ASCII string with no spaces between characters, and y is a valid domain type such as com, edu, gov, int, mil, net, or org.
Role Groups: The list of role groups associated with the iDRAC. To change the settings for a role group, click its role group number in the role groups list.
Group Name: The name that identifies the role group in the Active Directory associated with the iDRAC. The default is blank.
Group Domain: The domain type where the Role Group resides.
Group Privilege: Displays the level of privileges assigned to the Role Group. The privileges are: None, Administrator, Power User, Guest User, or Custom.
Table 5-24. Active Directory Configuration Page Buttons
Button: Description
Print: Prints the Active Directory Configuration values that appear on the screen.
Refresh: Reloads the Active Directory Configuration page.
Apply: Saves any new settings made to the Active Directory Configuration page.
Go Back to Active Directory Main Menu: Returns to the Active Directory Main Menu page.
Table 5-25. Role Group Privileges
Setting: Description
Role Group Privilege Level: Specifies the user’s maximum iDRAC user privilege as one of the following: Administrator, Power User, Guest User, No Access, or Custom. See Table 5-26 for Role Group permissions.
Login to iDRAC: Allows the group log in access to the iDRAC.
Configure iDRAC: Allows the group permission to configure the iDRAC.
Configure Users: Allows the group permission to configure users.
Clear Logs: Allows the group permission to clear logs.
Execute Server Control Commands: Allows the group permission to execute server control commands.
Access Console Redirection: Allows the group access to Console Redirection.
Access Virtual Media: Allows the group access to Virtual Media.
Test Alerts: Allows the group to send test alerts (e-mail and PET) to a specific user.
Execute Diagnostic Commands: Allows the group permission to execute diagnostic commands.
Table 5-26. Role Group Permissions
Property: Description
Administrator: Login to iDRAC, Configure iDRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
Power User: Login to iDRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts
Guest User: Login to iDRAC
Custom: Selects any combination of the following permissions: Login to iDRAC, Configure iDRAC, Configure Users, Clear Logs, Execute Server Action Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands
No Access: No assigned permissions
Uploading an Active Directory CA Certificate
1. On the Active Directory Main Menu page, select Upload Active Directory CA Certificate and click Next.
2. On the Certificate Upload page, type the file path of the certificate in the File Path field, or click Browse to navigate to the certificate file.
   NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.
   Ensure that the domain controller’s SSL certificates have been signed by the same Certificate Authority and that this Certificate is available on the management station accessing the iDRAC.
3. Click Apply.
4. Click the appropriate button to continue. See Table 5-27.
Downloading an iDRAC Server Certificate
1. On the Active Directory Main Menu page, select Download iDRAC Server Certificate and click Next.
2. Save the file to a directory on your system.
3. In the Download Complete window, click Close.
Viewing an Active Directory CA Certificate
Use the Active Directory Main Menu page to view a CA server certificate for
your iDRAC.
1. On the Active Directory Main Menu page, select View Active Directory CA Certificate and click Next.
   Table 5-28 describes the fields and associated descriptions listed in the Certificate window.
2. Click the appropriate button to continue. See Table 5-29.
Table 5-27. Certificate Upload Page Buttons
Button: Description
Print: Prints the Certificate Upload values that appear on the screen.
Refresh: Reloads the Certificate Upload page.
Apply: Applies the certificate to the iDRAC firmware.
Go Back to Active Directory Main Menu: Returns to the Active Directory Main Menu page.
Table 5-28. Active Directory CA Certificate Information
Field: Description
Serial Number: Certificate serial number.
Subject Information: Certificate attributes entered by the subject.
Issuer Information: Certificate attributes returned by the issuer.
Valid From: Certificate issue date.
Valid To: Certificate expiration date.
Table 5-29. View Active Directory CA Certificate Page Buttons
Button: Description
Print: Prints the Active Directory CA Certificate values that appear on the screen.
Refresh: Reloads the Active Directory CA Certificate page.
Go Back to Active Directory Main Menu: Returns the user to the Active Directory Main Menu page.
Enabling or Disabling Local Configuration Access
NOTE: The default setting for local configuration access is Enabled.
Enabling Local Configuration Access
1. Click System→Remote Access→iDRAC→Network/Security→Services.
2. Under Local Configuration, click to deselect Disable iDRAC local USER Configuration Updates to enable access.
3. Click Apply.
4. Click the appropriate button to continue.
Disabling Local Configuration Access
1. Click System→Remote Access→iDRAC→Network/Security→Services.
2. Under Local Configuration, click to check Disable iDRAC local USER Configuration Updates to disable access.
3. Click Apply.
4. Click the appropriate button to continue.
Configuring iDRAC Services
NOTE: To modify these settings, you must have Configure iDRAC permission.
NOTE: When you apply changes to services, the changes take effect immediately.
Existing connections may be terminated without warning.
NOTE: There is a known issue with the Telnet client supplied with Microsoft
Windows communicating with a BMU. Use another Telnet client such as
HyperTerminal or PuTTY.
1. Click System→Remote Access→iDRAC, and then click the Network/Security tab.
2. Click Services to open the Services configuration page.
3. Configure the following services, as required:
   • Web server (see Table 5-30 for Web server settings)
   • SSH (see Table 5-31 for SSH settings)
   • Telnet (see Table 5-32 for telnet settings)
   • Automated System Recovery Agent (see Table 5-33 for Automated System Recovery Agent settings)
4. Click Apply.
5. Click the appropriate button to continue. See Table 5-34.
Table 5-30. Web Server Settings
Setting: Description
Enabled: Enables or disables the iDRAC web server. When checked, the checkbox indicates that the web server is enabled. The default is enabled.
Max Sessions: The maximum number of simultaneous sessions allowed for this system. This field is not editable. There can be four simultaneous sessions.
Active Sessions: The number of current sessions on the system, less than or equal to the Max Sessions. This field is not editable.
Timeout: The time, in seconds, that a connection is allowed to remain idle. The session is cancelled when the timeout is reached. Changes to the timeout setting take effect immediately and will reset the web server. Timeout range is 60 to 10,800 seconds. The default is 1,800 seconds.
HTTP Port Number: The port on which the iDRAC listens for a browser connection. The default is 80.
HTTPS Port Number: The port on which the iDRAC listens for a secure browser connection. The default is 443.
Table 5-31. SSH Settings
Setting: Description
Enabled: Enables or disables SSH. When checked, the checkbox indicates that SSH is enabled.
Max Sessions: The maximum number of simultaneous sessions allowed for this system. Only one session is supported.
Active Sessions: The number of current sessions on the system.
Timeout: The secure shell idle timeout, in seconds. Timeout range is 60 to 10,800 seconds. Enter 0 seconds to disable the Timeout feature. The default is 1,800.
Port Number: The port on which the iDRAC listens for an SSH connection. The default is 22.
Table 5-32. Telnet Settings
Setting: Description
Enabled: Enables or disables telnet. When checked, telnet is enabled.
Max Sessions: The maximum number of simultaneous sessions allowed for this system. Only one session is supported.
Active Sessions: The number of current sessions on the system.
Timeout: The telnet idle timeout, in seconds. Timeout range is 60 to 10,800 seconds. Enter 0 seconds to disable the Timeout feature. The default is 1,800.
Port Number: The port on which the iDRAC listens for a telnet connection. The default is 23.
Table 5-33. Automated System Recovery Agent Setting
Setting: Description
Enabled: Enables the Automated System Recovery Agent.
Table 5-34. Services Page Buttons
Button: Description
Print: Prints the Services page.
Refresh: Refreshes the Services page.
Apply Changes: Applies the Services page settings.
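The settings in Tables 5-30 through 5-32 can be reviewed mechanically. The following Python check is an added example, not part of the Dell guide or any Dell tool: it compares a constructed snapshot of the Services page with the documented timeout range and flags Telnet, disabled idle timeouts and port clashes. The dictionary layout and the name audit_services are assumptions made for the illustration.

```python
# Added example: review of iDRAC Services page settings against the ranges
# documented in Tables 5-30 to 5-32. The input layout and all names here are
# assumptions made for the illustration, not a Dell format.

TIMEOUT_MIN, TIMEOUT_MAX = 60, 10800        # documented idle-timeout range, seconds
ZERO_DISABLES_TIMEOUT = {"ssh", "telnet"}   # entering 0 disables the timeout for these


def audit_services(settings):
    """Return a list of (service, finding) tuples for the enabled services."""
    findings = []
    ports_in_use = {}
    for service, cfg in settings.items():
        if not cfg["enabled"]:
            continue  # a disabled service exposes nothing to review
        timeout = cfg["timeout"]
        if timeout == 0 and service in ZERO_DISABLES_TIMEOUT:
            findings.append(
                (service, "idle timeout disabled (0): idle sessions are never closed"))
        elif not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
            findings.append(
                (service, f"timeout {timeout} s is outside the documented "
                          f"{TIMEOUT_MIN}-{TIMEOUT_MAX} s range"))
        if service == "telnet":
            findings.append(
                (service, "telnet is enabled: logins and session data cross "
                          "the network unencrypted"))
        for label, port in cfg["ports"].items():
            if not 1 <= port <= 65535:
                findings.append((service, f"{label} port {port} is not a valid TCP port"))
            elif port in ports_in_use:
                findings.append(
                    (service, f"{label} port {port} is already used by {ports_in_use[port]}"))
            else:
                ports_in_use[port] = f"{service} {label}"
    return findings


# Constructed sample: documented defaults for the web server, an SSH timeout
# below the documented minimum, and Telnet enabled with its timeout switched off.
SAMPLE = {
    "web":    {"enabled": True, "timeout": 1800, "ports": {"HTTP": 80, "HTTPS": 443}},
    "ssh":    {"enabled": True, "timeout": 30,   "ports": {"SSH": 22}},
    "telnet": {"enabled": True, "timeout": 0,    "ports": {"Telnet": 23}},
}

if __name__ == "__main__":
    for service, finding in audit_services(SAMPLE):
        print(f"[{service}] {finding}")
```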
Updating the iDRAC Firmware
NOTE: If the iDRAC firmware becomes corrupted, as could occur if the iDRAC
firmware update progress is interrupted before it completes, you can recover
the iDRAC using the CMC. See your Dell Chassis Management Controller User
Guide for instructions. The CMC Web interface (CMC 2.0 or later) also
provides a One-to-Many Out-of-Band iDRAC firmware update capacity that
can be used at any time.
NOTE: The firmware update, by default, retains the current iDRAC settings.
During the update process, you have the option to reset the iDRAC
configuration to the factory defaults. If you set the configuration to the factory
defaults, external network access will be disabled when the update
completes. You must enable and configure the network using the iDRAC
Configuration Utility or the CMC Web interface.
1. Start the iDRAC Web interface.
2. Click System→Remote Access→iDRAC, then click the Update tab.
3. On the Firmware Update page, click Next to start the update process.
   NOTE: To update the firmware, the iDRAC must be placed in an update mode. Once in this mode, the iDRAC will automatically reset, even if you cancel the update process.
4. In the Firmware Update - Upload (page 1 of 4) window, click Browse, or type the path to the firmware image that you downloaded.
   For example: C:\Updates\V1.0\<image_name>.
   The default firmware image name is firmimg.imc.
5. Click Next.
   The file will be uploaded to the iDRAC. This may take several minutes to complete.
   OR
   You can click Cancel at this time, if you would like to end the firmware upgrade process. Clicking Cancel will reset the iDRAC to normal operating mode.
6. In the Firmware Update - Validation (page 2 of 4) window, you will see the results of the validation performed on the image file you uploaded.
   If the image file uploaded successfully and passed all verification checks, a message will appear indicating that the firmware image has been verified.
   OR
   If the image did not upload successfully, or it did not pass the verification checks, the firmware update will return to the Firmware Update - Upload (page 1 of 4) window. You can attempt to upgrade the iDRAC again or click Cancel to reset the iDRAC to normal operating mode.
   NOTE: If you deselect the Preserve Configuration check box, the iDRAC will be reset to its default settings. In the default settings, the LAN is disabled. You will not be able to log in to the iDRAC Web interface. You will have to reconfigure the LAN settings using the CMC Web interface or iKVM using the iDRAC Configuration Utility during BIOS POST.
7. By default the Preserve Configuration checkbox is checked, to preserve the current settings on the iDRAC after an upgrade. If you do not want the settings to be preserved, deselect the Preserve Configuration checkbox.
8. Click Begin Update to start the upgrade process. Do not interrupt the upgrade process.
9. In the Firmware Update - Updating (page 3 of 4) window, you will see the status of the upgrade. The progress of the firmware upgrade operation, measured in percentages, will appear in the Progress column.
10. Once the firmware update is complete, the Firmware Update - Update Results (page 4 of 4) window will appear and the iDRAC will reset automatically. You must close the current browser window and reconnect to the iDRAC using a new browser window.
Recovering iDRAC Firmware Using the CMC
Typically, the iDRAC firmware is updated using iDRAC facilities such as the
iDRAC Web interface, or operating system specific update packages
downloaded from support.dell.com.
If the iDRAC firmware becomes corrupted, as could occur if the iDRAC
firmware update progress is interrupted before it completes, you can use the
CMC Web interface to update its firmware.
If the CMC detects the corrupted iDRAC firmware, the iDRAC is listed on
the Updatable Components page in the CMC Web interface.
NOTE: See the Dell Chassis Management Controller User Guide for instructions for
using the CMC Web interface.
To update the iDRAC firmware, perform the following steps:
1. Download the latest iDRAC firmware to your management computer from support.dell.com.
2. Log in to the CMC Web-based interface.
3. Click Chassis in the system tree.
4. Click the Update tab. The Firmware Update page appears. The server with the recoverable iDRAC is included in the list if it can be recovered from the CMC.
5. Select the Update Targets option and click Apply iDRAC Update to begin the firmware update.
After the firmware image file has been uploaded to the CMC, the iDRAC will
update itself with the image.
Using the iDRAC with Microsoft Active Directory
A directory service maintains a common database of all information needed
for controlling users, computers, printers, and other devices on a network. If
your company uses the Microsoft® Active Directory® service software, you
can configure the software to provide access to the iDRAC, allowing you to
add and control iDRAC user privileges to your existing users in your Active
Directory software.
NOTE: Using Active Directory to recognize iDRAC users is supported on the
Microsoft Windows® 2000 and Windows Server® 2003 operating systems.
You can use Active Directory to define user access on iDRAC through an
extended schema solution which uses Dell-defined Active Directory objects
or a standard schema solution which uses Active Directory group objects only.
Advantages and Disadvantages of Extended Schema and Standard Schema
When using Active Directory to configure access to the iDRAC, you must choose either the extended schema or the standard schema solution.
The advantages of using the extended schema solution are:
• All of the access control objects are maintained in Active Directory.
• Maximum flexibility in configuring user access on different iDRACs with different privilege levels.
The advantages of using the standard schema solution are:
• No schema extension is required because standard schema uses Active Directory objects only.
• Configuration on the Active Directory side is simple.
Extended Schema Active Directory Overview
There are three ways to enable Active Directory with the extended schema:
• With the iDRAC Web interface (see "Configuring the iDRAC With Extended Schema Active Directory Using the Web Interface" on page 121).
• With the RACADM CLI tool (see "Configuring the iDRAC With Extended Schema Active Directory Using RACADM" on page 122).
• With the SM-CLP command line (see "Configuring the iDRAC With Extended Schema Active Directory and SM-CLP" on page 123).
Active Directory Schema Extensions
The Active Directory data is a distributed database of Attributes and Classes.
The Active Directory schema includes the rules that determine the type of
data that can be added or included in the database. The user class is one
example of a Class that is stored in the database. Some example user class
attributes can include the user’s first name, last name, phone number, and so
on. Companies can extend the Active Directory database by adding their own
unique Attributes and Classes to solve environment-specific needs. Dell has
extended the schema to include the Attributes and Classes to support remote
management Authentication and Authorization.
Each Attribute or Class that is added to an existing Active Directory Schema
must be defined with a unique ID. To maintain unique IDs across the
industry, Microsoft maintains a database of Active Directory Object
Identifiers (OIDs) so that when companies add extensions to the schema,
they can be guaranteed to be unique and not to conflict with each other. To
extend the schema in Microsoft Active Directory, Dell received unique OIDs,
unique name extensions, and uniquely linked attribute IDs for the attributes
and classes we added to the directory service, as shown in Table 6-1.
Table 6-1. Dell Active Directory Object Identifiers
Active Directory Service Class: Active Directory OID
Dell extension: dell
Dell base OID: 1.2.840.113556.1.8000.1280
RAC LinkID range: 12070 to 12079
Overview of the RAC Schema Extensions
To provide the greatest flexibility in the multitude of customer environments,
Dell provides a group of properties that can be configured by the user
depending on the desired results. Dell has extended the schema to include an
Association, Device, and Privilege property. The Association property is used
to link together the users or groups with a specific set of privileges to one or
more RAC devices. This model provides an Administrator maximum
flexibility over the different combinations of users, RAC privileges, and RAC
devices on the network without adding too much complexity.
Active Directory Object Overview
For each of the physical RACs on the network that you want to integrate with
Active Directory for Authentication and Authorization, create at least one
Association Object and one RAC Device Object. You can create multiple
Association Objects, and each Association Object can be linked to as many
users, groups of users, or RAC Device Objects as required. The users and RAC
Device Objects can be members of any domain in the enterprise.
However, each Association Object can be linked (or, may link users, groups of
users, or RAC Device Objects) to only one Privilege Object. This example
allows an Administrator to control each user’s privileges on specific RACs.
The RAC Device object is the link to the RAC firmware for querying Active
Directory for authentication and authorization. When a RAC is added to the
network, the Administrator must configure the RAC and its device object
with its Active Directory name so users can perform authentication and
authorization with Active Directory. The Administrator must add the RAC to
at least one Association Object in order for users to authenticate.
Figure 6-1 illustrates that the Association Object provides the connection
that is needed for all of the Authentication and Authorization.
Figure 6-1. Typical Setup for Active Directory Objects
NOTE: The RAC privilege object applies to both DRAC 4 and iDRAC.
You can create as many or as few association objects as required. However, you
must create at least one Association Object, and you must have one RAC
Device Object for each RAC (iDRAC) on the network that you want to
integrate with Active Directory for Authentication and Authorization with
the RAC (iDRAC).
The Association Object allows for as many or as few users and/or groups as
well as RAC Device Objects. However, the Association Object only includes
one Privilege Object per Association Object. The Association Object
connects the "Users" who have "Privileges" on the RACs.
You can configure Active Directory objects in a single domain or in multiple
domains. For example, you have two iDRACs (RAC1 and RAC2) and three
existing Active Directory users (user1, user2, and user3). You want to give
user1 and user2 an Administrator privilege to both iDRACs and give user3 a
login privilege to the RAC2. Figure 6-2 shows how you set up the Active
Directory objects in this scenario.
[Figure 6-1 labels: Association Object; User(s); Group(s); Privilege Object; RAC Device Object(s); RAC Privilege Object]
When adding Universal Groups from separate domains, create an Association
Object with Universal Scope. The Default Association objects created by the
Dell Schema Extender Utility are Domain Local Groups and will not work
with Universal Groups from other domains.
Figure 6-2. Setting Up Active Directory Objects in a Single Domain
[Figure 6-2 labels: AO1, AO2; Priv1, Priv2; Group1; RAC1, RAC2; User1, User2, User3]
To configure the objects for the single domain scenario, perform the following tasks:
1. Create two Association Objects.
2. Create two RAC Device Objects, RAC1 and RAC2, to represent the two iDRACs.
3. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator) and Priv2 has login privileges.
4. Group user1 and user2 into Group1.
5. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.
6. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
See "Adding iDRAC Users and Privileges to Active Directory" on page 118 for
detailed instructions.
Figure 6-3 provides an example of Active Directory objects in multiple
domains. In this scenario, you have two iDRACs (RAC1 and RAC2) and three
existing Active Directory users (user1, user2, and user3). User1 is in
Domain1, and user2 and user3 are in Domain2. In this scenario, configure
user1 and user2 with Administrator privileges to both iDRACs and configure
user3 with login privileges to the RAC2.
Figure 6-3. Setting Up Active Directory Objects in Multiple Domains
[Figure 6-3 labels: Domain1, Domain2; AO1, AO2; Priv1, Priv2; Group1; RAC1, RAC2; User1, User2, User3]
To configure the objects for the multiple domain scenario, perform the following tasks:
1. Ensure that the domain forest function is in Native or Windows 2003 mode.
2. Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain.
   Figure 6-3 shows the objects in Domain2.
3. Create two RAC Device Objects, RAC1 and RAC2, to represent the two iDRACs.
4. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator) and Priv2 has login privileges.
5. Group user1 and user2 into Group1. The group scope of Group1 must be Universal.
6. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.
7. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
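The object model of the single-domain and multiple-domain scenarios above, as an added Python example that is not part of the Dell guide or the Dell schema tools: it resolves which dellRAC4Privileges attributes a user holds on a given RAC through the Association Objects, and flags a non-Universal Association Object that holds a Universal group from another domain. The class and function names, the domain assigned to Group1, the scope given to AO2, and the rule that grants from several Association Objects accumulate are assumptions.

```python
from dataclasses import dataclass

# Attribute names of the dellRAC4Privileges class (Table 6-5 of this guide).
ALL_PRIVILEGES = frozenset({
    "dellIsLoginUser", "dellIsCardConfigAdmin", "dellIsUserConfigAdmin",
    "dellIsLogClearAdmin", "dellIsServerResetUser", "dellIsConsoleRedirectUser",
    "dellIsVirtualMediaUser", "dellIsTestAlertUser", "dellIsDebugCommandAdmin",
})


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str       # "Universal", "Global" or "DomainLocal"
    members: list    # Users and nested Groups


@dataclass
class AssociationObject:
    name: str
    domain: str
    scope: str
    members: list          # Users and/or Groups
    privilege: frozenset   # the single Privilege Object linked to this AO
    devices: frozenset     # names of the linked RAC Device Objects


def expand(members, _seen=None):
    """Return every User reachable through direct or nested group membership."""
    seen = set() if _seen is None else _seen
    users = set()
    for member in members:
        if isinstance(member, User):
            users.add(member)
        elif (member.domain, member.name) not in seen:   # guard against circular nesting
            seen.add((member.domain, member.name))
            users |= expand(member.members, seen)
    return users


def effective_privileges(user, rac, association_objects):
    """Privileges `user` holds on `rac` through the given Association Objects."""
    granted = set()
    for ao in association_objects:
        if rac in ao.devices and user in expand(ao.members):
            granted |= ao.privilege   # assumption: grants from several AOs accumulate
    return frozenset(granted)


def scope_problems(association_objects):
    """Flag AOs that cannot work with a Universal group from another domain."""
    problems = []
    for ao in association_objects:
        for member in ao.members:
            if (isinstance(member, Group) and member.scope == "Universal"
                    and member.domain != ao.domain and ao.scope != "Universal"):
                problems.append(
                    f"{ao.name} ({ao.scope}, {ao.domain}) holds Universal group "
                    f"{member.name} from {member.domain}; it needs Universal scope")
    return problems


# Constructed data for the multiple-domain scenario (Figure 6-3).
USER1 = User("user1", "Domain1")
USER2 = User("user2", "Domain2")
USER3 = User("user3", "Domain2")
GROUP1 = Group("Group1", "Domain1", "Universal", [USER1, USER2])  # Group1's domain is assumed
PRIV1 = ALL_PRIVILEGES                     # "all privileges (Administrator)"
PRIV2 = frozenset({"dellIsLoginUser"})     # "login privileges"
AO1 = AssociationObject("AO1", "Domain2", "Universal", [GROUP1], PRIV1,
                        frozenset({"RAC1", "RAC2"}))
AO2 = AssociationObject("AO2", "Domain2", "DomainLocal", [USER3], PRIV2,  # scope assumed
                        frozenset({"RAC2"}))
SCENARIO = [AO1, AO2]

if __name__ == "__main__":
    for user in (USER1, USER2, USER3):
        for rac in ("RAC1", "RAC2"):
            privs = sorted(effective_privileges(user, rac, SCENARIO))
            print(f"{user.name} on {rac}: {privs or 'no access'}")
    print(scope_problems(SCENARIO) or "no scope problems")
```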
Configuring Extended Schema Active Directory to Access Your iDRAC
Before using Active Directory to access your iDRAC, configure the Active
Directory software and the iDRAC by performing the following steps in order:
1. Extend the Active Directory schema (see "Extending the Active Directory Schema" on page 111).
2. Extend the Active Directory Users and Computers Snap-in (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In" on page 117).
3. Add iDRAC users and their privileges to Active Directory (see "Adding iDRAC Users and Privileges to Active Directory" on page 118).
4. Enable SSL on each of your domain controllers (see "Enabling SSL on a Domain Controller" on page 131).
5. Configure the iDRAC Active Directory properties using either the iDRAC Web interface or the RACADM (see "Configuring the iDRAC With Extended Schema Active Directory Using the Web Interface" on page 121 or "Configuring the iDRAC With Extended Schema Active Directory Using RACADM" on page 122).
Extending the Active Directory Schema
Extending your Active Directory schema adds a Dell organizational unit,
schema classes and attributes, and example privileges and association objects
to the Active Directory schema. Before you extend the schema, ensure that
you have Schema Admin privileges on the Schema Master Flexible Single
Master Operation (FSMO) Role Owner of the domain forest.
You can extend your schema using one of the following:
• Dell Schema Extender utility
• LDIF script file
If you use the LDIF script file, the Dell organizational unit will not be added to the schema.
The LDIF files and Dell Schema Extender are located on your Dell Systems Management Tools and Documentation DVD in the following respective directories:
• DVD drive:\support\OMActiveDirectory Tools\RAC4-5\LDIF_Files
• DVD drive:\support\OMActiveDirectory Tools\RAC4-5\Schema_Extender
To use the LDIF files, see the instructions in the readme included in the
LDIF_Files directory. To use the Dell Schema Extender to extend the Active
Directory Schema, see "Using the Dell Schema Extender" on page 112.
You can copy and run the Schema Extender or LDIF files from any location.
Using the Dell Schema Extender
NOTE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure
that the Dell Schema Extender utility functions properly, do not modify the name of
this file.
1. In the Welcome screen, click Next.
2. Read and understand the warning and click Next.
3. Select Use Current Log In Credentials or enter a user name and password with schema Administrator rights.
4. Click Next to run the Dell Schema Extender.
5. Click Finish.
   The schema is extended. To verify the schema extension, use the Microsoft Management Console (MMC) and the Active Directory Schema snap-in to verify that the following exist:
   • Classes (see Table 6-2 through Table 6-7)
   • Attributes (Table 6-8)
See your Microsoft documentation for more information on how to enable
and use the Active Directory Schema snap-in in the MMC.
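
The verification described above can also be scripted. The following PowerShell is an added example, not part of the Dell guide: it matches schema objects by the OIDs listed in Table 6-2 and Table 6-8 rather than by name, and reports entries that are missing or whose single-valued flag differs from Table 6-8. The function name, the constructed sample objects and the use of the ActiveDirectory module in the commented live query are assumptions of this example.

```powershell
# Expected OIDs: Table 6-2 (classes, arc .1.1 to .1.5) and Table 6-8 (attributes, arc .2.1 to .2.14).
$DellBase = '1.2.840.113556.1.8000.1280.1.1'
$Expected = @(
    1..5  | ForEach-Object { [pscustomobject]@{ Kind = 'class'; Oid = "$DellBase.1.$_"; SingleValued = $null } }
    1..14 | ForEach-Object {
        # Table 6-8 lists Single Valued = FALSE only for attributes .1, .2 and .14.
        [pscustomobject]@{ Kind = 'attribute'; Oid = "$DellBase.2.$_"; SingleValued = ($_ -notin 1, 2, 14) }
    }
)

function Test-DellSchemaExtension {
    param([Parameter(Mandatory)][object[]]$SchemaObjects)

    # Index by OID: classSchema objects carry governsID, attributeSchema objects carry attributeID.
    $byOid = @{}
    foreach ($o in $SchemaObjects) {
        $oid = if ($o.governsID) { $o.governsID } else { $o.attributeID }
        if ($oid) { $byOid[[string]$oid] = $o }
    }

    foreach ($e in $Expected) {
        $found = $byOid[$e.Oid]
        $status = 'OK'
        if (-not $found) {
            $status = 'MISSING'
        } elseif ($e.Kind -eq 'attribute' -and $found.isSingleValued -ne $e.SingleValued) {
            $status = 'SINGLE-VALUED MISMATCH'
        }
        [pscustomobject]@{ Kind = $e.Kind; Oid = $e.Oid; Name = $found.lDAPDisplayName; Status = $status }
    }
}

# Constructed sample standing in for directory output: one class present and one
# attribute with the wrong single-valued flag; every other expected entry is absent.
$sample = @(
    [pscustomobject]@{ lDAPDisplayName = 'dellRacDevice';   governsID   = "$DellBase.1.1" }
    [pscustomobject]@{ lDAPDisplayName = 'dellIsLoginUser'; attributeID = "$DellBase.2.3"; isSingleValued = $false }
)
Test-DellSchemaExtension -SchemaObjects $sample | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Live check (assumes the ActiveDirectory module and read access to the schema partition):
# $nc   = (Get-ADRootDSE).schemaNamingContext
# $live = Get-ADObject -SearchBase $nc -LDAPFilter '(|(objectClass=classSchema)(objectClass=attributeSchema))' `
#             -Properties lDAPDisplayName, governsID, attributeID, isSingleValued
# Test-DellSchemaExtension -SchemaObjects $live
```
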
Table 6-2. Class Definitions for Classes Added to the Active Directory Schema
Class Name              Assigned Object Identification Number (OID)
dellRacDevice           1.2.840.113556.1.8000.1280.1.1.1.1
dellAssociationObject   1.2.840.113556.1.8000.1280.1.1.1.2
dellRACPrivileges       1.2.840.113556.1.8000.1280.1.1.1.3
dellPrivileges          1.2.840.113556.1.8000.1280.1.1.1.4
dellProduct             1.2.840.113556.1.8000.1280.1.1.1.5

Table 6-3. dellRacDevice Class
OID            1.2.840.113556.1.8000.1280.1.1.1.1
Description    Represents the Dell RAC device. The RAC device must be
               configured as dellRacDevice in Active Directory. This
               configuration enables the iDRAC to send Lightweight Directory
               Access Protocol (LDAP) queries to Active Directory.
Class Type     Structural Class
SuperClasses   dellProduct
Attributes     dellSchemaVersion
               dellRacType

Table 6-4. dellAssociationObject Class
OID            1.2.840.113556.1.8000.1280.1.1.1.2
Description    Represents the Dell Association Object. The Association
               Object provides the connection between the users and the
               devices.
Class Type     Structural Class
SuperClasses   Group
Attributes     dellProductMembers
               dellPrivilegeMember

Table 6-5. dellRAC4Privileges Class
OID            1.2.840.113556.1.8000.1280.1.1.1.3
Description    Used to define the privileges (Authorization Rights) for the
               iDRAC device.
Class Type     Auxiliary Class
SuperClasses   None
Attributes     dellIsLoginUser
               dellIsCardConfigAdmin
               dellIsUserConfigAdmin
               dellIsLogClearAdmin
               dellIsServerResetUser
               dellIsConsoleRedirectUser
               dellIsVirtualMediaUser
               dellIsTestAlertUser
               dellIsDebugCommandAdmin

Table 6-6. dellPrivileges Class
OID            1.2.840.113556.1.8000.1280.1.1.1.4
Description    Used as a container Class for the Dell Privileges
               (Authorization Rights).
Class Type     Structural Class
SuperClasses   User
Attributes     dellRAC4Privileges

Table 6-7. dellProduct Class
OID            1.2.840.113556.1.8000.1280.1.1.1.5
Description    The main class from which all Dell products are derived.
Class Type     Structural Class
SuperClasses   Computer
Attributes     dellAssociationMembers

Table 6-8. List of Attributes Added to the Active Directory Schema

Attribute Name             dellPrivilegeMember
Description                List of dellPrivilege Objects that belong to this Attribute.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.1
Syntax Object Identifier   Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
Single Valued              FALSE

Attribute Name             dellProductMembers
Description                List of dellRacDevices Objects that belong to this role. This
                           attribute is the forward link to the dellAssociationMembers
                           backward link.
                           Link ID: 12070
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.2
Syntax Object Identifier   Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
Single Valued              FALSE

Attribute Name             dellIsLoginUser
Description                TRUE if the user has Login rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.3
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsCardConfigAdmin
Description                TRUE if the user has Card Configuration rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.4
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsUserConfigAdmin
Description                TRUE if the user has User Configuration rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.5
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsLogClearAdmin
Description                TRUE if the user has Log Clearing rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.6
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsServerResetUser
Description                TRUE if the user has Server Reset rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.7
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsConsoleRedirectUser
Description                TRUE if the user has Console Redirection rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.8
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsVirtualMediaUser
Description                TRUE if the user has Virtual Media rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.9
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsTestAlertUser
Description                TRUE if the user has Test Alert User rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.10
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellIsDebugCommandAdmin
Description                TRUE if the user has Debug Command Admin rights on the device.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.11
Syntax Object Identifier   Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
Single Valued              TRUE

Attribute Name             dellSchemaVersion
Description                The Current Schema Version is used to update the schema.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.12
Syntax Object Identifier   Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
Single Valued              TRUE

Attribute Name             dellRacType
Description                This attribute is the Current Rac Type for the dellRacDevice
                           object and the backward link to the
                           dellAssociationObjectMembers forward link.
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.13
Syntax Object Identifier   Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
Single Valued              TRUE

Attribute Name             dellAssociationMembers
Description                List of dellAssociationObjectMembers that belong to this
                           Product. This attribute is the backward link to the
                           dellProductMembers Linked attribute.
                           Link ID: 12071
Assigned OID               1.2.840.113556.1.8000.1280.1.1.2.14
Syntax Object Identifier   Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
Single Valued              FALSE

Installing the Dell Extension to the Active Directory Users and Computers Snap-In
When you extend the schema in Active Directory, you must also extend the
Active Directory Users and Computers snap-in so the administrator can
manage RAC (iDRAC) devices, Users and User Groups, RAC Associations,
and RAC Privileges.
When you install your systems management software using the Dell Systems
Management Tools and Documentation DVD, you can extend the snap-in by
selecting the Dell Extension to the Active Directory User’s and Computers
Snap-In option during the installation procedure. See the Dell OpenManage
Software Quick Installation Guide for additional instructions about installing
systems management software.
For more information about the Active Directory Users and Computers
snap-in, see your Microsoft documentation.
Installing the Administrator Pack
You must install the Administrator Pack on each system that is managing the
Active Directory iDRAC Objects. If you do not install the Administrator Pack,
you cannot view the Dell RAC Object in the container.
See "Opening the Active Directory Users and Computers Snap-In" on
page 118 for more information.
Opening the Active Directory Users and Computers Snap-In
To open the Active Directory Users and Computers snap-in, perform the
following steps:
1. If you are logged into the domain controller, click
   Start→Admin Tools→Active Directory Users and Computers.
   If you are not logged into the domain controller, you must have the
   appropriate Microsoft Administrator Pack installed on your local system.
   To install this Administrator Pack, click Start→Run, type MMC, and
   press Enter.
   The Microsoft Management Console (MMC) appears.
2. In the Console 1 window, click File (or Console on systems running
   Windows 2000).
3. Click Add/Remove Snap-in.
4. Select the Active Directory Users and Computers snap-in and click Add.
5. Click Close and click OK.
Adding iDRAC Users and Privileges to Active Directory
Using the Dell-extended Active Directory Users and Computers snap-in, you
can add iDRAC users and privileges by creating RAC, Association, and
Privilege objects. To add each object type, perform the following procedures:
• Create a RAC device Object
• Create a Privilege Object
• Create an Association Object
• Add objects to an Association Object
Creating a RAC Device Object
1. In the MMC Console Root window, right-click a container.
2. Select New→Dell RAC Object.
   The New Object window appears.
3. Type a name for the new object. The name must be identical to the
   iDRAC Name that you will type in step a of "Configuring the iDRAC With
   Extended Schema Active Directory Using the Web Interface" on page 121.
4. Select RAC Device Object.
5. Click OK.
Creating a Privilege Object
NOTE: A Privilege Object must be created in the same domain as the related
Association Object.
1. In the Console Root (MMC) window, right-click a container.
2. Select New→Dell RAC Object.
   The New Object window appears.
3. Type a name for the new object.
4. Select Privilege Object.
5. Click OK.
6. Right-click the privilege object that you created, and select Properties.
7. Click the RAC Privileges tab and select the privileges that you want the
   user to have (for more information, see "iDRAC User Privileges" on
   page 85).
Creating an Association Object
The Association Object is derived from a Group and must contain a Group
Type. The Association Scope specifies the Security Group Type for the
Association Object. When you create an Association Object, choose the
Association Scope that applies to the type of objects you intend to add.
For example, if you select Universal, the association objects are only available
when the Active Directory Domain is functioning in Native Mode or above.
1. In the Console Root (MMC) window, right-click a container.
2. Select New→Dell RAC Object.
   This opens the New Object window.
3. Type a name for the new object.
4. Select Association Object.
5. Select the scope for the Association Object.
6. Click OK.
Adding Objects to an Association Object
Using the Association Object Properties window, you can associate users or
user groups, privilege objects, and RAC devices or RAC device groups. If your
system is running Windows 2000 mode or higher, use Universal Groups to
span domains with your user or RAC objects.
You can add groups of Users and RAC devices. The procedure for creating
Dell-related groups and non-Dell-related groups is identical.
Adding Users or User Groups
1. Right-click the Association Object and select Properties.
2. Select the Users tab and click Add.
3. Type the user or User Group name and click OK.
Click the Privilege Object tab to add the privilege object to the association
that defines the user’s or user group’s privileges when authenticating to a
RAC device. Only one privilege object can be added to an Association Object.
Adding Privileges
1. Select the Privileges Object tab and click Add.
2. Type the Privilege Object name and click OK.
Click the Products tab to add one or more RAC devices to the association.
The associated devices specify the RAC devices connected to the network
that are available for the defined users or user groups. Multiple RAC devices
can be added to an Association Object.
Adding RAC Devices or RAC Device Groups
To add RAC devices or RAC device groups:
1. Select the Products tab and click Add.
2. Type the RAC device or RAC device group name and click OK.
3. In the Properties window, click Apply and click OK.
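
An added example, not part of the Dell guide, for reviewing what the objects created in the procedures above actually grant: it expands each Association Object into principal, device and privilege rows, and warns when an association does not carry exactly one Privilege Object. It assumes that users and groups added on the Users tab are stored in the group's member attribute and that the LDAP display names match the names in Table 6-2 and Table 6-5; the function name and all DNs are constructed for illustration.

```powershell
# Privilege attributes carried by a Privilege Object, from Table 6-5.
$PrivilegeFlags = 'dellIsLoginUser', 'dellIsCardConfigAdmin', 'dellIsUserConfigAdmin',
                  'dellIsLogClearAdmin', 'dellIsServerResetUser', 'dellIsConsoleRedirectUser',
                  'dellIsVirtualMediaUser', 'dellIsTestAlertUser', 'dellIsDebugCommandAdmin'

function Get-IdracEffectiveAccess {
    param(
        [Parameter(Mandatory)][object[]]$Associations,
        [hashtable]$PrivilegeObjectsByDn = @{}
    )
    foreach ($a in $Associations) {
        # Drop empty values so that a missing attribute counts as zero entries.
        $privDns = @($a.dellPrivilegeMember | Where-Object { $_ })
        if ($privDns.Count -ne 1) {
            Write-Warning "$($a.Name): expected exactly one Privilege Object, found $($privDns.Count)"
            continue
        }
        $priv = $PrivilegeObjectsByDn[[string]$privDns[0]]
        if (-not $priv) {
            Write-Warning "$($a.Name): Privilege Object $($privDns[0]) was not retrieved"
            continue
        }
        $granted = @($PrivilegeFlags | Where-Object { $priv.$_ -eq $true })
        foreach ($principal in @($a.member | Where-Object { $_ })) {
            foreach ($device in @($a.dellProductMembers | Where-Object { $_ })) {
                [pscustomobject]@{
                    Association = $a.Name
                    Principal   = $principal          # may be a group; nested members are not expanded
                    Device      = $device
                    Privileges  = $granted -join ','
                }
            }
        }
    }
}

# Constructed sample data (example.com DNs are placeholders, not values from the guide).
$privs = @{
    'CN=idrac-ops-priv,OU=Dell,DC=example,DC=com' =
        [pscustomobject]@{ dellIsLoginUser = $true; dellIsServerResetUser = $true; dellIsDebugCommandAdmin = $false }
}
$assocs = @(
    [pscustomobject]@{ Name = 'idrac-ops'; member = @('CN=Ops Team,OU=Groups,DC=example,DC=com')
                       dellPrivilegeMember = @('CN=idrac-ops-priv,OU=Dell,DC=example,DC=com')
                       dellProductMembers  = @('CN=blade01-idrac,OU=Dell,DC=example,DC=com',
                                               'CN=blade02-idrac,OU=Dell,DC=example,DC=com') }
    [pscustomobject]@{ Name = 'no-priv-object'; member = @('CN=jdoe,OU=Users,DC=example,DC=com')
                       dellProductMembers = @('CN=blade03-idrac,OU=Dell,DC=example,DC=com') }
)
Get-IdracEffectiveAccess -Associations $assocs -PrivilegeObjectsByDn $privs | Format-Table -AutoSize

# Live data (assumes the ActiveDirectory module):
# $assocs = Get-ADObject -LDAPFilter '(objectClass=dellAssociationObject)' -Properties member, dellPrivilegeMember, dellProductMembers
# $privs  = @{}; Get-ADObject -LDAPFilter '(objectClass=dellPrivileges)' -Properties * | ForEach-Object { $privs[$_.DistinguishedName] = $_ }
```
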
Configuring the iDRAC With Extended Schema Active Directory Using the Web Interface
1. Open a supported Web browser window.
2. Log in to the iDRAC Web interface.
3. Click System→Remote Access.
4. Click the Configuration tab and select Active Directory.
5. On the Active Directory Main Menu page, select Configure Active
   Directory and click Next.
6. In the Common Settings section:
   a. Select the Enable Active Directory check box.
   b. Type the Root Domain Name. The Root Domain Name is the fully
      qualified root domain name for the forest.
   c. Type the Timeout time in seconds.
7. Click Use Extended Schema in the Active Directory Schema Selection
   section.
8. In the Extended Schema Settings section:
   a. Type the iDRAC Name. This name must be the same as the common
      name of the new RAC object you created in your Domain Controller
      (see step 3 of "Creating a RAC Device Object").
   b. Type the iDRAC Domain Name (for example, iDRAC.com). Do not
      use the NetBIOS name. The iDRAC Domain Name is the fully
      qualified domain name of the sub-domain where the RAC Device
      Object is located.
9. Click Apply to save the Active Directory settings.
10. Click Go Back To Active Directory Main Menu.
11. Upload your domain forest Root CA certificate into the iDRAC.
   a. Select the Upload Active Directory CA Certificate radio button and
      then click Next.
   b. In the Certificate Upload page, type the file path of the certificate or
      browse to the certificate file.
      NOTE: The File Path value displays the relative file path of the certificate you
      are uploading. You must type the absolute file path, which includes the full
      path and the complete file name and file extension.
      The domain controllers’ SSL certificates should have been signed by
      the root CA. Have the root CA certificate available on your
      management station accessing the iDRAC (see "Exporting the
      Domain Controller Root CA Certificate" on page 132).
   c. Click Apply.
      The iDRAC Web server automatically restarts after you click Apply.
12. Log out and then log in to the iDRAC to complete the iDRAC Active
    Directory feature configuration.
13. Click System→Remote Access→iDRAC→Network/Security→Network.
14. If Use DHCP (For NIC IP Address) is selected under Network Settings,
    then select Use DHCP to obtain DNS server address.
    To manually input a DNS server IP address, deselect Use DHCP to obtain
    DNS server addresses and type your preferred and alternate DNS server IP
    addresses.
15. Click Apply.
The iDRAC Extended Schema Active Directory feature configuration is
complete.
Configuring the iDRAC With Extended Schema Active Directory Using RACADM
Use the following commands to configure the iDRAC Active Directory
feature with the extended schema using the RACADM CLI tool instead of
the Web interface.
1. Open a command prompt and type the following RACADM commands:
   racadm config -g cfgActiveDirectory -o cfgADEnable 1
   racadm config -g cfgActiveDirectory -o cfgADType 1
   racadm config -g cfgActiveDirectory -o cfgADRacDomain <rac-FQDN>
   racadm config -g cfgActiveDirectory -o cfgADRootDomain <root-FQDN>
   racadm config -g cfgActiveDirectory -o cfgADRacName <RAC-common-name>
   racadm sslcertupload -t 0x2 -f <root-CA-certificate-TFTP-URI>
   racadm sslcertdownload -t 0x1 -f <RAC-SSL-certificate>
2. If DHCP is enabled on the iDRAC and you want to use the DNS provided
   by the DHCP server, type the following RACADM command:
   racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1
3. If DHCP is disabled on the iDRAC or you want to manually input your
   DNS IP addresses, type the following RACADM commands:
   racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
   racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary-DNS-IP-address>
   racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary-DNS-IP-address>
4. Press Enter to complete the iDRAC Active Directory feature configuration.
Configuring the iDRAC With Extended Schema Active Directory and SM-CLP
NOTE: You must have a TFTP server running from which you can retrieve the root
CA certificate and to which you can save the iDRAC server certificate.
Use the following commands to configure the iDRAC Active Directory
feature with the extended schema using SM-CLP.
1. Log in to the iDRAC using telnet or SSH and enter the following SM-CLP
   commands:
   cd /system1/sp1/oemdell_adservice1
   set enablestate=1
   set oemdell_schematype=1
   set oemdell_adracdomain=<rac-FQDN>
   set oemdell_adrootdomain=<root-FQDN>
   set oemdell_adracname=<RAC-common-name>
   set /system1/sp1/oemdell_ssl1 oemdell_certtype=AD
   load -source <ActiveDirectory-certificate-TFTP-URI> /system1/sp1/oemdell_ssl1
   set /system1/sp1/oemdell_ssl1 oemdell_certtype=SSL
   dump -destination <DRAC-server-certificate-TFTP-URI> /system1/sp1/oemdell_ssl1
2. If DHCP is enabled on the iDRAC and you want to use the DNS provided
   by the DHCP server, type the following SM-CLP command:
   set /system1/sp1/enetport1/lanendpt1/ipendpt1/\
   dnsendpt1 oemdell_serversfromdhcp=1
3. If DHCP is disabled on the iDRAC or you want to manually enter your
   DNS IP address, type the following SM-CLP commands:
   set /system1/sp1/enetport1/lanendpt1/\
   ipendpt1/dnsendpt1 oemdell_serversfromdhcp=0
   set /system1/sp1/enetport1/lanendpt1/ipendpt1/\
   dnsendpt1/remotesap1 dnsserveraddress=<primary-DNS-IP-address>
   set /system1/sp1/enetport1/lanendpt1/ipendpt1/\
   dnsendpt1/remotesap1 dnsserveraddress=<secondary-DNS-IP-address>
Active Directory Standard Schema Overview
As shown in Figure 6-4, using standard schema for Active Directory
integration requires configuration on both Active Directory and the iDRAC.
On the Active Directory side, a standard group object is used as a role group.
A user who has iDRAC access will be a member of the role group. To give this
user access to a specific iDRAC, the role group name and its domain name
need to be configured on the specific iDRAC. Unlike the extended schema
solution, the role and the privilege level are defined on each iDRAC, not in
Active Directory. Up to five role groups can be configured and defined in each
iDRAC. Table 5-12 on page 85 shows the privilege levels of the role groups
and Table 6-9 shows the default role group settings.
Figure 6-4. Configuration of iDRAC with Microsoft Active Directory and the Standard Schema
[Figure labels: Configuration on Active Directory Side (Role Group, User); Configuration on iDRAC Side (Role Group Name and Domain Name, Role Definition)]
NOTE: The Bit Mask values are used only when setting up the standard schema
with the RACADM.
There are two ways to enable the standard schema in Active Directory<