Enterprises typically use the Microsoft Active Directory directory service to centrally manage physical resources across a LAN or wide area network (WAN). Active Directory provides a highly scalable distributed repository for information about objects in a network environment, such as users, computers, printers, applications, and appliances.
Authorizing and authenticating users on an enterprise network to allow access to switches can be complex, requiring multiple local administrators to manage user privileges. The multiuser Dell 2161DS-2 and 4161DS remote console switches combine digital KVM (keyboard, video, mouse) technology with advanced management features, allowing users to manage switches as objects in an Active Directory infrastructure. These switches provide access for both local users and remote Active Directory users through Lightweight Directory Access Protocol (LDAP) using Dell Remote Console Software (RCS). RCS is a management application that allows users to view and control Dell remote console switches and their attached servers. It includes secure switch-based authentication, data transfers, and username and password storage, and its cross-platform design enables compatibility with many popular operating systems and hardware platforms. Each switch handles its local access and authentication control to provide decentralized system control, and can also be part of a centralized Active Directory infrastructure.
Based on the X.500 directory service model, LDAP provides an industry-standard global directory structure for accessing, querying, and updating a directory using TCP/IP, and supports strong security features, including authentication, privacy, and data integrity. LDAP v3 is specified in RFC 2251. Although LDAP is a computer communication protocol, the term often denotes more than just the protocol standard: it is inextricably tied to a default schema for the Active Directory database (RFC 2256) and other essential aspects of protocol interoperability (RFCs 2252, 2255, and 2829).
Understanding hardware and software requirements
Figure 1 illustrates a basic configuration integrating a Dell remote console switch with an Active Directory infrastructure. Authorizing and authenticating remote users in this type of configuration requires the following components:
• Hardware: At least one Active Directory server running the Microsoft Windows® 2000 or Windows Server® 2003 OS, a management station (desktop, workstation, or server) running RCS, and a Dell 2161DS-2 or 4161DS switch
• Software: The Dell Schema Extender utility, the Dell Microsoft Management Console (MMC) Active Directory snap-in, and RCS
Figure 2 shows the hardware and software requirements for the management station running RCS.
Integrating Dell Remote Console Switches with Microsoft Active Directory
The multiuser Dell™ 2161DS-2 and 4161DS remote console switches are designed to integrate with the Microsoft® Active Directory® directory service by using Lightweight Directory Access Protocol to authorize and authenticate Active Directory users for switch access.
By Rayan Ghosal
Reprinted from Dell Power Solutions, May 2007. Copyright © 2007 Dell Inc. All rights reserved.
Dell 2161DS-2 and 4161DS switches can authorize and authenticate Active Directory users through their local database or an external centralized server using LDAP. This approach can increase data center efficiency by helping eliminate the need to update access permissions in individual switches, and can increase remote access security by utilizing a single network authentication source. The 2161DS-2 and 4161DS switches can authenticate with both the standard Active Directory schema and the Dell extended Active Directory schema to help maximize hardware compatibility.
Configuring the Active Directory infrastructure
Before the Dell 2161DS-2 and 4161DS switches can use Active Directory for authentication, administrators must configure some basic settings in the Active Directory architecture to associate users with switches and provide them with the appropriate privileges:
1. Log in to the domain controller with administrative privileges.
2. Extend the Active Directory schema using the Dell Schema Extender
utility or the LDAP Data Interchange Format (LDIF) files available on the
Dell OpenManage™ Management Station CD, which allows Active
Directory to include Appliance, Privilege, and Association objects for
the digital KVM switch. Association objects link together users or groups
with a specific set of privileges to access servers using Server Interface
Pods (SIPs), which connect servers and switches; these objects help
increase management flexibility for different privilege combinations.
3. Install the Dell MMC Active Directory snap-in, which extends the Active
Directory Users and Administrators snap-in so that administrators can
manage Dell remote console switches, associations, privileges, users,
and groups. Administrators can choose to install the Dell MMC Active
Directory snap-in when installing the systems management software
from the Dell Systems Management Consoles CD.
4. Add remote console users and privileges to Active Directory. The Dell
extended Active Directory Users and Computers snap-in allows Active
Directory administrators to add remote console users and privileges
by creating SIP, Privilege, and Association objects.
For each physical remote console switch administrators integrate with Active Directory for authorization and authentication, they must create at least one Appliance object for the switch and one Association object. They can link each Association object to as many users, groups, or Appliance objects as they want. The users and Appliance objects can be members of any domain; however, each Association object can be linked (or can link users, groups, or Appliance objects) to only one Privilege object, which allows administrators to control privilege types for each user on specific SIPs.
The Appliance object provides the link to the remote console switch for querying Active Directory for authorization and authentication. When a remote console switch is added to a network, administrators must configure it and its Appliance object with its Active Directory name so that users can perform authorization and authentication with Active Directory. Administrators must also add the switch’s Appliance object to at least one Association object to allow users to authenticate.
Figure 2. Hardware and software requirements for a management station running Dell RCS
Supported servers
• Dell PowerEdge™ server models 650, 700, 750, 850, 1650, 1655, 1750, 1800, 1850, 1900, 1950, 2400, 2500, 2600, 2650, 2800, 2850, 2950, 4600, 6600, 6650, 6800, 6850, 7150, 7250, 8450, SC430, SC1425, and SC2500
Minimum hardware requirements
• Intel® Pentium® III processor at 500 MHz
• 256 MB of RAM
• 10BaseT or 100BaseT network interface card (100BaseT recommended)
• XGA video card with graphics accelerator
• 800 × 600 video resolution
• 16-bit color palette with 65,536 colors
Supported operating systems
• Microsoft Windows 2000 Workstation with Service Pack 4 (SP4), Windows 2000 Server with SP4, Windows XP Home Edition or Professional with SP2, or Windows Server 2003 with SP1
• Red Hat® Enterprise Linux® WS 3 or 4
• Novell® SUSE® Linux Enterprise Server 8, 9, 9.2, or 9.3
Supported Web browsers
• Microsoft Internet Explorer® 5.0 or later
• Netscape 6.0 or later
• Mozilla 1.4 or later
• Firefox 1.0 or later
Figure 1. Basic configuration integrating a Dell remote console switch with a Microsoft Active Directory infrastructure
[Figure 1 diagram; labels shown: Microsoft Active Directory domain, Certification server, Organization unit, Users, Groups, Network, Analog Rack Interface (ARI), Analog user, USB devices, SIP, Server 1, Servers 2–16, Power cord]
Administrators can add Appliance objects
as follows:
1. From the administrative tools, click “Active
Directory Users and Computers.”
2. Right-click on the Computers container and
select New > KVM Object from the menu.
3. In the KVM object window, select the
Appliance object option button, then enter
the name of the switch that appears in the
RCS window and click OK.
4. If desired, associate the Active Directory users with the switch using the default privileges created when the Dell MMC Active Directory snap-in is installed.
They can then create Privilege and
Association objects as follows:
1. Right-click on the Dell container and select
New > Dell KVM Object from the menu.
2. To create a Privilege object, select the Privilege object button in the
Dell KVM Object window, then enter the object name and click OK.
Similarly, to create an Association object, select the Association
object button, then enter the object name and click OK.
3. To associate the Appliance object with users and privilege levels, in
the object properties menu for the Association object, add the User,
Privilege, and Appliance objects.
Configuring the Dell remote console switch
Administrators must also configure a Dell remote console switch to authorize and authenticate Active Directory users that are accessing servers connected to the switch through SIPs. To do so, they can perform the following steps in the RCS console:
1. Click the switch icon in the list of discovered network switches and log in to it with administrative privileges.
2. In the Settings tab of the Manage Remote Console Switch window, select Global > Authentication.
3. Select the Use LDAP Authentication option button in the Authentication Settings and the Extended option button in the Authentication Parameters. Add the remote console switch’s domain name and root domain name, which should be the Active Directory Domain Name System (DNS) name.
4. Select the Tools tab and use the Send Security Certification to Remote Console Switch tool to load a Certificate Authority (CA) certificate generated by the domain controller onto the switch.
Using the Dell RCS console
After configuring the Active Directory infrastructure and the remote console switch, administrators can log in to RCS with the username associated with the Active Directory Appliance object for the switch. Depending on the privilege level associated with this username (see Figure 3), administrators can then use the RCS console to perform different management operations on the servers connected to the switch through the SIPs.
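The following is an added example, not code from the article or from Dell: it models the Appliance, Association and Privilege relationships described under "Configuring the Active Directory infrastructure" and resolves, per Figure 3, which operations a given user may perform on a given switch. The switch names, users and groups are constructed, and the one-Privilege-per-Association and name-must-match-RCS rules are taken from the article's own text.

```python
from dataclasses import dataclass, field

# Privilege levels named on the page, lowest first.
LEVELS = ("user", "user administrator", "remote console switch administrator")

# Operations each level may perform, transcribed from Figure 3. A plain user's access
# to target devices depends on SIP assignment by an administrator, so none is granted here.
ALLOWED = {
    "user": set(),
    "user administrator": {"administer user accounts", "monitor server status",
                           "access target devices"},
    "remote console switch administrator": {
        "configure network and global settings", "reboot", "flash upgrade",
        "administer user accounts", "monitor server status", "access target devices"},
}

@dataclass
class Association:
    privilege: str                                # exactly one Privilege object per Association
    members: set = field(default_factory=set)     # linked user or group names
    appliances: set = field(default_factory=set)  # linked Appliance objects (switch names in RCS)

def validate(assocs, rcs_switch_names):
    """Enforce the article's rules: a known Privilege level per Association, and every
    Appliance object name must match a switch name shown in RCS."""
    for a in assocs:
        if a.privilege not in LEVELS:
            raise ValueError(f"unknown privilege level {a.privilege!r}")
        unknown = a.appliances - rcs_switch_names
        if unknown:
            raise ValueError(f"Appliance objects with no matching RCS switch: {sorted(unknown)}")
    return True

def effective_level(assocs, principals, appliance):
    """Highest level any Association grants the user (or one of the user's groups) on this
    switch; None means no Association links them, so the switch refuses the login."""
    granted = [a.privilege for a in assocs
               if appliance in a.appliances and principals & a.members]
    return max(granted, key=LEVELS.index) if granted else None

def may_perform(assocs, principals, appliance, operation):
    level = effective_level(assocs, principals, appliance)
    return level is not None and operation in ALLOWED[level]

# Constructed sample directory content (hypothetical names, not from the article).
RCS_SWITCHES = {"kvm-rack01", "kvm-rack02"}
SAMPLE = [
    Association("user administrator", {"alice", "kvm-operators"}, {"kvm-rack01"}),
    Association("remote console switch administrator", {"bob"}, RCS_SWITCHES),
]
```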
Implementing deployment best practices
The environment described in the preceding section can provide seamless user authorization and authentication, but should include well-defined responsibilities for Active Directory administrators and switch users in enterprise data centers. The Active Directory administrator must first set up Active Directory for authentication as follows:
1. Install the server OS, Active Directory, DNS, and the Dell MMC Active
Directory snap-in on the Active Directory server, and register the
snap-in.
2. Run the Dell Schema Extender utility from the KVM folder on the Dell
Systems Management Consoles CD.
3. Configure Network Time Protocol (NTP) on the server as described at
support.microsoft.com/kb/816042.
4. Install Certificate Services and create a CA certificate for the root.
5. Create the users in Active Directory.
6. Create the KVM object in the Computers container; the name of this
object should match the name of the switch in RCS.
Figure 3. Microsoft Active Directory access privilege levels
Operation | User | User administrator | Remote console switch administrator
Preempt | | Can preempt other users with user- or administrator-level privilege | Can preempt other users with any privilege level
Configure network and global settings | | | ✓
Reboot | | | ✓
Flash upgrade | | | ✓
Administer user accounts | | ✓ | ✓
Monitor server status | | ✓ | ✓
Access target devices | Can access devices only if assigned by administrator | ✓ | ✓
7. Create Privilege and Association objects in the Dell container.
8. Associate Appliance, User, and Privilege objects using the Association
object.
9. Create KVM SIP objects for any servers that might later be connected
to the switch.
The Active Directory administrator must also set up the switch by
connecting the switch console (serial cable) to a server and running
HyperTerminal to flash the switch firmware. Then the administrator can
use HyperTerminal to configure the switch IP settings.
Switch users must configure RCS as follows:
1. Before installing RCS on the management station used to access the switch, enable Data Execution Prevention by right-clicking on My Computer and selecting Properties, selecting the Advanced tab, clicking the Settings button in the Performance section, selecting the Data Execution Prevention tab, and checking the top option button. Then restart the computer and install RCS.
2. Search for the switch on the network by entering its IP address in
the RCS console, then log in to the switch with administrator
privileges.
3. In the Settings tab of the Manage Remote Console Switch window in
the RCS console, select Global > Network, then provide the DNS server
IP address.
4. Under Global > Authentication, enable LDAP authentication and provide the switch’s domain name and root domain name.
5. In the Tools tab, use the Send Security Certificate to Remote Console
Switch tool to send the root CA certificate created by the Active
Directory administrator.
6. Close the RCS console.
7. Relaunch the RCS console and log in using the Active Directory username and password created in the Active Directory database for accessing the switch.
Simplifying Dell remote console switch authorization and authentication
Integrating Dell 2161DS-2 and 4161DS remote console switches with an Active Directory infrastructure can help provide seamless remote management of the switch user database from a central remote location. By eliminating the need for multiple local administrators and using a single network authentication source, enterprises can simplify the management of switch authorization and authentication while strengthening security in their IT data centers.
Rayan Ghosal is a test engineer senior analyst in the Dell Product Group.
He is currently part of the Enterprise Systems Test team at the Dell
Bangalore Development Center.