Integrating Dell Remote Console Switches with Microsoft Active Directory

The multiuser Dell™ 2161DS-2 and 4161DS remote console switches are designed to integrate with the Microsoft® Active Directory® directory service by using Lightweight Directory Access Protocol to authorize and authenticate Active Directory users for switch access.

By Rayan Ghosal

Reprinted from Dell Power Solutions, May 2007. Copyright © 2007 Dell Inc. All rights reserved.

Systems Management

Enterprises typically use the Microsoft Active Directory directory service to centrally manage physical resources across a LAN or wide area network (WAN). Active Directory provides a highly scalable distributed repository for information about objects in a network environment, such as users, computers, printers, applications, and appliances.

Authorizing and authenticating users on an enterprise network to allow access to switches can be complex, requiring multiple local administrators to manage user privileges. The multiuser Dell 2161DS-2 and 4161DS remote console switches combine digital KVM (keyboard, video, mouse) technology with advanced management features, allowing users to manage switches as objects in an Active Directory infrastructure. These switches provide access for both local users and remote Active Directory users through Lightweight Directory Access Protocol (LDAP) using Dell Remote Console Software (RCS). RCS is a management application that allows users to view and control Dell remote console switches and their attached servers. It includes secure switch-based authentication, data transfers, and username and password storage, and its cross-platform design enables compatibility with many popular operating systems and hardware platforms. Each switch handles its local access and authentication control to provide decentralized system control, and can also be part of a centralized Active Directory infrastructure.

Based on the X.500 directory service model, LDAP provides an industry-standard global directory structure for accessing, querying, and updating a directory using TCP/IP, and supports strong security features, including authentication, privacy, and data integrity. LDAP v3 is specified in RFC 2251. Although LDAP is a computer communication protocol, the term often denotes more than just the protocol standard: it is inextricably tied to a default schema for the Active Directory database (RFC 2256) and other essential aspects of protocol interoperability (RFCs 2252, 2255, and 2829).

Understanding hardware and software requirements

Figure 1 illustrates a basic configuration integrating a Dell remote console switch with an Active Directory infrastructure. Authorizing and authenticating remote users in this type of configuration requires the following components:

• Hardware: At least one Active Directory server running the Microsoft Windows® 2000 or Windows Server® 2003 OS, a management station (desktop, workstation, or server) running RCS, and a Dell 2161DS-2 or 4161DS switch
• Software: The Dell Schema Extender utility, the Dell Microsoft Management Console (MMC) Active Directory snap-in, and RCS

Figure 2 shows the hardware and software requirements for the management station running RCS.



Dell 2161DS-2 and 4161DS switches can authorize and authenticate Active Directory users through their local database or an external centralized server using LDAP. This approach can increase data center efficiency by helping eliminate the need to update access permissions in individual switches, and can increase remote access security by utilizing a single network authentication source. The 2161DS-2 and 4161DS switches can authenticate with both the standard Active Directory schema and the Dell extended Active Directory schema to help maximize hardware compatibility.

Configuring the Active Directory infrastructure

Before the Dell 2161DS-2 and 4161DS switches can use Active Directory for authentication, administrators must configure some basic settings in the Active Directory architecture to associate users with switches and provide them with the appropriate privileges:

1. Log in to the domain controller with administrative privileges.
2. Extend the Active Directory schema using the Dell Schema Extender utility or the LDAP Data Interchange Format (LDIF) files available on the Dell OpenManage™ Management Station CD, which allows Active Directory to include Appliance, Privilege, and Association objects for the digital KVM switch. Association objects link together users or groups with a specific set of privileges to access servers using Server Interface Pods (SIPs), which connect servers and switches; these objects help increase management flexibility for different privilege combinations.
3. Install the Dell MMC Active Directory snap-in, which extends the Active Directory Users and Administrators snap-in so that administrators can manage Dell remote console switches, associations, privileges, users, and groups. Administrators can choose to install the Dell MMC Active Directory snap-in when installing the systems management software from the Dell Systems Management Consoles CD.
4. Add remote console users and privileges to Active Directory. The Dell extended Active Directory Users and Computers snap-in allows Active Directory administrators to add remote console users and privileges by creating SIP, Privilege, and Association objects.

For each physical remote console switch administrators integrate with Active Directory for authorization and authentication, they must create at least one Appliance object for the switch and one Association object. They can link each Association object to as many users, groups, or Appliance objects as they want. The users and Appliance objects can be members of any domain; however, each Association object can be linked (or can link users, groups, or Appliance objects) to only one Privilege object, which allows administrators to control privilege types for each user on specific SIPs.

The Appliance object provides the link to the remote console switch for querying Active Directory for authorization and authentication. When a remote console switch is added to a network, administrators must configure it and its Appliance object with its Active Directory name so that users can perform authorization and authentication with Active Directory. Administrators must also add the switch’s Appliance object to at least one Association object to allow users to authenticate.


Figure 2. Hardware and software requirements for a management station running Dell RCS

Supported servers
• Dell PowerEdge™ server models 650, 700, 750, 850, 1650, 1655, 1750, 1800, 1850, 1900, 1950, 2400, 2500, 2600, 2650, 2800, 2850, 2950, 4600, 6600, 6650, 6800, 6850, 7150, 7250, 8450, SC430, SC1425, and SC2500

Minimum hardware requirements
• Intel® Pentium® III processor at 500 MHz
• 256 MB of RAM
• 10BaseT or 100BaseT network interface card (100BaseT recommended)
• XGA video card with graphics accelerator
• 800 × 600 video resolution
• 16-bit color palette with 65,536 colors

Supported operating systems
• Microsoft Windows 2000 Workstation with Service Pack 4 (SP4), Windows 2000 Server with SP4, Windows XP Home Edition or Professional with SP2, or Windows Server 2003 with SP1
• Red Hat® Enterprise Linux® WS 3 or 4, or Novell® SUSE® Linux Enterprise Server 8, 9, 9.2, or 9.3

Supported Web browsers
• Microsoft Internet Explorer® 5.0 or later
• Netscape 6.0 or later
• Mozilla 1.4 or later
• Firefox 1.0 or later

Figure 1. Basic configuration integrating a Dell remote console switch with a Microsoft Active Directory infrastructure (diagram labels: Microsoft Active Directory domain with a certification server and an organization unit holding users and groups; network; the switch with power cord and USB devices; Server 1 and Servers 2–16 attached through SIPs; an analog user attached through the Analog Rack Interface (ARI))

Administrators can add Appliance objects as follows:

1. From the administrative tools, click “Active Directory Users and Computers.”
2. Right-click on the Computers container and select New > KVM Object from the menu.
3. In the KVM object window, select the Appliance object option button, then enter the name of the switch that appears in the RCS window and click OK.
4. If desired, associate the Active Directory users with the switch using the default privileges created when the Dell MMC Active Directory snap-in is installed.

They can then create Privilege and Association objects as follows:

1. Right-click on the Dell container and select New > Dell KVM Object from the menu.
2. To create a Privilege object, select the Privilege object button in the Dell KVM Object window, then enter the object name and click OK. Similarly, to create an Association object, select the Association object button, then enter the object name and click OK.
3. To associate the Appliance object with users and privilege levels, in the object properties menu for the Association object, add the User, Privilege, and Appliance objects.

Configuring the Dell remote console switch

Administrators must also configure a Dell remote console switch to authorize and authenticate Active Directory users that are accessing servers connected to the switch through SIPs. To do so, they can perform the following steps in the RCS console:

1. Click the switch icon in the list of discovered network switches and log in to it with administrative privileges.
2. In the Settings tab of the Manage Remote Console Switch window, select Global > Authentication.
3. Select the Use LDAP Authentication option button in the Authentication Settings and the Extended option button in the Authentication Parameters. Add the remote console switch’s domain name and root domain name, which should be the Active Directory Domain Name System (DNS) name.
4. Select the Tools tab and use the Send Security Certification to Remote Console Switch tool to load a Certificate Authority (CA) certificate generated by the domain controller onto the switch.

Using the Dell RCS console

After configuring the Active Directory infrastructure and the remote console switch, administrators can log in to RCS with the username associated with the Active Directory Appliance object for the switch. Depending on the privilege level associated with this username (see Figure 3), administrators can then use the RCS console to perform different management operations on the servers connected to the switch through the SIPs.

Implementing deployment best practices

The environment described in the preceding section can provide seamless user authorization and authentication, but should include well-defined responsibilities for Active Directory administrators and switch users in enterprise data centers. The Active Directory administrator must first set up Active Directory for authentication as follows:

1. Install the server OS, Active Directory, DNS, and the Dell MMC Active Directory snap-in on the Active Directory server, and register the snap-in.
2. Run the Dell Schema Extender utility from the KVM folder on the Dell Systems Management Consoles CD.
3. Configure Network Time Protocol (NTP) on the server as described at support.microsoft.com/kb/816042.
4. Install Certificate Services and create a CA certificate for the root.
5. Create the users in Active Directory.
6. Create the KVM object in the Computers container; the name of this object should match the name of the switch in RCS.

Figure 3. Microsoft Active Directory access privilege levels (✓ = operation permitted at that level)

Operation | User | User administrator | Remote console switch administrator
Preempt | | Can preempt other users with user- or administrator-level privilege | Can preempt other users with any privilege level
Configure network and global settings | | | ✓
Reboot | | | ✓
Flash upgrade | | | ✓
Administer user accounts | | ✓ | ✓
Monitor server status | | ✓ | ✓
Access target devices | Can access devices only if assigned by administrator | ✓ | ✓
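The Association model described earlier (users or groups and Appliance objects linked to exactly one Privilege object) and the Figure 3 privilege matrix can be expressed as an authorization check. This is an added example and not Dell's or the switch's code: the object layout, the DNs, the rule that the highest matching privilege wins, and the device-assignment check are assumptions, and the sample directory is constructed.

```python
"""Resolve a user's effective privilege on a Dell remote console switch from AD-style
Association objects, then check operations against the Figure 3 matrix (added example)."""
from dataclasses import dataclass

# Privilege levels from Figure 3, ranked least to most powerful (ordering assumed).
USER, USER_ADMIN, SWITCH_ADMIN = "User", "User administrator", "Remote console switch administrator"
RANK = {USER: 0, USER_ADMIN: 1, SWITCH_ADMIN: 2}

# Lowest privilege level that may perform each operation, transcribed from Figure 3.
MIN_LEVEL = {
    "Configure network and global settings": SWITCH_ADMIN,
    "Reboot": SWITCH_ADMIN,
    "Flash upgrade": SWITCH_ADMIN,
    "Administer user accounts": USER_ADMIN,
    "Monitor server status": USER_ADMIN,
    "Access target devices": USER,  # a plain User also needs an explicit assignment
}

@dataclass
class Association:
    members: set      # user or group DNs linked to this Association
    appliances: set   # Appliance object names (the switch name shown in RCS)
    privilege: str    # exactly one Privilege object per Association

def invalid_associations(associations):
    """Indices of Associations that break the one-Privilege-object rule."""
    return [i for i, a in enumerate(associations) if a.privilege not in RANK]

def effective_privilege(user_dn, group_dns, appliance, associations):
    """Privilege the user holds on the switch, or None if no Association grants access.
    Assumption: when several Associations match, the highest privilege wins."""
    principals = {user_dn, *group_dns}
    granted = [a.privilege for a in associations
               if appliance in a.appliances and principals & a.members]
    return max(granted, key=RANK.__getitem__) if granted else None

def authorized(user_dn, group_dns, appliance, operation, associations, assigned=()):
    """True if the user may perform the operation on the switch according to Figure 3."""
    level = effective_privilege(user_dn, group_dns, appliance, associations)
    if level is None or operation not in MIN_LEVEL or RANK[level] < RANK[MIN_LEVEL[operation]]:
        return False  # deny by default: no Association, unknown operation, or too low a level
    if operation == "Access target devices" and level == USER:
        return bool(assigned)  # Figure 3: a User reaches only devices an administrator assigned
    return True

def can_preempt(actor_level, target_level):
    """Preempt row of Figure 3: a user administrator preempts user- or administrator-level
    sessions; a remote console switch administrator preempts any privilege level."""
    if actor_level == SWITCH_ADMIN:
        return True
    return actor_level == USER_ADMIN and target_level in (USER, USER_ADMIN)

# Constructed sample directory: a group-based administrator grant and a per-user grant.
OPS_GROUP = "CN=KVM Operators,OU=Groups,DC=example,DC=test"
ALICE = "CN=alice,OU=Users,DC=example,DC=test"
ASSOCIATIONS = [
    Association({OPS_GROUP}, {"kvm-rack7"}, SWITCH_ADMIN),
    Association({ALICE}, {"kvm-rack7", "kvm-rack8"}, USER),
]
```

With the constructed directory, alice holds only User privilege on kvm-rack8 but becomes a remote console switch administrator on kvm-rack7 once her group membership is passed in, and any switch without a matching Association denies her outright.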


7. Create Privilege and Association objects in the Dell container.
8. Associate Appliance, User, and Privilege objects using the Association object.
9. Create KVM SIP objects for any servers that might later be connected to the switch.

The Active Directory administrator must also set up the switch by connecting the switch console (serial cable) to a server and running HyperTerminal to flash the switch firmware. Then the administrator can use HyperTerminal to configure the switch IP settings.

Switch users must configure RCS as follows:

1. Before installing RCS on the management station used to access the switch, enable Data Execution Prevention by right-clicking on My Computer and selecting Properties, selecting the Advanced tab, clicking the Settings button in the Performance section, selecting the Data Execution Prevention tab, and checking the top option button. Then restart the computer and install RCS.
2. Search for the switch on the network by entering its IP address in the RCS console, then log in to the switch with administrator privileges.
3. In the Settings tab of the Manage Remote Console Switch window in the RCS console, select Global > Network, then provide the DNS server IP address.
4. Under Global > Authentication, enable LDAP authentication and provide the switch’s domain name and root domain name.
5. In the Tools tab, use the Send Security Certificate to Remote Console Switch tool to send the root CA certificate created by the Active Directory administrator.
6. Close the RCS console.
7. Relaunch the RCS console and log in using the Active Directory username and password created in the Active Directory database for accessing the switch.

Simplifying Dell remote console switch authorization and authentication

Integrating Dell 2161DS-2 and 4161DS remote console switches with an Active Directory infrastructure can help provide seamless remote management of the switch user database from a central remote location. By eliminating the need for multiple local administrators and using a single network authentication source, enterprises can simplify the management of switch authorization and authentication while strengthening security in their IT data centers.

Rayan Ghosal is a test engineer senior analyst in the Dell Product Group. He is currently part of the Enterprise Systems Test team at the Dell Bangalore Development Center.
