
1 Rookie


67 Posts


May 20th, 2025 09:57

iDRAC Scripted (RACADM / Redfish) Active Directory services configuration.

Has anyone scripted configuring iDRAC Active Directory services configuration?

PowerShell preferably, but will take any functioning example to get me started.

I have iDRAC 9 with firmware 7.0.x and I am really struggling to get my head around it.

Screenshots of the configuration steps I need to script:

1) Enable 'Microsoft Active Directory' in "iDRAC Settings | Users | Directory Services"

2) Enable 'Certificate Validation' and upload my CA Chain cert as Base64.

3) Configure 'Common Settings'

4) Configure 'Schema Selection'

5) Configure 'Standard Schema Settings and Role Groups'

I have already reviewed the RACADM and Redfish user guides and I am still stuck.

Any help or pointers will be appreciated.

Thanks

M

Moderator


9.4K Posts

May 20th, 2025 14:19

Mc1903,

Normally we don't support initial configuration, but I can give it my best shot; you may need to call in for help with it.

This is a step-by-step PowerShell and racadm script outline:

# Define iDRAC credentials and IP
$idracIP = "192.168.1.100"
$username = "root"
$password = "yourpassword"

# Enable Active Directory
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.Enable 1
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.DomainController1 "dc1.yourdomain.com"
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.DomainController2 "dc2.yourdomain.com"
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.DomainName "yourdomain.com"

# Enable Certificate Validation
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.CertValidationEnable 1

# Upload CA Certificate
$certPath = "C:\path\to\your\ca_chain.pem"
racadm -r $idracIP -u $username -p $password sslcertupload -t 2 -f $certPath

# Configure Common Settings
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.UserDomain "yourdomain.com"
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.UserName "youradminuser"
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.UserPassword "youradminpassword"

# Schema Selection (Standard Schema)
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.Schema 0

# Configure Role Groups (example for Domain Admins)
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.RoleGroup1 "CN=Domain Admins,CN=Users,DC=yourdomain,DC=com"
racadm -r $idracIP -u $username -p $password set idrac.ActiveDirectory.RoleGroup1Privilege 4  # 4 = Administrator

After that, you would want to log into iDRAC using an AD user from the configured group, then use racadm get idrac.ActiveDirectory to verify settings.

Let me know if this helps.

1 Rookie


67 Posts

May 20th, 2025 16:34

Thank you @DELL-Chris H, very much appreciated. Just what I needed.

RACADM isn't very efficient; I had hoped I could send multiple settings per invocation, i.e. as JSON or similar. Thankfully I only have a few servers I need to remediate this time.

This is what worked for me in the end. I will wrap this in a ForEach to execute on multiple iDRACs.

$idracAddr = "10.1.1.245"
$idracUser = "root"
$idracPw = "calvin"
$ntpServer1 = "10.1.1.13"
$ntpServer2 = "10.1.1.14"
$dnsDomain = "momusconsulting.com"
$caCertFile = "P:\Certificates\_Latest Momus Root & Inter CA Certs\MomusCAChain_05-03-2021.cer"
$sslKeyFile = "P:\Certificates\mc-esxi-p-105-idrac.momusconsulting.com-private.key"
$sslCertFile = "P:\Certificates\mc-esxi-p-105-idrac.momusconsulting.com-chain.cer"

#Disable SNMP
write-output "Disabling SNMP"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.SNMP.AgentEnable Disabled --nocertwarn

#Disable IPV6
write-output "Disabling IPV6"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.IPv6.Enable Disabled --nocertwarn

#Configuring Timezone and NTP
write-output "Configuring NTP & TimeZone Settings"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.NTPConfigGroup.NTPEnable Enabled --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.NTPConfigGroup.NTP1 $ntpServer1 --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.NTPConfigGroup.NTP2 $ntpServer2 --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.Time.Timezone "Europe/London" --nocertwarn

#Configuring WebServer Encryption
write-output "Configuring WebServer SSL/TLS Settings"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.WebServer.SSLEncryptionBitLength "256-Bit or higher" --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.WebServer.TLSProtocol "TLS 1.2 and Higher" --nocertwarn

#Configuring VirtualConsole
write-output "Configuring VirtualConsole Settings"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.VirtualConsole.PluginType 2 --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.VirtualConsole.WebRedirect Enabled --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.VirtualConsole.CloseUnusedPort Enabled --nocertwarn

# Upload Root CA Cert Chain (Base64)
write-output "Uploading Root CA Cert Chain"
racadm -r $idracAddr -u $idracUser -p $idracPw sslcertupload -f $caCertFile -t 2 --nocertwarn

# Configuring MS AD services (Step 1/4)
write-output "Configuring Microsoft Active Directory services"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.Enable Enabled --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.CertValidationEnable Enabled --nocertwarn

# Configuring Common Settings (Step 2/4)
write-output "Configuring Common Settings"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.SSOEnable Disabled --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.UserDomain.1.Name $dnsDomain --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.AuthTimeout "60" --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.DCLookupEnable Enabled --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.DCLookupDomainName $dnsDomain --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.DCLookupByUserDomain Disabled --nocertwarn

# Configuring Standard Schema (Step 3/4)
write-output "Configuring Standard Schema"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.Schema "Standard Schema" --nocertwarn

# Configuring Standard Schema Settings (Step 4/4)
write-output "Configuring Standard Schema Settings"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.GCLookupEnable Enabled --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ActiveDirectory.GCRootDomain $dnsDomain --nocertwarn

# Configuring Role Group #1 (Admin)
write-output "Configuring Role Group #1 (Admin)"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.1.Name "iDRAC Admins" --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.1.Domain $dnsDomain --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.1.Privilege "511" --nocertwarn

# Configuring Role Group #2 (Operator)
write-output "Configuring Role Group #2 (Operator)"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.2.Name "iDRAC Operators" --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.2.Domain $dnsDomain --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.2.Privilege "97" --nocertwarn

# Configuring Role Group #3 (Read Only)
write-output "Configuring Role Group #3 (Read Only)"
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.3.Name "iDRAC Read Only" --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.3.Domain $dnsDomain --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw set iDRAC.ADGroup.3.Privilege "1" --nocertwarn

# Configuring Enterprise CA Signed Cert (Base64)
write-output "Configuring Enterprise CA Signed Cert"
racadm -r $idracAddr -u $idracUser -p $idracPw sslkeyupload -t 1 -f $sslKeyFile --nocertwarn
racadm -r $idracAddr -u $idracUser -p $idracPw sslcertupload -t 1 -f $sslCertFile --nocertwarn
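The batching the post above wished for (many settings per invocation, as JSON) is what the iDRAC Redfish attribute resource provides. The PowerShell 7 script below is an added example, not code from the thread or from Dell: it takes the same Active Directory attribute names and values the racadm script above sets, sends them to each iDRAC in a single PATCH, then reads the attributes back and reports any that do not match what was requested. It assumes the Dell OEM attribute URI /redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1 and that racadm attribute names map to Redfish as iDRAC.<Group>.<Attr> -> <Group>.1.<Attr> (ADGroup.<N>.<Attr> for the role groups); confirm both against the attribute registry of your firmware before relying on it. The CA chain upload stays with racadm sslcertupload -t 2 as in the thread.

```powershell
#Requires -Version 7.0
# Added example (not from the thread or Dell): apply the thread's Active Directory
# settings to several iDRAC9 controllers with one Redfish PATCH per host, then
# read them back to verify.
#
# Assumptions to verify against your iDRAC attribute registry:
#  - Dell OEM attribute resource:
#    /redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1
#  - racadm name mapping: iDRAC.<Group>.<Attr> -> <Group>.1.<Attr>,
#    iDRAC.ADGroup.<N>.<Attr> -> ADGroup.<N>.<Attr>
#  - Certificate upload is still done with racadm sslcertupload (not shown here).

param(
    [Parameter(Mandatory)] [string[]]     $IdracHosts,
    [Parameter(Mandatory)] [pscredential] $Credential,     # prompted, never stored in the script
    [Parameter(Mandatory)] [string]       $DnsDomain,
    [switch] $SkipCertificateCheck   # only for controllers still on the factory self-signed cert
)

function New-AdAttributeSet {
    param([string] $Domain)
    # Same values the racadm script in the thread applies, as one Redfish payload.
    [ordered]@{
        'ActiveDirectory.1.Enable'               = 'Enabled'
        'ActiveDirectory.1.CertValidationEnable' = 'Enabled'   # keep on: validates the DC's LDAPS cert against the uploaded chain
        'ActiveDirectory.1.SSOEnable'            = 'Disabled'
        'UserDomain.1.Name'                      = $Domain
        'ActiveDirectory.1.AuthTimeout'          = 60
        'ActiveDirectory.1.DCLookupEnable'       = 'Enabled'
        'ActiveDirectory.1.DCLookupDomainName'   = $Domain
        'ActiveDirectory.1.DCLookupByUserDomain' = 'Disabled'
        'ActiveDirectory.1.Schema'               = 'Standard Schema'
        'ActiveDirectory.1.GCLookupEnable'       = 'Enabled'
        'ActiveDirectory.1.GCRootDomain'         = $Domain
        # Role groups: least privilege per group, same privilege masks as the thread.
        'ADGroup.1.Name' = 'iDRAC Admins';    'ADGroup.1.Domain' = $Domain; 'ADGroup.1.Privilege' = 511
        'ADGroup.2.Name' = 'iDRAC Operators'; 'ADGroup.2.Domain' = $Domain; 'ADGroup.2.Privilege' = 97
        'ADGroup.3.Name' = 'iDRAC Read Only'; 'ADGroup.3.Domain' = $Domain; 'ADGroup.3.Privilege' = 1
    }
}

function Invoke-IdracAttributes {
    # GET or PATCH the (assumed) Dell OEM attribute resource with HTTP Basic auth over HTTPS.
    param([string] $IdracHost, [string] $Method, [hashtable] $Body)
    $uri = "https://$IdracHost/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1"
    $splat = @{
        Uri = $uri; Method = $Method
        Credential = $Credential; Authentication = 'Basic'
        ContentType = 'application/json'
        SkipCertificateCheck = $SkipCertificateCheck
    }
    if ($Body) { $splat.Body = ($Body | ConvertTo-Json -Depth 3) }
    Invoke-RestMethod @splat
}

$desired = New-AdAttributeSet -Domain $DnsDomain

foreach ($h in $IdracHosts) {
    Write-Output "[$h] applying $($desired.Count) Active Directory attributes in one PATCH"
    try {
        Invoke-IdracAttributes -IdracHost $h -Method Patch -Body @{ Attributes = $desired } | Out-Null

        # Read back and compare as strings (the registry may report 60 vs "60");
        # anything that differs was not applied as requested.
        $actual   = (Invoke-IdracAttributes -IdracHost $h -Method Get).Attributes
        $mismatch = $desired.Keys | Where-Object { "$($actual.$_)" -ne "$($desired[$_])" }
        if ($mismatch) {
            Write-Warning "[$h] not applied or renamed in this firmware: $($mismatch -join ', ')"
        } else {
            Write-Output "[$h] verified: all $($desired.Count) attributes match"
        }
    } catch {
        Write-Warning "[$h] failed: $($_.Exception.Message)"
    }
}
```

Run it as `./Set-IdracAd.ps1 -IdracHosts 10.1.1.245,10.1.1.246 -Credential (Get-Credential) -DnsDomain momusconsulting.com`. The credential is prompted for rather than embedded in the script, and the read-back comparison is the part worth keeping whatever transport you use: it is the scripted equivalent of the `racadm get idrac.ActiveDirectory` check suggested earlier in the thread, and it catches an attribute that the firmware names differently from what was assumed here.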
