
HP Ilo 2 User Guide


NOTE: Installing Directory Services for iLO 2 requires extending the Active Directory schema. Extending the schema must be completed by an Active Directory Schema Administrator.

• Extending the Schema in the Microsoft Windows 2000 Server Resource Kit, available on the Microsoft website at http://msdn.microsoft.com.
• Installing Active Directory in the Microsoft Windows 2000 Server Resource Kit
• Microsoft Knowledge Base Articles
  These articles are accessed using the Knowledge Base Article ID Number Search option on the Microsoft website at http://support.microsoft.com/.
  ◦ 216999 Installing the Remote Server Administration Tools in Windows 2000
  ◦ 314978 Using the Adminpak.msi to Install a Server Administration Tool in Windows 2000
  ◦ 247078 Enabling SSL Communication over LDAP for Windows 2000 Domain Controllers
  ◦ 321051 Enabling LDAP over SSL with a Third-Party Certificate Authority
  ◦ 299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed

The iLO 2 firmware requires a secure connection to communicate with the directory service. This requires the installation of the Microsoft CA. Refer to the Microsoft technical reference Knowledge Base Article 321051: How to Enable LDAP over SSL with a Third-Party Certification Authority.

Installing Active Directory on Windows Server 2008

For the Default Schema:
1. Disable IPv6, and install Active Directory, DNS, and root CA to Windows Server 2008.
2. Log in to iLO, and access the Directory Settings page. Click Administration > Security > Directory.
3. In Directory Settings, enter the settings for your directory.
4. In Directory User Context, enter the settings for your directory.
5. Create the Administer Groups for your iLO users.
6. Click Administration > Network > DHCP/DNS, and in Domain Name and Primary DNS server, modify the settings for your environment.

For the Extended Schema:
1. Disable IPv6, and install Active Directory, DNS, and root CA to Windows Server 2008.
2. The iLO LDAP Component requires .Net Framework 1.1_4322. Install .Net Framework.
3. Install the latest iLO LDAP Component (sp31581 or later).
4. Extend the schema using the HP Management Devices Schema Extender.
5. Install the HP LDAP component snap-in.
6. Create the HP Device, and HP Role.
7. Log in to iLO, and access the Directory Settings page. Click Administration > Security > Directory.
8. Enter the Directory Settings for your directory.
9. Enter the Directory User Context.
10. Click Administration > Network > DHCP/DNS, and in Domain Name and Primary DNS server, modify the settings for your environment.

The LDAP component does not work with a Windows Server 2008 core installation.

Directory services preparation for Active Directory

To set up directory services for use with iLO 2 management processors:
    						
1. Install Active Directory. For more information, refer to Installing Active Directory in the Microsoft Windows 2000 Server Resource Kit.
2. Install the Microsoft Admin Pack (the ADMINPAK.MSI file, which is located in the i386 subdirectory of the Windows 2000 Server or Advance Server CD). For more information, refer to the Microsoft Knowledge Base Article 216999.
3. In Windows 2000, the safety interlock that prevents accidental writes to the schema must be temporarily disabled. The schema extender utility can do this if the remote registry service is running and the user has sufficient rights. This can also be done by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ServicesParameters\Schema Update Allowed in the registry to a non-zero value (see the "Order of Processing When Extending the Schema" section of Installation of Schema Extensions in the Windows 2000 Server Resource Kit) or by the following steps. This step is not necessary if you are using Windows Server 2003.
   NOTE: Incorrectly editing the registry can severely damage your system. HP recommends creating a backup of any valued data on the computer before making changes to the registry.
   a. Start MMC.
   b. Install the Active Directory Schema snap-in in MMC.
   c. Right-click Active Directory Schema and select Operations Master.
   d. Select The Schema may be modified on this Domain Controller.
   e. Click OK.
   The Active Directory Schema folder might need to be expanded for the checkbox to be available.
4. Create a certificate or install Certificate Services. This step is necessary because iLO 2 communicates with Active Directory using SSL. Active Directory must be installed before installing Certificate Services.
5. To specify that a certificate be issued to the server running Active Directory:
   a. Launch Microsoft Management Console on the server and add the default domain policy snap-in (Group Policy, then browse to Default domain policy object).
   b. Click Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
   c. Right-click Automatic Certificate Requests Settings, and select new > automatic certificate request.
   d. Using the wizard, select the domain controller template, and the certificate authority you want to use.
6. Download the Smart Component, which contains the installers for the schema extender and the snap-ins. The Smart Component can be downloaded from the HP website at http://www.hp.com/servers/lights-out.
7. Run the schema installer application to extend the schema, which extends the directory schema with the proper HP objects.

The schema installer associates the Active Directory snap-ins with the new schema. The snap-in installation setup utility is a Windows MSI setup script and will run anywhere MSI is supported (Windows XP, Windows 2000, Windows 98). However, some parts of the schema extension application require the .NET Framework, which can be downloaded from the Microsoft website at http://www.microsoft.com.

Snap-in installation and initialization for Active Directory

1. Run the snap-in installation application to install the snap-ins.
2. Configure the directory service to have the appropriate objects and relationships for iLO 2 management.
    						
   a. Use the management snap-ins from HP to create iLO 2, Policy, Admin, and User Role objects.
   b. Use the management snap-ins from HP to build associations between the iLO 2 object, the policy object, and the role object.
   c. Point the iLO 2 object to the Admin and User role objects (Admin and User roles automatically point back to the iLO 2 object).

For more information on iLO 2 objects, see “Directory services objects” (page 145).

At a minimum, you must create:
• One Role object that contains one or more users and one or more iLO 2 objects.
• One iLO 2 object corresponding to each iLO 2 management processor that will be using the directory.

Example: Creating and configuring directory objects for use with iLO 2 in Active Directory

The following example shows how to set up roles and HP devices in an enterprise directory with the domain testdomain.local, which consists of two organizational units, Roles, and RILOES.

Assume that a company has an enterprise directory including the domain testdomain.local, arranged as shown in the following screen.

Create an organizational unit, which will contain the Lights-Out Devices managed by the domain. In this example, two organizational units are created called Roles and RILOES.

1. Use the HP provided Active Directory Users and Computers snap-ins to create Lights-Out Management objects in the RILOES organizational unit for several iLO 2 devices.
   a. Right-click the RILOES organizational unit found in the testdomain.local domain, and select New HP Object.
   b. Select Device in the Create New HP Management Object dialog box.
   c. Enter an appropriate name in the Name field of the dialog box. In this example, the DNS host name of the iLO 2 device, rib-email-server, is used as the name of the Lights-Out Management object, and the surname is RILOEII.
      Enter and confirm a password in the Device LDAP Password and Confirm fields. The device uses this password to authenticate to the directory, and must be unique to the device. This password is the password that is used in the Directory Settings screen of the iLO 2.
   d. Click OK.
    						
2. Use the HP provided Active Directory Users and Computers snap-ins to create HP Role objects in the Roles organizational unit.
   a. Right-click the Roles organizational unit, select New then Object.
   b. Select Role for the field type in the Create New HP Management Object dialog box.
   c. Enter an appropriate name in the Name field of the New HP Management Object dialog box. In this example, the role contains users trusted for remote server administration and is called remoteAdmins. Click OK.
   d. Repeat the process, creating a role for remote server monitors called remoteMonitors.
3. Use the HP provided Active Directory Users and Computers snap-ins to assign the roles rights, and associate the roles with users and devices.
   a. Right-click the remoteAdmins role in the Roles organizational unit in the testdomain.local domain, and select Properties.
   b. Select the HP Devices tab, then click Add.
   c. Using the Select Users dialog box, select the Lights-Out Management object created in step 2, rib-email-server in folder testdomain.local/RILOES. Click OK to close the dialog, then click Apply to save the list.
   d. Add users to the role. Click the Members tab, and add users using the Add button and the Select Users dialog box. The devices and users are now associated.
    						
4. Use the Lights Out Management tab to set the rights for the role. All users and groups within a role will have the rights assigned to the role on all of the iLO 2 devices managed by the role. In this example, the users in the remoteAdmins role are given full access to the iLO 2 functionality. Select the boxes next to each right, and then click Apply. Click OK to close the property sheet.
5. Using the same procedure as in step 4, edit the properties of the remoteMonitors role, add the rib-email-server device to the Managed Devices list on the HP Devices tab, and add users to the remoteMonitors role using the Members tab. Then, on the Lights Out Management tab, select the box next to Login. Click Apply and OK. Members of the remoteMonitors role are now able to authenticate and view the server status.

User rights to any iLO 2 are calculated as the sum of all the rights assigned by all the roles in which the user is a member, and in which the iLO 2 is a Managed Device. Following the preceding examples, if a user is in both the remoteAdmins and remoteMonitors roles, they have all the rights, because the remoteAdmins role has those rights.

To configure iLO 2 and associate it with a Lights-Out Management object used in this example, use settings similar to the following on the Directory Settings screen.

    RIB Object DN = cn=rib-email-server,ou=RILOES,dc=testdomain,dc=local
    Directory User Context 1 = cn=Users,dc=testdomain,dc=local

For example, to gain access, user Mel Moore, with the unique ID MooreM, located in the users organizational unit within the testdomain.local domain, who is also a member of one of the remoteAdmins or remoteMonitors roles, would be allowed to log in to the iLO 2. Mel would enter testdomain\moorem, [email protected], or Mel Moore, in the Login Name field of the iLO 2 login screen, and use the Active Directory password in the Password field of that screen.

Directory services objects

One of the keys to directory-based management is proper virtualization of the managed devices in the directory service. This virtualization allows the administrator to build relationships between the managed device and user or groups already contained within the directory service. User management of iLO 2 requires three basic objects in the directory service:
• Lights-Out Management object
• Role object
• User objects
    						
Each object represents a device, user, or relationship that is required for directory-based management.

NOTE: After the snap-ins are installed, ConsoleOne and MMC must be restarted to show the new entries.

After the snap-in is installed, iLO 2 objects and iLO 2 roles can be created in the directory. Using the Users and Computers tool, the user will:
• Create iLO 2 and role objects.
• Add users to the role objects.
• Set the rights and restrictions of the role objects.

Active Directory snap-ins

The following sections discuss the additional management options available within Active Directory Users and Computers after the HP snap-ins have been installed.

HP Devices

The HP Devices tab is used to add the HP devices to be managed within a role. Clicking Add enables you to browse to a specific HP device and add it to the list of member devices. Clicking Remove enables you to browse to a specific HP device and remove it from the list of member devices.

Members

After user objects are created, the Members tab enables you to manage the users within the role. Clicking Add enables you to browse to the specific user you want to add. Highlighting an existing user and clicking Remove removes the user from the list of valid members.
    						
Active Directory role restrictions

The Role Restrictions subtab allows you to set login restrictions for the role. These restrictions include:
• Time restrictions
• IP network address restrictions
  ◦ IP/mask
  ◦ IP range
  ◦ DNS name

Time restrictions

You can manage the hours available for logon by members of the role by clicking Effective Hours in the Role Restrictions tab. In the Logon Hours pop-up window, you can select the times available for logon for each day of the week in half-hour increments. You can change a single square by clicking it, or you can change a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. The default setting is to allow access at all times.
    						
Enforced client IP address or DNS name access

Access can be granted or denied to an IP address, IP address range, or DNS names.
1. In the By Default dropdown menu, select whether to Grant or Deny access from all addresses except the specified IP addresses, IP address ranges, and DNS names.
2. Select the addresses to be added, select the type of restriction, and click Add.
3. In the new restriction pop-up window, enter the information and click OK. The new restriction pop-up window displays.
   The DNS Name option allows you to restrict access based on a single DNS name or a subdomain, entered in the form of host.company.com or *.domain.company.com.
4. Click OK to save the changes.

To remove any of the entries, highlight the entry in the display list and click Remove.

Active Directory Lights-Out management

After a role is created, rights for the role can be selected. Users and group objects can now be made members of the role, giving the users or group of users the rights granted by the role. Rights are managed on the Lights Out Management tab.
    						
The available rights are:
• Login – This option controls whether users can log in to the associated devices.
• Remote Console – This option enables user access to the Remote Console.
• Virtual Media – This option enables user access to the iLO 2 virtual media functionality.
• Server Reset and Power – This option enables user access to the iLO 2 Virtual Power button to remotely reset the server or power it down.
• Administer Local User Accounts – This option enables the user to administer accounts. The user can modify their account settings, modify other user account settings, add users, and delete users.
• Administer Local Device Settings – This option enables the user to configure the iLO 2 management processor settings. These settings include the options available on the Global Settings, Network Settings, SNMP Settings, and Directory Settings screens of the iLO 2 Web browser.
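
Added example (not from the HP guide and not HP code): a Python model of how the rights above combine under the sum-of-roles rule and the Grant/Deny address restrictions, reporting which role grants each right so that a role design can be audited before it is deployed. The role data, the DN used for Mel Moore, the restriction entries and all function names are constructed, and the model assumes that a role whose address restrictions are not met contributes no rights; time restrictions are left out.

```python
import ipaddress
from fnmatch import fnmatchcase

# The six rights listed on the Lights Out Management tab.
ALL_RIGHTS = frozenset({
    "Login", "Remote Console", "Virtual Media", "Server Reset and Power",
    "Administer Local User Accounts", "Administer Local Device Settings"})

def client_allowed(role, client_ip, client_dns=None):
    """Apply a role's 'By Default' Grant/Deny choice and its exception list."""
    ip = ipaddress.ip_address(client_ip)
    listed = False
    for kind, value in role.get("exceptions", ()):
        if kind == "mask":                      # IP/mask entry
            listed |= ip in ipaddress.ip_network(value, strict=False)
        elif kind == "range":                   # IP range entry (inclusive)
            low, high = map(ipaddress.ip_address, value)
            listed |= low <= ip <= high
        elif kind == "dns" and client_dns:      # host.company.com or *.domain.company.com
            listed |= fnmatchcase(client_dns.lower(), value.lower())
    # Default Grant: listed clients are refused. Default Deny: only listed clients pass.
    return listed != (role.get("by_default", "Grant") == "Grant")

def effective_rights(user, device, roles, client_ip, client_dns=None):
    """Map each right to the roles granting it: the sum over every role that
    has the user as a member and the device as a managed device."""
    granted = {}
    for name, role in roles.items():
        if user not in role["members"] or device not in role["devices"]:
            continue
        # Assumption: a role whose restrictions are not met contributes nothing.
        if not client_allowed(role, client_ip, client_dns):
            continue
        for right in role["rights"]:
            granted.setdefault(right, []).append(name)
    return granted

# Constructed sample data modelled on the testdomain.local example.
DEVICE = "cn=rib-email-server,ou=RILOES,dc=testdomain,dc=local"
MEL = "cn=Mel Moore,cn=Users,dc=testdomain,dc=local"   # constructed DN
ROLES = {
    "remoteAdmins": {
        "members": {MEL}, "devices": {DEVICE}, "rights": ALL_RIGHTS,
        "by_default": "Deny",                            # constructed restriction
        "exceptions": [("mask", "10.20.0.0/24"),
                       ("range", ("10.30.0.10", "10.30.0.20")),
                       ("dns", "*.mgmt.testdomain.local")]},
    "remoteMonitors": {
        "members": {MEL}, "devices": {DEVICE}, "rights": {"Login"}},
}

if __name__ == "__main__":
    for ip in ("10.20.0.15", "192.0.2.7"):
        print(ip, sorted(effective_rights(MEL, DEVICE, ROLES, ip).items()))
```

In this constructed data a user in both roles keeps Login from any address through remoteMonitors, while the administrative rights appear only from the addresses remoteAdmins lists.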

Directory services for eDirectory

The following sections provide installation prerequisites, preparation, and a working example of Directory Services for eDirectory.

eDirectory installation prerequisites

Directory Services for iLO 2 uses LDAP over SSL to communicate with the directory servers. iLO 2 software is designed to install in an eDirectory version 8.6.1 (and above) tree. HP does not recommend installing this product if you have eDirectory servers with a version less than eDirectory 8.6.1. Before installing snap-ins and schema extensions for eDirectory, you must read and have available the following technical information documents, available on the Novell Support website at http://support.novell.com.

Installing Directory Services for iLO 2 requires extending the eDirectory schema. Extending the schema must be completed by an Administrator.
• TID10066591 Novell eDirectory 8.6 NDS compatibility
• TID10057565 Unknown objects in a mixed environment
• TID10059954 How to test whether LDAP is working correctly
• TID10023209 How to configure LDAP for SSL (secure) connections
• TID10075010 How to test LDAP authentication
    						
Snap-in installation and initialization for eDirectory

For step-by-step instructions on using the snap-in installation application, see “Snap-in installation and initialization for Active Directory” (page 142).

NOTE: After the snap-ins are installed, ConsoleOne and MMC must be restarted to show the new entries.

Creating and configuring directory objects for use with LOM devices in eDirectory

The following example shows how to set up roles and HP devices in a company called samplecorp, which consists of two regions, region1 and region2.

Assume samplecorp has an enterprise directory arranged according to the following screen.

1. Create organizational units in each region. Each organizational unit must contain the LOM devices and roles specific to that region. In this example, two organizational units are created, called roles and hp devices, in each organizational unit, region1 and region2.
2. Create LOM objects in the hp devices organizational units for several iLO 2 devices using the HP provided ConsoleOne snap-ins tool.
   a. Right-click the hp devices organizational unit found in the region1 organizational unit, and select New > Object.
   b. Select hpqTarget from the list of classes, and click OK.
   c. Enter an appropriate name and surname in the New hpqTarget page. In this example, the DNS host name of the iLO 2 device, rib-email-server, is used as the name of the LOM object, and the surname is RILOEII. Click OK. The Select Object Subtype page appears.
   d. Select Lights Out Management Device, and click OK.
   e. Repeat the process for several more iLO 2 devices with DNS names rib-nntp-server and rib-file-server-users1 in hp devices under region1, and rib-file-server-users2 and rib-app-server in hp devices under region2.