1 Rookie

 • 

36 Posts


April 27th, 2022 11:00

Cannot get Dell Remote Management Device object added to Association Object

Have followed all the "Integrating DRAC into AD" posts and had everything working correctly with two iDrac 8 devices in R630's.  Went to add a new iDrac 9 in a R650, set everything on the card up.  Went into Active Directory and created a new "Dell remote Management Object Advanced" with a type "iDrac Device Object".  Open up the properties of the association object so I can add it in there but it can't find it.  Try a couple more times, still can't find it.  Sees the old DRAC objects just fine.  So I delete and recreate the association object.  Same thing, sees the old objects but not the new one.

 

At this point I open up the Dell Remote Access Configuration Tool.  Add in the two old DRAC cards and the one new one.  Verify the password.  Verification fails only on the new one, works on the two old ones.  Log out of the DRAC and back in with the same information without issue so it's not the user/password.  Saw some posts saying the DRAC doesn't like punctuation, which doesn't make sense since the old ones are fine, but I create a new user with a simple password.  Still fails verification.  At this point I figure maybe the Dell RACT hasn't been updated for the new iDrac9 so I move on. (Is this a bug?)

 

I have upgraded all my domain controllers to Server 2019 in the last year so I figure maybe the schema needs to be updated.  I download the latest DRAC schema from the OMSA disk and reran the extend from the PDC logged in as the domain admin.  Every line said "failed" with a reason being "property already exists" so that wasn't it. 

 

Finally I create a dummy iDRAC and try adding that.  Not found but again the old objects are.  So no "new" object I create can be found.  As a last ditch try I open up ADSIEdit to see if there was a difference between the "old" objects that work and the "new" objects I'm trying to add and sure enough there was:

 

Old Dell Remote Management Device (Working)

primaryGroupID:  513 = (GROUP_RID_USERS)

sAMAccountType:  805306368 = ( NORMAL_USER_ACCOUNT )

 

New Dell Remote Management Device (Not Working)

primaryGroupID:  515 = (GROUP_RID_COMPUTERS)

sAMAccountType:  805306369 = ( MACHINE_ACCOUNT )

 

The Association Object is searching for "Users" so this makes perfect sense why I can't add the new ones.  Problem is if I try to change the properties I get a security error.  So the real question is why is AD creating the new Dell objects as a "computer" and not a "user".  Second question is how do I fix this?

1 Rookie

 • 

36 Posts

April 29th, 2022 06:00

After talking to support it turns out there is a "bug" that lies somewhere between the Dell extended schema and Server 2019/2022 domain controllers.  My troubleshooting with the schema in my first post was correct: the new objects are being tagged in a way that the Association object cannot find them.  The fix was to manually set a property on the newly created objects so the association object can find them.  However for me that DID NOT WORK at first.  After doing tech support's fix I was able to find the devices but I still could not log in.  So I ended up wiping everything out and recreating, which did work.  Here is the step by step:

  1. Delete out all the Dell objects from AD.  Each RAC object, each Association object, each Privilege object.  I deleted the entire "Dell" OU from AD then waited 15 minutes for my changes to replicate to my other DCs
  2. Uninstall any Dell DRAC programs from the DC.  Mainly the DRAC AD Plugin.  Reboot the DC.
  3. Run the latest SchemaExtender.exe from the Open Manage DVD.  It will recreate all the default Dell objects and the Dell OU
  4. Run the latest ADSnapIn_x64.msi from the Open Manage DVD.  Also do this if you are managing AD remotely (i.e. install on your own machine).
  5. Recreate your DRAC's (Remote Management Device Advanced)
  6. Give your newly created association objects the required permissions with ADSI edit (https://www.dell.com/support/manuals/en-us/oth-r340/idrac9_5.00.00.00_ug/providing-user-access-privileges-for-association-objects?guid=guid-6822be16-9c6f-4b4d-8c26-4d7985dcb8d2&lang=en-us)
  7. Open up PowerShell on your DC and run the following:
    • $iDRACobj = Get-ADObject -filter {name -eq "YOURDRACNAME"} -Properties userAccountControl
    • $iDRACobj.userAccountControl = 546
    • Set-ADObject -Instance $iDRACobj
  8. You can now add the DRAC's to your association objects.  Don't forget to add your users also.

It is now working for both my old iDRAC8's and the new iDRAC9.
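
The attribute comparison from the first post and the value set in step 7, as an added example that is not part of the original posts or Dell's tooling. `Get-DracAccountShape`, the sample object names, the OU distinguished name and the 4096 "before" value are assumptions made for illustration.

```powershell
# Added example, not from the thread. Object names below are constructed.
# userAccountControl bits (documented Active Directory flag values).
$UacBits = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
}

function Get-DracAccountShape {
    # Hypothetical helper: reports whether an object looks like a user or a computer.
    param([Parameter(ValueFromPipeline)] $InputObject)
    process {
        $uac   = [int]$InputObject.userAccountControl
        $flags = @($UacBits.GetEnumerator() |
                   Where-Object { $uac -band $_.Value } |
                   ForEach-Object { $_.Key })
        $type  = switch ([int64]$InputObject.sAMAccountType) {
            805306368 { 'NORMAL_USER_ACCOUNT' }
            805306369 { 'MACHINE_ACCOUNT' }
            default   { 'OTHER' }
        }
        [pscustomobject]@{
            Name           = $InputObject.Name
            sAMAccountType = $type
            PrimaryGroupID = $InputObject.primaryGroupID
            UacFlags       = $flags -join '+'
            # The thread's finding: only user-shaped objects could be added.
            UserShaped     = ($type -eq 'NORMAL_USER_ACCOUNT' -and
                              [int]$InputObject.primaryGroupID -eq 513)
        }
    }
}

# Constructed samples. primaryGroupID and sAMAccountType are the values quoted in
# the thread; 546 is the value set in step 7; 4096 is an assumed "before" value,
# and pairing either userAccountControl value with these objects is an assumption.
$samples = @(
    [pscustomobject]@{ Name='broken-shape';  primaryGroupID=515; sAMAccountType=805306369; userAccountControl=4096 }
    [pscustomobject]@{ Name='working-shape'; primaryGroupID=513; sAMAccountType=805306368; userAccountControl=546 }
)
$samples | Get-DracAccountShape | Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module; the OU DN is a placeholder):
# Get-ADObject -SearchBase 'OU=Dell,DC=example,DC=com' -Filter * `
#   -Properties sAMAccountType,primaryGroupID,userAccountControl | Get-DracAccountShape
```

The value 546 decodes to NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE, so directory audits that list password-not-required accounts will report these device objects, and they show up as disabled.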

 

1 Rookie

 • 

36 Posts

April 27th, 2022 14:00

As a side note to the above I also deleted the default "Dell" OU, re-ran the schema update which recreated the "Dell" OU with the default three Association objects and three Privilege objects and created both a "Dell Remote Management Object" and a "Dell Remote Management Object Advanced".  Neither were found by the default admin Privilege object for the same reasons as above.  So this seems to be a schema issue between the old schema and the "newer" version needed by the iDRAC 9.  And I say that because in the guide for extending the schema ( https://www.dell.com/support/manuals/en-us/oth-r340/idrac9_5.00.00.00_ug/extending-active-directory-schema?guid=guid-af8706e4-6c57-4c7c-86b2-7ca265623acb&lang=en-us ) it says this:

  • NOTE The schema extension for this product is different from the previous generations. The earlier schema does not work with this product.
  • NOTE Extending the new schema has no impact on previous versions of the product.

So to me it sounds like I have an old schema but it won't update to a newer version because the attributes already exist?  Also not that it matters but the DRAC is at the latest version which as of this post is 5.10.10.05.  I also made sure to run the SchemaExtender program on the Schema Master DC using the program as called out in the iDRAC9 instruction manual ( SYSMGMT\ManagementStation\support\OMActiveDirectory_Tools\Remote_Management_Advanced\Schema_Extender64 )

Moderator

 • 

4K Posts

April 27th, 2022 18:00

Hi @ADynes,

 

As much as I would like to help you with the issue, we have limited support on configuration for servers and are unable to go through such detailed steps. I may need to suggest that you contact the support help line to check if they are able to help you.

 

Have you tried going through this document if it helps? https://dell.to/3OImxyN

1 Rookie

 • 

36 Posts

April 28th, 2022 05:00

Yes, as posted I went through the manual for the AD integration.  All the steps were followed and things do work for the older iDRAC8's but do not work for the iDRAC9's.  I believe there is a schema difference between the older and newer that isn't being applied because the properties already exist.

Moderator

 • 

2.9K Posts

April 28th, 2022 07:00

Hi, I've read the steps you've done, and you might have also looked at these below, but I'd like to share a short video for iDRAC directory service integration and a link about the extended schema configuration, so that it is not overlooked.

iDRAC Directory Services Integration https://dell.to/38yyWET

 

Configuring Active Directory with Extended schema using iDRAC web interface https://dell.to/38yySoD

Moderator

 • 

2.9K Posts

April 28th, 2022 07:00

I understand. I was wondering what will happen; if you update this post, it will be useful for the community. Thank you.

1 Rookie

 • 

36 Posts

April 28th, 2022 07:00

The video you posted is for using a standard schema with LDAP.  I'm using the extended schema as called out in the iDrac9 manual that I already linked to in my original post.  I've also, again as mentioned, gone through the "Configuring Active Directory with Extended schema using iDRAC web interface https://dell.to/38yySoD" multiple times.

Again everything is working with the extended AD schema with two iDRAC8 controllers but there is an issue with the schema update, it appears, with the iDRAC9.  I've put in a support request for this issue as we have mission critical pro support on the server.  We'll see what they say.

Moderator

 • 

2.9K Posts

April 29th, 2022 06:00

Glad to hear it, thanks a lot for your feedback.

 

Have a good one!
