Scripted Dell Remote Access Controller (DRAC) Configuration

Posted on April 3, 2011 by brian.wuchner

Recently I had an opportunity to work with several new Dell PowerEdge R810 physical servers. I needed to remotely connect to the console of these servers and found out they were equipped with Integrated Dell Remote Access Controller 6 – Enterprise (iDRAC) cards. Since I had several of these to configure — and as a scripter am fundamentally opposed to doing things manually — I started researching how to script this.

After a bit of Googling, I found out that Dell has a RACADM command that can be used to configure the iDRAC. You can get the Dell RAC configuration utility from Dell. After installing the utility, I opened a command prompt and retreived the configuration from an existing R810 using the following syntax:

racadm -r 192.168.252.108 -u root -p calvin getconfig -f C:\252-108_config.cfg

Looking through the exported configuration, I found several groups and objects that I wanted to specify in my scripted configuration. Command line switches exist so that you can import an entire configuration file, but I wanted to prompt for certain values and only update the items I wanted to specifically change. Not wanting to dwell on the script for too long, I put something together rather quick using a simple batch file. Here is that code…please feel free to offer suggestions or better solutions in the comments!


@echo off

set /P dracIP="Please enter the IP address of the DRAC: "
set /P dracName="Please enter the name of the server to configure: "
set /P dracDomain="Please enter the DNS domain name to use: "


echo These commands need issued individually as the pass arguments from the environment to the server
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSRacName %dracName%rac
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSDomainName %dracDomain%
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSRegisterRac 1
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSServer1 192.168.8.8
racadm -r %dracIP% -u root -p calvin config -g cfgLanNetworking -o cfgDNSServer2 10.168.8.4

REM pause
echo These commands are going to enable Active Directory Standard Schema configs
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADType 2
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADCertValidationEnable 0
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADDcSRVLookupEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADDcSRVLookupbyUserdomain 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADGcSRVLookupEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgActiveDirectory -o cfgADGcRootDomain test.local

REM echo Configure domains to login with
racadm -r %dracIP% -u root -p calvin config -g cfgUserDomain -i 1 -o cfgUserDomainName test.local
racadm -r %dracIP% -u root -p calvin config -g cfgUserDomain -i 2 -o cfgUserDomainName admin.test.local

echo Make the DRACAdmin an Administrator
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 1 -o cfgSSADRoleGroupName DRACAdmin
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 1 -o cfgSSADRoleGroupDomain admin.test.local
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 1 -o cfgSSADRoleGroupPrivilege 0x000001ff

echo Make the DRACUser an Operator
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 2 -o cfgSSADRoleGroupName DRACUser
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 2 -o cfgSSADRoleGroupDomain admin.test.local
racadm -r %dracIP% -u root -p calvin config -g cfgStandardSchema -i 2 -o cfgSSADRoleGroupPrivilege 0x000001f3

REM pause
echo Make/update the local account
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminUserName MyAdminUser
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminPassword MyAdminP@ss
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminEnable 1
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminPrivilege 0x000001ff
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminIpmiLanPrivilege 4
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminIpmiSerialPrivilege 4
racadm -r %dracIP% -u root -p calvin config -g cfgUserAdmin -i 3 -o cfgUserAdminSolEnable 0


Echo Please verify settings and disable/change password on root if everything is in order
Echo Thanks!
pause
Posted in Scripting | 4 Comments

Minor Update to vCheck 5.31 — beta testers required

Posted on March 30, 2011 by brian.wuchner

I typically do not view my vCheck report as an email message…I have a link to the report on the home screen of my vSphere Client (if you’d like to see how to do that, please check out this post: http://enterpriseadmins.org/blog/scripting/vcheck-as-a-vsphere-client-solution-and-application/). However, I’ve noticed many comments requesting better email support. From my research, it appears that the problem is likely with Outlook 2007 — since it does not properly support all cascading style sheets (CSS) properties. After a little bit of testing, I believe I have found a rather simple way to work around this. The change adjusts the e-mail output and leaves the standard HTML output file alone.

This is a very minor change and I plan to include it in a future release. If you get a chance please test it out and report back if it works for you too.

Change line #2158 from

send-SMTPmail $EmailTo $EmailFrom "$VISRV vCheck Report" $SMTPSRV $MyReport

to

send-SMTPmail $EmailTo $EmailFrom "$VISRV vCheck Report" $SMTPSRV $MyReport.Replace("class=`"dsp ","class=`"")

This simply removes one of the CSS tags from the email message body, making the report easier to read from email clients (at this point the format has only been tested with Outlook 2007).

If you need a copy of the vCheck 5.31 version, you can get it here: http://enterpriseadmins.org/blog/wp-content/uploads/2011/02/vCheck5.31.ps1_.txt

Posted in Scripting, Virtualization | 3 Comments

vCenter Mobile Access (vCMA) and custom SSL certificates

Posted on March 18, 2011 by brian.wuchner

If you haven’t heard of the vCMA Fling, you should stop reading this article and check out http://labs.vmware.com/flings. It is by far my favorite application available.

I like to use valid certificates on all VMware products. I’ve replaced certificates used by vCenter, Update Manager, View and individual ESX/ESXi hosts. Today I started using the newest version of vCMA (vCenter Mobile Access) that has built in SSL support — but uses a generic certificate. I decided to find out how much effort would be required to replace this cert with a valid certificate issued from a certificate authority.

I found the following article that helped a lot. You’ll need everything on page 2 and 3 of the document: http://www.informit.com/articles/article.aspx?p=407886&seqNum=2

The first step was to find the keytool required. A simple “find /|grep keytool” showed me right where the command was, so I changed to that directory:

cd /usr/lib/vmware/mobile/java/jre1.6.0_11/bin

Once in the proper directory, I decided to create a new key file (using the steps in the above article)

./keytool -genkey -alias mobile-vmware -keyalg RSA -keysize 2048 -dname "CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US,emailAddress=vmware-admin@domain.test" -keypass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

Easy enough. Now we need to create a certificate request

./keytool -certreq -v -alias mobile-vmware -file /etc/mobile/ssl/csr-mobile-vmware.pem -keypass mypass -storepass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks

The command returns the following information if successful
Certification request stored in file
Submit this to your CA

Take the contents of the generated file and submit them to your certificate authority. Once the file is returned, copy it to /etc/mobile/ssl (I used WinSCP for this task). Another file you’ll need to transfer at this time is the CA certificate (Verisign/internal/etc).

Once you have the two files copied over to the vCMA appliance, you’ll want to prepare your keystore to accept the certificate by importing the CA’s certificate. You can do that with this command:

./keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /etc/mobile/ssl/rootca-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

The following results should be returned from that command:
Certificate was added to keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Now we are ready to import our actual certificate:

./keytool -import -v -alias mobile-vmware -file /etc/mobile/ssl/mobile-vmware-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -keypass mypass -storepass mypass

The following results should be returned from that command:
Certificate reply was installed in keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Almost at the end now…

We need a text editor, so I went the easy way and installed one I know how to use. You can do the same with “yum install nano”.

nano /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml

Look through the code for a line that starts 

<Connector port="443" protocol="HTTP/1.1"

  In that section you’ll want to change the keystore file to “/etc/mobile/ssl/mobile-vmware.jks” and the keystorepass to “mypass”.

Once the code is modified, save the file and exit nano. Now type the following:

service mobile restart

This restarts the vCMA application to read in the certificate changes we made. Now when you access vCMA you should check the certificate — it should be the valid one you created.

Posted in Virtualization | 6 Comments

Get ActiveSync Users

Posted on March 3, 2011 by Steve Kremer

When you have almost 30,000 mailboxes, managing ActiveSync can become a nightmare.  The nice thing about ActiveSync is that is just works.  There is not too much configuration to get it setup, but if you do not plan ahead, you can find yourself in the same predicament as us and have 1500 people connecting through some sort of mobile device without any sort of security policy.  This is a huge security risk, and to combat it we are slowy implementing security policies by agency. So the first step in my process was to get a list of all users that have connected in the last 30 days.

So this way takes a long time if you have lots of mailboxes. For example, this takes over 55 minutes to complete in our environment. But if you do not have a lot of mailboxes, then this method should work fine for you. This report will create a CSV, and list the users name, and type of device.

Get-Mailbox -ResultSize:Unlimited | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity -ErrorAction SilentlyContinue}| Where{$_.LastSuccessSync -gt '01/01/11'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType | Export-Csv -Path:"c:\MobileDevices.csv"

One of the bad things about the above script is it will more than likely return some dupilcates. So to combat that, I added a where statement just so I can get the devices that have synced in the last 30 days.

get-mailbox -ResultSize unlimited -Filter {EmailAddresses -like "*@email.com" } | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity  -ErrorAction SilentlyContinue}| where {$_.lastsuccesssync -gt '02/01/2011'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType

Ok, now here is a quick way of doing the same thing but by using a filter. I recommend always using a filter to get your results. In this example we are filtering on EmailAddresses and only listing those people that have synced a device in the last 30 days. I spent a few hours trying to figure out how to best do this, and this is the best I could come up with. Please leave a comment if you know of a better way.

get-mailbox -ResultSize unlimited -Filter {EmailAddresses -like "*@email.com" } | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity  -ErrorAction SilentlyContinue}| where {$_.lastsuccesssync -gt '02/01/2011'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType | Export-Csv -Path:"c:\MobileDevices_email.com.csv"
Posted in Messaging, Scripting | 1 Comment

Guest bloggers

Posted on February 17, 2011 by brian.wuchner

Good evening, I have been speaking with co-workers about this blog and a few expressed interest in blogging about their day-to-day systems administration duties. In the near future you may see some posts from Steve Kremer. Steve is a co-worker of mine who deals with Active Directory, Citrix and Enterprise Messaging. Steve brings years of experience and a wide array of knowledge.

Posted in Messaging | Leave a comment