Dell iDRAC8 Registering iDRAC as a Computer in Active Directory Root Domain, Generating Kerberos Keytab File

To register iDRAC in Active Directory root domain:

1. Click Overview → iDRAC Settings → Network → Network.

The Network page is displayed.

2. Provide a valid Preferred/Alternate DNS Server IP address. This value is a valid DNS server IP address

that is part of the root domain.

3. Select Register iDRAC on DNS.

4. Provide a valid DNS Domain Name.

5. Verify that network DNS configuration matches with the Active Directory DNS information.

The ktpass tool (available from Microsoft as part of the server installation CD/DVD) is used to create the

Service Principal Name (SPN) bindings to a user account and export the trust information into a MIT–style

Kerberos keytab file, which enables a trust relation between an external user or system and the Key

Distribution Centre (KDC). The keytab file contains a cryptographic key, which is used to encrypt the

information between the server and the KDC. The ktpass tool allows UNIX–based services that support

Kerberos authentication to use the interoperability features provided by a Windows Server Kerberos KDC

service. For more information on the ktpass utility, see the Microsoft website at:

Before generating a keytab file, you must create an Active Directory user account for use with the -

mapuser option of the ktpass command. Also, you must have the same name as iDRAC DNS name to

mapuser DOMAINNAME\username -mapOp set -crypto AES256-SHA1 -ptype

KRB5_NT_PRINCIPAL -pass [password] -out c:\krbkeytab

The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The properties of

the user account to which the Service Principal Name is mapped to must have Use AES 256

encryption types for this account property enabled.

NOTE: Use lowercase letters for the iDRACname and Service Principal Name. Use uppercase

letters for the domain name as shown in the example.

3. Run the following command:

C:\>setspn -a HTTP/iDRACname.domainname.com username