This guide assumes you have already installed Dell iDRAC Tools with the RACADM utility on your system. Here are the minimum commands required to successfully configure Directory Authentication on Dell iDRAC.
Configuration for one server
In this section, we’ll walk through the step-by-step process of enabling Active Directory authentication on a single Dell iDRAC.
Step 1. Run the following commands against your target server's iDRAC IP address
For all the commands below, replace domain.local with your own domain.
# Enable Global Catalog lookup (so iDRAC can query AD via GC)
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.GCLookupEnable Enabled
# Set the root domain for Global Catalog
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.GCRootDomain domain.local
# Enable Domain Controller (DC) lookup
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.DCLookupEnable Enabled
# Allow DC lookup by user domain
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.DCLookupByUserDomain Enabled
# Specify the AD domain name for DC lookup
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.DCLookupDomainName domain.local
# Disable certificate validation (useful if your DC uses self-signed certs)
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.CertValidationEnable Disabled
# Define the first user domain entry
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.UserDomain.1.Name domain.local
# Map AD group "iDRAC-ReadOnly" to the domain and assign minimal privileges (0x1 = login only)
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ADGroup.1.Domain domain.local
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ADGroup.1.Name iDRAC-ReadOnly
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ADGroup.1.Privilege 0x1
# Map AD group "iDRAC-Administrator" to the domain and assign full privileges (0x1ff = administrator)
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ADGroup.2.Domain domain.local
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ADGroup.2.Name iDRAC-Administrator
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ADGroup.2.Privilege 0x1ff
# Enable Active Directory authentication on iDRAC
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.Enable Enabled
# Set schema type: 2 = Standard Schema (no AD schema extensions)
racadm --nocertwarn -r 192.168.10.1 -u root -p 'pass' set iDRAC.ActiveDirectory.Schema 2
What do all those commands do? First, let's explain the parameters used.
- --nocertwarn – suppresses security warnings about invalid/self-signed certificates.
- -r <ip_address> – target iDRAC IP address.
- -u <username> -p <password> – credentials for the remote iDRAC.
- To avoid passing credentials in clear text on the command line, replace -u/-p with -i to enter them interactively for each command.
Step 2. Create Active Directory Groups
In your Active Directory, create the groups used in the commands above: iDRAC-ReadOnly and iDRAC-Administrator. Then add the desired users to their corresponding group.
Automating configuration for multiple servers
We now know how to configure Active Directory Authentication on a single Dell iDRAC. But what if you need to configure 20, 30, or even 100 servers? Running the same commands repeatedly would be tedious. The fastest and simplest way is to automate the process with a bash script.
Step 1. Create the .sh file
Create the idrac_config_ad.sh file, either with the touch command or by opening it in your favorite text editor. In this example I'll use vi.
[root@adi-rocky-a01 ~]# vi idrac_config_ad.sh
#!/usr/bin/env bash
# Set credentials and domain
USER="root"
PASS='pass'
DOMAIN="domain.local"

# rac: run one racadm command against the iDRAC currently being configured ($ip).
# A failing command is reported on stderr but does not stop the loop.
rac() {
    racadm --nocertwarn -r "$ip" -u "$USER" -p "$PASS" "$@" || echo "[$ip] FAILED: racadm $*" >&2
}

# Loop through IPs listed in idrac_list.txt. The list is read on fd 3 so that
# a child command reading stdin cannot consume the remaining lines.
while IFS= read -r ip <&3; do
    [[ -z "$ip" || "$ip" == \#* ]] && continue   # skip blank and commented lines
    echo "[$ip] configuring AD"
    # Configure Global Catalog
    rac set iDRAC.ActiveDirectory.GCLookupEnable Enabled
    rac set iDRAC.ActiveDirectory.GCRootDomain "$DOMAIN"
    # Configure Domain Controllers
    rac set iDRAC.ActiveDirectory.DCLookupEnable Enabled
    rac set iDRAC.ActiveDirectory.DCLookupByUserDomain Enabled
    rac set iDRAC.ActiveDirectory.DCLookupDomainName "$DOMAIN"
    # Disable certificate validation (for self-signed certs). With this Disabled,
    # the iDRAC does not verify the domain controller's LDAPS certificate.
    rac set iDRAC.ActiveDirectory.CertValidationEnable Disabled
    # Configure user domain
    rac set iDRAC.UserDomain.1.Name "$DOMAIN"
    # Map AD groups and privileges (0x1 = login only, 0x1ff = administrator)
    rac set iDRAC.ADGroup.1.Domain "$DOMAIN"
    rac set iDRAC.ADGroup.1.Name iDRAC-ReadOnly
    rac set iDRAC.ADGroup.1.Privilege 0x1
    rac set iDRAC.ADGroup.2.Domain "$DOMAIN"
    rac set iDRAC.ADGroup.2.Name iDRAC-Administrator
    rac set iDRAC.ADGroup.2.Privilege 0x1ff
    # Enable AD authentication and set schema (2 = Standard Schema)
    rac set iDRAC.ActiveDirectory.Enable Enabled
    rac set iDRAC.ActiveDirectory.Schema 2
    # Verify configuration by reading the settings back (grep -E replaces the deprecated egrep)
    rac get iDRAC.ActiveDirectory | grep -E 'Enable=|Schema=|GCRootDomain=|DCLookup|GCLookup'
    echo "+---------------------------------------------------------+"
done 3< idrac_list.txt
Replace credentials and domain name with your own.
As you can see, there is a while loop that reads the IP addresses from the idrac_list.txt file and runs all the required commands against each one. That brings us to the next step.
The last racadm command only reads the Active Directory settings back, to verify that the values were set correctly.
Step 2. Create a file containing all iDRAC IP addresses
This is a simple step. Just create the idrac_list.txt file and fill it with all your IP addresses, one per line.
[root@adi-rocky-a01 ~]# vi idrac_list.txt
192.168.10.11
192.168.10.12
192.168.10.13
192.168.10.14
192.168.10.15
172.16.15.101
172.16.15.102
172.16.15.103
172.16.15.104
172.16.15.105
Step 3. Make the .sh file executable
[root@adi-rocky-a01 ~]# chmod +x idrac_config_ad.sh
Step 4. Run the script
Run the script and let the magic happen!
[root@adi-rocky-a01 ~]# ./idrac_config_ad.sh
[192.168.10.11] configuring AD
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#UserDomain.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ADGroup.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ADGroup.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ADGroup.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ADGroup.2]
Object value modified successfully
[Key=iDRAC.Embedded.1#ADGroup.2]
Object value modified successfully
[Key=iDRAC.Embedded.1#ADGroup.2]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
[Key=iDRAC.Embedded.1#ActiveDirectory.1]
Object value modified successfully
CertValidationEnable=Disabled
DCLookupByUserDomain=Enabled
DCLookupDomainName=domain.local
DCLookupEnable=Enabled
Enable=Enabled
GCLookupEnable=Enabled
GCRootDomain=domain.local
Schema=2
SSOEnable=Disabled
+---------------------------------------------------------+
[root@adi-rocky-a01 ~]#
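Two checks a practitioner would want around this procedure, as an added example that is not part of the article: a shell function that compares the read-back of racadm get iDRAC.ActiveDirectory against the values the script sets and reports drift, and a decoder for the ADGroup privilege bitmasks (0x1, 0x1ff) so the rights granted to each group can be reviewed. The privilege bit order follows Dell's iDRAC privilege table as documented for RACADM, which is an assumption to check against the reference for your firmware; the sample output is constructed from the run above.

```shell
#!/usr/bin/env sh
# Added example (not from the article): verify read-back AD settings and decode privileges.
# Expected values, identical to those the configuration script sets.
EXPECTED='Enable=Enabled
GCLookupEnable=Enabled
GCRootDomain=domain.local
DCLookupEnable=Enabled
DCLookupByUserDomain=Enabled
DCLookupDomainName=domain.local
Schema=2'

# check_ad_config "<output of: racadm get iDRAC.ActiveDirectory>"
# Prints one DRIFT line per mismatch; returns 1 on any drift, 0 when compliant.
check_ad_config() {
    drift=0
    for want in $EXPECTED; do
        key=${want%%=*}
        # anchored at ^ so Enable= does not match SSOEnable= or GCLookupEnable=
        got=$(printf '%s\n' "$1" | sed -n "s/^$key=//p")
        if [ "$got" != "${want#*=}" ]; then
            printf 'DRIFT %s: want %s, got %s\n' "$key" "${want#*=}" "${got:-<missing>}"
            drift=1
        fi
    done
    return $drift
}

# decode_priv 0x1ff -> comma-separated privilege names for an iDRAC privilege mask.
# Bit order follows Dell's iDRAC privilege table for RACADM (assumption: check your firmware's reference).
decode_priv() {
    mask=$(( $1 )); i=0; names=""
    for name in "Login" "Configure iDRAC" "Configure Users" "Clear Logs" \
                "Server Control" "Virtual Console" "Virtual Media" "Test Alerts" "Debug Commands"; do
        if [ $(( mask & (1 << i) )) -ne 0 ]; then names="${names:+$names, }$name"; fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${names:-none}"
}

# Constructed sample: the article's verification output with Schema drifted to 1.
SAMPLE='DCLookupByUserDomain=Enabled
DCLookupDomainName=domain.local
DCLookupEnable=Enabled
Enable=Enabled
GCLookupEnable=Enabled
GCRootDomain=domain.local
Schema=1
SSOEnable=Disabled'

check_ad_config "$SAMPLE" || echo "192.168.10.11: AD configuration drift"
decode_priv 0x1ff
```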
💡 Bonus tip! If you are running the script over SSH and expect it to take time, use screen to keep it running even if your session disconnects.
# Start a new screen session
[root@adi-rocky-a01 ~]# screen -S idrac-configure
# You can verify that you are attached to that session
[root@adi-rocky-a01 ~]# screen -ls
There are screens on:
109261.idrac-configure (Attached)
109224.pts-1.adi-rocky-a01 (Detached)
2 Sockets in /run/screen/S-root.
[root@adi-rocky-a01 ~]#
# Now you can run the script. If the SSH session drops, the script keeps running inside the screen session until it finishes.
[root@adi-rocky-a01 ~]# ./idrac_config_ad.sh