topic Re: Script for AD Groups? in Server Management - Remote Server Management

Script for AD Groups?

John J DiMack — Wed, 07 Nov 2007 14:56:13 GMT

We are integrating iLO into AD, and have been successful in testing it. Now we want to deploy it to multiple servers and use Groups in AD. The “HP iLO Management Processor Scripting and Command Line Resource Guide” does not have any reference to adding groups. We would like to script this so we can deploy it without manually configuring each server.

Does anyone have any info/experience in doing this?

Thanks,
Joh

Re: Script for AD Groups?

acartes — Wed, 07 Nov 2007 16:18:58 GMT

There are a few ways to rollout iLO using scripting. Note that directory integration requires an iLO license. The scripting principle applies to most iLO settings.

You can use RIBCL scripts to configure iLO from within the host (i.e. from Windows to iLO in the box) and across the network (from Windows or Linux to a target iLO on the network).

Documentaton here:
http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual〈=en&cc=us&docIndexId=179111&taskId=101&prodTypeId=18964&prodSeriesId=397989
Linux samples here:
http://h18004.www1.hp.com/support/files/lights-out/us/revision/8645.html
Windows samples here:
http://h18004.www1.hp.com/support/files/lights-out/us/revision/8238.html

Probably the fastest way to get the script to use is to retrieve the settings from one of your configured devices. A script like this (get_directory.xml) will retrieve them:

used like this:
C:\iLO>cpqlocfg -s iloname -f get_directory.xml -u Administrator -p topsecret

Extract mod_schemaless_directory.xml, apply the desired changes, and save (set_dir_parms.xml)

Then push it out to a new iLO:

c:\ilo_cpqlocfg -s ilo-new -f set_dir_params.xml -u Administrator -p topsecret

Re: Script for AD Groups?

acartes — Wed, 07 Nov 2007 16:21:06 GMT

Attached is a possible sample script you can examine.

Re: Script for AD Groups?

acartes — Mon, 12 Nov 2007 13:44:20 GMT

>> I did copy down Microsoft's XML Notepad and cobbled a file together from several of the samples. I get an error on the very first line, which I can't figure out.

RIBCL is a little special and the output from regular XML editors usually has problems like that.

The good thing is that the XML files are ASCII text (like HTML), so you can edit them using a standard editor (vi, notepad, etc).

Clean-out the XML lines so the script starts with and ends with .

Re: Script for AD Groups?

John J DiMack — Tue, 13 Nov 2007 07:23:33 GMT

Thanks, again.

It all worked, just as advertised! Using Notepad, the text editor, made it much easier, at least for me.

Now, that you've helped me "walk", can you take me to the next level and show me how to "run"? I would like to use a script to deploy to multiple servers, preferrably at the same time with the same script. And, be able to deploy the same script/settings to a single machine over the network.

I really appreciate your time and help.

Thanks,
John

Re: Script for AD Groups?

acartes — Tue, 13 Nov 2007 10:24:41 GMT

Now that you have a script with the desired settings, deploying it over the network will be straight-forward.
(There is a way to deploy the script from the local server to iLO without using the network, but I'll skip that for now).

The nice thing is that for the directory settings script, the same configuration can be used for all iLO processors, so you do not have to alter the content per-node. There is a way to do this using some variable substitution capabilities. In fact, username and password override values are used below.

You will need the following information for each iLO beforehand:
- iLO network name or IP address
- valid credentials for an iLO account with "configure iLO" rights

You can use a batch file or the command-line to push the settings out, like this:
c:\iLO>cpqlocfg -s ilo-new -f set_dir_params.xml -u Admin -p topsecret
c:\iLO>cpqlocfg -s 192.168.1.1 -f set_dir_params.xml -u Admin -p topsecret
c:\iLO>cpqlocfg -s 192.168.1.2 -f set_dir_params.xml -u Admin -p opensesame
c:\iLO>cpqlocfg -s 192.168.1.3 -f set_dir_params.xml -u Admin -p knockknock
c:\iLO>cpqlocfg -s 192.168.1.4 -f set_dir_params.xml -u Admin -p H4x0rD00dZ
c:\iLO>cpqlocfg -s 192.168.1.5 -f set_dir_params.xml -u Admin -p UR2good4Me
c:\iLO>cpqlocfg -s 192.168.1.6 -f set_dir_params.xml -u Admin -p FXR1stR8
c:\iLO>cpqlocfg -s 192.168.1.7 -f set_dir_params.xml -u Admin -p puT863MoX
c:\iLO>cpqlocfg -s 192.168.1.8 -f set_dir_params.xml -u Admin -p No50WaY2
c:\iLO>cpqlocfg -s 192.168.1.9 -f set_dir_params.xml -u Admin -p GUessTHis
c:\iLO>cpqlocfg -s 192.168.1.10 -f set_dir_params.xml -u Admin -p 9fiNgeRS

(I'll admit, I got the passwords from googling "password")

If you do not know the iLO network addresses in advance, this can be a hassle!
HP provides a free utility (Windows only), in the Directories Support for Management Processors, that can scan the network for possible iLO candidates and save the results to a comma-delimited file.
HP-Systems Insight Manager can also do this (network discovery).

Once you have the list of nodes and credentials, it is a matter of massaging the data into the batch file. I recommend trying it out on a node and being comfortable with the results before unleashing it on the network!

-> Hiccups and problems along the way
You will probably discover that not all your iLOs have the same version of firmware. You can use the same technique to push out the latest firmware version using the example script update_firmware.xml

You may also discover that not all your iLOs have license keys installed (a requirement for directory integration support). You can push out license keys by modifying the License.xml example.

-> Miscellaneous
The CPQLOCFG utility returns an errorcode that I believe is 0 on successful execution and non-zero if there is a hiccup. You can test this to see if an error occurred.

The CPQLOCFG utility also records the output for a script in a text file with the name following the "-s" parameter. Again, useful if you are troubleshooting.

-> No access
If you find yourself in a situation where you cannot login to an iLO, you have a few possibilities
- you can read the sticker on the server that records the default Administrator password
- you can manually set the security override switch which opens all access (do not leave it this way!)
- you can use the HPONCFG utility that runs in the host OS to push the settings to iLO. iLO assumes host Administrators have script access, so "in target" scripts are accepted, to assist deployment.

-> Downloads
Utilities and samples can be downloaded starting here:
http://h18004.www1.hp.com/support/files/lights-out/us/index.html

Documentation can be downloaded here:
http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual〈=en&cc=us&docIndexId=179111&taskId=101&prodTypeId=18964&prodSeriesId=397989

Re: Script for AD Groups?

John J DiMack — Wed, 14 Nov 2007 11:00:50 GMT

Wahoo!

Yes, it works and works great!

Thank you, thank you, thank you!

I appreaciate that you stayed with me. Again, many thanks.
John