Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum
Showing results for 
Search instead for 
Do you mean 

ILO design questions

Occasional Visitor

ILO design questions

We are using ILO/ILO2 with AD auth and HP extended schema. This is working in general. But some problems/questions still appear. Maybe a HP engineer is using this forum too.

1. I provide a domain name and not a domain contoller name or ip address as a directory server in the ILO direcotry configuration. This was done to provide redundancy in case of a DC failure. When I try to log on with domain\user to the ILO the IP addresses are looked up by the ILO using DNS. DNS returns a list of IP addresses of our Dcs in the domain. The ILO server selects one address (randomly, I assume) and the authentication process is started. If this directory server is not available the authentication process fails and no attempt is done to repeat authentication with another DC. If I log on again and another DC gets selected then I can access the ILO.
If I use the ILO of a domain contoller where both, ILO and DC, are in the same IP subnet I cannot logon with AD credentials at all if this DC is down. It looks like that the ILO selects always this DC for authentication because the subnet of DC and ILO are identical. Because here always this DC is used I can not log on to the ILO at all, which would have been very useful in case of DC breakdown.
Why can the ILO not use the directory authentication in the same manner as a Windows client, with AD site lookup and so on?

2. Why can I access a ILO when I have read access to the AD role group the ILO object is assigned to? Even when I am not a member of the role at all. Why has this strange behavior been implemented? Would it not be more effectiv just to check the membership instead of ignoring it?

3. Where is the "LOM Object Password" used for? And if it not used yet, what will be the future use? Why does the test of dircetory atuthenticatian always display an error message with the "LOM Object Password"?

4. Why is the ILO ignoring the lease time configuration of the DHCP server. Lease time is always 3 days no matter which leases time has been defined in DHCP.

Thank you.

2 REPLIES
Honored Contributor

Re: ILO design questions

I cannot answer all the questions.
I direct to the problem of ILO and DC being in the same subnet.

You can create a seperate "management-vlan" on your network, where the ILO's are connected. Then use (fixed) ip-adresses in a a separate subnet. This subnet may be configured in AD to belong to a specific "site".

Maybe this improves the logon process?
Pieter
Honored Contributor

Re: ILO design questions

1. DNS failover

Much of this is governed by the DNS response when iLO looks up a directory server IP. If the name has multiple IP address assocations, iLO will attempt to contact the first IP, suffer a lengthy timeout, and move to the next. If the DNS response rotates host IP address order, this mitigates the delay.

2. Why can I access a ILO when I have read access to the AD role group the ILO object is assigned to?

HP Directory Services whitepaper talks about this.
Essentially, iLO gains rights via the directory by adding the roles that can be read by the user. All users that are made a member of the role gain the rights, but the creator of the role has implicit read capability, even if they are not listed as a member.


3. Where is the "LOM Object Password" used for? And if it not used yet, what will be the future use? Why does the test of dircetory atuthenticatian always display an error message with the "LOM Object Password"?

This field is not currently used.

The future use idea is along the lines of putting iLO profiles "in the directory" and iLO will get updates from there. Because there is an iLO object, the object has a password, even if it is not used.

The LOM object password test fails because the directory does not allow the iLO object to authenticate using the password.

4. Why is the ILO ignoring the lease time configuration of the DHCP server.

iLO will request a fixed lease time, but honors the configuration received from the DHCP server. What causes your concern?