What are the details on extending the schema for Active Directory integration into Out of Band Management?
Taken from Intel's documentation:
As a brief explanation, Active Directory allows dividing a domain into substructures called organizational units (OUs). OUs are container objects that can be nested within other OUs. An OU can contain users, groups, and other OUs. OUs are part of the Active Directory scheme for managing privileges and accesses. One of the parameters that must be specified for each Intel AMT device before it can be set up in an AD environment is the OU where it will be installed.
The OU created for holding AMT objects does not need special privileges. However, if the SCS user does not have sufficient permissions to add users to Active Directory, the SCS will not be able to add new entries to the OU. The SCS user needs “Create/Delete Intel-Management-Engine objects” permission in the OU as well as full control over Intel-Management-Engine object.
The schema extension operation creates a new class, Intel-Management-Engine, based on the AD computer object, with the following new attributes:
- Intel-Management-Engine-Version (received in the “Hello” message from the Intel AMT device)
- Intel-Management-Engine-Host-Computer (a link to the platform computer object created when the host joins the domain)
- Intel-Management-Engine-Platform-UUID (received in the “Hello” message)
- Intel-Management-Engine-Host-Computer-BL (added to the computer object class as a back link to an AMT object)
- “Intel-Management-Engine-Host-computer-BL” (added to the top computer object class)
When the SCS performs setup for an Intel AMT device, the SCS service:
- Creates an AMT Object with the first three attributes listed above
- Creates a link between the attribute “Intel-Management-Engine-Host-Computer” in the AMT Object and the AMT Host object
- Creates a link between the attribute “Intel-Management-Engine-Host-Computer-BL” found on the AMT Host and the AMT Object.
- Active Directory will display the AMT Object as the representation of the Intel AMT device itself and show it as having the type Intel-Management-Engine.
There is some preparation that should be done before the integration with AD can be used.
Here is the simple configuration (without SSL authentication for AMT devices):
- Verify that the NS server is joined to the domain.
- Verify that the user that is used for SCS has at minimum “Domain admin” rights.
- Open (User.jpeg).
- Verify that this “SCS enterprise Administrator” has the “Domain Admin” privilege in AD.
- Now open the “OOB Configuration -> General Page” and check the “Integrate with Active Directory” check box.
- Run “Extend AD schema”. A dialog appears. In this dialog, specify a user (in DOMAIN\USER format) that has not only the “Domain Admins” privileges but also the privileges to modify the AD schema, i.e. the user should be in the “Schema Admins” group (Shema1.jpeg). (Restart “netlogon” on the NS server after you add the user to the “Schema Admins” group.)
- If the user has the correct rights, the schema extension should complete successfully.
- After the schema extension has passed, go to the “AD Users and Computers” snap-in on the domain controller and create the “Organization Unit” (do not use spaces in the unit name) for future AMT clients (Shema2.jpeg).
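The checks in the steps above can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original article or of Intel's or Symantec's tooling; the account name and OU name are placeholders, and it assumes the schema objects carry the same names as the class and attributes listed above.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Placeholder values (assumptions, not taken from the article):
$ScsAccount     = 'svc-scs'      # hypothetical sAMAccountName of the SCS / schema user
$OuName         = 'AMTClients'   # hypothetical OU name for future AMT clients
$RequiredGroups = 'Domain Admins', 'Schema Admins'

function Test-OuName {
    param([string]$Name)
    # The article's rule: the OU name must not contain spaces.
    return ($Name.Length -gt 0) -and ($Name -notmatch '\s')
}

function Get-GroupReport {
    param([string]$Account, [string[]]$Groups)
    foreach ($g in $Groups) {
        # -Recursive also reports membership that comes through nested groups.
        $members = Get-ADGroupMember -Identity $g -Recursive
        [pscustomobject]@{
            Group    = $g
            IsMember = ($members.SamAccountName -contains $Account)
        }
    }
}

function Get-AmtSchemaObjects {
    # Lists schema entries whose name starts with Intel-Management-Engine
    # (assumption: the object names match the names given in the article).
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -Filter "Name -like 'Intel-Management-Engine*'" |
        Select-Object Name, ObjectClass
}

# 1. Group membership the article requires before running "Extend AD schema".
Get-GroupReport -Account $ScsAccount -Groups $RequiredGroups | Format-Table

# 2. After the extension: the new class and its attributes should be listed.
$schemaObjects = @(Get-AmtSchemaObjects)
if ($schemaObjects.Count -eq 0) {
    Write-Warning 'No Intel-Management-Engine objects found in the schema.'
} else {
    $schemaObjects | Format-Table
}

# 3. Create the OU for AMT clients at the domain root if it does not exist yet.
if (-not (Test-OuName $OuName)) { throw "OU name '$OuName' must not contain spaces." }
$domainDn = (Get-ADDomain).DistinguishedName
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) { New-ADOrganizationalUnit -Name $OuName -Path $domainDn }
```

Schema modification is the only step here that needs “Schema Admins”, so rerunning the group report afterwards is a quick way to confirm the account no longer holds that membership once the extension has passed.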
That seems to be all the preparation that is necessary to use the simple AD integration mode.
Associated screenshots: