As IT professionals we are always looking for ways to manage systems anytime, anyplace, and anywhere. Mobile smartphones have completely changed the world we live in and made possible things that were only dreamed of a few years ago. As a system administrator, did you ever think you would be able to sit in your car or in a restaurant, log in to your Active Directory environment, and change someone's password or account description from your phone? Recently I switched from my trusty BlackBerry to a Samsung Infuse 4G and am loving the newfound abilities granted by the various software found in the App Marketplace.
There are a couple of great Apps that I want to detail here and also give you some idea as to backend setup which makes Active Directory administration possible and even enjoyable to do from your Android smartphone. First off as with any technology that makes things easier on the frontend, we have to make sure there is the appropriate infrastructure setup on the backend to allow us to manage and connect as we need to.
Before we highlight the apps used to connect to our environment, let us take a look at what we need in place to allow a connection to AD. Most, if not all, business and corporate environments have some sort of firewall in place with VPN access enabled. To connect our smartphone to an Active Directory domain controller, we first need to connect to that VPN so the phone is placed on the same network as our internal server. We will also need to open the correct port on our firewall, the LDAPS port, TCP 636. We want to use the SSL-protected LDAP port because it allows us not only to browse Active Directory but also to reset passwords, which we cannot do over standard LDAP on port 389. We will get into that a bit more later.
There is a really powerful tool for checking a variety of things built into Windows Server 2008 servers that have the Active Directory Domain Services role installed: the LDP.exe utility, which you can launch directly from the Run dialog. While this utility can do a wide variety of things for us, we will simply use it to check connection information to Active Directory on our configured ports.
After choosing to connect to a server you will see the connect dialog box:
The default port for LDAP connections is 389, and it is enabled by default. However, for security and functionality reasons, we want to enable port 636 for a secure (LDAPS) connection. Note the results of connecting via 389 and 636 on our test server.
In the result above, port 636 is closed: our domain controller is not yet listening for LDAPS connections.
Installing a Certificate for your Domain Controller
For the purposes of documenting and installing a certificate for AD on our test server, we are simply going to install Certificate Services and import a self-signed certificate to enable the LDAPS port. Take a look at our post here on installing Certificate Services on a domain controller. If you have a certificate for your organization from a trusted certificate authority, you can use that instead to enable the LDAPS port.
Once you have installed Certificate Services or imported a signed certificate from a trusted certificate authority, you will need to restart your domain controller according to Microsoft, although we have seen mixed reports about whether this is really necessary. Once the server has restarted, there isn't anything special you have to do in Active Directory. It simply enables the port by default once it knows there is a certificate installed to secure LDAP communication.
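As a quick check to run from a workstation on the VPN (or from the DC itself) once the certificate is in place, here is an added PowerShell script that is not part of the original post: it tests whether the domain controller answers on TCP 389 and 636, completes a TLS handshake on 636, and reports the certificate it presents, its DNS name, its Server Authentication EKU and whether the chain is trusted. The DC name `dc01.example.local` is a placeholder assumption; replace it with your own domain controller's FQDN.

```powershell
# Added example (not from the original post). $DcFqdn is a placeholder.
param([string]$DcFqdn = 'dc01.example.local')

function Test-LdapPort {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # 3-second timeout so a firewall that silently drops 636 does not hang us
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne(3000) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Get-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any certificate during the handshake so a self-signed lab cert
    # can still be inspected; trust is evaluated separately below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Server)   # hostname must match the DC FQDN
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        # LDAPS needs a cert with the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            DnsName        = $cert.GetNameInfo('DnsName', $false)
            NotAfter       = $cert.NotAfter
            ServerAuthEKU  = ($ekus -contains '1.3.6.1.5.5.7.3.1')
            ChainTrusted   = $trusted
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Protocol       = $ssl.SslProtocol
        }
    } finally { $ssl.Dispose(); $client.Close() }
}

foreach ($port in 389, 636) {
    $state = if (Test-LdapPort -Server $DcFqdn -Port $port) { 'open' } else { 'closed or filtered' }
    Write-Host ("{0}:{1} is {2}" -f $DcFqdn, $port, $state)
}
if (Test-LdapPort -Server $DcFqdn -Port 636) {
    Get-LdapsCertificate -Server $DcFqdn | Format-List
}
```

If 636 is open but ChainTrusted is False, the phone app will likely refuse the connection unless the issuing CA's certificate is installed on the handset, which is the expected outcome with the self-signed lab certificate used above.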
After making sure all your infrastructure changes are in place to allow communication through any firewalls or UTM devices, we can install the apps needed to make managing Active Directory possible. Since everyone's environment is different, we are not going to suggest a VPN app here: different environments require different types of VPN software, and there are simply too many in the Android Market to discuss them all. However, the app you need for managing your AD infrastructure can be found at the following link, or on your handset via the Android Market. It is called ActiveDir Manager.
Follow the documentation carefully to add your domain to manage users and computers.
While this may not become your main avenue for updating or changing user and computer accounts in Active Directory, it may very well be a useful tool when you are pulled away from the office or otherwise "disconnected" from your workstation. The ActiveDir Manager app is a great utility that accomplishes the otherwise impossible task of managing your AD environment from your phone.