Microsoft Active Directory; The ghetto rigged LDAP server.

Android Active Directory Management

Presenting, ActiveDiroid:

Android App: ActiveDiroid on Android Market

Download: PHP Gateway Application Script. After extracting the files to the webserver you want to run the application on, you may rename server.php to any name you like, keeping the .php extension; you type the full URL of the script into the Android client anyway.

It is highly recommended that you get the free version and set up the script first. The free version lets you unlock accounts and view all the same information as the full version, which also lets you test your SSL setup: just set SSL to enabled after doing the steps below, and if you can still connect you should be good.

There is no longer a free limited version. Only the full version is available, and it is free; the source code will also be available on this page.

You must completely uninstall the limited free version to use the full version.

My first Android application. It will be available on the market soon for 10″ tablet devices. This app is not developed to work on a phone or a smaller tablet; there is just too much information to show cleanly.

I built this app to manage Active Directory users on my tablet while at work and away from the management console.

ActiveDiroid


Current Features: browse all users, browse users per group, unlock account, force password change, disable/enable account, change account display name, full name, last name and account description, change password**, change office description, company description, telephone number, email (not Exchange addresses), title and department, change user group memberships (add and remove users from groups), create user accounts, and Exchange information.

Pulling the account-locked status from Active Directory over LDAP has a quirk: if an account has not been logged into for a very long time, the locked-account switch will show as True. You can ‘unlock’ the account and it will do no harm.
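As an added example that is not part of ActiveDiroid or its PHP script, here is how a gateway written in PHP could double-check the locked status instead of trusting a non-zero lockoutTime alone. It assumes the caller has already read the user's lockoutTime and msDS-User-Account-Control-Computed attributes and the domain's lockoutDuration over LDAP (an ldap_get_entries()-style array with lower-case keys); the attribute values at the bottom are constructed sample data, and the attribute semantics (FILETIME ticks, the UF_LOCKOUT bit in the computed attribute, the negative lockoutDuration interval) are standard Active Directory behaviour rather than anything stated on this page.

```php
<?php
// Added example (not ActiveDiroid code): decide whether an account is really
// locked out. AD keeps a stale, non-zero lockoutTime after a lockout expires
// until the next successful logon, so a long-idle account can read as "locked".

const FILETIME_EPOCH_DIFF = 11644473600; // seconds from 1601-01-01 to 1970-01-01
const UF_LOCKOUT          = 0x10;        // bit in msDS-User-Account-Control-Computed

/** Convert an AD FILETIME string (100-ns ticks since 1601) to a Unix timestamp. */
function filetimeToUnix(string $filetime): int
{
    return intdiv((int)$filetime, 10000000) - FILETIME_EPOCH_DIFF;
}

/** Domain lockoutDuration is a negative 100-ns interval; 0 or the int64 minimum means "until an admin unlocks". */
function lockoutDurationSeconds(string $lockoutDuration): ?int
{
    $ticks = (int)$lockoutDuration;
    if ($ticks === 0 || $ticks === PHP_INT_MIN) {
        return null;
    }
    return intdiv(-$ticks, 10000000);
}

/**
 * $user is an ldap_get_entries()-style attribute array (lower-case keys, values at index 0).
 * Preferred source: the DC-computed UF_LOCKOUT flag, which the DC evaluates against the
 * current time. Fallback when that attribute was not requested: lockoutTime + lockoutDuration.
 */
function isEffectivelyLocked(array $user, string $lockoutDuration, int $now): bool
{
    if (isset($user['msds-user-account-control-computed'][0])) {
        return ((int)$user['msds-user-account-control-computed'][0] & UF_LOCKOUT) !== 0;
    }
    $lockoutTime = (int)($user['lockouttime'][0] ?? 0);
    if ($lockoutTime === 0) {
        return false; // never locked, or already reset by a logon
    }
    $duration = lockoutDurationSeconds($lockoutDuration);
    if ($duration === null) {
        return true; // locked until an admin unlocks
    }
    return filetimeToUnix((string)$lockoutTime) + $duration > $now;
}

// Constructed sample values (not read from a real directory):
// lockoutTime of 2012-05-20 12:00:00 UTC and a 30-minute domain lockoutDuration.
$lockedAt      = 1337515200;
$lockoutTime   = (string)(($lockedAt + FILETIME_EPOCH_DIFF) * 10000000);
$user          = ['lockouttime' => [$lockoutTime]];
$thirtyMinutes = (string)(-30 * 60 * 10000000);

// Checked ten minutes after the lockout: still inside the lockout window.
var_dump(isEffectivelyLocked($user, $thirtyMinutes, $lockedAt + 600));
// Checked a day later: lockoutTime is still set, but the lockout has expired.
var_dump(isEffectivelyLocked($user, $thirtyMinutes, $lockedAt + 86400));
```

When the gateway requests msDS-User-Account-Control-Computed in its LDAP search, the first branch is enough and the arithmetic fallback is never needed; the fallback exists for directories or schema where that constructed attribute is not returned.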

The client connects to a PHP-enabled webserver inside your network, and the PHP script runs with all the information you provide inside the application. I chose this way because it is easier to manage security and lock down a single entry point into Active Directory than to have many administrators' devices connecting to it from anywhere.

The application works on your internal wireless network, or over a VPN connection to your workplace. As long as you can hit the webserver with the tablet, this app will work. This also allows you to lock things down with a firewall, and all that good stuff.

In a multi-user setup, a single webserver is used (new or existing) that can run PHP applications. This server is allowed to connect to the Active Directory servers, either by allowing it through firewalls or by security permissions in some setups. The Android application will ask for a few things that you set up in the script.

Android Application Config
--------------------------
ScriptURL; The complete URL to the hosted PHP file. HTTP and HTTPS are supported. HTTPS is recommended; self-signed and other certificates are supported.

ScriptKey; The script key is a shared password that all of the admins use to connect to the script. It is necessary.

Username; A username in Active Directory to bind with and perform the admin functions.

Password; The password of the Active Directory account named above.

PHP Script Config
-----------------
The top of the PHP file contains the configuration variables you will need to set. They are pretty self-explanatory: the Script Key and the Domain Controller connection information.

The PHP LDAP module must be enabled for the script to work.

The SSL flag must be enabled (set to true) to change a user's password. This is an Active Directory requirement, and the PHP script will establish an LDAPS connection to Active Directory.

To enable LDAPS your PHP configuration must have SSL support (openssl in Linux) and a working ldap.conf file so that PHP knows how to connect.

/etc/openldap/ldap.conf

HOST mercury.archaicbinary.home
PORT 636
TLS_CACERT /etc/httpd/conf/archaicbinary.cer
TLS_REQCERT allow

HOST is your domain controller.
TLS_CACERT is the .cer file you export from the Certificate Services server in your AD domain. It must be in Base64 format. You can get it by visiting your Certificate Services website (http://ca-server/certsrv) and exporting the CA certificate: click ‘Download a CA certificate, certificate chain, or CRL’ -> Encoding method: Base64 -> Download CA Certificate.

Installing and setting up Certificate Services is beyond this article. You can read up on Microsoft or other sites for this information.

If you do not enable SSL, or cannot, you can use all the functions of ActiveDiroid except changing passwords and creating users, since you need to set a password to create a user.
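The following is an added example and not the project's server.php; it shows in PHP the pieces the configuration above implies: checking the shared Script Key, opening an LDAPS connection with certificate verification, binding with the admin credentials the client supplies, and writing the unicodePwd attribute, which Active Directory only accepts over an encrypted connection and expects as a double-quoted UTF-16LE string. The hostname and CA path are taken from the ldap.conf above; the script key value and the POST field names are assumptions, and the LDAP_OPT_X_TLS_* constants need PHP 7.1 or later. Note that TLS_REQCERT allow in ldap.conf tells the OpenLDAP client to proceed even when the server certificate fails verification, which is why the example sets the stricter demand level itself so that a spoofed domain controller cannot collect the admin bind password.

```php
<?php
// Added example (not the ActiveDiroid server.php): a minimal PHP gateway that
// verifies the shared script key, connects over LDAPS with certificate checking,
// binds as the admin account supplied by the client and resets a user's password.

const SCRIPT_KEY   = 'change-me-shared-secret';       // assumption: plays the role of the page's ScriptKey
const DC_HOST      = 'mercury.archaicbinary.home';    // domain controller from the ldap.conf above
const CA_CERT_PATH = '/etc/httpd/conf/archaicbinary.cer';

/** Reject the request unless the client supplied the shared key (timing-safe compare). */
function checkScriptKey(string $supplied): bool
{
    return hash_equals(SCRIPT_KEY, $supplied);
}

/** Open an LDAPS connection; AD refuses unicodePwd writes over plaintext LDAP. */
function connectLdaps(string $host, string $caCert)
{
    // Demand a valid certificate chain (stricter than TLS_REQCERT allow in ldap.conf).
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caCert);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect("ldaps://{$host}:636");
    if ($conn === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals that break simple binds
    return $conn;
}

/** AD expects the new password as a UTF-16LE string wrapped in double quotes. */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** Administrative reset (replace) of another user's password; the bind account needs the Reset Password right. */
function resetUserPassword($conn, string $userDn, string $newPassword): bool
{
    return ldap_mod_replace($conn, $userDn, ['unicodePwd' => encodeUnicodePwd($newPassword)]);
}

// Request handling sketch; the field names are assumptions about what the client would POST.
if (PHP_SAPI !== 'cli') {
    if (!checkScriptKey($_POST['scriptkey'] ?? '')) {
        http_response_code(403);
        exit('bad script key');
    }
    $conn = connectLdaps(DC_HOST, CA_CERT_PATH);
    // Bind with the admin credentials typed into the app, never a hard-coded account.
    if (!@ldap_bind($conn, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        http_response_code(401);
        exit('bind failed: ' . ldap_error($conn));
    }
    $ok = resetUserPassword($conn, $_POST['userdn'] ?? '', $_POST['newpassword'] ?? '');
    echo $ok ? 'ok' : 'error: ' . ldap_error($conn);
    ldap_unbind($conn);
}
```

Because the gateway binds with whatever admin credentials the tablet sends, the HTTPS listener in front of it and the script key are the only things standing between the network and a password-reset endpoint, which is why the page recommends HTTPS and firewalling the webserver.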

ActiveDiroid Explain


By |May 20th, 2012|0 Comments

Setting Up Certificate Services

Starting with the virtual machine on which I previously installed Active Directory, next I am going to set up a simple Certificate Services installation. This should usually be installed on a very secure machine in your organization, as it will hold the CA's private keys and issue the certificates used on your network and possibly on external services if you so wish.

Start by going to Control Panel, and Add or Remove Programs.

Click Add/Remove Windows Components and check the box next to Certificate Services. A dialog will appear with a warning, as in the photo below.

Be sure you read this warning, and click Yes to continue. Then click Next.

Select ‘Enterprise root CA’ and click Next.

You will be asked for the ‘Common name for this CA:’; type in the computer's name. In our case, from the last walkthrough, this was “default-fm878pv”, which I did not change. If you have not changed the name to something more meaningful, you can cancel out now and change it.

Click Next. Click Next again to accept the database paths. You will be asked for the Windows 2003 CD now; insert it and click OK. After the file copy, you may be presented with this.

Click OK.

In this walkthrough we will enable Web Enrollment, as we might use it later for smart cards and the like.

Back at the Add or Remove Programs screen, click Add/Remove Windows Components again, click ‘Application Server’ (but do not check it), then click Details.

Click on ‘Internet Information Services (IIS)’ (but do not check it) and click Details.

Scroll down and check the box next to ‘World Wide Web Service’ and click OK. Click OK again. Then click Next. If you removed the 2003 CD, you will need it again.

Reboot the server.

Open a Command Prompt, type ‘certutil -vroot’ as shown in the photo below and hit Enter.

Open Internet Explorer on the server, or on another workstation on the network, connect to the server by name or IP address and browse to /certsrv as shown in the photo below.

If you see this, your web enrollment is working.

You can administer your Certificate Services install through Administrative Tools.

You can now use EFS with certificates on your Active Directory client machines. You will next want to look up how to issue administrator certificates that can decrypt files encrypted by employees or users whose files you need access to as the network admin.

By |March 9th, 2011|0 Comments

Installing Active Directory

I will try to include as many screenshots as possible to help those who are learning or are new to installing Active Directory.

This install was performed on a virtual machine running Windows 2003 R2 Standard. The install will be similar to the install on Windows 2000.

We start off with a fresh install. Close the configure your server wizard. We are going to do this manually.

Assign a static IP address to this server, and then set the machine's primary DNS server to its own IP address. I did this while installing Windows.

Next we need to give this machine a DNS suffix. Choose the same one that you will use to name the domain. I'm going to use testdomain.home because this is an example setup, and I chose the .home TLD because it is not valid on the internet, so it will never conflict with a real domain and cause internal network problems such as breaking browsing to websites.

If you were to choose say, yahoo.com for your domain name, your clients would not be able to get to the real yahoo.com because your DNS server will resolve it to your Active Directory server and not to the Yahoo servers.

To do this, right-click My Computer in the Start Menu and choose Properties. Select the Computer Name tab at the top, then click Change. On the Computer Name Changes dialog, click the More button, type in your suffix and click OK.

Restart the server.

Log in to the server and start by making this a DNS server for Active Directory and clients.

Go to Start Menu, Control Panel, Add/Remove Programs. Click Add/Remove Windows Components on the left. Scroll down to Networking Services and highlight it (don't check the box next to it), then click Details. Check the box next to Domain Name System (DNS), click OK, then click Next. Insert the CD if asked and click OK.

After the files copy, click Finish and close the Add/Remove Programs window.

Go to Start Menu, Administrative Tools, DNS. Right-click Forward Lookup Zones and choose New Zone. Click Next, choose Primary Zone and click Next. When asked for the Zone Name, you must type the same one you used for the Computer Name suffix in the previous steps.

Click Next, then Next again to accept the filename. When asked about Dynamic Update, choose ‘Allow both nonsecure and secure dynamic updates’. (We will secure this later.) Click Next, then Finish.

Right-click Reverse Lookup Zones and choose New Zone. Click Next, choose Primary zone, then click Next.

Type in the first portions of your network's IP space and click Next, then Next for the filename, and then choose ‘Allow both nonsecure and secure dynamic updates’. (We will secure this later.) Click Next, then Finish.

Restart the server.

Open a command console and type ‘nslookup’. You should get something similar to the following:

If you get an error, your DNS server is not working correctly yet, and it has to be working before you proceed.

Click Start Menu, Run. Type in ‘dcpromo’ and click OK.

Click Next, Next, and Next again for a new domain, then Next for a new forest. When asked for the full DNS name, type in the same one you have been using in the steps above.

Click Next after typing your DNS name; it will then test your DNS server. You can change the NetBIOS name or leave the default, then click Next. Accept the default NTDS paths and click Next. Accept the default SYSVOL path and click Next. Click Next again, choose Permissions for 2003 and higher only and click Next. Choose a password for recovery mode and click Next. Click Next once more and the process starts.

When it’s all done, click Finish, and Restart.

Click Start Menu, Administrative Tools, DNS. Click and then right-click your domain under Forward Lookup Zones and choose Properties. To the right of Type, click Change. Check ‘Store the zone in Active Directory’, click OK and then Yes, then change the Dynamic updates drop-down box to Secure only and click OK.

Do the same for the Reverse Lookup Zone: click and then right-click your network subnet and click Properties. Change the type to store the zone in Active Directory, then set dynamic updates to Secure only and click OK.

You now have a domain controller to join clients to. Make sure the clients are using the domain controller as their DNS server.

By |March 4th, 2011|0 Comments