In the last section I went over some basic steps for managing Windows with Ansible. Now let's up the ante a bit. For this post I have rearranged things to make the setup look more like a real environment. The certificate part, however, is still a self-signed certificate.
The changes that I have done are:
- Modified the default hosts file to contain the systems we are working with (/etc/ansible/hosts)
- Created a /var folder on the Ansible host holding a file of Windows variables and a file of Windows credentials.
The above changes make things a bit more structured for the tasks ahead. They should make the yml files easier to write, and they add some security, because we can use ansible-vault to encrypt the passwords we are using. In a real environment you probably do not want all the passwords in a single vault file, but we are still in a test environment, and splitting them into one file per section is easy once the examples are there. I will not go into the vault part, or into editing the Ansible hosts file, in much detail, because I documented both in a previous post.
In the end, instead of one playbook and a custom host file, we will work with four files: the default hosts file, the playbook, and the two variable files, one of which is encrypted with vault. It does not sound simpler, but once you start working with it, it becomes a lot simpler.
Setting up a new AD forest
In this part I want to show how easy it really is to set up a new domain controller with Ansible. As mentioned in the previous post on managing Windows, all you need on the target is an IP address, a service user (not strictly required for a domain controller) and WinRM enabled.
Here is an overview of what I changed to get the domain controller promotion working.
First the /etc/ansible/hosts file. Here I added a new section for the domain controller, called [dc].
I also added the [win] section that I previously kept in my custom hosts file, which makes that file redundant.
Next I created the two variable files for the installation: winvar.yml and creds.yml. creds.yml is encrypted with ansible-vault so the passwords are not stored in clear text on the Ansible host.
Next I created the playbook for promoting a machine to domain controller. It is still quite simple to work with.
As you can see, there are more files to work with, but everything is clearly laid out and you do not have to scroll around much to find things.
Now let us run the playbook and let things happen.
As evidence, at the end you can see that the promotion was successful:
As you can see, this makes it really easy to stand up a domain controller for a test setup.
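The author's files are not reproduced in the text above, so what follows is an added example of what the two variable files and the promotion playbook can look like. It is written for this post and is not the author's setup: it assumes the inventory group [dc] exists in /etc/ansible/hosts as described, that the new forest is created with the win_domain module (the post does not name the module it used), and it invents the domain name lab.local, the NTDS/SYSVOL paths, the addresses and the placeholder passwords. Replace all of those with your own values.

```yaml
# --- winvar.yml (assumed layout, non-secret settings, constructed for this example) ---
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_transport: ntlm
# The lab uses a self-signed WinRM certificate, so validation is switched off.
# This lets anything answering on port 5986 impersonate the target; lab use only.
ansible_winrm_server_cert_validation: ignore
dns_domain_name: lab.local          # assumed forest name
domain_netbios_name: LAB            # assumed NetBIOS name
dc1_ip: 192.168.56.10               # assumed address of the first DC
ntds_path: 'C:\Windows\NTDS'        # assumed database location
sysvol_path: 'C:\Windows\SYSVOL'    # assumed SYSVOL location

# --- creds.yml (placeholders; encrypt with: ansible-vault encrypt creds.yml) ---
ansible_user: Administrator
ansible_password: 'ChangeMe-LocalAdmin1!'
safe_mode_password: 'ChangeMe-DSRM1!'          # Directory Services Restore Mode password
domain_admin_user: 'LAB\Administrator'         # used later by the second DC
domain_admin_password: 'ChangeMe-LocalAdmin1!' # becomes the domain admin password after promotion

# --- dc.yml (the promotion playbook) ---
---
- name: Promote the first host to a domain controller of a new forest
  hosts: dc
  vars_files:
    - winvar.yml
    - creds.yml          # vault-encrypted; decrypted transparently at run time
  tasks:
    - name: Install the AD DS role and its management tools
      win_feature:
        name: AD-Domain-Services
        include_management_tools: yes
        state: present

    - name: Create the forest (the host also becomes a DNS server)
      win_domain:
        dns_domain_name: "{{ dns_domain_name }}"
        domain_netbios_name: "{{ domain_netbios_name }}"
        safe_mode_password: "{{ safe_mode_password }}"
        database_path: "{{ ntds_path }}"
        sysvol_path: "{{ sysvol_path }}"
      register: forest

    - name: Reboot to finish the promotion and wait for WinRM to come back
      win_reboot:
        reboot_timeout: 900      # seconds to wait for the DC to return
        post_reboot_delay: 60    # give AD DS time to start before the next task
      when: forest.reboot_required
```

Encrypt the credentials once with `ansible-vault encrypt creds.yml` and run the play with `ansible-playbook dc.yml --ask-vault-pass` (or `--vault-password-file` for unattended runs, in which case that file needs the same protection as the passwords it unlocks). Both variable files are plain YAML, so the same `vars_files` line is all a later playbook needs to reuse them. The `ansible_winrm_server_cert_validation: ignore` line is what makes the self-signed certificate from the previous post work; once you have a certificate issued by a CA the hosts trust, drop it.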
Adding a second DC
What is better than one DC? Two, obviously. So let's see if we can easily add a second DC to the setup.
This should be easy now that the files above are in place. In the hosts file I added a new section for the second domain controller, called [dc2], which is then referenced from the playbook for the second domain controller, as seen here:
Next I set up the playbook for the second DC. Here we need one new module, win_dns_client, to point the DNS client at the first DC; without that the host cannot locate the domain it is joining. Apart from that the file looks like this. Note that the variables are already defined in the var files we have, so the playbook is the minimum required.
Let's run it:
Once it has rebooted, logging in and checking, we see the two domain controllers in Active Directory Users and Computers, and that the NTDS and SYSVOL folders were created where we wanted them. The only thing that isn't pretty is the hostnames. These can be changed with an extra task during the run, or set up before running the domain promotions.
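An added example of the second-DC playbook, written for this post rather than taken from the author's file. It assumes the same winvar.yml and creds.yml as the first DC, with dc1_ip holding the first DC's address and domain_admin_user/domain_admin_password holding the domain administrator credentials in creds.yml, that the inventory group [dc2] exists, and that the join is done with the win_domain_controller module (the post does not name the module it used).

```yaml
# --- dc2.yml (constructed example; variable names are assumptions, see lead-in) ---
---
- name: Join a second domain controller to the existing forest
  hosts: dc2
  vars_files:
    - winvar.yml
    - creds.yml
  tasks:
    - name: Install the AD DS role and its management tools
      win_feature:
        name: AD-Domain-Services
        include_management_tools: yes
        state: present

    - name: Point the DNS client at the first DC so the domain can be located
      win_dns_client:
        adapter_names: "*"           # all adapters; name one explicitly on multi-homed hosts
        ipv4_addresses:
          - "{{ dc1_ip }}"

    - name: Promote to an additional domain controller in the domain
      win_domain_controller:
        dns_domain_name: "{{ dns_domain_name }}"
        domain_admin_user: "{{ domain_admin_user }}"
        domain_admin_password: "{{ domain_admin_password }}"
        safe_mode_password: "{{ safe_mode_password }}"
        database_path: "{{ ntds_path }}"
        sysvol_path: "{{ sysvol_path }}"
        state: domain_controller
      register: promotion

    - name: Reboot and wait until the new DC answers on WinRM again
      win_reboot:
        reboot_timeout: 900
        post_reboot_delay: 60
      when: promotion.reboot_required
```

The win_dns_client task is the one that differs from the first DC: until the client resolver points at an existing DC, the SRV lookups for the domain fail and the promotion stops before it starts. Run it the same way as the first play, `ansible-playbook dc2.yml --ask-vault-pass`.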
That was about all for this section; no doubt more to come later, since deploying Windows services this way is (almost) a joy.
Changing the hostnames
This should be fairly easy to do. We need to make use of the win_hostname module.
It would be a single task, were it not for the reboot the host needs after the name change. With the win_reboot module you can reboot with a timeout, and the play waits for the machine to come back before it continues. I used it above already to force a reboot after the dcpromo, and we use it a second time here:
As you can see, the first task is now to change the hostname. This can easily be added to the first DC as well, along with the win_reboot module mentioned above.
Next comes the adjustment of the DNS server, and then the domain join takes place.
At the end we see in ADUC that we have much nicer looking hostnames:
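An added example of the rename step, not the author's file, showing only the part that is new: the hostname change, the reboot, and a check that the new name stuck. The DNS client and domain join tasks from the second-DC playbook follow unchanged. The hostname DC02 and the variable name new_hostname are assumptions; in a real inventory you would set new_hostname per host rather than in the play.

```yaml
# --- rename.yml (constructed example; new_hostname is an assumed variable) ---
---
- name: Give the host its final name before it is promoted
  hosts: dc2
  vars_files:
    - winvar.yml
    - creds.yml
  vars:
    new_hostname: DC02        # assumed; set per host in the inventory in practice
  tasks:
    - name: Change the hostname
      win_hostname:
        name: "{{ new_hostname }}"
      register: rename

    - name: Reboot only when the rename requires it, then wait for WinRM
      win_reboot:
        reboot_timeout: 600
        post_reboot_delay: 30
      when: rename.reboot_required

    - name: Read back the name the OS reports after the reboot
      win_shell: "$env:COMPUTERNAME"
      register: reported
      changed_when: false

    - name: Stop the play if the rename did not take effect
      assert:
        that:
          - "reported.stdout | trim | upper == new_hostname | upper"
        fail_msg: "Host reports {{ reported.stdout | trim }} instead of {{ new_hostname }}"
```

Two points worth noting. Tying the reboot to the module's reboot_required result, instead of rebooting unconditionally as in the text, makes the play safe to rerun on a host that already has the right name. And renaming has to happen before the promotion: renaming a machine that is already a domain controller is a multi-step manual procedure with its own DNS and replication clean-up, whereas a member server simply reboots.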
I guess that covers it for now. Below is a copy of the files for your benefit. These files are delivered AS-IS and I take no responsibility for running them: