In this blog series, I will show you how to get started with Ansible and manage Windows machines that are domain-joined to Microsoft Active Directory infrastructure.
In the series
- Manage Windows Machines With Ansible – Basics and Active Directory Service Account – Part 1
- Manage Windows Machines With Ansible – Install WinRM – Part 2
- Manage Windows Machines With Ansible – Install and Configure Ansible – Part 3
About Ansible
Ansible is the market leader in IT and applications automation as a code without using agents.
It is also open-source software that is free to use and runs on Linux.
Ansible Components
Ansible has five main components that help us manage our Infrastructure, and they are listed below.
Control Node
This is the brain of Ansible, and it can only run on a Linux machine (not Windows).
The control node has all the configuration files and list of machines that are under management.
All jobs are running from the control node, and you can run this role from a macOS machine.
Managed Node
Any machine that is under the Ansible Control node falls under the definition of a managed node.
This can be a Linux, macOS or a Windows machine.
Host Inventory
Any managed node that Ansible manages needs to be listed inside an inventory file.
The default inventory file /etc/ansible/hosts
Ad-hoc commands
These commands are commands we run against managed nodes directly from the Bash shell environment.
Playbooks
Ansible playbooks are YAML files that contain commands, configurations, variables and tasks that we need to run against our managed hosts.
Module
All Ansible commands and playbooks use modules which translate into Linux commands like yum, PowerShell (Windows).
Without modules, Ansible cannot manage, deploy and deploy services and configurations on machines.
WinRM
When it comes to Windows machines, Ansible is using WinRM to communicate and manage Windows machine.
In the end, if this post, I have included a link to a WinRM configuration script that configure WinRM on a Windows machines.
On the Ansible control host, we are going to install the WinRM client for Linux which will happen in the next post.
A few months are, I covered the topic of managing Windows machines with Ansible in a non-domain environment with Centos as the control host.
This series will be different in the sense that the machines will be AD joined, and the Ansible control host will run Ubuntu.
I will also use Powershell if possible for any Windows task and will avoid using the GUI.
The first step in setting up the environment will be setting up the Ansible Active Directory user and adding him to the domain admins group in AD.
In my environment, I have a Windows Server 2019 Domain Controller, and I will also manage Windows Server 2019 servers.
Create a Service Account
I will start with the following code, which will create an Ansible service account, called Ansible Service, and I will add it to the Domain Admins group.
The first line will ask you for a username and password, the second line will create the account, the third line will add the account to the group, and the last line will display all the users that are members of the Domain Admins group.
$pass = Read-Host "Enter password" -AsSecureString New-ADUser -Name "Ansible Service" -AccountPassword $pass -UserPrincipalName ansible -DisplayName "Ansible Service Account" -SamAccountName ansible Add-ADGroupMember -Identity "Domain admins" -Members ansible Get-ADGroupMember -Identity "domain admins" | Select-Object name Configure WinRM
As an optional step, you can use the following PowerShell cmdlet to download the WinRM configuration script which was released by Ansible.
wget -uri "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" -OutFile C:\DevOps\EnableWinRM.ps1