Windows Server - Déployer ADDS avec Vagrant et Ansible

Deploy an Active Directory domain with Vagrant and Ansible

I. Presentation

In this tutorial, you will discover how to automatically create and configure a test environment under Windows Server since we are going to deploy a Windows Server VM under VirtualBox and set up an Active Directory domain. All automatically. In terms of tools, Vagrant will be used for provisioning while Ansible will be used for role setup.

Before getting to the heart of the matter, a brief introduction to Vagrant and Ansible is in order.

Tool for working with virtual environments (VM, containers). Vagrant provides a simple and easy to use command line client to manage these environments, as well as an interpreter to “code” (pardon me the expression) your VMs with code instead of chaining them together. clicks on a graphical interface.

The primary use of Vagrant is to interface with type 2 hypervisors such as VirtualBox, VMware or Hyper-V. However it is possible to use Vagrant with a type 1 hypervisor like VMware ESXi. These are plugins developed by the open source community which allows it, so not necessarily very stable.

More info here for VMware ESXi and Vagrant: GitHub – Vagrant + ESXi

Software to provision the underlying infrastructure of your environment (hypervisors, VMs, containers, etc.) through .yml files. Ansible intervenes for the “software configuration” part in order to install services and configure them afterwards, but does not allow to instantiate (in the true sense of the term virtual environments).

First of all, I’m going to have a little rant against the Ansible doc. Notwithstanding that this tool is really practical and very powerful for automation tasks, I find that the doc remains far too wordy and vague in certain places. Personally, it made me waste an impossible amount of time writing my playbook. My review is only for if you are using Ansible to provision machines Windows. Nevertheless, with a Linux environment, I clearly struggled less, because there were many more resources online (articles, forum, etc.). Basically depending on what you want to do, whether it’s common or not, you are very quickly thrown into the unknown with Ansible. This is the essence of this article :-). This is unfortunate given the power of the tool and I hope that in the future this will change.

On the other hand, Vagrant’s documentation is very well structured and clear. You will see for yourself. Congratulations once again to the editor Hashicorp!

Let’s talk about serious things.

Remark : to follow this tutorial, it is preferable to know a minimum of Vagrant and Active Directory.

II. Description of my lab

You need a machine on which we will install VirtualBox, Vagrant, and Ansible, in order to deploy the Windows Server VM. In my case, I’m going to use a physical host under Linux: Ubuntu 20.04 or 22.04 (tested on both).

Remark : Vagrant and Ansible are tools that are more easily used from Linux, although they are able to manage Windows and Linux hosts.

If you want to do this tutorial from a physical host under Windows, you can do it, but your PC must either:

  • Support “nested virtualization” (it is the fact of creating a virtual machine from a machine which is itself virtualized) also called “nested virtualization” in English, to create a Linux VM in which you will install the tools.
    • Which implies that you must use a hypervisor which is able to manage this function like VMware Workstation or VirtualBox. To do this, access the settings of your VM, then check the box “Virtualize Intel VT-x/EPT or AMD-V/RVI“.

  • The alternative is to install Vagrant and Ansible directly on your Windows host. But hey, personally, I don’t recommend it, because almost all the documentation you’ll find on these two technologies is written from a Linux environment.

III. Installation of prerequisites

Relax, it’s going to be fine…

First, start by installing VirtualBox and Ansible as well as the Pip manager for Python if you don’t already have it:

sudo apt update && sudo apt install virtualbox ansible python3-pip

Next, you need to install Vagrant using the instructions provided on the official website:

For Ubuntu/Debian, here are the instructions provided:

wget -O-  | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vagrant

Prefer installing Vagrant via Hashicorp’s official APT repository (Vagrant editor) rather as above thatwith official rest dUbuntu 22.04. In effect, jai meet problems strange with underlying Vagrant plugins who it is wanted not sinstall. This happened when Iai do mes tests in passant by official repositories dUbuntu 22.04 pour installer Vagrant.

Following this, install the python dependency”pywinrm“who is one of”bricks” which will allow you to communicate your Windows machine with Vagrant then Ansible via the WinRM protocol.

python3 -m pip install pywinrm

Let’s continue with the installation of WinRM plugins for Vagrant:

vagrant plugin install winrm 
vagrant plugin install winrm-elevated
vagrant plugin install winrm-fs

These will allow Vagrant to be able to connect to the Windows machine via the WinRM protocol.

Why is this necessary?

In the case of this article, this will allow Vagrant to be able to communicate with the VM in order to prepare its “foundations” (current setup, installation of “core” dependencies for ADDS, etc.), to then Ansible can take over the configuration.

Check that the plugins have been installed correctly using the command:

vagrant plugin list

You should see the following plugins:

Finally, we’ll install the Ansible plugins we need:

ansible-galaxy collection install community.windows 
ansible-galaxy collection install ansible.windows

Phew… I hope everything went well for you. Believe me, I struggled to understand and put all the elements in order for you, so that you have an article that is easy to understand and test on your side…

IV. Vagrant: creating the Windows Server VM

Create a configuration file named “Vagrantfile” on your machine:

touch Vagrantfile

Edit the file to insert the code block below. Here, we are clearly on theInfrastructure as Code.

Vagrant.configure("2") do |config|
config.vm.box = "peru/windows-server-2019-standard-x64-eval"
config.vm.provider "virtualbox" do |hv|
hv.cpus = "2"
hv.memory = "2048"
hv.linked_clone = true
end

config.vm.provision "ansible" do |ansible|
ansible.playbook = "playbook-ansible.yml"
end
end

The instructions are clear enough if you know a little about Vagrant.

Note, however, that Vagrant will create a VirtualBox VM with 2 GB of RAM, 2 vCPUs and that after setting up the virtual machine, it will run the Ansible playbook (“playbook-ansible.yml”).

Note: you can also use Vagrant to execute commands on the server, but prefer using Ansible if possible, as this will allow you to separate the responsibilities of each of your two tools.

  • Vagrant : used most from temps for hardware provisioning
  • Ansible : used pour the provisioning software (execution of orders, installation of services, etc.)

V. Ansible – Configuring ADDS role for our machine

Now we will take care of the “software” configuration of our server. We create a file for our Ansible playbook:

touch playbook-ansible.yml

Here is what we are going to do on this server:

  • Installation of basic features for the installation of the ADDS role
  • Time update (Europe/Paris time zone)
  • Changing the host name
  • Restarting the machine
  • Change of the IP address of this one, so that the machine can have a fixed IP address (in the NAT network of VirtualBox)
  • Installation and configuration of the ADDS role using most of the time the default options
  • Restarting the server to finish configuring the ADDS role (and therefore promoting it as a domain controller)

Then, insert the block of code below:

- name: Configure role(s) on a Windows server instance
  hosts: all
  tasks: 

  - name: Run powershell commands to prepare the DC 
    ansible.windows.win_powershell:
      script: |
- name: Configure role(s) on a Windows server instance
  hosts: all
  tasks: 

  - name: Run powershell commands to prepare the DC 
    ansible.windows.win_powershell:
      script: |        Add-WindowsFeature AD-Domain-Services
        Set-TimeZone -Name "Romance Standard Time"

  - name: Change the hostname 
    ansible.windows.win_hostname:
      name: dc
    register: hostname
  
  - name: Reboot
    ansible.windows.win_reboot:
    when: hostname.reboot_required

  - name: Set up static IP address
    win_shell: "Get-NetIpAddress -InterfaceAlias 'Ethernet*' | New-NetIpAddress -IpAddress 10.0.2.100 -PrefixLength 24 -DefaultGateway 10.0.2.2"
    async: 100 # Using "fire-and-forget" asynchronous execution for this task, otherwise it will always fail and timeout
    poll: 0

  - name: Wait for the hosts network interface to come back up
    local_action:
      module: wait_for
      host: "{{ ansible_host }}"
      port: 5985
      delay: 10
      state: started
    register: wait_result

  - name: Install ADDS role and configure it with minimal option
    ansible.windows.win_domain:
      dns_domain_name: itconnect.local
      safe_mode_password: password123!
    register: domain_install
  
  - name: Reboot after promotion
    ansible.windows.win_reboot:
    when: domain_install.reboot_required

This playbook covers the classic steps for configuring a domain controller with fundamental steps (fixed IP address, setting the ADDS role). Here are some details on the deployed configuration (you can adapt the playbook as you wish):

  • hostname : dc
  • Active Directory domain name : itconnect.local
  • Active Directory Recovery Password : password123!
  • VM IP address : 10.0.2.100/24
  • Time zone : Romance Standard Time

If you want more granularity for the configuration of the role, I invite you to consult the following link (good luck, it’s the Ansible doc) :

VI. Deployment of our Windows Server machine

Now that all prerequisites are met, and our deployment configuration files are ready, you can use the “vagrant up” in order to start the process of instantiating and configuring the VM.

At first, Vagrant will download the image”peru/windows-server-2019-standard-x64-eval” from the Vagrant “store”. In general, a Windows Server image is between 7 and 10 GB, so you can go and have a coffee while the download is done…

Then, once the VM import is complete, it will start. It is from this moment that Vagrant will attempt to communicate with the VM using the WinRM administration protocol, so that it (Vagrant) can hand over control to Ansible. In other words, Vagrant is running the Ansible playbook!

From then on, Ansible takes over for the software configuration by running the set of actions defined in the playbook.

To authenticate on the new Windows Server machine, you will need to use the following information:

  • User : Administrator
  • Password : vagrant (Qwerty keyboard by default)

This information is taken from the Vagrant image used. Of course, you need to change the password, because it is the Domain Administrator account.

VII. Conclusion

I hope everything went well for you on your side! Your Windows Server VM is deployed on VirtualBox and it is already preconfigured with an Active Directory domain!

If you want to switch images in the future to use a different version of Windows Server, try to find one where WinRM is already active and allowed in Windows Firewall.

Autres,Linux,Ansible,Vagrant,Windows Server,

#Deploy #Active #Directory #domain #Vagrant #Ansible

Leave a Comment

Your email address will not be published. Required fields are marked *