In this article, we will guide you through the process of using Ansible to manage Windows hosts, focusing on two common tasks: joining a Windows host to a domain and setting a workgroup configuration. These tasks will be automated using Ansible Playbooks to ensure efficiency, consistency, and scalability in your infrastructure.
An Overview of the Ansible Playbook
We will demonstrate how to use two playbooks to automate the following processes:
- Joining a Host to a Domain: This playbook will ensure that the Windows client is part of the `ansible.vagrant` domain. If the host isn't already a member of the domain, it will join using the provided credentials.
- Setting a Workgroup: This playbook will unjoin the Windows host from the domain and add it to a specific workgroup (`mywg`), based on provided credentials.
Let’s break down the two playbooks in detail.
Playbook 1: Joining a Host to a Domain
The first playbook is designed to join a Windows host to the domain `ansible.vagrant`. The win_domain_membership module will handle domain membership, and it will use the passed credentials to ensure that the host is properly joined to the domain. If a reboot is required after the domain join, the win_reboot module will trigger the reboot and wait until the host is available.
Playbook Details
```yaml
- name: Play to join the hosts to a domain
  hosts: winclient
  gather_facts: false
  tasks:
    - name: Join host to the ansible.vagrant domain
      ansible.windows.win_domain_membership:
        dns_domain_name: ansible.vagrant
        hostname: mydomainclient
        domain_admin_user: testguy@ansible.vagrant
        domain_admin_password: password123!
        domain_ou_path: "OU=Windows,OU=Servers,DC=ansible,DC=vagrant"
        state: domain
      register: domain_state
    - name: Reboot host after domain join
      ansible.windows.win_reboot:
      when: domain_state.reboot_required
```
Breakdown of the Playbook
- dns_domain_name: This is the Fully Qualified Domain Name (FQDN) of the domain (`ansible.vagrant` in our case) that the host will be joined to.
- hostname: Specifies the hostname of the Windows client that will be joined to the domain. In this case, it is set to `mydomainclient`.
- domain_admin_user and domain_admin_password: These are the credentials for the domain administrator account required to join the domain. It is important to use secure methods to handle credentials, like Ansible Vault for encryption, rather than a literal password in the playbook as shown in this example.
- domain_ou_path: This defines the Organizational Unit (OU) where the host will be placed once it joins the domain. In our example, it's set to `OU=Windows,OU=Servers,DC=ansible,DC=vagrant`.
- state: domain: This ensures that the machine will join the domain.
- register: domain_state: This registers the result of the domain join action, which will be used to determine if a reboot is needed.
- win_reboot: If a reboot is required after the domain join, this task will handle the reboot. The `when` condition checks if the `domain_state.reboot_required` variable is true.
Playbook 2: Setting a Workgroup
The second playbook is designed to remove a Windows host from a domain and place it into a workgroup. The win_domain_membership module is also used here, but instead of specifying domain information, we will define the workgroup name.
Playbook Details
```yaml
- name: Play to set the hosts workgroup
  hosts: winclient
  gather_facts: false
  tasks:
    - name: Set workgroup to mywg
      ansible.windows.win_domain_membership:
        workgroup_name: mywg
        domain_admin_user: '{{ win_domain_admin_user }}'
        domain_admin_password: '{{ win_domain_admin_password }}'
        state: workgroup
```
Breakdown of the Playbook
- workgroup_name: Specifies the workgroup to which the machine will be assigned. In this case, it's set to `mywg`.
- domain_admin_user and domain_admin_password: These credentials are used to unjoin the machine from the domain and place it in the workgroup. These values should be stored securely, often in an Ansible Vault.
- state: workgroup: This ensures that the machine will join the specified workgroup. If the machine is part of a domain, it will first be unjoined from the domain and then moved to the specified workgroup.
Why Use Ansible for Domain and Workgroup Management?
Ansible provides several key benefits when automating domain and workgroup management:
- Consistency: Ensures that all Windows machines are configured consistently with the correct domain or workgroup settings.
- Scalability: Enables the automation of domain and workgroup configurations across multiple machines, making it scalable for larger environments.
- Security: Ansible can manage sensitive data such as domain credentials securely by using Ansible Vault to encrypt passwords.
- Ease of Use: The syntax of Ansible Playbooks is human-readable and simple to understand, reducing the complexity of automation tasks.
- Idempotence: Ansible ensures that if a task has already been applied to a system, it won’t be repeated unnecessarily, saving time and resources.
Best Practices for Using Ansible in Domain and Workgroup Management
Use Ansible Vault: Always use Ansible Vault to encrypt sensitive information, such as domain administrator credentials. This ensures that passwords are not exposed in the playbook or in version control.
Example of using Ansible Vault for credentials:

```shell
ansible-vault encrypt_string 'password123!' --name 'win_domain_admin_password'
```
Test Playbooks on a Single Host: Before applying changes across your entire infrastructure, test the playbook on a single host to ensure that it works as expected.
Ensure Proper DNS Configuration: Make sure that the DNS settings are correctly configured on your Windows clients for domain communication.
Handling Reboots: When joining a Windows server to a domain, a reboot is often required. Ensure that your playbooks handle reboots gracefully, waiting for the server to come back online before proceeding.
Monitor Playbook Execution: Always monitor the output of your Ansible playbook executions to ensure that tasks complete successfully, especially when making domain changes.
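As an added example (not part of the original article), here is the first playbook reworked to follow these practices: credentials come from a vaulted variables file, the reboot waits with an explicit timeout, and a post-join check fails the play if the host does not report the expected domain. The vault file path, the variable names and the verification tasks are assumptions.

```yaml
# Added example, not from the original article: playbook 1 reworked so the
# domain credentials come from an Ansible Vault file and the join is verified.
# Assumptions: group_vars/winclient/vault.yml holds win_domain_admin_user and
# win_domain_admin_password (created with ansible-vault encrypt_string) and the
# play is run with --ask-vault-pass or --vault-password-file.
- name: Join hosts to the domain with vaulted credentials and verify the result
  hosts: winclient
  gather_facts: false
  vars_files:
    - group_vars/winclient/vault.yml   # assumed path; holds the vaulted credentials
  tasks:
    - name: Join host to the ansible.vagrant domain
      ansible.windows.win_domain_membership:
        dns_domain_name: ansible.vagrant
        hostname: mydomainclient
        domain_admin_user: "{{ win_domain_admin_user }}"
        domain_admin_password: "{{ win_domain_admin_password }}"
        domain_ou_path: "OU=Windows,OU=Servers,DC=ansible,DC=vagrant"
        state: domain
      no_log: true            # keep the password out of task output and logs
      register: domain_state

    - name: Reboot host after domain join and wait for WinRM to return
      ansible.windows.win_reboot:
        reboot_timeout: 600    # seconds to wait for the host to come back
        post_reboot_delay: 30  # let services settle before the next task
      when: domain_state.reboot_required

    - name: Read the domain membership the host actually reports
      ansible.windows.win_shell: |
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem
        "$($cs.PartOfDomain),$($cs.Domain)"
      register: membership
      changed_when: false

    - name: Fail the play if the host is not a member of the expected domain
      ansible.builtin.assert:
        that:
          - membership.stdout | trim | lower == 'true,ansible.vagrant'
        fail_msg: "Host reports '{{ membership.stdout | trim }}', expected membership in ansible.vagrant"
```

The final assert turns a silent partial failure (the module ran but the host ended up elsewhere) into a visible play failure, which is the monitoring step above expressed in the playbook itself.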
Automating the process of joining Windows servers to a domain or configuring them in a workgroup can save significant time and reduce errors, especially in large-scale environments. By using Ansible Playbooks, you can ensure that your systems are consistently configured according to your organizational policies, while also benefiting from the security and scalability that Ansible provides.