Step-by-Step Ansible Tutorial for Windows Server 2022: Optimizing WinRM 

LondonIAC / Dennis McCarthy / Automation Engineer

Join us at @LondonIAC in this hands-on (semi-realtime) tutorial where we dive straight into using Ansible with Windows Server 2022 over WinRM.
Please like and let me know it worked for you (or what issues you faced) in the comments!
For SSH (port :22) connectivity between Ansible and Windows follow my other tutorial here: • Use Ansible to Manage ...
We start by creating a Windows Server 2022 on AWS. Then, we configure WinRM on the server using a set of efficient commands. Next, we establish an Ansible-to-Windows connection via WinRM.
We verify the setup's success with the win_ping module to confirm connectivity and authentication. Finally, we execute a simple Ansible playbook to create a directory and file that includes an Ansible fact.
This tutorial is a straightforward guide to setting up and running Ansible for Windows Server 2022 via WinRM. Whether you're an experienced IT expert or a beginner, this tutorial provides a clear roadmap to get you started.
Please Subscribe to my channel: bit.ly/lon_sub
------------------------------------------------------------------------
PowerShell commands (AWS specific but you can adjust to your own requirements):
# Enable PowerShell remoting (starts WinRM and creates the default HTTP listener)
Enable-PSRemoting -Force

# Set WinRM service startup type to automatic
Set-Service WinRM -StartupType 'Automatic'

# Configure WinRM Service (authentication methods the service accepts)
# AllowUnencrypted = true lets the service accept traffic without message encryption
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $true
Set-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -Value $true
Set-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP' -Value $true

# Create a self-signed certificate and set up an HTTPS listener
# 169.254.169.254 is the AWS instance metadata endpoint; outside AWS, substitute the server's own host name
$cert = New-SelfSignedCertificate -DnsName $(Invoke-RestMethod -Uri 169.254.169.254/latest/meta-data/public-hostname) -CertStoreLocation "cert:\LocalMachine\My"
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$(Invoke-RestMethod -Uri 169.254.169.254/latest/meta-data/public-hostname)`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"

# Create a firewall rule to allow WinRM HTTPS inbound
New-NetFirewallRule -DisplayName "Allow WinRM HTTPS" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow

# Configure TrustedHosts (client-side: "*" trusts any remote host when this server acts as a WinRM client)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

# Set LocalAccountTokenFilterPolicy (1 = local administrator accounts get a full token on remote logon)
New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1 -Force

# Set Execution Policy to Unrestricted
Set-ExecutionPolicy Unrestricted -Force

# Restart the WinRM service
Restart-Service WinRM

# List the WinRM listeners
winrm enumerate winrm/config/Listener
------------------------------------------------------------------------
#ansible #windows #winrm
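
An added example (not from the video or its author): a read-only PowerShell check that reports which of the settings written by the commands above are still in effect on a host. The function name Get-WinRMLabSettingReport and the report column names are assumptions made for this example; run it in an elevated session on the Windows server.

```powershell
# Added example, not part of the original description.
function Get-WinRMLabSettingReport {
    # Value each setting has after running the setup commands from the description.
    $labValues = [ordered]@{
        'WSMan:\localhost\Service\AllowUnencrypted' = 'true'
        'WSMan:\localhost\Service\Auth\Basic'       = 'true'
        'WSMan:\localhost\Service\Auth\CredSSP'     = 'true'
        'WSMan:\localhost\Client\TrustedHosts'      = '*'
        'LocalAccountTokenFilterPolicy'             = '1'
        'ExecutionPolicy (LocalMachine)'            = 'Unrestricted'
        'HTTP (non-TLS) listener present'           = 'True'
    }

    # Read the current WSMan provider values (read-only).
    $current = [ordered]@{}
    foreach ($path in @($labValues.Keys) -like 'WSMan:*') {
        $current[$path] = (Get-Item -Path $path).Value
    }

    # Registry value is absent on a default install; a missing value reads as empty.
    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $current['LocalAccountTokenFilterPolicy'] = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    $current['ExecutionPolicy (LocalMachine)'] = Get-ExecutionPolicy -Scope LocalMachine

    # Enable-PSRemoting creates an HTTP listener in addition to the HTTPS one added later.
    $http = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' }
    $current['HTTP (non-TLS) listener present'] = [bool]$http

    # One row per setting; StillAtLabValue is true when the host matches the setup script.
    foreach ($name in $labValues.Keys) {
        [pscustomobject]@{
            Setting         = $name
            Current         = "$($current[$name])"
            LabValue        = $labValues[$name]
            StillAtLabValue = ("$($current[$name])" -eq $labValues[$name])
        }
    }
}

Get-WinRMLabSettingReport | Format-Table -AutoSize
```

Rows with StillAtLabValue = True are the ones to revisit before the host leaves a lab network, in particular AllowUnencrypted and Basic authentication combined with a remaining HTTP listener.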

Published: 1 Oct 2024

Comments: 38
@yurmeposhe2512 29 days ago
Hi. I have like 3 PowerShell scripts I want to run using Ansible. How can I go about this? Thanks
@BigFourHead 4 months ago
Sorry, but this is for AWS Windows Server, which isn't really what the title says...
@jeverett0902 1 year ago
Is Ansible for Windows really viable for real world use in your opinion? Last time I looked, the official documentation seemed outdated/neglected, Windows modules development was frozen, and trying to do more serious tasks (installing Windows features, various software, etc) often failed. There also wasn’t good guidance for securing things with SSH access, Kerberos authentication, domain signed certificates, what’s the relationship between Ansible and DSC, or whatever supersedes DSC, etc. What kind of production uses is Ansible good for that you’ve found? Thanks for your thoughts.
@LondonIAC 1 year ago
Good question. I've used Ansible with Linux for years, and it's probably the best automation product out there for that use case. I first got into using Ansible on Windows when I worked for Red Hat, consulting for a bank. Back then, it was OK, but there were nowhere near as many modules as there are today. You can check them yourself here: docs.ansible.com/ansible/2.9/modules/list_of_windows_modules.html (I think this list is probably out of date!). This tutorial is really only for a lab environment. In production, I use Kerberos and a domain certificate for the WinRM service and use Ansible to get my Kerberos ticket from a password secret (using vault). I have roles to install all sorts of services across different Windows server versions. It's really sped up this part of the server customization. I also collect about 28 data points from all Linux and Windows servers in the various environments using Ansible, and this gives us a unified view of our estate (in a spreadsheet!). That enables us to answer lots of questions about our servers very quickly. Handy for management. I wouldn't say Ansible is perfect for Windows, but it's definitely viable. One thing I've learned is to create a .bat file for the install/uninstall of your application. Using win_shell, when Windows commands have spaces and quotes, it can be very hard to run an installation command with all the required options. Just something I've learned that makes life a lot easier. I have a video on here for setting up SSH on Windows servers and setting up the Administrator SSH key, which I think could be the way to go in the future. Many Windows servers live on the same VLAN as Linux servers and SSH is probably already open, so you don't need to open up 5986 and get FW rules added across your network. I hope that helps.
@Shadowmansas 11 months ago
This isn't tied to Ansible in any way, right? After that I should PSSession into the Windows server with PowerShell, correct? I made a PowerShell script to restart a server but I guess I missed the Certification part; I could make it work without it.
@omprakash-f1i7p 4 months ago
Can we use the public IP address of the Win VM instead of the private DNS name in the inventory file?
@coreysmall7488 1 year ago
The ps1 from the Ansible documentation is now gone and I have been searching for some solution to get this to work. Your instructions seem promising but your self-signed cert code doesn't work, for the IP is specific to your setup. I tried changing it to localhost but with no luck. Can you help with that, for I'm really bad with dealing with certs.
@gerardosubrizio2142 11 months ago
Same issue here. Where is that IP address coming from? Is it the local address or an external source?
@tom4794 1 month ago
What mic / audio setup are you using? Sounds great (which goes a long way making it easy to follow)
@SandhyaJha2003 7 months ago
Is there a way to configure WinRM with Ansible raw mode? So that we don't have to RDP to the Windows server for running those ConfigureRemoting commands in PowerShell.
@abcdxyz3255 7 months ago
Sadly everyone uses a script which is created for a lab; nobody is showing manual configuration for WinRM on Windows Server.
@wanderer.1993 6 months ago
Excellent tutorial! Life saver for sure. I just want to share a quick observation: if anyone got errors like: "FAILED! => {"msg": "winrm or requests is not installed: No module named 'winrm'"}" verify if you installed the Python module called pywinrm for user ansible: pip install --user ansible pywinrm
@batressc 5 months ago
A hugely helpful video for creating the HTTPS listener! The only point to review, maybe in the future, is authentication using a method other than Basic authentication (maybe Kerberos or CredSSP). Thank you for sharing!
@carlosrodrigo9842 8 months ago
What if we use a Domain Admin? I've been trying to set the user connection with a Domain Admin user; sadly I cannot.
@ARadicalCut 9 months ago
I did the setup exactly the same for several servers. It seems the "ping" only works on domain controllers, not on domain servers. After some searching I found in the Event Viewer that the logon attempt happens with the domain set to that of the local machine and not the actual domain, which is why it only works on domain controllers apparently. How can I force Ansible to authenticate with domain\ansible_usr instead of localserver\ansible_usr?
@brunomartins824 11 months ago
Hi, thanks for the video. I'm working with monitoring and need a tool to send/receive files and scripts over the internet, because the hosts are spread across the country. Is that possible with Ansible?
@paweenpongsomboon844 11 months ago
Thanks for your super useful tutorial, I really appreciate your video. I can't express how much I appreciate your channel. I just have a question about when we configure Firewall. In production, is it the best practice to do so? It doesn't seem the most secure like you said. If I want to do it the right way, what should I do?
@HarishNelapati 5 months ago
Hi sir, don't we need a service account for authentication between Windows and Ansible?
@someshsinghisfeelingalive 1 year ago
I want to perform oracle db installs and update them when needed. Would any command on the script ran on powershell create any issues or conflicts with the database? Also it would really be great if you can start a series for Ansible on production servers, using Active directory authentication for performing windows updates etc etc. And yes, this video really helped me clear my doubts. Thanks a lot :)
@danielmann9982 7 months ago
Great walk-through. Very clear and concise. Thank you very much.
@pankajsuryavanshi8332 1 year ago
For the last 3 days I was stuck on the Ansible Windows installation. This video rescued me. Please make a series on Ansible for Windows.
@LondonIAC 1 year ago
No problem. I'm glad it helped! What topics would you like me to cover for Ansible & Windows?
@kealbo80 5 months ago
Set up and manage IIS, etc. services
@kealbo80 5 months ago
Build and manage DC, CA, DNS, WSUS, etc.
@ontheskyblue 7 months ago
Thanks for the video
@sureshbatta7047 6 months ago
Very helpful
@alecjoshuaslaton296 10 months ago
Very helpful. Thank you
@ramankhanna9526 1 year ago
Thank you so much!!!
@LondonIAC 1 year ago
You're welcome!
@bagaserlangga9716 11 months ago
Thank you!!!!!!
@thalesfranca4331 9 months ago
Extremely useful!
@ada-j9s 1 year ago
I ran the ps1 script from ansible, and followed your instructions, but I'm getting this error "msg": "ssl: auth method ssl requires a password"
@LondonIAC 1 year ago
It sounds like the password is the issue. Can you remote desktop into the windows server using the password you have in the inventory file?
@LondonIAC 1 year ago
If you're still getting issues, create a gist on GitHub with your Ansible code, inventory and the error when you run Ansible, and send the URL to me. I may be able to see the issue. One other option is to run that error through Google. There may be a Stack Overflow post with the fix or what to check/correct. Good luck.
@ada-j9s 1 year ago
@LondonIAC Hello, I got it to work. I had a typo in ansible_password in the host file. Thanks!
@LondonIAC 1 year ago
@ada-j9s It's great you got it working!
@ada-j9s 1 year ago
@LondonIAC Could you make a video on how to hide the password in the host file? Thanks in advance!