Using Ansible to Setup New Windows Servers
In the past at Jungle Disk, setting up a new Windows server had been very time consuming for us as the most effective method for building a machine quickly was doing it once manually and taking an image of it. Doing things that way isn’t inherently wrong, however, when you’re using a cloud provider like Amazon Web Services (AWS), images can’t be accessed cross-region. This means that in an highly available environment, or with servers in multiple regions, you would not be able to use the image you created in Virginia on your servers in Dallas. Not being a fan of setting up a Windows server one time (let alone multiple times), we switched to Ansible for configuring Windows machines.
Ansible’s Windows support isn’t very comprehensive yet, however, many of the modules they have work without issues. In the past, we’ve run into issues with a few modules either outright failing (win_acl) or improperly reporting a failure (win_iis_webbindings). There’s also the issue of them not having modules for some basic things like importing SSL Certificates into the machines cert store. In these scenario’s, we will generally write PowerShell to manually work around the problem. In spite of these issues, the easy to read and write nature of the YAML syntax makes it a preferable choice for us versus a bulky PowerShell script or other automation tools that require some dev experience.
Before a Windows machine can be used with Ansible, you’ll need to open up the Windows machine for PowerShell remoting (WinRM). Fortunately, there’s already a PowerShell script written that can be used for this purpose that can be viewed here. With cloud providers like Google Cloud Engine (GCE) and AWS, I suggest running that as a startup script along with some PowerShell written to create a username/password so you don’t need to log-in to the machine. Port 5986 will need to be open in your firewall or whatever port you use for WinRM. After that, the box should be reachable by Ansible and you can begin writing automation to setup your machine. A comprehensive list of available Windows modules can be found here.
If you’re not using a local user and your environment is being managed with a domain controller, Ansible will still work. You will need to use Kerberos and generate a keytab file to authenticate with your domain controller as well as the Python-Kerberos library. Detailed instructions on that process can be found here.
Hope this post helps give you some good tips and suggestions for ways to setup a new Windows server without needing to have any dev experience. Reach out if you have any questions.