Having issues running win_domain_group

Hey all,

I’ve been using Ansible with Linux for years, but now I have a need to use it to build out some Windows boxes and I am running into some issues. So far I am able to install the AD-DS features and create my domain all properly, but I am unable to create any groups in the new domain that I am setting up. When I try I get the error:

TASK [Gathering Facts] ***********************************************************************************************************************************************************************
ok: [XX.XX.XX.XX]

TASK [ping test] *****************************************************************************************************************************************************************************
ok: [XX.XX.XX.XX]

TASK [create the Mission domain group] *******************************************************************************************************************************************************
fatal: [XX.XX.XX.XX]: FAILED! => {"changed": false, "created": false, "msg": "failed to retrieve initial details for group Mission: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running."}

PLAY RECAP ***********************************************************************************************************************************************************************************
XX.XX.XX.XX : ok=2 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

I can’t figure out what is causing this issue. My reading of the documentation only says

“This must be run on a host that has the ActiveDirectory powershell module installed.”

I have tested that this is the case by RDPing into the host and performing an “Import-Module -Name ActiveDirectory” and the module does import.

The target is a windows 2016 server running in AWS, my Ansible workstation is a Mac running Catalina with Ansible installed in a venv via PIP.

Appreciate the help!
Thanks
Craig

Install the RSAT role on your ansible target and that’ll take care of your issue.

This issue is due to the double hop problem typically seen with WinRM. Any further outbound authentications from the Windows host (Ansible → Windows host → AD controller) will appear as an anonymous user and result in either access is denied or resource not found type errors. You have 3 options:

  1. Use become on your task with the same credentials as the connection user

```yaml
- name: run win_domain_group with become
  win_domain_group:
    name: Mission          # group name from the question; add scope/state as needed
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'       # The module will run as this user and have its credentials enabled for further network authentication.
    ansible_become_pass: '{{ ansible_password }}'
```

  2. Use explicit credentials with win_domain_group, i.e. set domain_username and domain_password
  3. Use CredSSP or Kerberos with credential delegation set as your WinRM transport

All 3 options allow the requests to AD to be backed by a set of credentials so it doesn’t appear as an anonymous user; they are just done in different ways.

Thanks

Jordan
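For completeness, here is the same group creation done with options 2 and 3 from the reply above, as an added example written for this page (it is not Jordan’s code and not taken from the Ansible documentation). The inventory group `windows`, the vaulted variables `domain_admin_user` / `domain_admin_pass`, and the domain controller name `dc01.corp.example` are assumptions; everything else uses documented `win_domain_group` parameters and WinRM connection variables.

```yaml
# Added example (not from the thread or from Ansible's docs): the "Mission" group
# from the question created with options 2 and 3 from the reply above.
# Assumed names: inventory group "windows", vault variables domain_admin_user /
# domain_admin_pass, and the DC dc01.corp.example.

# Option 2: keep whatever WinRM transport you already use (NTLM here) and hand
# the module its own credentials for the second hop to the domain controller.
- name: Option 2 - explicit AD credentials on the task
  hosts: windows
  gather_facts: false
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: ntlm
  tasks:
    - name: create the Mission domain group
      win_domain_group:
        name: Mission
        scope: global
        state: present
        # Used only for the module's own connection to AD; the WinRM login is unchanged.
        domain_username: "{{ domain_admin_user }}"   # assumed, e.g. CORP\svc-ansible, kept in vault
        domain_password: "{{ domain_admin_pass }}"   # assumed, kept in vault
        domain_server: dc01.corp.example             # optional; pins the DC/ADWS endpoint (assumed name)

# Option 3: make the WinRM connection itself delegable so the connection user's
# credentials are available on the target for outbound authentication.
# CredSSP needs `pip install pywinrm[credssp]` on the controller and
# `Enable-WSManCredSSP -Role Server` on the Windows host, and ansible_user must
# be a domain account or the delegated credential is useless for the hop to the DC.
- name: Option 3 - CredSSP (or Kerberos with delegation) as the WinRM transport
  hosts: windows
  gather_facts: false
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: credssp
    # CredSSP sends the password to the target, so keep certificate validation on
    # (the default) and only relax it if you deliberately trust a self-signed cert.
    ansible_winrm_server_cert_validation: validate
    # Kerberos alternative, for a domain-joined controller holding a valid TGT:
    # ansible_winrm_transport: kerberos
    # ansible_winrm_kerberos_delegation: yes
  tasks:
    - name: create the Mission domain group as the connection user, no become needed
      win_domain_group:
        name: Mission
        scope: global
        state: present

    - name: prove the second hop works by querying the DC directly as the connection user
      win_shell: (Get-ADGroup -Identity Mission).DistinguishedName
      register: mission_dn
      changed_when: false

    - name: show where the group landed
      debug:
        var: mission_dn.stdout_lines
```

Run either play on its own; the second one is also a quick way to tell which fix you actually need, because the `win_shell` task fails with the same "Unable to contact the server" text as the module when the credential did not make the hop. Between the two, option 2 scopes the delegated credential to a single task, while CredSSP hands the target your full password for every task in the play, so prefer option 2 (or Kerberos delegation) where you can.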