Microsoft.ad.computer - adding spn results in "New-ADComputer failed: The specified account already exists"

Hi!

I’m using ansible core 2.14.2 on a RedHat 8 virtual machine.
When I install a server with vRealize Automation, it will start a playbook that will do some basic stuff on the new VM like creating folders, adding the server to the domain, installing some software etc.
I want to add an spn for the server as well and I use this task for it:

    - name: Add SPNs to computer
      microsoft.ad.computer:
        name: "{{hostname}}"
        domain_server: "{{domain}}"
        domain_username: "{{user}}"
        domain_password: "{{ lookup('file', 'vars/{{domainshort}}') }}"
        spn:
          add:
            - "TERMSRV/{{hostname}}.{{domain}}"

In 90% of our installs, it works but sometimes I get the following error:

    TASK [Add SPNs to computer] ****************************************************
    fatal: [*servername]: FAILED! => {"changed": false, "distinguished_name": null, "msg": "New-ADComputer failed: The specified account already exists", "object_guid": null}
    PLAY RECAP *********************************************************************
    servername : ok=16 changed=12 unreachable=0 failed=1 skipped=7 rescued=0 ignored=0

In some cases, the spn already exists indeed so I remove the server, remove the spn and remove the computer object, run the deploy again and it works.

Now I have a server where the SPN does not exist, double checked by the AD team as well, and it throws the error. The weird thing about it is that it says New-ADComputer but I only add the SPN so I expect to see Set-ADComputer.
The AD team does not want me to use set instead of add spn because a few spns are created by default when adding the server in the domain.

I just don’t get it that for 90% of our deploys it works, 9% throws an error but is fixed with removing the SPN and that 1% does not want to install no matter what even if the spn did not exist yet.

Maybe someone has an idea I did not think of? Keep in mind, I’m not a Linux person nor an Ansible person so if you have something I need to check, please explain it to me like I’m 5 :smile: