Is there a way in Ansible to have it wait for a Windows server to have finished joining its domain before moving on?
I use the vmware_guest joindomain feature, but the problem is that it passes control back to Ansible before the server has finished its join process, so other plays fail afterward. I looked into the wait_for resource but I don’t see anything in it that could help me.
Right now, I do a dumb “wait_for: timeout=300” to give the guestOS time to join, but that’s no real solution.
You can use wait_for_connection and make sure your ansible_user/pass is a domain account that is only valid after joining the domain. You could also not do the domain joining as part of vmware_guest but get Ansible to do it with the win_domain_membership (https://docs.ansible.com/ansible/latest/modules/win_domain_membership_module.html) and win_reboot modules.
I'm about to get into Ansible so I'm not too familiar with which modules you can use but if you can create a variable that represents what the FQDN of the system will be and then loop until the VM.config.hostname attribute that you pull from vcenter matches the FQDN variable. It's how I do it in vRO and it works great for me.
Unfortunately, wait_for_connection requires WinRM to be enabled on the Windows guest, and WinRM is only configured after we join the server to the domain. The reason being that the certificate to configure WinRM comes from the Domain CA. (We refuse to use self-signed certificates because, frankly, those things are evil.)
Same with all win_* modules, they require WinRM first. The Chicken and Egg problem. :-/
Sounds like wait_for_connection will still work. If you are waiting for it to be joined to the domain and that’s when WinRM will be active then it sounds like it does what you want. wait_for_connection does run over WinRM but if it isn’t available it will keep on retrying until it either works or a timeout is reached.
1- Deploy VM from template, using vmware_guest and we do a join domain as part of the customization feature. But the vmware_guest module does not wait for customization to finish before giving back control to Ansible for the next step.
2- Execute a PowerShell script on the guest using vmware_guest_shell. That script gets a certificate from the domain CA and then configures WinRM, but it will fail if the guest is not joined to the domain yet.
3- WinRM activated, happy campers as all win_* modules now work and win_dsc too. But if step 2 failed, all further steps will fail too.
So, wait_for_connection will not work before step 2 is done, but would actually be required between steps 1 and 2.
Maybe I could put a loop with a check for domain membership in the PowerShell script though. I’ll try that after vacations and report back.
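
The membership check proposed in the last post could look like the following. This is an added example, not a script from the thread; `$ExpectedDomain`, the timeout values and the function name `Test-DomainJoinComplete` are assumptions, and the script is assumed to run as a local administrator at the start of step 2, before the certificate request.

```powershell
# Added example (not from the thread): block until the guest is joined to the
# expected domain, and fail closed so the certificate/WinRM step never runs early.
param(
    [string]$ExpectedDomain = 'corp.example.com',  # placeholder: your AD DNS domain name
    [int]$TimeoutSeconds = 900,                    # assumed upper bound for customization
    [int]$PollSeconds = 15
)

function Test-DomainJoinComplete {
    param([string]$Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
    # PartOfDomain is $false while the guest is still in a workgroup.
    if (-not $cs.PartOfDomain) { return $false }
    # Do not continue if the guest ended up in a domain other than the expected one.
    if ($cs.Domain -ne $Domain) { return $false }
    # Confirm the machine account can authenticate to a domain controller,
    # which the certificate enrollment from the domain CA depends on.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    $joined = $false
    # CIM can be unavailable early in boot; treat any error as "not ready yet".
    try { $joined = Test-DomainJoinComplete -Domain $ExpectedDomain } catch { }
    if ($joined) {
        Write-Output "Domain join to $ExpectedDomain verified."
        exit 0
    }
    Start-Sleep -Seconds $PollSeconds
}

Write-Error "Timed out after $TimeoutSeconds s waiting for domain join to $ExpectedDomain."
exit 1
```

Because the guest restarts during customization, a run can be cut off partway; treat a missing or non-zero exit code as "not ready" and retry from the Ansible side before the certificate step.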