Getting Started With Ansible: Setting Up a Windows Managed Node

ansible automation Sep 18, 2023

Introduction:

Setting up a Windows managed node is a crucial step in leveraging Ansible to manage your Windows infrastructure efficiently.  In this post, we'll walk through the process of setting up a Windows managed node for Ansible, enabling you to automate tasks on your Windows machines.  I'll be using NTLM authentication rather than Kerberos because I don't have a domain set up yet as part of the Getting Started With Ansible series (coming later).  Once the domain is in place, we'll switch to Kerberos, which is a more secure authentication protocol than NTLM.  See here for more information on these two authentication protocols.  If you're following along, set up your Ansible control node if you haven't done so already.  You can see that process in the "Getting Started With Ansible: Installing the Control Node" post.

Prerequisites:

Before diving into setting up a Windows managed node, ensure you have the following prerequisites in place.

  • Ansible Control Node
  • A Windows machine
  • Network connectivity
    • Ensure that there is proper network connectivity between the control node and the Windows machine you intend to configure as a managed node.
  • Local Windows administrator account
    • To manage Windows, you'll need an account that is a member of the local Administrators group.  I've set up the same account across the Windows machines in my lab environment.

Configuring WinRM on the Windows Machine:

WinRM (Windows Remote Management) is the transport Ansible uses to communicate with Windows machines.  It allows Ansible to remotely execute commands on the Windows managed node.  Let's go through the steps to configure WinRM on the Windows machine:

  1. Create a self-signed certificate (we'll replace this step with a certificate from a certificate authority in a later post).
    1. Open a PowerShell window with administrative privileges on the Windows machine.
    2. Run the following command to create the certificate:

       New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "WinRMCertificate"

  2. Enable WinRM:

       Enable-PSRemoting -SkipNetworkProfileCheck -Force

  3. Configure a WinRM listener that uses SSL on port 5986, bound to the certificate created in step 1.  The certificate is selected by its subject so the command still works when the store holds more than one certificate:

       $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=WinRMCertificate" } | Select-Object -First 1
       New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force

  4. Create a Windows Firewall rule that allows inbound TCP 5986:

       New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP

With WinRM configured on the Windows machine, you've enabled Ansible to communicate with it remotely.
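The four steps above, gathered into one script that can be run again without failing and that checks its own result at the end.  This is an added example, not code from the original post: it keeps the post's certificate subject, port and firewall rule name, and the added pieces (reusing an existing certificate, adding the host's FQDN as a second DNS name, removing a stale HTTPS listener before re-creating it, and the read-only verification) are my assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: the post's four WinRM configuration steps as one re-runnable script.
# Assumptions (not from the post): an existing certificate with the same subject is
# reused, the host FQDN is added as a SAN, and a stale HTTPS listener is replaced.
$ErrorActionPreference = 'Stop'

$certName  = 'WinRMCertificate'                                    # same subject the post uses
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$httpsPort = 5986

# 1. Reuse an unexpired certificate with this subject, or create a self-signed one.
#    The FQDN is included so the same certificate can later be trusted by name
#    rather than ignored by the control node (assumption, not required by the post).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$certName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $certName, $fqdn
}

# 2. Enable the WinRM service and its default configuration.
Enable-PSRemoting -SkipNetworkProfileCheck -Force

# 3. Bind an HTTPS listener on 5986 to that certificate. A previous HTTPS listener
#    is removed first so a re-run does not fail or keep an old thumbprint.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -Port $httpsPort `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Allow inbound TCP 5986; skip if the rule already exists.
$ruleName = 'Windows Remote Management (HTTPS-In)'
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Name $ruleName -Direction Inbound -Action Allow `
        -Profile Any -LocalPort $httpsPort -Protocol TCP | Out-Null
}

# Verification (read-only): show every listener with its port and thumbprint, then
# confirm that something is actually listening on the HTTPS port.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport  = ($props | Where-Object Name -eq 'Transport').Value
        Port       = ($props | Where-Object Name -eq 'Port').Value
        Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
} | Format-Table -AutoSize

$listening = Get-NetTCPConnection -LocalPort $httpsPort -State Listen -ErrorAction SilentlyContinue
if ($listening) { "WinRM HTTPS listener is accepting connections on TCP $httpsPort" }
else            { Write-Warning "Nothing is listening on TCP $httpsPort; check the WinRM service." }
```

The listener table at the end will also show the HTTP listener on 5985 that Enable-PSRemoting creates by default; the inventory in this post only uses 5986.  Because the inventory sets ansible_winrm_server_cert_validation=ignore, the self-signed certificate encrypts the session but the control node does not verify which host it is talking to.  That is the gap the certificate-authority-issued certificate in the later post closes, and it is why the HTTPS thumbprint printed here is worth keeping for comparison.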

Testing WinRM Connectivity:

Before proceeding further, it's important to test the WinRM connectivity from the control node to the Windows machine.  This ensures that Ansible can establish a connection and manage the Windows node effectively.  

To test WinRM connectivity, we'll create a simple inventory file on the control node and use the win_ping module to verify connectivity.  

  1. Connect to the Ansible control node.  I use Visual Studio Code, but any text editor will work.
  2. Create a file named hosts.ini.
  3. Paste the following into the file.  Be sure to update the IP address and the server name (my Windows machine is named SRV4).  We'll cover these settings in more detail in a later post.

       [windowsservers]
       SRV4 ansible_host=10.0.0.158

       [windowsservers:vars]
       ansible_connection=winrm
       ansible_winrm_server_cert_validation=ignore
       ansible_port=5986
       ansible_winrm_transport=ntlm
       ansible_winrm_operation_timeout_sec=60
       ansible_winrm_read_timeout_sec=300

  4. Save the hosts.ini file.
  5. If you're using Visual Studio Code, open a new terminal and change the directory to where you saved the hosts.ini file.
  6. Run the following ad hoc Ansible command.  Replace SRV4 with the server name that you added to the hosts.ini file.  Replace "Administrator" with your admin user name and provide the password when prompted.

       ansible -i hosts.ini -m win_ping SRV4 -u Administrator --ask-pass

  7. If the connection is successful, you'll see a message similar to the one below (Ansible labels the --ask-pass prompt "SSH password:" even when the connection is WinRM).

       SSH password:
       SRV4 | SUCCESS => {
           "changed": false,
           "ping": "pong"
       }
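Once win_ping has succeeded, it is worth looking at the Windows node to see what that first Ansible connection looks like in its logs; the same query later tells you when WinRM logons come from somewhere other than your control node.  This is an added example and not part of the original post.  It assumes the default Security log is recording logon events (4624 and 4625) and that the test was run within the last 15 minutes; both are adjustable at the top of the script.

```powershell
# Added example (not from the post): run on the Windows node after the ad hoc
# win_ping to see how Ansible's NTLM WinRM connection was recorded locally.
# Assumptions: logon auditing is on (4624/4625) and the test ran in the last 15 minutes.
$since = (Get-Date).AddMinutes(-15)

# Network logons (type 3) and failed logons in the window. Ansible's NTLM transport
# appears with the control node's IP as Source and an NTLM authentication package.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data.LogonType -eq '3') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
                Account = "$($data.TargetDomainName)\$($data.TargetUserName)"
                AuthPkg = $data.AuthenticationPackageName
                Source  = $data.IpAddress
            }
        }
    } | Format-Table -AutoSize

# WinRM's own operational log: 91 is the server creating a remote shell for a
# client (how Ansible runs each task, win_ping included); 142 is a WSMan operation
# that failed, with its error code in the message.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91, 142; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A failed win_ping (wrong password, wrong account) shows up as a 4625 with the same Source and no 91 event afterwards, which is the quickest way to tell an authentication problem from a listener or firewall problem: if the control node cannot reach port 5986 at all, nothing is written to either log.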

Conclusion:

Congratulations!  You've successfully set up a Windows managed node and tested connectivity using the win_ping module.  This is just the beginning of what Ansible can do to streamline your automation and configuration management processes.  I'll cover the inventory file in more detail in an upcoming post.  Stay tuned.

Happy automating!