In this article I will guide you through what’s needed to configure Ansible so it can be used to manage Windows hosts. Using Ansible to manage Windows hosts gives you great benefits such as installing updates, installing software, joining domains and a whole lot more all using infrastructure as code. We’re going to be using Kerberos to authenticate with our Windows hosts so you’re going to need a server running Active Directory Domain Services and then a Windows host joined to that domain, Ansible is going to be running on an Ubuntu host so that will also need joining to the domain (if you need assistance with that check out this article).
Let’s start by configuring our Windows host to allow Ansible to connect to it, simply run the following Powershell script on your Windows host.
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" $file = "$env:temp\ConfigureRemotingForAnsible.ps1" (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) powershell.exe -ExecutionPolicy ByPass -File $file
Now that’s done let’s SSH into our Ubuntu machine, this is going to be our Ansible controller (or control-node as Ansible like to call it) and install everything we need.
sudo apt install software-properties-common sudo apt-add-repository --yes --update ppa:ansible/ansible sudo apt update sudo apt install ansible sudo apt-get install python-dev libkrb5-dev krb5-user sudo apt-get install python-pip pip install pywinrm pip install pywinrm[kerberos]
Now that Ansible is installed we can get to configuring everything. Let’s add our Windows hosts to the /etc/ansible/hosts file
sudo nano /etc/ansible/hosts
Let’s declare a group called windows and add our hosts to it, make sure to use the full FQDN of the Windows machine you want to manage (in this case s2019 is the name of my Windows host and lab.local is the domain)
Below this we need to add some configuration to let Ansible know how to communicate with our Windows hosts. I’ve created an domain Anisble user that I’m going to use but you can use any domain account. Ideally we wouldn’t set our credentials here but this is fine just for an example, in production I’d pass these credentials in as part of a CI/CD pipeline.
[win:vars] [email protected] ansible_password=password ansible_connection=winrm ansible_winrm_transport=kerberos ansible_winrm_server_cert_validation=ignore
Save and exit (Ctrl + O, Enter, Ctrl + X)
Now that the configuration is done let’s write a basic playbook. A playbook is a collection of tasks that Ansible will execute against the hosts.
sudo nano updates.yml
- name: Windows Updates hosts: win tasks: - name: Install updates win_updates: category_names: - SecurityUpdates - CriticalUpdates reboot: yes
This playbook will install security and critical Windows updates and reboot if necessary. Let’s Save and Exit again.
Now we can run the playbook.
If all has gone to plan Ansible should connect to your Windows hosts and install the updates we told it to before rebooting if required.
This is a fairly basic example and like I said earlier; we ideally want to be doing this from a CI/CD pipeline – look for an article about that in the future. If you have any questions or comments then please leave a comment or contact me on Twitter. Thanks.