Automate Windows Server 2019 Administration with Ansible

Are you trying to perform Windows Server 2019 Administration with Ansible?

This guide is for you.

When we have multiple servers, managing them by hand becomes very difficult. To make this easier, we can automate server management with the help of Ansible.

Ansible can be used for deployment of applications, routine maintenance of servers, configuration management, continuous delivery, orchestration, or any repetitive work.

Ansible can manage desktop OSs including Windows 7, 8.1, and 10, and server OSs including Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019. 

Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers automate their Windows servers for ease of management.

In this context, we shall look into how to use Ansible for Server Management.

Steps to Automate Windows Server 2019 Administration with Ansible

Ansible is a simple and powerful IT automation engine used by many companies. Before going into the steps to automate Windows Server 2019 administration with Ansible, we will look at the prerequisites.

Prerequisites for Automating

The following are the prerequisites:

1. PowerShell version 3.0 or higher

2. .NET Framework 4.0 or higher

3. Windows Remote Management Listener or SSH (Cygwin)

4. Windows 7+, and server OSs including Windows Server 2008+

5. Chocolatey

6. WSUS for updating OS packages and patching

7. Ansible or AWX

1. Install Chocolatey and WSUS

Chocolatey is a package manager that helps users install and manage software on Windows. It makes it easy to install applications from the command line or PowerShell. WSUS makes it easy to deliver operating system updates and patches.

How to Install Chocolatey?

a. Ensure that we are using an administrative shell.

b. Next, copy the following command to the cmd.exe shell:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command " [System.Net.ServicePointManager]::SecurityProtocol = 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

c. And then press enter.

To verify that Chocolatey is installed, we will use the choco command:

Chocolatey v0.10.15
Please run 'choco -?' or 'choco <command> -?' for help menu.

How to Install WSUS?

Steps to follow are given below:

1. First, start Server Manager.

2. Then click on "Add Roles and Features".

3. After that, click "Next" in the wizard.

4. Select Installation type by clicking on "Role-based or feature-based-installation" and click "Next".

5. Choose Destination Server by selecting the server where we will install WSUS and click "Next".

6. After this, we can select the roles to install by checking the "Windows Server Update Services" box. Then, in the pop-up window, click "Add Features", and click "Next" on the following two windows.

7. Then on the window titled "Select Role Services", click "Next".

8. In the window named "Content Location", we have the option of specifying where update packages will be stored. If we do not have any location, we can simply uncheck the box and click "Next".

9. Click "Next" on the next two windows, then click on install in the last window.

10. We will reboot the server after the installations are done.

11. After that, click on the WSUS icon. We will see a message "Configuration requires..". Click on More, which will bring up another window. On the pop-up window, click on the "Launch Post-installation" link.

2. Install Ansible AWX

We are going to use Ansible AWX to manage the Windows servers, as it is easy to use and provides a friendly web management interface.

Install Ansible AWX

1. Install epel release repo and dependencies with the following commands:

$ sudo dnf -y install epel-release
$ sudo dnf -y install dnf-plugins-core
$ sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo dnf config-manager --set-enabled PowerTools

The AWX package dependencies can be installed by running the command below:

$ sudo dnf install -y git python3-pip curl ansible gcc nodejs gcc-c++ gettext lvm2 device-mapper-persistent-data pwgen bzip2

2. Install Docker and Docker Compose

First, we will download the Docker repository file to /etc/yum.repos.d/docker-ce.repo and update the RPM index cache before installing Docker:

$ sudo curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
$ sudo yum makecache
$ sudo dnf -y install docker-ce --nobest

To start at boot and check if it is running we can use the following commands:

$ sudo systemctl enable --now docker
$ systemctl status docker

We will add our user to the docker group so that docker commands can be run without sudo. Members of this group effectively have root access on the host, so add only trusted administrative accounts:

$ sudo usermod -aG docker $USER

Next, we will use the pip3 command to get the docker-compose and docker python module installed as shown below.

$ sudo pip3 install -U docker docker-compose

We can confirm the version using the following command:

$ docker-compose version

3. Clone AWX using the following commands:

$ cd ~
$ git clone --depth 50 https://github.com/ansible/awx.git

Next, we will change to the installer directory.

The installer directory has a config file we need to modify and execute:

$ cd ~/awx/installer/

Before we edit the inventory file, we will generate a secret encryption key using the following:

$ pwgen -N 1 -s 30

Edit the inventory file and customize it to suit the needs of our environment:

$ vim inventory

For example, set the directory for playbooks inside the server:

project_data_dir=/var/lib/awx/projects

After that, we will alter firewall rules using the following commands:

$ sudo firewall-cmd --zone=public --add-masquerade --permanent
$ sudo firewall-cmd --permanent --add-service={http,https}
$ sudo firewall-cmd --reload

3. Add the AWX project data folder using the following command:

$ sudo mkdir -p /var/lib/awx/projects

We will now run the ansible-playbook command followed by option -i which tells it the inventory file to use. The name of the playbook file is install.yml.

$ sudo ansible-playbook -i inventory install.yml

We can then check created docker containers and their status using the docker ps command.

$ docker ps

4. Accessing AWX Web Interface:

To have access to the AWX web console, point the browser to our Ansible's AWX server IP: http://our-server-ip-address

If we changed the port configuration in the inventory file, then point our browser to http://our-server-ip-address:<port>

After that, we can enter the admin username and the admin_password value that we specified in the inventory file. When the authentication is successful, we will get to the AWX administration dashboard.

5. Creating User and Team

We can click on the Users tab found on the left menu and click on the green + icon, then fill in the details of the new user to be added. After completing we can click "Save".

Click on the "Teams" tab and do similar steps to create a Team.

6. Creating an Organization

Clicking on Users displays all the Users associated with this Organization.

7. Creating credentials

We can click on "Credentials" on the left menu and then click the green + to add a new server credential. Click "Save" once done.

8. Create a new Inventory and add it to the Organization

To create a new inventory, click the Add (+) button and select Inventory from the drop-down.

9. Setting up a Project

We can click on the "Projects" tab on the left menu and then click on add (+) to create a new project.

3. Configure Windows Remote Management for Ansible

We will use this script, ConfigureRemotingForAnsible.ps1, which can be used to set up the basics. This script sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service.

We can run the following in PowerShell (as Administrator):

$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
powershell.exe -ExecutionPolicy ByPass -File $file

WinRM Listener

To view the current listeners that are running on the WinRM service, we can run the following command:

winrm enumerate winrm/config/Listener
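Because the setup script creates both an HTTP and an HTTPS listener, it is worth checking which ones are actually enabled. The following is an added example, not part of the original guide or of Ansible: it summarises saved output of the command above and fails when an enabled HTTP listener is present. The function name, the sample output and its addresses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise saved `winrm enumerate winrm/config/Listener` output
# and fail when an enabled HTTP listener (no TLS) is present.
check_winrm_listeners() {   # prints one line per listener; status 1 on HTTP
  awk '
    function emit() {
      if (transport == "") return
      printf "%s port=%s enabled=%s\n", transport, port, enabled
      if (transport == "HTTP" && enabled == "true") bad++
      transport = port = enabled = ""
    }
    { sub(/\r$/, "") }                 # tolerate CRLF line endings
    /^Listener/         { emit(); next }
    $1 == "Transport"   { transport = $3 }
    $1 == "Port"        { port = $3 }
    $1 == "Enabled"     { enabled = $3 }
    END { emit(); exit (bad > 0) }
  ' "$1"
}

# Constructed sample in the layout the command prints (addresses are examples).
LISTENERS=$(mktemp); trap 'rm -f "$LISTENERS"' EXIT
cat > "$LISTENERS" <<'EOF'
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 192.0.2.10, 127.0.0.1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = WIN2019
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <constructed>
    ListeningOn = 192.0.2.10, 127.0.0.1
EOF
check_winrm_listeners "$LISTENERS" || echo "HTTP listener still enabled"
```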

How to Execute Ansible Playbook in Windows?

Once WinRM has been set up, it is time to manage the server using Ansible. If we prefer using the terminal, we can add a host called windows to the "/etc/ansible/hosts" file, then execute the command below to test if everything works well:

ansible windows -m win_ping -e ansible_connection=winrm \
-e ansible_user='<Our-Windows-User>' -e ansible_password='<Our-Windows-Password>' \
-e ansible_winrm_transport=basic \
-e ansible_winrm_server_cert_validation=ignore

A successful response to the above command shows that Ansible can reach the Windows Server 2019 host and that we can begin automating its administration.
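The ad hoc test above authenticates with Basic and ignores the server certificate. Once the same variables are moved into an inventory file, a check like the following can flag them, and the plaintext password can instead live in the AWX credential created earlier. This is an added example, not part of the original guide or of Ansible; the function name, host, user, CA path and both sample inventories are constructed, and it assumes key=value pairs with no spaces around "=".

```bash
#!/usr/bin/env bash
# Added example: flag risky WinRM variables in an INI-style Ansible inventory.
# Assumes key=value pairs with no spaces around "="; sample data is constructed.
audit_winrm_inventory() {   # one finding per line; exit status 1 if any
  awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
    /^[ \t]*[#;]/ { next }   # skip comment lines
    {
      for (i = 1; i <= NF; i++) {
        eq = index($i, "="); if (!eq) continue
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "ansible_winrm_transport" && v == "basic")
          report("Basic auth: password is only base64-encoded on the wire")
        if (k == "ansible_winrm_server_cert_validation" && v == "ignore")
          report("certificate validation off: server identity is not checked")
        if ((k == "ansible_port" && v == "5985") || (k == "ansible_winrm_scheme" && v == "http"))
          report("HTTP listener: no TLS around the WinRM session")
        if (k == "ansible_password")
          report("plaintext password stored in the inventory")
      }
    }
    END { exit (n > 0) }
  ' "$1"
}
WEAK=$(mktemp); HARDENED=$(mktemp); trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
[windows]
win2019.example.test
[windows:vars]
ansible_connection=winrm
ansible_user=ansible_svc
ansible_password=Constructed-Example-1
ansible_port=5985
ansible_winrm_transport=basic
ansible_winrm_server_cert_validation=ignore
EOF
cat > "$HARDENED" <<'EOF'
[windows]
win2019.example.test
[windows:vars]
ansible_connection=winrm
ansible_user=ansible_svc@EXAMPLE.TEST
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=validate
ansible_winrm_ca_trust_path=/etc/pki/tls/certs/example-ca.pem
EOF
audit_winrm_inventory "$WEAK" || echo "weak inventory: fix the findings above"
audit_winrm_inventory "$HARDENED" && echo "hardened inventory: clean"
```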



This article will guide you on steps to automate Windows Server 2019 administration with Ansible.

Ansible can be used to manage and execute core functions in Windows environments, from security updates to remote management using WinRM. Although Ansible must be run on Linux, Windows administrators can use Ansible to manage and automate their systems without needing to know how to use a Linux terminal.

To Connect Ansible on Windows from Ubuntu:

1. Create Ansible Windows User. Create a new user for the Ansible windows connection setup.

2. Setup Libraries and WinRM.

3. Update the Ansible Inventory file.

4. Update the Ansible Group Variables.

5. Configure Windows Servers to Manage.

6. Test Connectivity to the Windows Server.