vikas027

Reputation: 5762

Unable to execute Active Directory Commands

I am unable to use Active Directory commands like Get-ADDomain, Get-ADUser, etc. in a PowerShell script using Ansible. Basic commands like ls and New-Item work fine.

Environment

ad-dns.test.com    - Windows 2012 AD and DNS Server
box88.test.com     - CentOS 7.2 (Not joined to domain) : Ansible, Kerberos, Python 
box62.test.com     - Windows 2012 R2 Standard (Joined to domain)
[email protected]    - Domain User for the Kerberos Ticket

Configuration

I have enabled WinRM on Windows Server 2012 through ConfigureRemotingForAnsible.ps1 PowerShell script.

PowerShell Script

This is the basic script which I am trying to execute through Ansible.

ls
New-Item -Path C:\testfile.txt -ItemType file
Import-Module ActiveDirectory
Get-Module
Get-ADDomain

Problem

When I execute the above script, the ActiveDirectory module appears to be loaded properly, but all Active Directory commands fail with the error below:

Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.

Interestingly, the same script executes without any errors directly on PowerShell.

Here is the detailed output of Ansible.

root@box88:~# ansible-playbook /etc/ansible/win_test.yml

PLAY [windows] *****************************************************************

TASK [wintest : include] *******************************************************
included: /etc/ansible/roles/wintest/tasks/win_test.yml for box62.test.com

TASK [wintest : script] ********************************************************
changed: [box62.test.com]

TASK [wintest : debug] *********************************************************
ok: [box62.test.com] => {
    "res.stdout_lines + [ res.stderr ]": [
        "",
        "",
        "    Directory: C:\\Users\\vkumar",
        "",
        "",
        "Mode                LastWriteTime     Length Name                              ",
        "----                -------------     ------ ----                              ",
        "d-r--         6/28/2016   9:10 AM            Contacts                          ",
        "d-r--         7/19/2016   9:30 PM            Desktop                           ",
        "d-r--         6/28/2016   9:10 AM            Documents                         ",
        "d-r--         6/28/2016   9:10 AM            Downloads                         ",
        "d-r--         6/28/2016   9:10 AM            Favorites                         ",
        "d-r--         6/28/2016   9:10 AM            Links                             ",
        "d-r--         6/28/2016   9:10 AM            Music                             ",
        "d-r--         6/28/2016   9:10 AM            Pictures                          ",
        "",
        "",
        "    Directory: C:\\",
        "",
        "",
        "Mode                LastWriteTime     Length Name                              ",
        "----                -------------     ------ ----                              ",
        "-a---         7/19/2016  10:01 PM          0 testfile.txt                      ",
        "",
        "Name              : ActiveDirectory",
        "Path              : C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDi",
        "                    rectory\\ActiveDirectory.psd1",
        "Description       : ",
        "Guid              : 43c15630-959c-49e4-a977-758c5cc93408",
        "Version           : 1.0.0.0",
        "ModuleBase        : C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDi",
        "                    rectory",
        "ModuleType        : Manifest",
        "PrivateData       : ",
        "AccessMode        : ReadWrite",
        "ExportedAliases   : {}",
        "ExportedCmdlets   : {[Add-ADCentralAccessPolicyMember, ",
        "                    Add-ADCentralAccessPolicyMember], ",
        "                    [Add-ADComputerServiceAccount, ",
        "                    Add-ADComputerServiceAccount], ",
        "                    [Add-ADDomainControllerPasswordReplicationPolicy, ",
        "                    Add-ADDomainControllerPasswordReplicationPolicy], ",
        "                    [Add-ADFineGrainedPasswordPolicySubject, ",
        "                    Add-ADFineGrainedPasswordPolicySubject]...}",
        "ExportedFunctions : {}",
        "ExportedVariables : {}",
        "NestedModules     : {Microsoft.ActiveDirectory.Management}",
        "",
        "",
        "Name              : Microsoft.PowerShell.Management",
        "Path              : C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsof",
        "                    t.PowerShell.Management\\Microsoft.PowerShell.Management.psd",
        "                    1",
        "Description       : ",
        "Guid              : eefcb906-b326-4e99-9f54-8b4bb6ef3c6d",
        "Version           : 3.1.0.0",
        "ModuleBase        : C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
        "ModuleType        : Manifest",
        "PrivateData       : ",
        "AccessMode        : ReadWrite",
        "ExportedAliases   : {}",
        "ExportedCmdlets   : {[Add-Computer, Add-Computer], [Add-Content, Add-Content], ",
        "                    [Checkpoint-Computer, Checkpoint-Computer], ",
        "                    [Clear-Content, Clear-Content]...}",
        "ExportedFunctions : {}",
        "ExportedVariables : {}",
        "NestedModules     : {Microsoft.PowerShell.Commands.Management.dll}",
        "",
        "",
        "",
        "Get-ADDomain : Unable to contact the server. This may be because this server \r\ndoes not exist, it is currently down, or it does not have the Active Directory \r\nWeb Services running.\r\nAt C:\\Users\\vkumar\\AppData\\Local\\Temp\\ansible-tmp-1468990893.98-136722234533486\r\n\\test.ps1:5 char:1\r\n+ Get-ADDomain\r\n+ ~~~~~~~~~~~~\r\n+ CategoryInfo          : ResourceUnavailable: (TEST:ADDomain) [Get-ADDoma \r\nin], ADServerDownException\r\n+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirector \r\ny.Management.Commands.GetADDomain\r\n"
    ]
}

PLAY RECAP *********************************************************************
box62.test.com             : ok=3    changed=1    unreachable=0    failed=0

root@box88:~#

Upvotes: 0

Views: 4295

Answers (2)

hdump

Reputation: 94

I stumbled onto an identical issue last week while configuring a PowerShell worker node for running AD scripts. After some digging around I found the Ansible WinRM guide and reviewed the limitations section. Shortly afterwards, I found this question on ServerFault, which raised my suspicion that it is a Kerberos double hop authentication issue - particularly from comments and answers from user Semicolon.

So, I followed this suggestion in the Ansible documentation (the same one echoed by Semicolon):

  • Set ansible_winrm_transport to credssp or kerberos (with ansible_winrm_kerberos_delegation=true) to bypass the double hop issue and access network resources

In my scenario, ansible_winrm_transport was already set to kerberos in my group variables file. My solution was to add this line:

ansible_winrm_kerberos_delegation: true

to my group variables file. After that addition, I ran my playbook which runs a script called TestAD.ps1, which attempts to run Get-ADDomain. This was the resulting Ansible output:

ok: [psworker.domain.com] => {
    "msg": {
        "changed": true, 
        "cmd": "powershell.exe C:/scripts/TestAD.ps1", 
        "delta": "0:00:01.101562", 
        "end": "2020-07-31 09:08:44.785758", 
        "failed": false, 
        "rc": 0, 
        "start": "2020-07-31 09:08:43.684196", 
        "stderr": "", 
        "stderr_lines": [], 
        "stdout_lines": [
            "Unrestricted", 
            "", 
            "", 
            "AllowedDNSSuffixes                 : {}", 
            "ChildDomains                       : {}", 
            "ComputersContainer                 : OU=mydomain Servers,DC=mydomain,DC=com", 
            "DeletedObjectsContainer            : CN=Deleted Objects,DC=mydomain,DC=com", 
            "DistinguishedName                  : DC=mydomain,DC=com", 
            "DNSRoot                            : mydomain.com", 
            "DomainControllersContainer         : OU=Domain Controllers,DC=mydomain,DC=com", 
            "DomainMode                         : Windows2012R2Domain", 
            "DomainSID                          : S-1-5-21-644830395-273481423-308473177", 
            "ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=mydomain,DC=com", 
            "Forest                             : mydomain.com", 
            "InfrastructureMaster               : devdc00.mydomain.com", 
            "LastLogonReplicationInterval       : ", 
            "LinkedGroupPolicyObjects           : {cn={BD2441AA-23B7-4D11-B499-73642A1734A8},cn=policies,cn=system,DC=mydomain,DC=", 
            "                                     com, cn={E73254A1-C013-4D45-8BB3-FEE2E1300B11},cn=policies,cn=system,DC=mydomain", 
            "                                     ,DC=com, cn={CF7575AC-E140-4869-B8C7-904C753D8E28},cn=policies,cn=system,DC=mydoma", 
            "                                     in,DC=com, cn={C63CB9EB-262E-4AD7-BC0B-70B3EF2F7B48},cn=policies,cn=system,DC=my", 
            "                                     domain,DC=com...}", 
            "LostAndFoundContainer              : CN=LostAndFound,DC=mydomain,DC=com", 
            "ManagedBy                          : ", 
            "Name                               : mydomain", 
            "NetBIOSName                        : mydomain", 
            "ObjectClass                        : domainDNS", 
            "ObjectGUID                         : 6f59e1a2-8857-46f2-90fd-51710bde58d6", 
            "ParentDomain                       : ", 
            "PDCEmulator                        : devdc00.mydomain.com", 
            "PublicKeyRequiredPasswordRolling   : ", 
            "QuotasContainer                    : CN=NTDS Quotas,DC=mydomain,DC=com", 
            "ReadOnlyReplicaDirectoryServers    : {}", 
            "ReplicaDirectoryServers            : {dc01.mydomain.com, devdc00.mydomain.com}", 
            "RIDMaster                          : dc00.mydomain.com", 
            "SubordinateReferences              : {DC=DomainDnsZones,DC=mydomain,DC=com, DC=ForestDnsZones,DC=mydomain,DC=com, ", 
            "                                     CN=Configuration,DC=mydomain,DC=com}", 
            "SystemsContainer                   : CN=System,DC=mydomain,DC=com", 
            "UsersContainer                     : CN=Users,DC=mydomain,DC=com", 
            "", 
            "", 
            ""
        ]
    }
}

Here are the settings in my group_vars file (can be set in the playbook directly):

ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: true
ansible_winrm_transport: kerberos

I use the exact same PowerShell script to configure WinRM for Ansible.

Upvotes: 2

Glen Buktenica

Reputation: 342

It sounds like PowerShell cannot discover a Domain Controller while in the Ansible environment? Can you instead run:

Get-ADDomain -Server MyDomainController

Upvotes: 0
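An added diagnostic script (not from the thread or from Ansible) that ties the two answers together: run it through the same Ansible script task that fails, and it reports whether the WinRM logon holds a Kerberos ticket it can forward (the double-hop symptom hdump's delegation setting fixes) and whether a DC is discoverable and usable with an explicit -Server (Glen Buktenica's suggestion). It assumes the ActiveDirectory module and klist.exe are present on the target host; domain and DC names are whatever the host discovers.

```powershell
# Added diagnostic (not from the thread). Run it via the same Ansible 'script'
# task that fails, so the checks execute under the WinRM logon in question.
# Assumes the ActiveDirectory module and klist.exe exist on the target host.
Import-Module ActiveDirectory -ErrorAction Stop

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Output ("Running as         : {0} ({1})" -f $who.Name, $who.AuthenticationType)

# A WinRM logon made with ansible_winrm_transport=kerberos but without
# ansible_winrm_kerberos_delegation has no TGT in its ticket cache: the host
# verified the client, but holds nothing it can present to a DC on the next hop.
# With delegation (forwardable TGT from kinit -f, and the target computer
# trusted for delegation in AD) a krbtgt ticket shows up here.
$klist  = (& klist.exe 2>&1) | Out-String
$hasTgt = $klist -match 'krbtgt/'
Write-Output ("TGT in ticket cache: {0}" -f $hasTgt)

# DC discovery uses the DC locator, not AD Web Services, so it separates
# "no DC reachable or known" from "DC known but no usable credentials".
try {
    $dc     = Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop
    $dcName = [string]$dc.HostName
    Write-Output ("DC with ADWS found : {0}" -f $dcName)
} catch {
    Write-Output ("DC discovery failed: {0}" -f $_.Exception.Message)
    return
}

# The thread's call, once as written and once pinned to the discovered DC
# (the second answer's suggestion). If a DC was discovered yet both attempts
# end in ADServerDownException, the missing piece is the second-hop credential,
# which is what the delegation flag (or CredSSP) supplies.
foreach ($server in @('', $dcName)) {
    $label = if ($server) { $server } else { 'auto' }
    try {
        if ($server) { $d = Get-ADDomain -Server $server -ErrorAction Stop }
        else         { $d = Get-ADDomain -ErrorAction Stop }
        Write-Output ("Get-ADDomain [{0}] : ok, DNSRoot={1}" -f $label, $d.DNSRoot)
    } catch {
        Write-Output ("Get-ADDomain [{0}] : {1}" -f $label, $_.Exception.GetType().Name)
    }
}
if (-not $hasTgt) {
    Write-Output "Verdict: no forwardable Kerberos ticket in this session (double hop)."
}
```

The final verdict line tells you whether to pursue delegation or CredSSP on the Ansible side, or DC reachability on the Windows side.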
