win_domain - Unable to issue winrm commands following promotion to Domain Controller #39235
Thanks for this, I'd spotted exactly the same behaviour but hadn't found a fix. There is a todo in the module about using an action plugin to handle the reboot (as win_reboot does), but presumably this would have to also switch user, as following the reboot you would need to connect as a domain user. I guess it would not be too hard to get the module code to start the netlogon service, but whether the auth would remain in place long enough for the module to return would have to be tested. In my case I'm going from a workgroup to a DC, but I guess if you are going from a domain member to a DC the behaviour might be different, so I'm wary of suggesting that starting netlogon would fix all scenarios.
I'm actually testing a greenfield deployment as well.

Unfortunately I don't think we'd be able to start the netlogon service prior to the server itself being a domain controller. Netlogon is set to manual until the server is promoted, and just gives an error if you try to start it beforehand.
I was proposing a manual start in the win_domain.ps1 module code after it has completed the
That seems to do the trick. I just tested unceremoniously slapping a "Start-Service -Name netlogon" after the last variable. Once that's done the playbook runs as expected.

Any thoughts on the best way to implement? Seems a little ham-fisted to just plop the command in there like I did.
@jtauke Nice, thanks for trying it out. As for an actual implementation... I'd be inclined to add a module parameter Also perhaps I'd do a Get-Service on netlogon and only start it if it was not in the running state. I was also using S2016, so I'd want to feel confident this worked with older Windows versions before merging. In fact I might start with the testing, as I think the module may date back to S2012R2 being the most recent Windows version at the time. If it turns out it is specific to S2016 I'm not sure I'd just magically restart it, but just document that it has been needed on S2016 in the module docs. Hope that helps? Are you OK to create a PR? If you are, and you get stuck at all, feel free to ask on #ansible-windows on IRC (freenode).
I'll try to get a pull request in this weekend. Been swamped lately.
I've also encountered this problem. Unfortunately just starting the netlogon service is not enough. Before running the win_domain module, I can login with What about instead adding a reboot option that takes "no", "yes" and "if-required", that could be used to solve both these problems?
So I wiped the machine where I ran into this problem and retried, and am unable to reproduce this problem now... @jtauke did you already start working on a PR? If not, I could give it a shot.
@stintel yes, just restarting netlogon is not enough, it will need a reboot straight afterwards, for which you can use the existing That said, it would be good to document the reboot in the module documentation examples as it's effectively mandatory, although keeping the two tasks as separate things retains flexibility if there are scenarios where it makes sense to do something else between running
Sorry, I've been remiss in getting a pull request put together. Here's the basics of what I've been testing with: if specified true, the module will check the current state of the netlogon service, then, if it's not running, start the service. This allows Ansible to continue to the next item (most likely a reboot) successfully.
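The check described in the comment above, as an added PowerShell example (not jtauke's test code and not the win_domain module's own source). The function name `Ensure-NetlogonRunning` and the hashtable it returns are assumptions chosen to mirror the `$result` style of Ansible's PowerShell modules.

```powershell
# Added example, not part of the win_domain module. After Install-ADDSForest
# has run (with the automatic reboot suppressed), the Netlogon service is
# left stopped, which breaks Negotiate-based WinRM auth (NTLM/Kerberos/
# CredSSP). Starting it keeps the connection usable until win_reboot runs.
function Ensure-NetlogonRunning {
    param([int]$TimeoutSeconds = 30)

    $svc = Get-Service -Name Netlogon -ErrorAction Stop
    if ($svc.Status -eq 'Running') {
        # Nothing to do; report no change so the task stays idempotent.
        return @{ changed = $false; status = 'Running' }
    }

    # Netlogon is Manual on a workgroup server and only starts once the
    # server is actually a DC; on an unpromoted host Start-Service throws,
    # so report the failure instead of letting it abort the whole module.
    try {
        Start-Service -Name Netlogon -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    } catch {
        $svc.Refresh()
        return @{
            changed = $false
            status  = $svc.Status.ToString()
            error   = $_.Exception.Message
        }
    }
    return @{ changed = $true; status = 'Running' }
}

# Usage inside a module body would look like:
#   $result.netlogon = Ensure-NetlogonRunning
#   if ($result.netlogon.changed) { $result.changed = $true }
```

A follow-up win_reboot task is still required, as noted in this thread; this only keeps WinRM alive long enough to reach it.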
@jborean93 What is your opinion on this? I am not convinced this is something we want to fix in the module, but a proper fix needs Microsoft's attention... Is there an alternative? Maybe async?
I don't really think this is a Microsoft issue. The proper default for New-ADDSForest is for a reboot to occur after promotion, something this module actively stops from happening (for good reason, so it can be handled by win_reboot). In the current state, I wouldn't even consider this module to be functional, since it stops any Ansible commands from running after it does.
I've been using this module for a while and have never come across this issue, so I need to try and replicate it myself. I literally have run through this more than 10 times this past week testing out changes to ansible-windows and it never failed once, so not sure what is happening.
Just jumping in to say I'm seeing this exact same behavior on new 2012R2 instances on Azure. This is how I'm doing it in the playbook I'm using...

Ansible disconnects during the
If you are running Ansible 2.5 or above, I've had luck using win_scheduled_task to automatically start the netlogon service when Windows Server 2012 is promoted to a domain controller. The

```yaml
- name: Create Netlogon scheduled task
  win_scheduled_task:
    name: Start Netlogon
    actions:
      - path: C:\Windows\System32\sc.exe
        arguments: start netlogon
    triggers:
      - type: event
        subscription: "<QueryList><Query Id='0' Path='System'><Select Path='System'>*[System[(EventID='29223') and Security[@UserID='YOUR-ID-HERE']]]</Select></Query></QueryList>"
    username: YOUR-USER
    password: YOUR-PASS
    logon_type: password
    run_level: highest
    state: present
```

After the server is rebooted you can copy-paste this task and change the

```yaml
- name: Create Netlogon scheduled task
  win_scheduled_task:
    name: Start Netlogon
    state: absent
```
This might be another case we should explore wrapping in an action to handle the reboots automatically in a way that's "ansible-friendly" (ala
@nitzmahone would you mind elaborating on the connection-related issues with win_domain_controller and what action plugin might solve it? I've tried to use the win_domain_controller module in one of my playbooks to configure 6 Windows Server 2012R2 hosts as domain controllers and 1-2 of the servers always seem to fail (not always the same servers fail).
Running into this same issue.
Nothing works until I forcefully reboot the instance. Error I get:
@jseiser I believe win_reboot is not working in Ansible 2.6.1 but should be fixed in 2.6.2, so worth trying again with latest devel or 2.6.2 when it's released.
Same problem with 2.6.2.

It's not just win_reboot, it's anything attempting to run after win_domain that fails. The same problem exists if you attempt to promote using win_dsc as well.

Are there any known workarounds for this? I am stuck on this and haven't been able to find a way around it. The issue is also present when attempting to promote via win_dsc xActiveDirectory.
I have figured out why I never came across this issue: because the Netlogon service is not running post promotion, any authentication protocols that rely on the Negotiate protocol (like NTLM, Kerberos, CredSSP) will fail. My test playbooks always ran under Basic auth, which is handled a bit differently from the other protocols. I need to implement a good way to get beyond this as part of the 2.7 action-ify work, but for now, setting
Here is a PR that should solve this issue: #43703. I am still planning on creating an action plugin to incorporate an automatic reboot in the one task.
ISSUE TYPE

COMPONENT NAME

win_domain

ANSIBLE VERSION

CONFIGURATION

Default configuration in place. Currently utilizing an updated version of the win_domain module that includes a netbios name option (this new version was merged to the devel branch recently).

OS / ENVIRONMENT

CentOS 7, managing Windows Server 2016

SUMMARY

STEPS TO REPRODUCE

Shortened copy of the playbook from https://github.com/jborean93/ansible-windows

EXPECTED RESULTS

Create a new AD forest using the variables passed to it. Then reboot.

ACTUAL RESULTS

Server is promoted to a domain controller, and WinRM connectivity is killed before the reboot command can run, causing the playbook to fail. I've tracked it down to the netlogon service not being started following promotion to a domain controller. If that service is manually started from the console, WinRM functionality is restored. The existing module, win_domain, squelches the automatic reboot triggered by Install-ADDSForest, a function that isn't recommended by Microsoft, because the server in question won't respond properly as a DC or a domain member until rebooted. I'm currently testing the module with the reboot allowed (to see how it reacts to being rebooted outside of win_reboot).

Anyone else have any other ideas?