The final goal of this guide is to get the Ansible configuration script (ConfigureRemotingForAnsible.ps1) to complete successfully and then to run a successful Ansible win_ping.
These instructions are NOT for a production server. This is just to get Ansible up and running. This setup should be performed on a secure private network.
If you're running a PARADISE environment and are thinking about switching to VirtualBox, do the switch first, then continue on with these instructions. Make sure you're getting the most out of your install by using the settings described in JDPFu.com.
You may want to install git and clone THIS repository so you'll have the necessary scripts in your Windows VM. I like installing the portable version for this step and then provision one later with my server setup in Ansible.
$ git clone https://github.com/nckz/ansible-windows7sp1.git
Download the .NET 4.5 dotNetFx45_Full_setup.exe from microsoft.com, then install.
If this doesn't install, check out step 1.a; otherwise move on to step 2.
I wasn't able to install the .NET framework directly because I kept getting an error that looked like this:
80070422 ERROR_SERVICE_DISABLED. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Luckily Google found a post with a solution from the MS Forum which offered the Repair.bat script as a solution. I don't know what this does, but Google top hits are as follows:
- wuauserv is related to "Windows Update".
- bits is the "Background Intelligent Service" used to download windows updates.
- DcomLaunch is a service that confirms signature of windows files.
It seems the script sets these services to auto-start, perhaps.
In an Administrator command window run:
> .\Repair.bat
Download the Windows Management Framework Windows6.1-KB2819745-x64-MultiPkg.msu from social.technet.microsoft.com, and install it. After the reboot, check for the correct PowerShell version by entering:
> $PSVersionTable
...
PSVersion 4.0
...
Stop all programs that are using a network interface. If you're on a PARADISE environment, then issue the following in a command window:
start_stop_procs.pl stop
Disable the "Public" loopback network adapters in the Network and Sharing Center (located in the Control Panel). The other adapters should have private profiles; if they don't, then change them to private. You can do this by temporarily disabling them. When you toggle them back on, Windows will ask what type of network they're connected to; select "work" or "home", etc.
In a PowerShell enter the following command:
> winrm quickconfig
Answer 'y' to the following prompts:
- Set WinRM service type to delayed auto start?
- Create a WinRM listener on HTTP://* ....?
- From superuser.com: hit 'Start', in the search box enter gpedit.msc, then press 'Enter'.
- Find and click "Computer Configuration" -> "Administrative Templates" -> "Windows Components" -> "Windows Remote Shell" by drilling down into the folder structure on the left panel.
- Double click the "Allow Remote Shell Access" policy and then check "Enabled" in the box on the left.
- Click "OK" to accept the changes.
The script can be found on the Ansible Windows Support page. Download and run this script in a PowerShell with the -Verbose flag.
> ConfigureRemotingForAnsible.ps1 -Verbose
...
PS C:\Users\me\Desktop\ansible-windows7sp1> .\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Disabled | HTTPS: Enabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
In a PowerShell, enter the following command and you should see this as the output:
> winrm get winrm/config
...
PS C:\Users\me> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true [Source="GPO"]
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
If you're trying to use a Windows VM as part of your build chain, like me, you'll want to go ahead and increase the memory and number-of-processes quotas. To do this, enter the following commands (via social.technet.microsoft.com) in the PowerShell:
winrm set winrm/config/winrs '@{MaxProcessesPerShell="10000"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="8000"}'
This will allow the sessions to take up to 8GB of memory and 10,000 processes.
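As an added check that is not part of this repo's scripts, the following PowerShell function reads the same settings through the WSMan: drive and reports anything that differs from the state the guide expects after ConfigureRemotingForAnsible.ps1 and the quota commands above. The function name and the 10000/8000 minimums are assumptions taken from the two winrm set commands.

```powershell
# Added example, not part of the nckz/ansible-windows7sp1 repo: re-check the WinRM settings
# the guide cares about via the WSMan: drive instead of eyeballing 'winrm get winrm/config'.
# Assumes PowerShell 3.0+ (the guide installs 4.0) and an elevated prompt.
function Test-AnsibleWinRMConfig {
    param(
        [int]$MinProcessesPerShell = 10000,   # assumed: matches the quota commands above
        [int]$MinMemoryPerShellMB  = 8000
    )
    $findings = @()

    # Service side: never accept unencrypted SOAP. Basic auth sends credentials in the
    # clear unless the transport is HTTPS, so it is only acceptable with an HTTPS listener.
    if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -ne 'false') {
        $findings += 'Service/AllowUnencrypted should be false'
    }
    $basicAuth = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'

    # Listener side: expect exactly what the script reported, HTTP disabled, HTTPS enabled.
    $https = $false; $http = $false
    foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        $props = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
            ForEach-Object { $props[$_.Name] = $_.Value }
        if ($props['Enabled'] -ne 'true') { continue }
        switch ($props['Transport']) {
            'HTTPS' { $https = $true }
            'HTTP'  { $http  = $true }
        }
    }
    if (-not $https) { $findings += 'No enabled HTTPS listener (expected on port 5986)' }
    if ($http)       { $findings += 'HTTP listener still enabled; the Ansible script disables it' }
    if ($basicAuth -and -not $https) { $findings += 'Basic auth enabled without an HTTPS listener' }

    # Remote Shell access must be allowed (the guide sets this through gpedit.msc).
    if ((Get-Item WSMan:\localhost\Shell\AllowRemoteShellAccess).Value -ne 'true') {
        $findings += 'Winrs/AllowRemoteShellAccess is false'
    }

    # Quotas from the guide's 'winrm set winrm/config/winrs' commands.
    $procs = [int](Get-Item WSMan:\localhost\Shell\MaxProcessesPerShell).Value
    $mem   = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    if ($procs -lt $MinProcessesPerShell) { $findings += "MaxProcessesPerShell is only $procs" }
    if ($mem   -lt $MinMemoryPerShellMB)  { $findings += "MaxMemoryPerShellMB is only $mem" }

    return $findings
}

$result = @(Test-AnsibleWinRMConfig)
if ($result.Count -eq 0) { 'WinRM configuration matches the guide.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```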
I like to use a domain name instead of IP addresses, especially when testing a setup. This allows you to use the .local zeroconf TLD on your test network in conjunction with your computer's name. The Ansible example included in this repo uses win1.local. To change your computer's name follow these instructions from kb.iu.edu. To install Bonjour, download the binary from support.apple.com.
You may want to install zeroconf on your host; for Ubuntu hosts use:
$ sudo apt-get install avahi-daemon avahi-discover avahi-utils libnss-mdns service-discovery-applet mdns-scan
The test.yml is a simple test from docs.ansible.com that simply runs an IP check and a file stat. The one included here has the hosts changed to 'windows'. Before running run_test.sh, modify the HOSTS file with the user name and password that you plan to start a remote session with on your Windows machine. It is required that the user has a password.
In addition to the links I've used above, these posts were very useful for understanding why some settings are unsafe and how to turn those settings on.