This role creates a brand new Primary Domain Controller with a new Active Directory Domain/Forest. No hardening is applied.
Based on the work done by @jborean93 in jborean93/ansible-windows.
Works on
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
`python3-winrm` (pywinrm) is needed for WinRM.
defaults/main.yml
Variable | Description | Default value |
---|---|---|
pdc_administrator_username | Setting this to the Built-in Administrator account ensures that we know the password of NETBIOS\Administrator. 9/10 times you should leave this at the default value. | Administrator |
pdc_administrator_password | The password of the Built-in Administrator account. This password (if pdc_administrator_username is left at the default value) will become the password of NETBIOS\Administrator. Change this to a strong password. | P@ssw0rd! |
pdc_dns_nics | The name of the ethernet adapter to set up DNS on. Defaults to wildcard. 9/10 times you should leave this at the default value. | * |
pdc_dns_servers | The DNS server to use on pdc_dns_nics. Defaults to {{ ansible_host }}. 9/10 times you should leave this at the default value. | {{ ansible_host }} |
pdc_domain | The domain of the new Active Directory Forest. For testing/lab purposes it is recommended to use ad.domain.test. For production it is recommended to use an existing domain with an ad subdomain: ad.domain.tld | ad.example.test |
pdc_netbios | The NetBIOS name of the new Active Directory Forest. Change this depending on your needs. | TEST |
pdc_domain_path | The Distinguished Name of the domain. This should match the value given in pdc_domain (example: dc=ad,dc=domain,dc=test). | dc=ad,dc=example,dc=test |
pdc_domain_safe_mode_password | The Domain Safe Mode password. Change this to a strong password. | P@ssw0rd! |
pdc_domain_functional_level | Specifies the domain functional level of the first domain in the creation of a new forest. The domain functional level cannot be lower than the forest functional level, but it can be higher. Change this depending on your needs. | Default (Windows2008R2) |
pdc_forest_functional_level | Specifies the forest functional level for the new forest. The default forest functional level in Windows Server is typically the same as the version you are running. Change this depending on your needs. | Default (Windows2008R2) |
pdc_required_psmodules | PowerShell/DSC modules to install from the PSGallery. Always make sure to include ActiveDirectoryDsc for the WaitForAD check. 9/10 times you should leave this at the default value. | [xPSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc, ActiveDirectoryDsc] |
pdc_required_features | Windows Features that should be installed on the Domain Controller. Defaults to AD-domain-services and DNS. 9/10 times you should leave this at the default value. | ["AD-domain-services", "DNS"] |
pdc_desired_dns_forwarders | The desired DNS Forwarders for the PDC. Defaults to Google DNS. Change this depending on your needs. | ["8.8.8.8", "8.8.4.4"] |
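Two of the defaults above are placeholders that must not reach a real forest (both passwords are `P@ssw0rd!`), and `pdc_domain_path` has to agree with `pdc_domain` by hand. The following pre-flight checker is an added example, not part of this role: it takes the variables you intend to set for the role, merges them with the documented defaults, derives the expected distinguished name from `pdc_domain`, and reports any default password left in place. The 14-character minimum and the NetBIOS character rules are assumptions of this example; the role itself enforces neither.

```python
"""Pre-flight checks for justin_p.pdc role variables.

Added example (not part of the role): validates the variables a playbook
would pass to the role against the defaults documented in defaults/main.yml,
before the forest is created.
"""
import re

# Defaults copied from the defaults/main.yml table in the README.
ROLE_DEFAULTS = {
    "pdc_administrator_username": "Administrator",
    "pdc_administrator_password": "P@ssw0rd!",
    "pdc_domain": "ad.example.test",
    "pdc_netbios": "TEST",
    "pdc_domain_path": "dc=ad,dc=example,dc=test",
    "pdc_domain_safe_mode_password": "P@ssw0rd!",
}

# Assumed policy threshold for this example; the role enforces no minimum.
MIN_PASSWORD_LENGTH = 14

# Characters Windows does not permit in a NetBIOS name.
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')


def domain_to_dn(domain: str) -> str:
    """Derive the distinguished name the role expects in pdc_domain_path
    from a DNS domain name, e.g. ad.example.test -> dc=ad,dc=example,dc=test."""
    labels = domain.strip(".").lower().split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]{1,63}", lbl) for lbl in labels):
        raise ValueError(f"not a usable DNS domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def check_vars(role_vars: dict) -> list:
    """Return a list of findings; an empty list means the variables look sane."""
    merged = {**ROLE_DEFAULTS, **role_vars}
    findings = []

    # pdc_domain_path must be the DN form of pdc_domain.
    expected_dn = domain_to_dn(merged["pdc_domain"])
    if merged["pdc_domain_path"].replace(" ", "").lower() != expected_dn:
        findings.append(
            f"pdc_domain_path {merged['pdc_domain_path']!r} does not match "
            f"pdc_domain {merged['pdc_domain']!r}; expected {expected_dn!r}"
        )

    # NetBIOS domain names are limited to 15 characters and a restricted charset.
    netbios = merged["pdc_netbios"]
    if not 1 <= len(netbios) <= 15 or NETBIOS_FORBIDDEN & set(netbios):
        findings.append(
            f"pdc_netbios {netbios!r} is not a valid NetBIOS name "
            "(1-15 characters, none of \\ / : * ? \" < > |)"
        )

    # Neither password may be the documented default, and both should be long.
    for key in ("pdc_administrator_password", "pdc_domain_safe_mode_password"):
        value = merged[key]
        if value == ROLE_DEFAULTS[key]:
            findings.append(f"{key} is still the role default; set a strong unique password")
        elif len(value) < MIN_PASSWORD_LENGTH:
            findings.append(f"{key} is shorter than {MIN_PASSWORD_LENGTH} characters")

    return findings


if __name__ == "__main__":
    # Constructed sample: only the domain and NetBIOS name were changed, so the
    # DN mismatch and both default passwords are reported.
    sample = {"pdc_domain": "ad.corp.example", "pdc_netbios": "CORP"}
    for finding in check_vars(sample):
        print("FINDING:", finding)
```

Run it against the same values you put under `vars:` for the role (or pass with `-e`); a non-empty result means the play should not be run yet.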
- WinRM on the Windows host should be configured for Ansible.
- justin_p.posh5
- justin_p.wincom
```yaml
- hosts: primary_domain_controller
  roles:
    - role: justin_p.posh5
    - role: justin_p.wincom
    - role: justin_p.pdc
```
See https://github.com/justin-p/ansible-role-pdc/blob/master/tests/inventory.yml for an example inventory.
This role includes a Vagrantfile that will spin up a local Windows Server 2019 VM in VirtualBox.
After creating the VM it will automatically run our role.
- Run `pip3 install pywinrm` to install the WinRM dependency.
- Run `vagrant up` to create a VM and run our role.
- Run `vagrant provision` to reapply our role.
- Run `vagrant destroy -f && vagrant up` to recreate the VM and run our role.
- Run `vagrant destroy` to remove the VM.
License: MIT
- Justin Perdok (@justin-p), Orange Cyberdefense
Feel free to open issues, contribute and submit your Pull Requests. You can also ping me on Twitter (@JustinPerdok).