unable to install exchange 2016 using ansible

Chandra Pandey

Sep 12, 2016, 3:48:49 PM
to Ansible Project
I get an error while installing a fresh Exchange 2016 server using Ansible:


ExchangeSetup.log Error 

Active Directory operation failed on . The supplied credential for 'ADS\Chandra Pandey' is invalid.
[09/12/2016 19:34:45.0055] [0] The supplied credential is invalid


Ansible Error: 

<dev-01.xyz.com> WINRM RESULT u'<Response code 0, out "C:\\Users\\Chandra Pan", err "">'
<dev-01.xyz.com> PUT "/etc/ansible/playbooks/exch.ps1" TO "C:\Users\Chandra Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1"
<dev-01.xyz.com> WINRM PUT "/etc/ansible/playbooks/exch.ps1" to "C:\Users\Chandra Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1" (offset=121 size=121)
<dev-01.xyz.com> EXEC &  'C:\Users\Chandra Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1'
<dev-01.xyz.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABDAGgAYQBuAGQAcgBhACAAUABhAG4AZABlAHkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMANwAwADgAOAA0ADYALgA1AC0AMgA4ADAAMwA0ADUANwA3ADkAMwAzADMAMAAyADUAXABlAHgAYwBoAC4AcABzADEAJwA=']
<dev-01.xyz.com> WINRM RESULT u'<Response code 0, out "\r\nWelcome to Microso", err "There is a pending r">'
<dev-01.xyz.com> EXEC Set-StrictMode -Version Latest
Remove-Item "C:\Users\Chandra Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025" -Force -Recurse;
<dev-01.xyz.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEMAaABhAG4AZAByAGEAIABQAGEAbgBkAGUAeQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA3ADAAOAA4ADQANgAuADUALQAyADgAMAAzADQANQA3ADcAOQAzADMAMwAwADIANQAiACAALQBGAG8AcgBjAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwA=']
<dev-01.xyz.com> WINRM RESULT u'<Response code 0, out "", err "">'
<dev-01.xyz.com> WINRM CLOSE SHELL: 2304FF63-3899-4A5F-AA24-67A3E8DAF0B1
changed: [dev-01.xyz.com] => {"changed": true, "invocation": {"module_args": {"_raw_params": "exch.ps1"}, "module_name": "script"}, "rc": 0, "stderr": "There is a pending reboot from a previous installation of a Windows Server role or feature. Please restart the computer and then run Setup again.\r\nYou must be a member of the 'Organization Management' role group or a member of the 'Enterprise Admins' group to continue.\r\nYou must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.\r\nYou must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology.\r\nYou must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology.\r\nYou must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.\r\nYou must use an account that's a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology.\r\nYou must use an account that's a member of the Organization Management role group to install the first Mailbox server role in the topology.\r\nSetup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'ADS\\Chandra Pandey' is invalid.  
See the Exchange setup log for more information on this error.\r\nEither Active Directory doesn't exist, or it can't be contacted.\r\n", "stdout": "\r\nWelcome to Microsoft Exchange Server 2016 Unattended Setup\r\n\r\nCopying Files...\r\nFile copy complete.\r\nSetup will now collect additional information needed for installation.\r\n\r\n     Languages\r\n     Management tools\r\n     Mailbox role: Transport service\r\n     Mailbox role: Client Access service\r\n     Mailbox role: Unified Messaging service\r\n     Mailbox role: Mailbox service\r\n     Mailbox role: Front End Transport service\r\n     Mailbox role: Client Access Front End service\r\n\r\nPerforming Microsoft Exchange Server Prerequisite Check\r\n\r\n Configuring Prerequisites ... COMPLETED\r\n Prerequisite Analysis\r\n\r\nThe Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\\ExchangeSetupLogs folder.\r\n", "stdout_lines": ["", "Welcome to Microsoft Exchange Server 2016 Unattended Setup", "", "Copying Files...", "File copy complete.", "Setup will now collect additional information needed for installation.", "", "     Languages", "     Management tools", "     Mailbox role: Transport service", "     Mailbox role: Client Access service", "     Mailbox role: Unified Messaging service", "     Mailbox role: Mailbox service", "     Mailbox role: Front End Transport service", "     Mailbox role: Client Access Front End service", "", "Performing Microsoft Exchange Server Prerequisite Check", "", " Configuring Prerequisites ... COMPLETED", " Prerequisite Analysis", "", "The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\\ExchangeSetupLogs folder."]}


==========

event errors:

The description for Event ID 4027 from source MSExchange ADAccess cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

ExSetup.exe
7044
Get Servers for ads.xyz.com
TopologyClientTcpEndpoint (localhost)
3
System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService. The connection attempt lasted for a time span of 00:00:02.0468972. TCP error code 10061: No connection could be made because the target machine actively refused it [::1]:890.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it [::1]:890
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open()
   at Microsoft.Exchange.Net.ServiceProxyPool`1.GetClient(Int32 retry, Boolean& doNotReturnProxyAfterRetry, Boolean useCache)
   at Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception)

the message resource is present but the message is not found in the string/message table


======================

The description for Event ID 106 from source MSExchange Common cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

1
Base for Average Latency
MSExchange ServiceProxyPool
The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.IncrementBy(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.IncrementBy(Int64 incrementValue)
Last worker process info : Last worker process info not available!
Processes running while Performance counter failed to update: 
Performance Counters Layout information: FileMappingNotFoundException for category MSExchange ServiceProxyPool : Microsoft.Exchange.Diagnostics.FileMappingNotFoundException: Cound not open File mapping for name Global\netfxcustomperfcounters.1.0msexchange serviceproxypool. Error Details: 2
   at Microsoft.Exchange.Diagnostics.FileMapping.OpenFileMapping(String name, Boolean writable)
   at Microsoft.Exchange.Diagnostics.PerformanceCounterMemoryMappedFile.Initialize(String fileMappingName, Boolean writable)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetAllInstancesLayout(String categoryName)



the message resource is present but the message is not found in the string/message table


============================

Login successful on system


An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: ADS\Chandra Pandey
Account Name: Chandra Pandey
Account Domain: ADS
Logon ID: 0xD475400
Logon GUID: {10046cb6-9f06-048b-d251-f66c2878fa16}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

===================

Special privileges assigned to new logon.

Subject:
Security ID: ADS\Chandra Pandey
Account Name: Chandra Pandey
Account Domain: ADS
Logon ID: 0xD475400

Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege

===================================================== 






I am part of "Organization Management role group" in AD

I am able to run ansible commands for dev-01 server with the same ads\chandra pandey credentials but can't install Exchange.

J Hawkesworth

Sep 12, 2016, 4:47:58 PM
to Ansible Project
Can you share your playbook for creating Exchange?

Is there anything useful in <SystemDrive>:\\ExchangeSetupLogs\\ExchangeSetup.log ?

One of the errors was about being unable to talk to a local port.  Does there need to be some firewall configuration before running this step?

I think it is possible that you need auth delegation (I don't know anything about Exchange architecture, but if it requires talking to other Windows hosts during installation it might need auth delegation).

To use auth delegation, ensure you are running pywinrm 0.2.0 and set the following in your windows group_vars/ inventory:

ansible_winrm_transport: kerberos
ansible_winrm_kerberos_delegation: yes

I hope the above helps, please let us know how you get on.

Jon

Matt Davis

Sep 15, 2016, 6:23:57 PM
to Ansible Project
I'm actually undertaking the same task this week for a PoC demo, so I'll let you know if I figure out the magic incantations to get it working. :)

-Matt

Chandra Pandey

Sep 16, 2016, 3:50:48 AM
to Ansible Project
Hi, thanks, will wait for your result...

Matt Davis

Sep 16, 2016, 7:25:37 PM
to Ansible Project
Worked fine for me using Kerberos delegation: ansible_winrm_transport=kerberos and ansible_winrm_kerberos_delegation=yes. The setup takes so ridiculously long that I didn't try it any other way, so your mileage may vary.

-Matt

Chandra Pandey

Sep 17, 2016, 9:50:01 AM
to Ansible Project

I am getting the below message after enabling delegation. Also pasting my playbook and Ansible settings, if you can review them against yours?


========
[root@dev-testser-lx01 playbooks]# vi /etc/ansible/hosts
[root@dev-testser-lx01 playbooks]# ansible-playbook win_exchange.yml -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback default of type stdout, v2.0

PLAYBOOK: win_exchange.yml *****************************************************
1 plays in win_exchange.yml

PLAY [install] *****************************************************************

TASK [install exchange] ********************************************************
task path: /etc/ansible/playbooks/win_exchange.yml:19
<dev-ansiblewn01.ads.xyz.com> ESTABLISH WINRM CONNECTION FOR USER: Chandra Pan...@ADS.xyz.COM on PORT 5986 TO dev-ansiblewn01.ads.xyz.com
fatal: [dev-ansiblewn01.ads.xyz.com]: UNREACHABLE! => {"changed": false, "msg": "kerberos: 'module' object has no attribute 'util'", "unreachable": true}
        to retry, use: --limit @win_exchange.retry

PLAY RECAP *********************************************************************
dev-ansiblewn01.ads.xyz.com : ok=0    changed=0    unreachable=1    failed=0

====================

My hosts setting 




[wintestserverchandra]
[wintestserverchandra:vars]
ansible_ssh_user = Chandra Pan...@ADS.xyz.COM
#ansible_ssh_user = ADS\Chandra Pandey
#ansible_ssh_pass = password
#ansible_winrm_transport = ntlm
ansible_winrm_transport = kerberos
ansible_winrm_kerberos_delegation = yes
ansible_connection = winrm
ansible_ssh_port = 5986
ansible_winrm_server_cert_validation = ignore
~
~

================

My playbook

---
- name: install

  hosts: wintestserverchandra
  gather_facts: false
  tasks:
     - name: install exchange
       raw: 'D:\install\Exchange2016\.\Setup.exe /mode:Install /role:Mailbox /TargetDir:D:\Mailbox /IAcceptExchangeServerLicenseTerms'
      
~
~
~
=================

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Chandra Pan...@ADS.XYZ.COM

Valid starting       Expires              Service principal
09/17/2016 09:12:06  09/17/2016 19:12:06  krbtgt/ADS.X...@ADS.XYZ.COM
        renew until 09/18/2016 09:12:03


================================

Matt Davis

Sep 19, 2016, 6:46:53 PM
to Ansible Project
Make sure you're using the very latest pykerberos package from PyPI, not kerberos (remove kerberos if it's there) to get all the latest goodies lit up.

Chandra Pandey

Sep 20, 2016, 6:08:38 AM
to Ansible Project
Hi,

Can you please let me know the commands to install, and the configuration of host or group vars?

J Hawkesworth

Sep 22, 2016, 3:23:02 AM
to Ansible Project
The following ought to remove pykerberos and install kerberos and latest version of pywinrm.  Latest version of pywinrm also needs requests-kerberos to make kerberos connections - if it doesn't get installed, install that too.  Check what you have installed using 'pip list'

pip uninstall pykerberos

pip install kerberos
pip install pywinrm==0.2.0

You should be able to set configuration in host or group vars.  Generally I prefer to use group_vars so I don't have to copy and paste settings for individual hosts, but it's really a case of what makes sense for your inventory.

Jon

Matt Davis

Sep 22, 2016, 1:40:59 PM
to Ansible Project
There's actually a bug in pywinrm for older Pythons (e.g., the one in RHEL7) that is triggered by enabling kerberos delegation. It's fixed in pywinrm 0.2.1.
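
Added example, not part of any post in this thread: a preflight check for the Ansible control node that encodes the package advice from Matt Davis's posts (pykerberos rather than kerberos, pywinrm 0.2.1 or later for the delegation fix) plus the requests-kerberos dependency mentioned above. The function names are hypothetical, and it assumes a Python 3 interpreter with importlib.metadata, run in the same environment as Ansible.

```python
"""Preflight check for the Kerberos-delegation prerequisites named in this thread.

Added example; package names and the 0.2.1 threshold come from the posts above.
"""
from importlib import metadata

# Distribution names mentioned in the thread. 'kerberos' and 'pykerberos'
# both provide a top-level module named 'kerberos', so only one should exist.
PACKAGES = ("pywinrm", "pykerberos", "kerberos", "requests-kerberos")
MIN_PYWINRM = (0, 2, 1)  # delegation bug on older Pythons is fixed here, per the thread


def parse_version(text):
    """Turn '0.2.1' into (0, 2, 1); ignore any non-numeric suffix such as 'rc1'."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def installed_versions(names=PACKAGES):
    """Return {name: version or None} for the running interpreter."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def check_control_node(installed):
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    pywinrm = installed.get("pywinrm")
    if pywinrm is None:
        problems.append("pywinrm is not installed")
    elif parse_version(pywinrm) < MIN_PYWINRM:
        problems.append("pywinrm %s is older than 0.2.1" % pywinrm)
    if installed.get("kerberos") is not None:
        problems.append("'kerberos' is installed; remove it and use pykerberos")
    if installed.get("pykerberos") is None:
        problems.append("pykerberos is not installed")
    if installed.get("requests-kerberos") is None:
        problems.append("requests-kerberos is not installed")
    return problems


if __name__ == "__main__":
    for line in check_control_node(installed_versions()) or ["ok"]:
        print(line)
```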