1. Request an SSL Certificate
- Pick a username and password for creating a local user account on each and every remote Windows machine. You will make your remote connections through this account.
- Use the username and password to create a certificate request (watch this video to see how). The common name on the certificate request must be a fully qualified domain name (something like localWindowsUser.aa.bb.acme.com), where localWindowsUser is the local Windows user account name you picked in sub-step #1 above and aa.bb.acme.com is the domain of your remote Windows machines. To get the domain, click on Run, type cmd, click OK, then type ipconfig; the domain name appears after Connection-specific DNS Suffix.
- Attach the certificate request file to an email message asking for an SSL certificate and send it to your IT department or another certificate authority.
- While IT works on that, continue with the following.
2. Install a version of Python prior to 3.0 (for example, Python 2.7.13) with the following or similar commands:
$ wget http://python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
$ tar xf Python-2.7.13.tar.xz
$ cd Python-2.7.13
$ ./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
$ make && make altinstall
3. Use the following or similar commands to install ansible, paramiko, PyYAML, Jinja2, httplib2, six and pywinrm. More instructions are here but they didn't help me much.
$ git clone git://github.com/ansible/ansible.git --recursive
$ cd ./ansible
$ sudo easy_install pip
$ sudo pip install paramiko PyYAML Jinja2 httplib2 six
$ pip install "pywinrm>=0.1.1"
$ pip install http://github.com/diyan/pywinrm/archive/master.zip#egg=pywinrm
4. Get root access to the folder /etc/ansible/ and create a text file named ansible.cfg with the following text in it. This tells Ansible where to look for your inventory file (the inventory file is the text file named hosts explained in step #5.)
[defaults]
inventory = /root/home/username/hosts
5. Create or edit the file /root/home/username/hosts to be something like the example below. When you specify a group name like windows, Ansible knows to carry out the task on every machine listed below the group name. See more details and examples here.
[windows]
123.123.123.123
234.234.234.234
(where windows is the name of your group and 123.123.123.123 and 234.234.234.234 are the IP addresses of your remote nodes; you may also use fully qualified domain names, see all options here)
6. The directory /etc/ansible/group_vars must contain a YAML file (a text file with a .yml extension) whose file name matches the group name you used in step #5 above (windows in this example). So the file /etc/ansible/group_vars/windows.yml should look something like this:
ansible_user: ansibleAdmin
ansible_password: p@$$w0rd
ansible_port: 5986
ansible_connection: winrm
(where ansible_user: is the username you picked in step #1, without the domain, and ansible_password: is the password you picked in step #1. ansible_port: 5986 means you want to use an encrypted HTTPS connection, and ansible_connection: winrm means that you want to connect to PowerShell on the Windows machine using the winrm module. Versions before Ansible 2.0 used ansible_ssh_pass: instead of ansible_password: and ansible_ssh_port: instead of ansible_port:.)
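An added example, not code from the original guide: a small Python check that every inventory group from step 5 has a matching group_vars file as step 6 requires, and that the file carries the WinRM settings described above. The function names and the flat key: value parser are assumptions made for this illustration, and the sample data in the demo is constructed.

```python
import os
import re
import tempfile

LEGACY = {"ansible_ssh_pass": "ansible_password", "ansible_ssh_port": "ansible_port"}

def inventory_groups(hosts_text):
    """Return {group: [hosts]} from an INI-style inventory like the one in step 5."""
    groups, current = {}, None
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            header = re.fullmatch(r"\[([^\]:]+)\]", line)
            current = header.group(1) if header else None  # skip [g:vars] sections
        elif line and current:
            groups.setdefault(current, []).append(line.split()[0])
    return groups

def flat_vars(yaml_text):
    """Parse the flat 'key: value' lines of step 6 (not a general YAML parser)."""
    pairs = (l.split(":", 1) for l in yaml_text.splitlines()
             if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check(hosts_text, group_vars_dir):
    """Return findings for each inventory group's group_vars/<group>.yml file."""
    findings = []
    for group in inventory_groups(hosts_text):
        path = os.path.join(group_vars_dir, group + ".yml")
        if not os.path.isfile(path):
            findings.append(f"{group}: missing {path} (name must match the group)")
            continue
        with open(path) as fh:
            v = flat_vars(fh.read())
        for old, new in LEGACY.items():
            if old in v:
                findings.append(f"{group}: {old} is the pre-2.0 name, use {new}")
        if v.get("ansible_connection") != "winrm":
            findings.append(f"{group}: ansible_connection is not winrm")
        if v.get("ansible_port", v.get("ansible_ssh_port")) != "5986":
            findings.append(f"{group}: port is not 5986, the HTTPS port used here")
        if "ansible_password" in v or "ansible_ssh_pass" in v:
            findings.append(f"{group}: password stored in clear text in {path}")
    return findings

if __name__ == "__main__":
    demo = tempfile.mkdtemp()  # constructed sample: a pre-2.0 style vars file
    with open(os.path.join(demo, "windows.yml"), "w") as fh:
        fh.write("ansible_ssh_pass: example\nansible_connection: winrm\n")
    print("\n".join(check("[windows]\n123.123.123.123\n", demo)))
```

The clear-text password finding fires for the file exactly as written in step 6; encrypting that file with ansible-vault is one way to keep the credential out of plain text on the control machine.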
7. Click on Start -> Control Panel -> Program and Features -> Add or Remove Programs. Scroll down to the M's and look for Microsoft .NET Framework. If you don't have version 4.0 or later, download and install it from here.
8. Create a local Windows account with admin privileges with the same username and password you picked in step #1 (also the same as in the file /etc/ansible/group_vars/windows.yml). Click on Start -> Control Panel -> Administrative Tools -> Computer Management. Click on the plus sign or arrow next to Local Users and Groups. Right click on Users then click on New User. Enter the user name for both User name and Full name. Enter the password. Click on Create, Close and Close. Click on Start -> Control Panel -> User Accounts. Click on Manage User Accounts. Select your new account and click on Properties. Click on the Group Membership tab and change the Group Membership from Standard User to Administrator. Click OK, OK and Close. Restart the computer. Note: The remote computer need not be logged into this account for Ansible to make a remote connection to PowerShell, but the account must exist.
9. You will get 2 certificates (2 files) from the certificate request you made in step #1. You only need to import the Intermediate Certificate once (this certificate basically authenticates the origin of the other certificate). Import the Intermediate Certificate to the Intermediate Certification Authority folder with Microsoft Management Console (MMC). Then import the other certificate (and all future certificates from that source) to the Trusted Root Certification Authority folder with Microsoft Management Console (MMC). Watch this video to learn how to use MMC.
10. Windows 7 machines and later have PowerShell installed in C:\Windows\System32\Windows Powershell\v1.0\