Having issues running win_domain_group


Craig Simon

Feb 3, 2020, 8:03:08 PM
to Ansible Project
Hey all,

I've been using Ansible with Linux for years, but now I have a need to use it to build out some Windows boxes and I am running into some issues.  So far I am able to install the AD-DS features and create my domain all properly, but I am unable to create any groups in the new domain that I am setting up.  When I try I get the error:

TASK [Gathering Facts] ***********************************************************************************************************************************************************************
ok: [XX.XX.XX.XX]

TASK [ping test] *****************************************************************************************************************************************************************************
ok: [XX.XX.XX.XX]

TASK [create the Mission domain group] *******************************************************************************************************************************************************
fatal: [XX.XX.XX.XX]: FAILED! => {"changed": false, "created": false, "msg": "failed to retrieve initial details for group Mission: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running."}

PLAY RECAP ***********************************************************************************************************************************************************************************
XX.XX.XX.XX                : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

I can't figure out what is causing this issue.  My reading of the documentation only says 

"This must be run on a host that has the ActiveDirectory powershell module installed."

I have tested that this is the case by RDPing into the host and performing an "Import-Module -Name ActiveDirectory" and the module does import.

The target is a Windows 2016 server running in AWS, my Ansible workstation is a Mac running Catalina with Ansible installed in a venv via pip.

Appreciate the help!
Thanks
Craig


Jesse Lyon

Feb 4, 2020, 3:25:57 PM
to Ansible Project
Install the RSAT role on your ansible target and that'll take care of your issue.

Jordan Borean

Feb 4, 2020, 4:39:08 PM
to Ansible Project
This issue is due to the double hop problem typically seen with WinRM. Any further outbound authentications from the Windows host (Ansible -> Windows host -> AD controller) will appear as an anonymous user and results in either access is denied or resource not found type errors. You have 3 options
  1. Use become on your task with the same credentials as the connection user

- name: run win_domain_group with become
  win_domain_group:
    ...
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'  # The module will run as this user and have its credentials enabled for further network authentication.
    ansible_become_pass: '{{ ansible_password }}'

  2. Use explicit credentials with win_domain_group, i.e. set domain_username and domain_password
  3. Use CredSSP or Kerberos with credential delegation set as your WinRM transport
All 3 options allow the requests to AD to be backed by a set of credentials so it doesn't appear as an anonymous user; they are just done in different ways.

Thanks

Jordan
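Options 2 and 3 from the reply above, written out as a playbook. This is an added example, not code from the original post; the host group, the vault variable names and the group scope are assumptions, and the Kerberos play assumes a domain-joined target and a forwardable ticket on the control node.

```yaml
# Added example (not from the original post): the two alternatives to become.
# Placeholders: host group "domain_controllers", vault_domain_user/password.

- name: Option 2 - explicit credentials passed to the module
  hosts: domain_controllers
  tasks:
    - name: create the Mission domain group using module-level credentials
      win_domain_group:
        name: Mission
        scope: global          # assumed; domainlocal/universal also valid
        state: present
        # The module authenticates to AD with these, so the non-delegable
        # WinRM logon token is never used for the second hop. Keep them in
        # Ansible Vault rather than in the playbook or inventory.
        domain_username: "{{ vault_domain_user }}"
        domain_password: "{{ vault_domain_password }}"

- name: Option 3 - a WinRM transport whose credential can be delegated
  hosts: domain_controllers
  vars:
    # Kerberos with delegation: the control node's ticket must be forwardable
    # (kinit -f) so the target can re-use it toward the domain controller.
    # CredSSP (ansible_winrm_transport: credssp) is the other delegable choice;
    # it sends the password to the target, so prefer Kerberos where possible.
    ansible_connection: winrm
    ansible_winrm_transport: kerberos
    ansible_winrm_kerberos_delegation: yes
  tasks:
    - name: create the Mission domain group; the delegated ticket backs the AD lookup
      win_domain_group:
        name: Mission
        scope: global
        state: present
```

With either play the AD query in the failing task is performed under a real identity, which is why the "Unable to contact the server" message from the first post goes away even though the domain controller was reachable all along.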