author | Jordan Borean <jborean93@gmail.com> | 2019-03-08 08:44:12 +1000 |
---|---|---|
committer | Toshio Kuratomi <a.badger@gmail.com> | 2019-03-11 11:53:04 -0700 |
commit | e0294275d7945f12584cb4fad3e460c295ffb445 (patch) | |
tree | 7cffd7b6b6c140a61f5ba766b69ba28b6706f267 | |
parent | c4748fd011d14dbdde83fb3a7556e5186de26635 (diff) | |
download | ansible-e0294275d7945f12584cb4fad3e460c295ffb445.tar.gz |
win_domain: fix issue when running without credential delegation (#53480)
* win_domain: fix issue when running without credential delegation
* Add check for reboot is required to complete role e install
* Fix changelog sanity issue
* removed meta file accidentally committed
(cherry picked from commit 008db85d44ac47fd36b9b5edf9771d04cafb451f)
-rw-r--r-- | changelogs/fragments/win_domain-cred.yaml | 3 | ||||
-rw-r--r-- | lib/ansible/modules/windows/win_domain.ps1 | 47 |
2 files changed, 34 insertions, 16 deletions
diff --git a/changelogs/fragments/win_domain-cred.yaml b/changelogs/fragments/win_domain-cred.yaml
new file mode 100644
index 0000000000..b174d20466
--- /dev/null
+++ b/changelogs/fragments/win_domain-cred.yaml
@@ -0,0 +1,3 @@
+bugfixes:
+- win_domain - Fix when running without credential delegated authentication - https://github.com/ansible/ansible/issues/53182
+- 'win_domain - Do not fail if DC is already promoted but a reboot is required, return ``reboot_required: True``'
diff --git a/lib/ansible/modules/windows/win_domain.ps1 b/lib/ansible/modules/windows/win_domain.ps1
index 7e5bc54f6a..fa9b6aee40 100644
--- a/lib/ansible/modules/windows/win_domain.ps1
+++ b/lib/ansible/modules/windows/win_domain.ps1
@@ -43,10 +43,12 @@ $result = @{changed=$false; reboot_required=$false}
 Ensure-Prereqs
-Try {
- $forest = Get-ADForest $dns_domain_name -ErrorAction SilentlyContinue
-}
-Catch { }
+$forest = $null
+try {
+ # Cannot use Get-ADForest as that requires credential delegation, the below does not
+ $forest_context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList Forest, $dns_domain_name
+ $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($forest_context)
+} catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] { }
 If(-not $forest) {
 $result.changed = $true
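Review bot: The catch around Forest.GetForest now swallows only ActiveDirectoryObjectNotFoundException, so any other failure of the lookup — for instance an ActiveDirectoryOperationException or an authentication error when the name resolves but the directory cannot be contacted — propagates out of the script, presumably surfacing through the module wrapper as an unhandled exception with a raw .NET message. Failing closed there is the right default (the old `-ErrorAction SilentlyContinue` plus `Catch { }` left `$forest` empty on any error and fell through to promotion), but the failure should be explicit and name the operation: add a second handler after the ObjectNotFound catch, `} catch { Fail-Json -obj $result -message "Failed to query forest '$dns_domain_name': $($_.Exception.Message)" }`. It would also help to extend the comment inside the try so the narrowed catch reads as deliberate, e.g. `# Only 'not found' means the forest should be created; any other error is surfaced rather than silently treated as 'no forest'`.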
@@ -71,20 +73,33 @@ If(-not $forest) {
 if ($domain_netbios_name) {
 $install_forest_args.DomainNetBiosName = $domain_netbios_name
 }
-
- $iaf = Install-ADDSForest @install_forest_args
-
- $result.reboot_required = $iaf.RebootRequired
- # The Netlogon service is set to auto start but is not started. This is
- # required for Ansible to connect back to the host and reboot in a
- # later task. Even if this fails Ansible can still connect but only
- # with ansible_winrm_transport=basic so we just display a warning if
- # this fails.
+ $iaf = $null
 try {
- Start-Service -Name Netlogon
- } catch {
- Add-Warning -obj $result -message "Failed to start the Netlogon service after promoting the host, Ansible may be unable to connect until the host is manually rebooting: $($_.Exception.Message)"
+ $iaf = Install-ADDSForest @install_forest_args
+ } catch [Microsoft.DirectoryServices.Deployment.DCPromoExecutionException] {
+ # ExitCode 15 == 'Role change is in progress or this computer needs to be restarted.'
+ # DCPromo exit codes details can be found at https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment
+ if ($_.Exception.ExitCode -eq 15) {
+ $result.reboot_required = $true
+ } else {
+ Fail-Json -obj $result -message "Failed to install ADDSForest with DCPromo: $($_.Exception.Message)"
+ }
+ }
+
+ if ($null -ne $iaf) {
+ $result.reboot_required = $iaf.RebootRequired
+
+ # The Netlogon service is set to auto start but is not started. This is
+ # required for Ansible to connect back to the host and reboot in a
+ # later task. Even if this fails Ansible can still connect but only
+ # with ansible_winrm_transport=basic so we just display a warning if
+ # this fails.
+ try {
+ Start-Service -Name Netlogon
+ } catch {
+ Add-Warning -obj $result -message "Failed to start the Netlogon service after promoting the host, Ansible may be unable to connect until the host is manually rebooting: $($_.Exception.Message)"
+ }
 }
 }
 }
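Review bot: The Fail-Json message in the new DCPromoExecutionException handler omits the one value the comment above it points the reader at: the exit code, which is the key into the linked troubleshooting table. Include it in the failure, `Fail-Json -obj $result -message "Failed to install ADDSForest with DCPromo (exit code $($_.Exception.ExitCode)): $($_.Exception.Message)"`, so an operator can look it up without re-running the promotion. Separately, on the ExitCode 15 path `$result.changed` is presumably still `$true` from the assignment at the top of `If(-not $forest)` in the previous hunk, even though this run performed no promotion; if that is intended because the earlier promotion is what is pending, a comment such as `# changed stays $true: the pending reboot completes the promotion started by an earlier run` would keep the next reader from "fixing" it. The enclosing `If(-not $forest)` block begins before this hunk.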