Windows cannot run Active Directory commands
Tags: windows, powershell, ansible, windows-server-2012-r2, winrm

I cannot use Active Directory commands such as Get-ADDomain, Get-ADUser and so on in a PowerShell script run through Ansible. Basic commands like ls and New-Item work fine.
Environment
Configuration
I enabled WinRM on Windows Server 2012 with a PowerShell script.
PowerShell script
This is the basic script I am trying to execute through Ansible:
ls
New-Item -Path C:\testfile.txt -ItemType file
Import-Module ActiveDirectory
Get-Module
Get-ADDomain
Problem
When the above script runs, the ActiveDirectory module appears to load correctly, but every Active Directory command fails with the following error:
Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
Interestingly, the same script runs without any error when executed directly in PowerShell.
Below is the verbose Ansible output:
root@box88:~# ansible-playbook /etc/ansible/win_test.yml
PLAY [windows] *****************************************************************
TASK [wintest : include] *******************************************************
included: /etc/ansible/roles/wintest/tasks/win_test.yml for box62.test.com
TASK [wintest : script] ********************************************************
changed: [box62.test.com]
TASK [wintest : debug] *********************************************************
ok: [box62.test.com] => {
"res.stdout_lines + [ res.stderr ]": [
"",
"",
" Directory: C:\\Users\\vkumar",
"",
"",
"Mode LastWriteTime Length Name ",
"---- ------------- ------ ---- ",
"d-r-- 6/28/2016 9:10 AM Contacts ",
"d-r-- 7/19/2016 9:30 PM Desktop ",
"d-r-- 6/28/2016 9:10 AM Documents ",
"d-r-- 6/28/2016 9:10 AM Downloads ",
"d-r-- 6/28/2016 9:10 AM Favorites ",
"d-r-- 6/28/2016 9:10 AM Links ",
"d-r-- 6/28/2016 9:10 AM Music ",
"d-r-- 6/28/2016 9:10 AM Pictures ",
"",
"",
" Directory: C:\\",
"",
"",
"Mode LastWriteTime Length Name ",
"---- ------------- ------ ---- ",
"-a--- 7/19/2016 10:01 PM 0 testfile.txt ",
"",
"Name : ActiveDirectory",
"Path : C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDi",
" rectory\\ActiveDirectory.psd1",
"Description : ",
"Guid : 43c15630-959c-49e4-a977-758c5cc93408",
"Version : 1.0.0.0",
"ModuleBase : C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDi",
" rectory",
"ModuleType : Manifest",
"PrivateData : ",
"AccessMode : ReadWrite",
"ExportedAliases : {}",
"ExportedCmdlets : {[Add-ADCentralAccessPolicyMember, ",
" Add-ADCentralAccessPolicyMember], ",
" [Add-ADComputerServiceAccount, ",
" Add-ADComputerServiceAccount], ",
" [Add-ADDomainControllerPasswordReplicationPolicy, ",
" Add-ADDomainControllerPasswordReplicationPolicy], ",
" [Add-ADFineGrainedPasswordPolicySubject, ",
" Add-ADFineGrainedPasswordPolicySubject]...}",
"ExportedFunctions : {}",
"ExportedVariables : {}",
"NestedModules : {Microsoft.ActiveDirectory.Management}",
"",
"",
"Name : Microsoft.PowerShell.Management",
"Path : C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsof",
" t.PowerShell.Management\\Microsoft.PowerShell.Management.psd",
" 1",
"Description : ",
"Guid : eefcb906-b326-4e99-9f54-8b4bb6ef3c6d",
"Version : 3.1.0.0",
"ModuleBase : C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"ModuleType : Manifest",
"PrivateData : ",
"AccessMode : ReadWrite",
"ExportedAliases : {}",
"ExportedCmdlets : {[Add-Computer, Add-Computer], [Add-Content, Add-Content], ",
" [Checkpoint-Computer, Checkpoint-Computer], ",
" [Clear-Content, Clear-Content]...}",
"ExportedFunctions : {}",
"ExportedVariables : {}",
"NestedModules : {Microsoft.PowerShell.Commands.Management.dll}",
"",
"",
"",
"Get-ADDomain : Unable to contact the server. This may be because this server \r\ndoes not exist, it is currently down, or it does not have the Active Directory \r\nWeb Services running.\r\nAt C:\\Users\\vkumar\\AppData\\Local\\Temp\\ansible-tmp-1468990893.98-136722234533486\r\n\\test.ps1:5 char:1\r\n+ Get-ADDomain\r\n+ ~~~~~~~~~~~~\r\n+ CategoryInfo : ResourceUnavailable: (TEST:ADDomain) [Get-ADDoma \r\nin], ADServerDownException\r\n+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirector \r\ny.Management.Commands.GetADDomain\r\n"
]
}
PLAY RECAP *********************************************************************
box62.test.com : ok=3 changed=1 unreachable=0 failed=0
root@box88:~#
It sounds like PowerShell cannot discover a domain controller in the Ansible environment? You could run this instead:
Get-ADDomain -Server MyDomainController
Last week I stumbled on the same problem while configuring a PowerShell worker node to run AD scripts. After digging around, I found the book and brushed up on it. Shortly afterwards I found a question on ServerFault that made me suspect this was a Kerberos double-hop authentication issue, particularly from the comments and answer of one user there. So I followed this advice from the Ansible documentation (the same document that user pointed to):

- Set ansible_winrm_transport to kerberos (with ansible_winrm_kerberos_delegation=true) or credssp to bypass the double hop issue and access network resources

ansible_winrm_transport was already set to kerberos. My solution was to add the following line:
ansible_winrm_kerberos_delegation: true
to my group vars file. After that I ran my playbook, which runs a script named TestAD.ps1 that tries to run Get-ADDomain. This is the final Ansible output:
ok: [psworker.domain.com] => {
"msg": {
"changed": true,
"cmd": "powershell.exe C:/scripts/TestAD.ps1",
"delta": "0:00:01.101562",
"end": "2020-07-31 09:08:44.785758",
"failed": false,
"rc": 0,
"start": "2020-07-31 09:08:43.684196",
"stderr": "",
"stderr_lines": [],
"stdout_lines": [
"Unrestricted",
"",
"",
"AllowedDNSSuffixes : {}",
"ChildDomains : {}",
"ComputersContainer : OU=mydomain Servers,DC=mydomain,DC=com",
"DeletedObjectsContainer : CN=Deleted Objects,DC=mydomain,DC=com",
"DistinguishedName : DC=mydomain,DC=com",
"DNSRoot : mydomain.com",
"DomainControllersContainer : OU=Domain Controllers,DC=mydomain,DC=com",
"DomainMode : Windows2012R2Domain",
"DomainSID : S-1-5-21-644830395-273481423-308473177",
"ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=mydomain,DC=com",
"Forest : mydomain.com",
"InfrastructureMaster : devdc00.mydomain.com",
"LastLogonReplicationInterval : ",
"LinkedGroupPolicyObjects : {cn={BD2441AA-23B7-4D11-B499-73642A1734A8},cn=policies,cn=system,DC=mydomain,DC=",
" com, cn={E73254A1-C013-4D45-8BB3-FEE2E1300B11},cn=policies,cn=system,DC=mydomain",
" ,DC=com, cn={CF7575AC-E140-4869-B8C7-904C753D8E28},cn=policies,cn=system,DC=mydoma",
" in,DC=com, cn={C63CB9EB-262E-4AD7-BC0B-70B3EF2F7B48},cn=policies,cn=system,DC=my",
" domain,DC=com...}",
"LostAndFoundContainer : CN=LostAndFound,DC=mydomain,DC=com",
"ManagedBy : ",
"Name : mydomain",
"NetBIOSName : mydomain",
"ObjectClass : domainDNS",
"ObjectGUID : 6f59e1a2-8857-46f2-90fd-51710bde58d6",
"ParentDomain : ",
"PDCEmulator : devdc00.mydomain.com",
"PublicKeyRequiredPasswordRolling : ",
"QuotasContainer : CN=NTDS Quotas,DC=mydomain,DC=com",
"ReadOnlyReplicaDirectoryServers : {}",
"ReplicaDirectoryServers : {dc01.mydomain.com, devdc00.mydomain.com}",
"RIDMaster : dc00.mydomain.com",
"SubordinateReferences : {DC=DomainDnsZones,DC=mydomain,DC=com, DC=ForestDnsZones,DC=mydomain,DC=com, ",
" CN=Configuration,DC=mydomain,DC=com}",
"SystemsContainer : CN=System,DC=mydomain,DC=com",
"UsersContainer : CN=Users,DC=mydomain,DC=com",
"",
"",
""
]
}
}
Here are the settings from my group_vars file (they can also be set directly in the playbook):
I use the exact same PowerShell script to configure WinRM for Ansible.
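The two answers above point at different causes: the first suggests naming a domain controller explicitly, the second identifies the Kerberos double hop and fixes it on the Ansible side. The script below is an editor's added diagnostic, not code from the question or from either answer, that tells those cases apart from inside the WinRM session. It assumes it runs on the Windows host through Ansible's script or win_shell module, that the ActiveDirectory module is installed as in the question, and that ADWS listens on its default TCP port 9389; the optional -Server parameter and the Test-AdwsPort and Get-SessionTgtState helpers are the example's own names.

```powershell
<#
  Added diagnostic for the ADServerDownException shown in the question (editor's example,
  not from the original post or answers). Assumes it runs inside the Ansible WinRM session
  on the Windows host; 9389 is the default Active Directory Web Services port.
#>
param(
    [string]$Server   # optional explicit domain controller, as in "Get-ADDomain -Server"
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-AdwsPort {
    # Plain TCP reachability check for ADWS; avoids Test-NetConnection so it also works
    # where the NetTCPIP module is unavailable.
    param([string]$HostName, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-SessionTgtState {
    # A WinRM session created by a Kerberos network logon without delegation holds no TGT,
    # so klist lists no krbtgt/ ticket. With ansible_winrm_kerberos_delegation the forwarded
    # TGT is present; that presence is the difference between the two outputs on this page.
    $klist = & klist.exe 2>&1 | Out-String
    return ($klist -match 'krbtgt/')
}

$hasTgt = Get-SessionTgtState
Write-Output ("Identity          : {0}" -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
Write-Output ("Kerberos TGT here : {0}" -f $hasTgt)

if (-not $Server) {
    # The DC locator (DsGetDcName) needs no credential, so discovery works even in the broken case.
    try {
        $dc = Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop
        $Server = ($dc.HostName | Select-Object -First 1)
        Write-Output ("Discovered DC     : {0}" -f $Server)
    } catch {
        Write-Warning ("DC discovery failed: {0}" -f $_.Exception.Message)
    }
}

try {
    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    Write-Output ("Get-ADDomain OK   : {0} {1}" -f $domain.DNSRoot, $domain.DomainSID)
    exit 0
} catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
    # Same exception type as in the question's output; classify it instead of just printing it.
    if (-not $hasTgt) {
        Write-Warning "No TGT in this logon session: this is the Kerberos double hop. -Server only chooses which DC is asked, it does not supply a credential; enable ansible_winrm_kerberos_delegation (kerberos transport) or use CredSSP on the Ansible side."
    } elseif ($Server -and -not (Test-AdwsPort -HostName $Server)) {
        Write-Warning ("TCP 9389 on {0} is unreachable: check the ADWS service and host firewall on that DC." -f $Server)
    } else {
        Write-Warning ("TGT present and ADWS reachable; inspect the underlying error: {0}" -f $_.Exception.Message)
    }
    exit 1
}
```

Run it the same way the question runs test.ps1 (the script module) and read the warning: "No TGT" means the session was created by a network logon that cannot authenticate onward, which is what the second answer fixes with ansible_winrm_transport: kerberos plus ansible_winrm_kerberos_delegation: true in group_vars; for that to work the Ansible control node must itself hold a forwardable TGT (kinit -f, or forwardable = true in krb5.conf). Two cautions a practitioner should weigh before turning delegation on: it forwards the Ansible user's full TGT to the managed host, so that host can act as that user against any service until the ticket expires, and the CredSSP alternative hands the host the password itself. Use a dedicated, minimally privileged automation account for either option.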