Upload Ansible Files

playbook/roles/windows_adcontroller_install/files/checkliste.txt

@@ -0,0 +1,5 @@
+Das ist Checklist für nach der Grundinstallation
+- User kontollieren ob alle angelegt sind
+- Azure-Client Einrichten (siehe HOWTo Cloud)
+- Lizneznmanager Einrichten (siehe HOWTo Cloud)
+- 

playbook/roles/windows_adcontroller_install/tasks/main.yaml

@@ -0,0 +1,221 @@
+- name: Check AD-Controller Service exists
+  ansible.builtin.win_service:
+    name: NTLD
+  register: file_check_ntld
+  ignore_unreachable: yes
+
+- name: Install Active-Directory-Service
+  ansible.builtin.win_shell:
+    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -IncludeAllSubFeature
+  when: file_check_ntld.exists == False
+
+- name: Reboot ad-controller
+  ansible.builtin.win_shell:
+    shutdown -t 0 -r
+  when: file_check_ntld.exists == False
+
+- name: Wait for Server Reboot
+  ansible.builtin.wait_for_connection:
+    delay: 10
+    timeout: 60
+  when: file_check_ntld.exists == False
+
+- name: Disable Local-Administrator-User
+  ansible.builtin.win_user:
+    name: Administrator
+    account_disabled: true
+  when: file_check_ntld.exists == False
+
+- name: Install-ADDSForest
+  ansible.builtin.win_shell: |
+    $password = ConvertTo-SecureString -String "adm.3dfx12" -AsPlainText -Force
+    Install-ADDSForest -DomainName {{ kundendomain }} -InstallDNS:$true -SafeModeAdministratorPassword $password -DomainMode WinThreshold -ForestMode WinThreshold -Force
+  when: file_check_ntld.exists == False
+
+- name: Wait for Server Reboot
+  ansible.builtin.wait_for_connection:
+    delay: 10
+    # timeout: 300
+  when: file_check_ntld.exists == False
+
+- name: Disable AD-Administrator-User
+  ansible.builtin.win_shell:
+    Disable-ADAccount -Identity "Administrator"
+  when: file_check_ntld.exists == False
+
+- name: ADD Reverse DNS Zone
+  ansible.builtin.win_shell:
+    Add-DnsServerPrimaryZone -NetworkID "{{privatip}}/24" -ReplicationScope "Domain"eml.kommerziale@tnp-gruppe.deeml.kommerziale@tnp-gruppe.de
+
+- name: ADD DNS Roles
+  ansible.builtin.win_shell: | 
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-ROU01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.1" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-SMTP01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.2" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-HAPROX01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.3" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-NEXT01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.4" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-DATA01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.5" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-CMS01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.6" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-AD01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.8" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-RDS01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.7" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-EX01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.9" -CreatePtr:$true
+    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-APP01" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{privatip}}.10" -CreatePtr:$true
+
+- name: Create OU System-Accounts
+  ansible.builtin.win_shell:
+    New-ADOrganizationalUnit -Name "System-Accounts" -Path "DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}"
+
+- name: Create OU System-Accounts
+  ansible.builtin.win_shell:
+    New-ADOrganizationalUnit -Name "System-Gruppen" -Path "DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}"
+
+- name: Create OU Kunden-Gruppen
+  ansible.builtin.win_shell:
+    New-ADOrganizationalUnit -Name "{{ kundenkürzel }}-Gruppen" -Path "DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}"
+
+- name: Create OU Kunden-Gruppen
+  ansible.builtin.win_shell:
+    New-ADOrganizationalUnit -Name "{{ kundenkürzel }}-Benutzer" -Path "DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}"
+
+- name: Create Stines Admin
+  ansible.builtin.win_shell: |
+    $adminpw = ConvertTo-SecureString -String "adm.3dfx12" -AsPlainText -Force
+    New-ADUser -Name "Stines Admin" -GivenName "Stines" -Surname "Admin" -SamAccountName "stinessu" -UserPrincipalName "stinessu@{{kundendomain}}" -Path "OU=System-Accounts,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Enabled $true -AccountPassword $adminpw -ChangePasswordAtLogon:$false -PasswordNeverExpires:$true
+    Add-ADGroupMember -Identity Domänen-Admins -Members stinessu
+    $group = get-adgroup "Domänen-Admins" -properties @("primaryGroupToken")
+    get-aduser "stinessu" | set-aduser -replace @{primaryGroupID=$group.primaryGroupToken}
+
+- name: Create LDAP-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "LDAP-Admins" -SamAccountName LDAPAdmins -GroupCategory Security -GroupScope Global -DisplayName "LDAP-Admins" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "LDAP Admins für LDAP Verbindungen"
+
+- name: Create Mail-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "Mail-User" -SamAccountName MailUser -GroupCategory Security -GroupScope Global -DisplayName "Mail-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "E-Mail Mitglieder"
+
+- name: Create Exchange-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "EX-User" -SamAccountName EXUser -GroupCategory Security -GroupScope Global -DisplayName "EX-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "Exchange Mitglieder"
+
+- name: Create Bitwarden-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "Bitwarden-User" -SamAccountName BitwardenUser -GroupCategory Security -GroupScope Global -DisplayName "Bitwarden-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "Bitwarden Mitglieder"
+
+- name: Create Nextcloud-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "Nextcloud-User" -SamAccountName NextcloudUser -GroupCategory Security -GroupScope Global -DisplayName "Nextcloud-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "Nextcloud Mitglieder"
+
+- name: Create RDS-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "RDS-User" -SamAccountName RDSUser -GroupCategory Security -GroupScope Global -DisplayName "RDS-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "RDS Mitglieder"
+
+- name: Create VPN-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "VPN-User" -SamAccountName VPNUser -GroupCategory Security -GroupScope Global -DisplayName "VPN-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "VPN Mitglieder"
+
+- name: Create Daten-Gruppe
+  ansible.builtin.win_shell: |
+    New-ADGroup -Name "Daten-User" -SamAccountName DatenUser -GroupCategory Security -GroupScope Global -DisplayName "Daten-User" -Path "OU=System-Gruppen,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Description "Daten Mitglieder"
+
+- name: Create LDAP-Admin
+  ansible.builtin.win_shell: |
+    $adminpw = ConvertTo-SecureString -String "zzLGuggugSG7bwMQruv#3bPLwp4DfQ8Hq9Ldq$D6MPy2m" -AsPlainText -Force
+    New-ADUser -Name "LDAP Admin" -GivenName "LDAP" -Surname "Admin" -SamAccountName "ldap-admin" -UserPrincipalName "ldap@{{kundendomain}}" -Path "OU=System-Accounts,DC={{  kundendomain.split(".")[0]}},DC={{  kundendomain.split(".")[1]}}" -Enabled $true -AccountPassword $adminpw -ChangePasswordAtLogon:$false -PasswordNeverExpires:$true
+    Add-ADGroupMember -Identity LDAPAdmins -Members ldap-admin
+    $group = get-adgroup "LDAPAdmins" -properties @("primaryGroupToken")
+    get-aduser "ldap-admin" | set-aduser -replace @{primaryGroupID=$group.primaryGroupToken}
+
+- name: Create Folder deployment
+  ansible.builtin.win_file:
+    path: C:\deployment\
+    state: directory
+    
+- name: Create Share Folder deployment
+  ansible.windows.win_share:
+    name: deployment
+    description: deployment
+    path: C:\deployment
+    list: false
+    full: Domänen-Admins
+    read: RDSUser,Domänen-Benutzer
+
+- name: Create AD-Controller Shortcuts on Stines-Admin Desktop
+  community.windows.win_shortcut:
+    src: '%SystemRoot%\system32\dsa.msc'
+    dest: C:\Users\Public\Desktop\AD-Controller.lnk
+    icon: '%SystemRoot%\system32\dsadmin.dll,0'
+
+- name: Create DNS Shortcuts on Stines-Admin Desktop
+  community.windows.win_shortcut:
+    src: '%SystemRoot%\system32\dnsmgmt.msc'
+    dest: C:\Users\Public\Desktop\DNS.lnk
+    icon: '%SystemRoot%\system32\dnsmgr.dll'
+
+- name: Create GPO Shortcuts on Stines-Admin Desktop
+  community.windows.win_shortcut:
+    src: '%SystemRoot%\system32\gpmc.msc'
+    dest: C:\Users\Public\Desktop\GPO.lnk
+    icon: '%SystemRoot%\system32\gpoadmin.dll'
+
+- name: Copy aduser CSV File
+  ansible.builtin.copy:
+    src: /root/ansible/playbook/kunden/{{ kunde }}/files/aduser.csv
+    dest: C:\deployment\aduser.csv
+
+- name: Install Azure-Client
+  ansible.builtin.win_shell: | 
+    wget https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi -outfile C:\deployment\AzureADConnect.msi
+#     C:\deployment\AzureADConnect.msi /quiet
+
+- name: Create GPO Folder PolicyDefinitions
+  ansible.builtin.win_file:
+    path: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
+    state: directory
+
+- name: Create GPO Folder PolicyDefinitions\de
+  ansible.builtin.win_file:
+    path: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\de
+    state: directory
+
+- name: Create GPO Folder PolicyDefinitions\de-DE
+  ansible.builtin.win_file:
+    path: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\de-DE
+    state: directory
+
+- name: Import ADMX Files
+  ansible.builtin.copy:
+    src: all.zip
+    dest: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\all.zip
+
+- name: Export ADMX Files
+  ansible.builtin.win_shell: |
+    Expand-Archive C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\all.zip  -DestinationPath C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\
+
+- name: Copy GPO Settings
+  ansible.builtin.copy:
+    src: GPO.zip
+    dest: C:\deployment\GPO.zip
+
+- name: Export GPO Files
+  ansible.builtin.win_shell: |
+    Expand-Archive C:\deployment\GPO.zip  -DestinationPath C:\deployment\GPO
+
+- name: Import GPO Settings
+  ansible.builtin.win_shell: |
+    Import-GPO -BackupGpoName "RDS-Clients" -TargetName "RDS-Clients" -path C:\deployment\GPO\RDS-Clients\ -CreateIfNeeded:$true
+    Import-GPO -BackupGpoName "Exchange-Clients" -TargetName "Exchange-Clients" -path C:\deployment\GPO\Exchange-Clients\ -CreateIfNeeded:$true
+    Import-GPO -BackupGpoName "Google-Chrome" -TargetName "Google-Chrome" -path C:\deployment\GPO\Google-Chrome\ -CreateIfNeeded:$true
+
+- name: Install Druck-Server-Service
+  ansible.builtin.win_shell:
+    Install-WindowsFeature -Name Print-Server
+
+# - name: Copy CSV Import Script
+#   ansible.builtin.copy:
+#     src: /root/ansible/playbook/kunden/{{ kunde }}/files/import_ad_user.ps1
+#     dest: C:\deployment\import_ad_user.ps1
+
+# - name: Import ADUser by CSV File
+#   ansible.builtin.win_shell: |
+#     cd C:\deployment
+#     ./import_ad_user.ps1
+