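# Provisions the first domain controller of a customer environment: installs
# AD DS, promotes the forest, creates the baseline OUs, groups and service
# accounts, the deployment share, admin shortcuts and the GPO baseline.
#
# Variables expected from the customer inventory / group_vars:
#   kundendomain   - DNS name of the new forest (e.g. "<customer>.<tld>")
#   kundenkürzel   - customer short code used as host/OU name prefix
#   privatip       - first three octets of the private /24 (e.g. "10.0.0")
#   kunde          - customer directory name under /root/ansible/playbook/kunden
#   dsrm_safe_mode_password - DSRM (Safe Mode) password for Install-ADDSForest
#   stines_admin_password   - initial password of the "stinessu" domain admin
#   ldap_admin_password     - initial password of the "ldap-admin" bind account
# The three passwords were previously hard-coded in this file (and the DSRM
# password was identical to the domain admin password). They must now come
# from an ansible-vault encrypted vars file, are handed to PowerShell through
# the task environment instead of the script text, and are hidden from logs
# with no_log. Use a different value for each of the three.
#
# Most win_shell tasks below are not idempotent: a second run against an
# already provisioned controller fails with "object already exists" errors.
# Only the feature install / promotion tasks are guarded by the NTDS check.

- name: Check whether the AD DS service (NTDS) already exists
  # NTDS is the Active Directory Domain Services service; it only exists on a
  # promoted domain controller, so its absence means this host still needs
  # the feature install and forest promotion. (The previous check looked for
  # a service named "NTLD", which does not exist, so the guarded tasks ran on
  # every play.)
  ansible.builtin.win_service:
    name: NTDS
  register: file_check_ntld
  # Keeps an unreachable host in the play instead of aborting the run. The
  # registered result then has no "exists" key, so the guarded tasks below
  # will most likely error on that host rather than skip.
  ignore_unreachable: true

- name: Derive the domain DN from the domain name
  # "DC=a,DC=b" for "a.b". Joining all labels also handles domains with more
  # than two labels, which the former split(".")[0]/[1] form silently truncated.
  ansible.builtin.set_fact:
    domain_dn: "DC={{ kundendomain.split('.') | join(',DC=') }}"

- name: Install Active Directory Domain Services
  ansible.builtin.win_shell:
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -IncludeAllSubFeature
  when: not file_check_ntld.exists

- name: Reboot ad-controller after the feature install
  # win_reboot also waits for the host to come back, replacing the former
  # "shutdown -t 0 -r" plus wait_for_connection pair.
  ansible.windows.win_reboot:
    post_reboot_delay: 10
  when: not file_check_ntld.exists

- name: Disable the local Administrator account
  # Runs before promotion; the connection user of this play must therefore
  # not be this account. The domain Administrator is disabled again after
  # the forest has been created (see below).
  ansible.builtin.win_user:
    name: Administrator
    account_disabled: true
  when: not file_check_ntld.exists

- name: Install-ADDSForest
  # The DSRM password is read from the task environment so it is neither
  # stored in this file nor part of the command line.
  ansible.builtin.win_shell: |
    $password = ConvertTo-SecureString -String $env:DSRM_PASSWORD -AsPlainText -Force
    Install-ADDSForest -DomainName "{{ kundendomain }}" -InstallDNS:$true -SafeModeAdministratorPassword $password -DomainMode WinThreshold -ForestMode WinThreshold -Force
  environment:
    DSRM_PASSWORD: "{{ dsrm_safe_mode_password }}"
  no_log: true
  when: not file_check_ntld.exists

- name: Wait for the promotion reboot
  # Install-ADDSForest reboots the host itself (no -NoRebootOnCompletion).
  ansible.builtin.wait_for_connection:
    delay: 10
    # timeout: 300  (the module default applies while this stays commented)
  when: not file_check_ntld.exists

- name: Disable the domain Administrator account
  ansible.builtin.win_shell:
    Disable-ADAccount -Identity "Administrator"
  when: not file_check_ntld.exists

- name: Add reverse DNS zone
  # NetworkID is "<privatip>/24", e.g. 10.0.0/24. Fails if the zone exists.
  # (A stray e-mail address that had been pasted onto the end of this
  # command has been removed.)
  ansible.builtin.win_shell:
    Add-DnsServerPrimaryZone -NetworkID "{{ privatip }}/24" -ReplicationScope "Domain"

- name: Add DNS A records for the customer hosts
  # One record per host, name "<kundenkürzel>-<host>", address "<privatip>.<octet>".
  # NOTE(review): -AllowUpdateAny lets any authenticated domain user overwrite
  # these records (router, mail relay, proxy, ...). They are static
  # infrastructure entries; consider dropping the switch so that only DNS
  # administrators can change them.
  ansible.builtin.win_shell: >-
    Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-{{ item.host }}"
    -ZoneName "{{ kundendomain }}" -AllowUpdateAny
    -IPv4Address "{{ privatip }}.{{ item.octet }}" -CreatePtr:$true
  loop:
    - { host: ROU01, octet: 1 }
    - { host: SMTP01, octet: 2 }
    - { host: HAPROX01, octet: 3 }
    - { host: NEXT01, octet: 4 }
    - { host: DATA01, octet: 5 }
    - { host: CMS01, octet: 6 }
    - { host: AD01, octet: 8 }
    - { host: RDS01, octet: 7 }
    - { host: EX01, octet: 9 }
    - { host: APP01, octet: 10 }
  loop_control:
    label: "{{ item.host }}"

- name: Create the baseline OUs
  # New-ADOrganizationalUnit fails if the OU already exists.
  ansible.builtin.win_shell: >-
    New-ADOrganizationalUnit -Name "{{ item }}" -Path "{{ domain_dn }}"
  loop:
    - System-Accounts
    - System-Gruppen
    - "{{ kundenkürzel }}-Gruppen"
    - "{{ kundenkürzel }}-Benutzer"

- name: Create Stines Admin
  # Initial domain admin account. The password comes from stines_admin_password
  # via the task environment. The account is added to Domänen-Admins and that
  # group is made its primary group. Group names are the German localized
  # ones, i.e. this assumes a German Windows installation.
  # NOTE(review): -PasswordNeverExpires:$true on a domain admin account
  # exempts it from the password policy; consider removing it.
  ansible.builtin.win_shell: |
    $adminpw = ConvertTo-SecureString -String $env:ADMIN_PASSWORD -AsPlainText -Force
    New-ADUser -Name "Stines Admin" -GivenName "Stines" -Surname "Admin" -SamAccountName "stinessu" -UserPrincipalName "stinessu@{{ kundendomain }}" -Path "OU=System-Accounts,{{ domain_dn }}" -Enabled $true -AccountPassword $adminpw -ChangePasswordAtLogon:$false -PasswordNeverExpires:$true
    Add-ADGroupMember -Identity Domänen-Admins -Members stinessu
    $group = Get-ADGroup "Domänen-Admins" -Properties @("primaryGroupToken")
    Get-ADUser "stinessu" | Set-ADUser -Replace @{primaryGroupID=$group.primaryGroupToken}
  environment:
    ADMIN_PASSWORD: "{{ stines_admin_password }}"
  no_log: true

- name: Create the System-Gruppen security groups
  # Global security groups under OU=System-Gruppen; New-ADGroup fails if a
  # group already exists.
  ansible.builtin.win_shell: >-
    New-ADGroup -Name "{{ item.name }}" -SamAccountName {{ item.sam }}
    -GroupCategory Security -GroupScope Global -DisplayName "{{ item.name }}"
    -Path "OU=System-Gruppen,{{ domain_dn }}" -Description "{{ item.description }}"
  loop:
    - { name: LDAP-Admins, sam: LDAPAdmins, description: "LDAP Admins für LDAP Verbindungen" }
    - { name: Mail-User, sam: MailUser, description: "E-Mail Mitglieder" }
    - { name: EX-User, sam: EXUser, description: "Exchange Mitglieder" }
    - { name: Bitwarden-User, sam: BitwardenUser, description: "Bitwarden Mitglieder" }
    - { name: Nextcloud-User, sam: NextcloudUser, description: "Nextcloud Mitglieder" }
    - { name: RDS-User, sam: RDSUser, description: "RDS Mitglieder" }
    - { name: VPN-User, sam: VPNUser, description: "VPN Mitglieder" }
    - { name: Daten-User, sam: DatenUser, description: "Daten Mitglieder" }
  loop_control:
    label: "{{ item.name }}"

- name: Create LDAP-Admin
  # Bind account for LDAP clients, member of LDAPAdmins (created above).
  # The password comes from ldap_admin_password via the task environment; the
  # former inline value was inside a PowerShell double-quoted string, where
  # its "$..." part was expanded as a variable, so the stored password was
  # not the one written in the file.
  ansible.builtin.win_shell: |
    $adminpw = ConvertTo-SecureString -String $env:ADMIN_PASSWORD -AsPlainText -Force
    New-ADUser -Name "LDAP Admin" -GivenName "LDAP" -Surname "Admin" -SamAccountName "ldap-admin" -UserPrincipalName "ldap@{{ kundendomain }}" -Path "OU=System-Accounts,{{ domain_dn }}" -Enabled $true -AccountPassword $adminpw -ChangePasswordAtLogon:$false -PasswordNeverExpires:$true
    Add-ADGroupMember -Identity LDAPAdmins -Members ldap-admin
    $group = Get-ADGroup "LDAPAdmins" -Properties @("primaryGroupToken")
    Get-ADUser "ldap-admin" | Set-ADUser -Replace @{primaryGroupID=$group.primaryGroupToken}
  environment:
    ADMIN_PASSWORD: "{{ ldap_admin_password }}"
  no_log: true

- name: Create Folder deployment
  ansible.builtin.win_file:
    path: 'C:\deployment\'
    state: directory

- name: Create Share Folder deployment
  # Hidden from browse lists; full control for Domänen-Admins, read for
  # RDSUser and Domänen-Benutzer.
  ansible.windows.win_share:
    name: deployment
    description: deployment
    path: 'C:\deployment'
    list: false
    full: Domänen-Admins
    read: RDSUser,Domänen-Benutzer

- name: Create AD-Controller shortcut on the Public desktop
  # The shortcuts land on C:\Users\Public\Desktop, i.e. every user who logs
  # on to the controller sees them, not only the Stines admin.
  community.windows.win_shortcut:
    src: '%SystemRoot%\system32\dsa.msc'
    dest: 'C:\Users\Public\Desktop\AD-Controller.lnk'
    icon: '%SystemRoot%\system32\dsadmin.dll,0'

- name: Create DNS shortcut on the Public desktop
  community.windows.win_shortcut:
    src: '%SystemRoot%\system32\dnsmgmt.msc'
    dest: 'C:\Users\Public\Desktop\DNS.lnk'
    icon: '%SystemRoot%\system32\dnsmgr.dll'

- name: Create GPO shortcut on the Public desktop
  community.windows.win_shortcut:
    src: '%SystemRoot%\system32\gpmc.msc'
    dest: 'C:\Users\Public\Desktop\GPO.lnk'
    icon: '%SystemRoot%\system32\gpoadmin.dll'

- name: Copy aduser CSV File
  # win_copy is the Windows-target module; ansible.builtin.copy is the POSIX
  # one and is not expected to work over WinRM.
  ansible.windows.win_copy:
    src: /root/ansible/playbook/kunden/{{ kunde }}/files/aduser.csv
    dest: 'C:\deployment\aduser.csv'

- name: Download Azure AD Connect installer
  # Explicit cmdlet instead of the "wget" alias. The installer is only
  # downloaded; the silent install stays disabled.
  # NOTE(review): before enabling the install line, verify the MSI's
  # Authenticode signature (Get-AuthenticodeSignature) so a tampered
  # download is never executed on the domain controller.
  ansible.builtin.win_shell: |
    Invoke-WebRequest -Uri https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi -OutFile C:\deployment\AzureADConnect.msi
    # C:\deployment\AzureADConnect.msi /quiet

- name: Create GPO folders PolicyDefinitions, de and de-DE
  # The central store for ADMX/ADML files in SYSVOL.
  ansible.builtin.win_file:
    path: "{{ item }}"
    state: directory
  loop:
    - 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'
    - 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\de'
    - 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\de-DE'

- name: Import ADMX Files
  ansible.windows.win_copy:
    src: all.zip
    dest: 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\all.zip'

- name: Export ADMX Files
  ansible.builtin.win_shell: |
    Expand-Archive C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\all.zip -DestinationPath C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\

- name: Copy GPO Settings
  ansible.windows.win_copy:
    src: GPO.zip
    dest: 'C:\deployment\GPO.zip'

- name: Export GPO Files
  ansible.builtin.win_shell: |
    Expand-Archive C:\deployment\GPO.zip -DestinationPath C:\deployment\GPO

- name: Import GPO Settings
  # Imports the three GPO backups shipped in GPO.zip, creating the GPOs if
  # they do not exist yet.
  ansible.builtin.win_shell: >-
    Import-GPO -BackupGpoName "{{ item }}" -TargetName "{{ item }}"
    -Path C:\deployment\GPO\{{ item }}\ -CreateIfNeeded:$true
  loop:
    - RDS-Clients
    - Exchange-Clients
    - Google-Chrome

- name: Install Print Server role
  ansible.builtin.win_shell:
    Install-WindowsFeature -Name Print-Server

# - name: Copy CSV Import Script
#   ansible.windows.win_copy:
#     src: /root/ansible/playbook/kunden/{{ kunde }}/files/import_ad_user.ps1
#     dest: 'C:\deployment\import_ad_user.ps1'

# - name: Import ADUser by CSV File
#   ansible.builtin.win_shell: |
#     cd C:\deployment
#     ./import_ad_user.ps1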