Ansible: make a static DNS record in Microsoft DNS
If you run a heterogeneous datacenter with GNU/Linux and Microsoft servers, you may run into this problem. To create dynamic DNS records programmatically you can use the nsupdate module, but it does not support GSS-TSIG authentication, which is the only mechanism Active Directory DNS accepts for "secure dynamic updates", so I previously wrote a wrapper for that. Static records are harder still: a dynamic update, even a successful one, produces a timestamped record that AD DNS treats as dynamic (and may scavenge), whereas a static record has no timestamp and is only created through the DNS server's own management interface. With the help of my Windows teammates I now have a working solution for creating static records in AD DNS, complete with the reverse PTR records.
Dependencies
- A Windows Server 2016 box with the DNS Server Tools part of RSAT installed, which is what provides the DnsServer PowerShell module (Add-DnsServerResourceRecord and friends). Plain RSAT is not enough; on Windows Server the feature is named RSAT-DNS-Server and can be added with Install-WindowsFeature RSAT-DNS-Server. I did not do that installation myself, so if anybody has notes on it, comment at the end here.
- WinRM over HTTPS with Kerberos authentication enabled on that box, and pywinrm with its kerberos extras (plus a valid ticket for the service account) on the Ansible control node.
The tricky part was learning how to get a usable privilege level once on the Windows box: a WinRM session authenticated with Kerberos (without credential delegation) holds a network logon token that cannot authenticate onward to the DNS server, the classic double-hop problem, so the DNS cmdlet has to run under a fresh runas logon for the service account.
Playbook
---
- name: playbook that creates static DNS records, both A and PTR, through the windows utility box
  hosts: localhost
  vars_files:
    - /etc/ansible/creds/windows_service_account.yml
  tasks:
    # Register the RSAT box as an in-memory inventory host so tasks can be delegated to it.
    - add_host:
        group: rsat
        name: "rsat01.ad.example.com"
        ansible_host: rsat01.ad.example.com
        ansible_connection: winrm
        ansible_port: "5986"
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos
        # Kerberos authenticates the server, which is why skipping TLS validation is
        # tolerable with a self-signed cert; pointing ansible_winrm_ca_trust_path at your
        # CA bundle is the better choice. This host var covers the delegated host, so no
        # separate set_fact on localhost is needed.
        ansible_winrm_server_cert_validation: ignore
        ansible_user: "{{ win_ansible_user }}"
        ansible_password: "{{ win_ansible_ssh_pass }}"
      changed_when: false
      no_log: true   # keep the password out of task output and logs
    - name: make static a and ptr records, ad
      win_shell: Add-DnsServerResourceRecord -ComputerName ad.example.com -ZoneName ad.example.com -A -Name newhost1 -IPv4Address 10.234.56.78 -CreatePtr
      delegate_to: rsat01.ad.example.com
      # runas with the same account and its password creates a full logon token that can
      # authenticate to the DNS server (the second hop); the Kerberos WinRM logon alone cannot.
      become: yes
      become_method: runas
      become_user: "{{ win_ansible_user }}"
      vars:
        ansible_become_password: "{{ win_ansible_ssh_pass }}"
        ansible_winrm_transport: kerberos
...
Note that -CreatePtr only works when a reverse lookup zone covering the address (56.234.10.in-addr.arpa for the example above) already exists on the server; the A record will still be created without it. Also, win_shell is not idempotent: running the playbook twice against an existing name adds a second A record rather than failing.
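Since win_shell simply re-runs the cmdlet every time, here is an added example (my own, not code from the original post) of the PowerShell I would hand to win_shell instead: it checks that the reverse zone exists, refuses to add a second address for a name that already has a different one, and reports whether anything changed so Ansible can set changed_when from the output. The server, zone, name and address defaults are placeholders from the post, and the reverse-zone derivation assumes a /24 reverse zone.

```powershell
# Added example: idempotent static A + PTR creation through the DnsServer module.
# Assumes it runs on the RSAT box under a runas logon for an account that may write
# to both the forward and reverse zones. Defaults are the post's placeholder values.
param(
    [string]$DnsServer = 'ad.example.com',
    [string]$Zone      = 'ad.example.com',
    [string]$Name      = 'newhost1',
    [string]$Ip        = '10.234.56.78'
)

$ErrorActionPreference = 'Stop'

# Derive the reverse zone name; this assumes the reverse zone is delegated per /24.
$octets = $Ip.Split('.')
$reverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]

# -CreatePtr can only succeed if the matching reverse zone exists, so check up front
# instead of ending up with an A record and no PTR.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $reverseZone -ErrorAction SilentlyContinue)) {
    throw "reverse zone $reverseZone does not exist on $DnsServer; create it before adding PTR records"
}

# Look for an existing A record; Get-DnsServerResourceRecord errors when none exists,
# so silence that and treat an empty result as "not present".
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
    -Name $Name -RRType A -ErrorAction SilentlyContinue

if ($existing) {
    $current = @($existing.RecordData.IPv4Address.IPAddressToString)
    if ($current -contains $Ip) {
        # Already correct: say so and exit cleanly so the playbook can report "ok".
        Write-Output "unchanged: $Name.$Zone -> $Ip"
        exit 0
    }
    # A different address is already registered; do not silently add a second one.
    throw "conflict: $Name.$Zone already resolves to $($current -join ',')"
}

# Create the static A record and its PTR; static records carry no timestamp and are
# therefore never scavenged.
Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -A -Name $Name `
    -IPv4Address $Ip -CreatePtr
Write-Output "changed: created $Name.$Zone -> $Ip (PTR in $reverseZone)"
```

Wire it into the playbook with win_shell (or win_script) under the same become/runas settings, register the result, and set changed_when to "'changed:' in result.stdout"; a conflict or missing reverse zone then fails the task with a readable message instead of leaving a half-created record behind.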