Installing Domain Controller using Puppet

Posted: November 1, 2018 in puppet, Windows Server

Install the DSC module and hiera-eyaml (used for password encryption):

puppet module install puppetlabs-dsc
puppetserver gem install hiera-eyaml

Edit /etc/puppetlabs/puppet/hiera.yaml:

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

Create the keys (make sure the key paths match the ones given in hiera.yaml):

/opt/puppetlabs/puppet/bin/eyaml createkeys

Encrypt the password (-l is just a label, -s is the string to encrypt):

/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Add this encrypted password to /etc/puppetlabs/puppet/data/windowspass.eyaml file:


/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml

Test decryption:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Secure keys:

chown -R puppet:puppet /etc/puppetlabs/puppet/keys
chmod 400 /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
chmod 400 /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
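As an added check (not part of the original post), the script below verifies the two things the steps above depend on: that the key paths declared in hiera.yaml point at files owned by the expected uid with mode 400, and that the .eyaml data file contains only ENC[PKCS7,...] values and no plaintext. The directory layout it builds under mktemp is constructed for the demo; GNU stat (Linux) is assumed.

```shell
# Added example, not from the original post. check_eyaml_keys reads the pkcs7_* key
# paths out of hiera.yaml and checks each key exists, is owned by UID and is mode
# 400 (GNU stat assumed); check_eyaml_values checks every "name: value" line in an
# .eyaml file is an ENC[PKCS7,...] blob. make_fixture builds a constructed layout.

# check_eyaml_keys HIERA_YAML UID -> 0 when both keys exist, belong to UID, mode 400
check_eyaml_keys() {
    rc=0
    for opt in pkcs7_private_key pkcs7_public_key; do
        # pull the (optionally quoted) path off the "pkcs7_...: ..." line
        path=$(sed -n "s/^[[:space:]]*$opt:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1)
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "FAIL: $opt missing or not a regular file: '$path'"; rc=1; continue
        fi
        owner=$(stat -c %u "$path"); mode=$(stat -c %a "$path")
        [ "$owner" = "$2" ] || { echo "FAIL: $path owned by uid $owner, expected $2"; rc=1; }
        [ "$mode" = "400" ] || { echo "FAIL: $path is mode $mode, expected 400"; rc=1; }
    done
    return $rc
}

# check_eyaml_values FILE -> 0 when no "name: value" line carries a plaintext value
check_eyaml_values() {
    plain=$(grep -E '^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*[^[:space:]]' "$1" \
            | grep -vE ':[[:space:]]*(ENC\[PKCS7,|>)' || true)
    [ -z "$plain" ] && return 0
    echo "FAIL: plaintext value(s) in $1:"; echo "$plain"; return 1
}

# make_fixture DIR -> constructed hiera.yaml, key files and data file under DIR
make_fixture() {
    mkdir -p "$1/keys" "$1/data"
    for k in private public; do
        echo "constructed placeholder, not a real key" > "$1/keys/${k}_key.pkcs7.pem"
        chmod 400 "$1/keys/${k}_key.pkcs7.pem"
    done
    cat > "$1/hiera.yaml" <<EOF
hierarchy:
  - lookup_key: eyaml_lookup_key
    options:
        pkcs7_private_key: "$1/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "$1/keys/public_key.pkcs7.pem"
EOF
    # constructed token in eyaml's ENC[PKCS7,base64] shape, not real ciphertext
    echo 'password: ENC[PKCS7,Y29uc3RydWN0ZWQsIG5vdCBhIHJlYWwgY2lwaGVydGV4dA==]' > "$1/data/windowspass.eyaml"
}

dir=$(mktemp -d); make_fixture "$dir"
check_eyaml_keys "$dir/hiera.yaml" "$(id -u)" && check_eyaml_values "$dir/data/windowspass.eyaml" && echo "eyaml setup OK"
```

Against the real server, call it as check_eyaml_keys /etc/puppetlabs/puppet/hiera.yaml "$(id -u puppet)" and check_eyaml_values /etc/puppetlabs/puppet/data/windowspass.eyaml.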

 

On Windows it is currently not possible to hide the passwords from the agent's verbose output:

puppet agent -t -v

Reference the encrypted value from windowspass.eyaml in the manifest with a lookup wrapped in Sensitive:

'password' => Sensitive(lookup('password'))

Complete code (/etc/puppetlabs/code/environments/production/manifests/site.pp):

node 'windows.example.com' {

  # directory for the AD database and log files
  file { 'c:/NTDS':
    ensure => directory,
  }

  dsc_windowsfeature { 'dns':
    dsc_ensure => 'Present',
    dsc_name   => 'DNS',
  }

  dsc_windowsfeature { 'addsinstall':
    dsc_ensure => 'Present',
    dsc_name   => 'AD-Domain-Services',
  }

  dsc_windowsfeature { 'addstools':
    dsc_ensure => 'Present',
    dsc_name   => 'RSAT-ADDS',
  }

  dsc_windowsfeature { 'addnstools':
    dsc_ensure => 'Present',
    dsc_name   => 'RSAT-DNS-Server',
  }

  # promote the host to the first DC of the new forest; both credentials
  # take their password from the encrypted hiera value
  dsc_xaddomain { 'firstdc':
    subscribe                         => Dsc_windowsfeature['addsinstall'],
    dsc_domainname                    => 'ad.contoso.com',
    dsc_domainadministratorcredential => {
      'user'     => 'pagent',
      'password' => Sensitive(lookup('password')),
    },
    dsc_safemodeadministratorpassword => {
      'user'     => 'pagent',
      'password' => Sensitive(lookup('password')),
    },
    dsc_databasepath                  => 'c:\NTDS',
    dsc_logpath                       => 'c:\NTDS',
  }

  # reboot resource comes from the puppetlabs-reboot module
  reboot { 'dsc_reboot':
    message => 'DSC has requested a reboot',
    when    => pending,
  }

}


For debugging:

puppet master --debug --compile windows.example.com --environment=production

Creating a new AD user, creating a new security group and adding the user to it:

dsc_xaduser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'tfl@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
}

dsc_xgroup { 'testgroup':
  dsc_ensure           => 'present',
  dsc_memberstoinclude => 'tfl@ad.contoso.com',
  dsc_groupname        => 'test',
  #dsc_credential => {
  #  'user'     => 'Administrator@ad.contoso.com',
  #  'password' => 'Passw0rd01'
  #},
}

Comments
  1. Mohak Sharma says:

    After running the above configuration, I am not able to see the user “pagent” which we declared as domain admin in dsc_xaddomain. Is it the expected behaviour?

    • dragan979 says:

      Local admin is automatically promoted to Domain admin, see the example at the end of the article on how to create AD users and add them to a Security Group. In this example, the pagent user is a local admin; you need to specify your existing local admin user.
