Installing Domain Controller using Puppet

Posted: November 1, 2018 in puppet, Windows Server

Install DSC  and hiera-eyaml modules (for password encryption):

puppet module install puppetlabs-dsc
puppetserver gem install hiera-eyaml
Edit /etc/puppetlabs/puppet/hiera.yaml
version: 5
  datadir: data
  data_hash: yaml_data
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

Create keys (make sure key path reflects path from hiera.yaml file):

/opt/puppetlabs/puppet/bin/eyaml createkeys

Create password (-l is just label):

/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Add this encrypted password to /etc/puppetlabs/puppet/data/windowspass.eyaml file:


/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml

Test decryption:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Secure keys:

chown -R puppet:puppet /etc/puppetlabs/puppet/keys
chmod 400 /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
chmod 400 /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem


For Windows currently is not possible to hide passwords when running  agent in verbose output:

puppet agent -t -v


Map content of windowspass.eyaml to manifest file:

'password' => Sensitive(lookup('password'))

Complete code-/etc/puppetlabs/code/environments/production/manifests/site.pp:

node '' {
file {
 ensure => directory
dsc_windowsfeature  {'dns':
            dsc_ensure => 'Present',
            dsc_name => 'DNS',
dsc_windowsfeature  { 'addsinstall':
            dsc_ensure => 'Present',
            dsc_name => 'AD-Domain-Services',
dsc_windowsfeature  {'addstools':
            dsc_ensure => 'Present',
            dsc_name => 'RSAT-ADDS',
dsc_windowsfeature  {'addnstools':
            dsc_ensure => 'Present',
            dsc_name => 'RSAT-DNS-Server',
dsc_xaddomain   { 'firstdc':
     subscribe => Dsc_windowsfeature['addsinstall'],
            dsc_domainname => '',
     dsc_domainadministratorcredential => {
               'user' => 'pagent',
               'password' => Sensitive(lookup('password'))
     dsc_safemodeadministratorpassword   => {
 'user' => 'pagent',
 'password' => 'password' => Sensitive(lookup('password'))
            dsc_databasepath => 'c:\NTDS',
            dsc_logpath => 'c:\NTDS',
reboot {'dsc_reboot':
 message => 'DSC has requested a reboot',
when => pending,


For debugging:

puppet master --debug --compile --environment=production

Creating new AD user,create New Security group and add user to it:

dsc_xADUser {'FirstUser':
dsc_ensure => 'present',
dsc_domainname => '',
dsc_username   => 'tfl',
dsc_userprincipalname => '',
dsc_password   => {
'user' => '',
'password' => Sensitive(lookup('password'))
dsc_passwordneverexpires => true,
dsc_domainadministratorcredential => {
'user'  => '',
'password' => Sensitive(lookup('password'))
dsc_xgroup {'testgroup':
dsc_ensure    => 'present',
dsc_memberstoinclude => '',
dsc_groupname   => 'test',
#dsc_credential => {
#'user' => '',
#'password' => 'Passw0rd01'
  1. Mohak Sharma says:

    After running the above configuration, I am not able to see the user “pagent” which we declared as domain admin in dsc_xaddomain. Is it the expected behaviour?


    • dragan979 says:

      Local admin is automatically promoted to Domain admin,see example at the end of article how to create AD users and add then to Security Group. In this example, pagent user is local admin, you need to specify your existing local admin user


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s