Archive for the ‘Windows Server’ Category

Microsoft Key Management Services (KMS) provides a way to automatically activate volume license editions of Microsoft Windows and Microsoft Office.

Detecting KMS servers

From Command prompt type:

nslookup -type=srv is domin name

Output should be something like below: SRV service location:
priority = 0
weight = 100
port = 1688
svr hostname =

If this test fails, you will need to have the following DNS record added to the DNS zone: 3600 IN SRV 0 100 1688

Activating Windows

Open a command prompt with elevation

Install default product key (bellow is example for Windows Server 2016 datacenter)

cscript.exe c:\windows\system32\slmgr.vbs /ipk WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY

For other keys refer to this link

Run the following command to point Windows to the KMS server.

cscript c:\windows\system32\slmgr.vbs -skms

Run the following command to activate Windows.

cscript c:\windows\system32\slmgr.vbs -ato

Run the following command to check activation staus

slmgr.vbs -dlv


In case you try activating evaluation version of Windows server 2016 if trying above steps you’ll get following error:

Error: 0xC004F069 On a computer running Microsoft Windows non-core edition, run ‘slui.exe 0x2a 0xC004F069’ to display the error text.

In this case run following commands:

Find available target editions

DISM.exe /Online /Get-TargetEditions

Change your target edition (bellow is example for Windows server 2016 datacenter)

DISM /online /Set-Edition:ServerStandard /ProductKey:WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY /AcceptEula

Reboot server, repeat above steps and you should be good to go




In this example 2 AD groups will be used


  • BitBucket.Admin (System Admin,Admin,Project creator,Bitbucket user)
  • BitBucket.User (Project creator,Bitbucket user)

Configuring Active Directory integration:

User directory-add directory-Microsoft Active Directory

Server Settings

Name: Active Directory server

Directory Type: Microsoft Active Directory


Port: 389

Username: ldapuser for searching AD

LDAP Schema

BaseDN: DC=example,DC=com

LDAP Permissions:

Read only

Advanced settings

Check Enable nested groups (leave other settings)

User Schema Settings

Show only members of BitBucket.Admin/Bitbucket.User AD groups

UserObject class: user

UserObjectFilter:(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf:1.2.840.113556.1.4.1941:=cn=BitBucket.Admin,OU=Groups,DC=example,DC=com (memberOf:1.2.840.113556.1.4.1941:=cn=BitBucket.User,OU=Groups,DC=example,DC=com)))

UserNameAtribute: sAMAccountName

UserName RDN Atribute: cn

User First Attribute Name: givenName

User Last Name attribute: sn

User Display Name Attribute: displayName

User Email Attribute: mail

User Password Attribute: unicodePwd

User Unique Attribute: objectGUID


Group Schema settings


Group Object Class: group

Group Obect Filter: (&(objectCategory=Group)(cn=BitBucket*))

Group Name attribute: cn

Group Description Attribute: description

Configuring group access and roles

In BitBucket go to Global permissions-add groups and assign roles

It’s presumed Chocolatey server will be installed on D drive,it’s presumed Chocolatey server has no internet access.

Choco installation files are obtained in following way:

On any windows machine with internet access following has been done:

  • installed chocolatey
  • after chocolatey has been installed following command has been executed:
    choco install chocolatey.server
  • all required files are downloaded to C:\tools folder


Copy tools folder somewhere to Ansible server, Ansible playbook will copy  it to D drive on Windows server.

Folder structure:

|—————–winplaybook/choco.yml   chocoserver/tools/


|             | ————–features/features.yml

|————–windows/vars_win.yml   vaul_win.yml

features.yml contains list of IIS features and IIS users

- Web-Server
- Web-Asp-Net45
- Web-AppInit 


- IIS APPPOOL\ChocolateyServer

chocoserver/tools contains chocolatey server installation (copied from windows machine with internet access)

Chocolatey API key is in vars_win.yml (unencrypted-point to vault_win.yml) and vault_win.yml (encrypted)


api_key: '{{ vault_api_key }}'


vault_api_key: myapi

Playbook will copy Chocolatey server files to D drive, installs IIS server and features,removes default IIS web site, creates Chocolatey application pool, sets ACL permissions on D:\tools\chocolatey.server and D:\tools\chocolatey.server\App_Data,creates Chocolatey IIS site and changes default API key

– name: install choco server
hosts: dc2
– group_vars/windows/vars_win.yml
– group_vars/features/features.yml
gather_facts: yes
– name: Copy Chocolatey server to D drive
src: /root/win_playbooks/choco_server/
dest: D:\
– name: Ensure IIS is installed
name: Web-Server
state: present
include_management_tools: True
– name: Ensure IIS Web-Server and ASP.NET are installed
name: ‘{{ item }}’
state: present
with_items: ‘{{ features }}’
– name: Ensure Default Web Site is not present
name: “Default Web Site”
state: absent
#- name: Chocolatey.server package is installed
# win_chocolatey:
# name: “chocolatey.server”
# state: present
– name: Configure AppPool for Chocolatey.server
name: ChocolateyServer
state: started
enable32BitAppOnWin64: true
managedRuntimeVersion: v4.0
managedPipelineMode: Integrated
startMode: AlwaysRunning
autoStart: true
– name: Grant read permissions to D:\tools\chocolatey.server
user: ‘{{ item }}’
path: D:\tools\chocolatey.server
rights: Read
state: present
type: allow
inherit: ContainerInherit, ObjectInherit
progagation: InheritOnly
with_items: ‘{{ users }}’
– name: Grant IIS APPPOOL\ modify permissions to D:\tools\chocolatey.server\App_Data
user: ‘{{ item }}’
path: D:\tools\chocolatey.server
rights: Modify
state: present
type: allow
inherit: ContainerInherit, ObjectInherit
progagation: InheritOnly
with_items: ‘{{ users }}’
– name: Create Chocolatey IIS site
name: “chocolatey”
state: started
port: 80
application_pool: “ChocolateyServer”
physical_path: D:\tools\chocolatey.server
register: website
– name: Change default API key
path: D:\tools\chocolatey.server\web.config
regexp: ‘<add key=”apiKey” value=”chocolateyrocks” />’
line:’         <add key=”apiKey” value=”{{ api_key }}”/>’
state: present

Unlike other tasks, this one requires runas (become) permissions. So, we need to specify become statement in playbook, and to add following directives in group_vars folder (see this guide how to create it.

add 4 “ansible_become” lines as per example

ansible_user: Administrator
ansible_password: Pass
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_become: yes
ansible_become_user: Administrator
ansible_become_pass: Passw
ansible_become_method: runas
Both are same account,it’s local admin account promoted to Domain Administrator after creating AD Domain, the reason why we need to add those 4 lines is because renaming AD joined machines required Active Directory credentials, those 4 “ansible_become” lines instruct Ansible to use domain administrator credentials instead of local administrator.
- name: Change computer name
  hosts: dc2
   - name: Change host name
     become: yes
       name: server2
     register: name_changed
   - name: reboot server after hostname changes
       msg: "Computer name changed,rebooting...."
       pre_reboot_delay: 15
     when: name_changed.changed


In this example Page file will be moved to D drive, in order for Ansible to “track changes” file C:\Pagefile.log will be created after Page file is moved and server will be restarted afterwards.

In this example page file is set to automatic (InitialSize = 0; MaximumSize = 0), we can set custom Initial/Maximum size (in MB).

- name: Moving page file to another drive
  hosts: winserver
  gather_facts: yes
   - name: "Move Page File to D Drive"
     win_shell: |
       $a=Get-WmiObject -Query "select * from Win32_PageFileSetting"
       if ($a.Name -like 'C:\pagefile.sys') {
       $CurrentPageFile = Get-WmiObject -Query "select * from Win32_PageFileSetting where name='c:\\pagefile.sys'"
       Set-WMIInstance -Class Win32_PageFileSetting -Arguments @{name="d:\pagefile.sys";InitialSize = 0; MaximumSize = 0}
       } write-output "Done" | out-file C:\Pagefile.log -Append
      creates: C:\Pagefile.log
     register: page
   - name: reboot server
       msg: "Page file moved,rebooting..."
       pre_reboot_delay: 15
     when: page.changed

Ansible have no module for setting Domain Group Policies,but we can use PowerShell commands. If we need to create Custom GPO and link it to some GPO, we can do it also by Powers shell – by setting Registry Values.

The key must be in one of the two following registry hives:

  • HKEY_LOCAL_MACHINE (HKLM) for a registry-based policy setting in Computer Configuration.
  • HKEY_CURRENT_USER (HKCU) for a registry-based policy setting in User Configuration.

Bellow is example for setting Screen Saver TimeOut to 900 seconds for User Configuration Settings GPO.


New GPO named BO-1-Desktops is created and linked to test OU.

- name: Configure GPO
        hosts: winserver
          - name: Set ScreenSaver Timeout
            win_shell: | 
              New-GPLink -Name "BO-1-Desktops" -Target 
              Set-GPRegistryValue -Name "BO-1-Desktops" -KEY "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveTimeOut" -Type DWORD      -Value 900 > C:\screensaverGPO.txt
              creates: C:\screensaverGPO.txt

Script won’t be executed if C:\screensaverGPO.txt exists.

Example for creating DNS zone

- name: Create DNS
  hosts: winserver
   - name: Create Forward lookup zone
     win_shell: |
       try {$getdns=Get-DnsServerZone -Name "" -ErrorAction SilentlyContinue
       if ($getdns -eq $null) {Add-DnsServerPrimaryZone -Name ""       -ReplicationScope "Forest" -PassThru > c:\dnszone.log}
       } catch {write-host "ok"}
       creates: C:\dnszone.log

This post explained how to use it with Puppet, in this post we’ll do the same.

Powershell script is doing following:

  •  reads JSON file above
  • Creates subnets defined from JSON file
  • Creates sites defined in JSON file
  • Assigns subnet to AD site (as specified in JSON file)

JSON and PS1 files are located in  /root/win_playbooks/files/ folder.

Both files will be copied to C:\Script

Script will be running only if file C:\Script\Logs\ADSite.log is present.

- name: Configure AD sites
hosts: winserver
gather_facts: yes
- name: Create folder
     path: C:\Script
     state: directory
- name: Copy files
     src: /root/win_playbooks/files/
     dest: C:\Script\
- name: Run Script
  win_shell: C:\Script\createsite.ps1
     creates: C:\Script\logs\CreateADSIte.log