author | heqnx <root@heqnx.com> | 2025-07-17 18:08:37 +0300 |
committer | heqnx <root@heqnx.com> | 2025-07-17 18:08:37 +0300 |
commit | cbd285087e710a265bdddfb4521a39a57bc8702c (patch) | |
tree | f95919e8eba622b8a517ffa20a6880bd88cc5e03 | |
parent | 156f392cd059a4f0de0b8ba2443eb2eeb1e1c41a (diff) | |
download | ansible-active-directory-range-cbd285087e710a265bdddfb4521a39a57bc8702c.tar.gz ansible-active-directory-range-cbd285087e710a265bdddfb4521a39a57bc8702c.zip |
added tree and child domain
26 files changed, 246 insertions, 1 deletions
diff --git a/ansible/.env.proxmox.example b/ansible/.env.proxmox.example index a6fc008..d8c7a9b 100644 --- a/ansible/.env.proxmox.example +++ b/ansible/.env.proxmox.example @@ -12,8 +12,16 @@ export windows_username="packer" export windows_password="packer" export windows_svc_password="Svc1234!" +# proxmox vm and template details +export windows_server_template_id="200" +export windows_server_template_name="winserver2019-tmpl" +export linux_server_template_id="201" +export linux_server_template_name="ubuntu2404-tmpl" + # domain details export main_domain_name="contoso.com" +export tree_domain_name="labtree.com" +export child_domain_name="child.contoso.com" export main_dc01_vmid="5000" export main_dc01_hostname="dc01" diff --git a/ansible/group_vars/all/main.yaml b/ansible/group_vars/all/main.yaml index 2087d15..9878346 100644 --- a/ansible/group_vars/all/main.yaml +++ b/ansible/group_vars/all/main.yaml @@ -23,6 +23,8 @@ linux_server_template_name : "{{ lookup('ansible.builtin.env', 'linux_serve # domain details main_domain_name : "{{ lookup('ansible.builtin.env', 'main_domain_name') }}" +tree_domain_name : "{{ lookup('ansible.builtin.env', 'tree_domain_name') }}" +child_domain_name : "{{ lookup('ansible.builtin.env', 'child_domain_name') }}" main_dc01_vmid : "{{ lookup('ansible.builtin.env', 'main_dc01_vmid') }}" main_dc01_hostname : "{{ lookup('ansible.builtin.env', 'main_dc01_hostname') }}" diff --git a/ansible/main.yaml b/ansible/main.yaml index 9ae5f38..f7d5afb 100644 --- a/ansible/main.yaml +++ b/ansible/main.yaml 
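Review bot: The two new lookups in group_vars/all/main.yaml have no fallback, so an unset `tree_domain_name` or `child_domain_name` in the shell environment silently expands to an empty string and later feeds `become_user: "{{ tree_domain_name }}\\Administrator"` and the FQDN-based `when:` comparisons in main.yaml. If the installed ansible-core is recent enough to support the env lookup's `default` option, `tree_domain_name : "{{ lookup('ansible.builtin.env', 'tree_domain_name', default=Undefined) }}"` makes a missing variable fail at template time; otherwise an `ansible.builtin.assert` on both names at the top of main.yaml gives the same early failure. The existing `main_domain_name` line has the same gap, so the fix is best applied to all three together.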
@@ -31,6 +31,64 @@ ansible_winrm_server_cert_validation: ignore changed_when: false + - name: "deploy {{ tree_dc02_hostname }}.{{ tree_domain_name }} vm on {{ proxmox_hostname }}" + include_role: + name: proxmox_vm + vars: + os_type : "windows" + template : "{{ windows_server_template_name }}" + id : "{{ windows_server_template_id }}" + vm : "{{ tree_dc02_hostname }}.{{ tree_domain_name }}" + newid : "{{ tree_dc02_vmid }}" + vmid : "{{ tree_dc02_vmid }}" + ip : "{{ tree_dc02_ip_address }}" + gateway : "{{ network_gateway }}" + dns : "{{ main_dc01_ip_address }}" + hostname : "{{ tree_dc02_hostname }}" + domain : "{{ tree_domain_name }}" + fqdn : "{{ tree_dc02_hostname }}.{{ tree_domain_name }}" + + - name: "add {{ tree_dc02_hostname }}.{{ tree_domain_name }} to in-memory inventory" + add_host: + name : "{{ tree_dc02_hostname }}.{{ tree_domain_name }}" + ansible_host : "{{ tree_dc02_ip_address }}" + ansible_connection : "{{ win_connector }}" + ansible_user : "{{ default_win_username }}" + ansible_password : "{{ default_win_password }}" + ansible_port : "{{ win_port }}" + ansible_winrm_transport : basic + ansible_winrm_server_cert_validation: ignore + changed_when: false + + - name: "deploy {{ child_dc03_hostname }}.{{ child_domain_name }} vm on {{ proxmox_hostname }}" + include_role: + name: proxmox_vm + vars: + os_type : "windows" + template : "{{ windows_server_template_name }}" + id : "{{ windows_server_template_id }}" + vm : "{{ child_dc03_hostname }}.{{ child_domain_name }}" + newid : "{{ child_dc03_vmid }}" + vmid : "{{ child_dc03_vmid }}" + ip : "{{ child_dc03_ip_address }}" + gateway : "{{ network_gateway }}" + dns : "{{ main_dc01_ip_address }}" + hostname : "{{ child_dc03_hostname }}" + domain : "{{ child_domain_name }}" + fqdn : "{{ child_dc03_hostname }}.{{ child_domain_name }}" + + - name: "add {{ child_dc03_hostname }}.{{ child_domain_name }} to in-memory inventory" + add_host: + name : "{{ child_dc03_hostname }}.{{ child_domain_name }}" + ansible_host : 
"{{ child_dc03_ip_address }}" + ansible_connection : "{{ win_connector }}" + ansible_user : "{{ default_win_username }}" + ansible_password : "{{ default_win_password }}" + ansible_port : "{{ win_port }}" + ansible_winrm_transport : basic + ansible_winrm_server_cert_validation: ignore + changed_when: false + - name: "deploy {{ main_linux_srv01_hostname }}.{{ main_domain_name }} vm on {{ proxmox_hostname }}" include_role: name: proxmox_vm @@ -126,6 +184,16 @@ name: dc01 when: inventory_hostname == main_dc01_hostname + '.' + main_domain_name + - name: "configure {{ tree_dc02_hostname }}.{{ tree_domain_name }}" + include_role: + name: dc02 + when: inventory_hostname == tree_dc02_hostname + '.' + tree_domain_name + + - name: "configure {{ child_dc03_hostname }}.{{ child_domain_name }}" + include_role: + name: dc03 + when: inventory_hostname == child_dc03_hostname + '.' + child_domain_name + - name: "configure {{ main_linux_srv01_hostname }}.{{ main_domain_name }}" include_role: name: srv01 @@ -135,7 +203,7 @@ include_role: name: adcs01 when: inventory_hostname == main_adcs01_hostname + '.' + main_domain_name - + - name: "configure {{ main_websql01_hostname }}.{{ main_domain_name }}" include_role: name: websql01 diff --git a/ansible/roles/dc02/tasks/cleanup.yaml b/ansible/roles/dc02/tasks/cleanup.yaml new file mode 100644 index 0000000..0e59407 --- /dev/null +++ b/ansible/roles/dc02/tasks/cleanup.yaml @@ -0,0 +1,3 @@ +- name: execute cleanup.ps1 + ansible.windows.win_powershell: + script: C:\scripts\cleanup.ps1 diff --git a/ansible/roles/dc02/tasks/init.yaml b/ansible/roles/dc02/tasks/init.yaml new file mode 100644 index 0000000..84b3c3e --- /dev/null +++ b/ansible/roles/dc02/tasks/init.yaml @@ -0,0 +1,3 @@ +- name: execute init.ps1 + ansible.windows.win_powershell: + script: C:\scripts\init.ps1 diff --git a/ansible/roles/dc02/tasks/install_software.yaml b/ansible/roles/dc02/tasks/install_software.yaml new file mode 100644 index 0000000..a5018a8 --- /dev/null 
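Review bot: The deploy/add_host pairs added for tree_dc02 and child_dc03 are copies of the existing dc01 pair with only the variable prefix changed, so any later change to the proxmox_vm role vars or the WinRM settings has to be repeated three times; a `loop:` over a list of `{hostname, domain, vmid, ip}` items driving one `include_role` and one `add_host` would keep a single copy. The copied inventory settings also carry over `ansible_winrm_transport : basic` and `ansible_winrm_server_cert_validation: ignore`, which is acceptable for a throwaway lab but means the local Administrator credentials are only base64-encoded on the wire unless `win_port` points at an HTTPS listener; a comment such as `# lab only: basic auth, no cert validation` next to the new hosts would make that trade-off visible. The enclosing task list starts before this hunk.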
+++ b/ansible/roles/dc02/tasks/install_software.yaml
@@ -0,0 +1,3 @@
+- name: execute install-software.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\install-software.ps1
diff --git a/ansible/roles/dc02/tasks/main.yaml b/ansible/roles/dc02/tasks/main.yaml
new file mode 100644
index 0000000..8cdafa8
--- /dev/null
+++ b/ansible/roles/dc02/tasks/main.yaml
@@ -0,0 +1,36 @@
+- name: wait for winrm to be available
+ ansible.builtin.wait_for:
+ host: "{{ ansible_host }}"
+ port: "{{ ansible_port }}"
+ timeout: 300
+ delegate_to: localhost
+
+- name: execute init.ps1
+ import_tasks: init.yaml
+
+- name: set hostname
+ import_tasks: set_hostname.yaml
+
+- name: reboot after hostname change
+ import_tasks: reboot.yaml
+
+- name: execute setup-tree-domain.ps1
+ import_tasks: setup_tree_domain.yaml
+
+- name: reboot after domain setup
+ import_tasks: reboot.yaml
+
+- name: execute dc-wait-for-ready.ps1
+ import_tasks: wait_for_ready.yaml
+
+- name: execute setup-defender-gpo.ps1 as domain admin
+ import_tasks: setup_defender_gpo.yaml
+
+- name: reboot after gpo setup
+ import_tasks: reboot.yaml
+
+- name: execute install-software.ps1
+ import_tasks: install_software.yaml
+
+- name: execute cleanup.ps1
+ import_tasks: cleanup.yaml
diff --git a/ansible/roles/dc02/tasks/populate_ad.yaml b/ansible/roles/dc02/tasks/populate_ad.yaml
new file mode 100644
index 0000000..e65ab64
--- /dev/null
+++ b/ansible/roles/dc02/tasks/populate_ad.yaml
@@ -0,0 +1,7 @@
+- name: execute populate-ad.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\populate-ad.ps1
+ parameters:
+ DomainName: "{{ main_domain_name }}"
+ UserPassword: "{{ default_win_user_password }}"
+ SvcPassword: "{{ default_win_svc_password }}"
diff --git a/ansible/roles/dc02/tasks/reboot.yaml b/ansible/roles/dc02/tasks/reboot.yaml
new file mode 100644
index 0000000..f36b168
--- /dev/null
+++ b/ansible/roles/dc02/tasks/reboot.yaml
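Review bot: `roles/dc02/tasks/main.yaml` imports ten task files but never the `populate_ad.yaml` and `setup_domain.yaml` this commit adds to the same role, and `roles/dc03/tasks/main.yaml` likewise leaves its `populate_ad.yaml`, `setup_domain.yaml` and `setup_gpo.yaml` unreferenced. Those files still carry dc01 values (`main_domain_name`, a literal SafeModePassword), so a future `import_tasks` of one of them would presumably run against the forest root instead of the tree or child domain; either remove them from the dc02/dc03 roles or rework them for their domain before they are wired in. If they are kept on purpose, a header comment such as `# not imported by main.yaml; dc01 copy kept for later` in each makes that state explicit.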
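Review bot: `DomainName: "{{ main_domain_name }}"` in dc02's populate_ad.yaml targets the forest root rather than the tree domain this role builds; if the file is meant for dc02 it should read `DomainName: "{{ tree_domain_name }}"`, and the dc03 copy `DomainName: "{{ child_domain_name }}"`. The task also hands two passwords to the script as module parameters, which show up in verbose and registered output; `no_log: true` on the task keeps them out of the run log.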
@@ -0,0 +1,3 @@
+- name: reboot
+ ansible.windows.win_reboot:
+ reboot_timeout: 3600
diff --git a/ansible/roles/dc02/tasks/set_hostname.yaml b/ansible/roles/dc02/tasks/set_hostname.yaml
new file mode 100644
index 0000000..d279485
--- /dev/null
+++ b/ansible/roles/dc02/tasks/set_hostname.yaml
@@ -0,0 +1,2 @@
+- name: set hostname
+ win_shell: Rename-Computer -NewName "{{ tree_dc02_hostname }}" -Force
diff --git a/ansible/roles/dc02/tasks/setup_defender_gpo.yaml b/ansible/roles/dc02/tasks/setup_defender_gpo.yaml
new file mode 100644
index 0000000..18d8042
--- /dev/null
+++ b/ansible/roles/dc02/tasks/setup_defender_gpo.yaml
@@ -0,0 +1,7 @@
+- name: execute setup-defender-gpo.ps1 as domain admin
+ ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-defender-gpo.ps1 -DomainName "{{ tree_domain_name }}"
+ become: yes
+ become_method: runas
+ become_user: "{{ tree_domain_name }}\\Administrator"
+ vars:
+ ansible_become_password: "{{ default_win_password }}"
diff --git a/ansible/roles/dc02/tasks/setup_domain.yaml b/ansible/roles/dc02/tasks/setup_domain.yaml
new file mode 100644
index 0000000..ef8a541
--- /dev/null
+++ b/ansible/roles/dc02/tasks/setup_domain.yaml
@@ -0,0 +1,2 @@
+- name: execute setup-main-domain.ps1
+ ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-main-domain.ps1 -DomainName "{{ tree_domain_name }}" -SafeModePassword "P4ssw0rd1234!"
diff --git a/ansible/roles/dc02/tasks/setup_tree_domain.yaml b/ansible/roles/dc02/tasks/setup_tree_domain.yaml
new file mode 100644
index 0000000..2067844
--- /dev/null
+++ b/ansible/roles/dc02/tasks/setup_tree_domain.yaml
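Review bot: `win_shell: Rename-Computer -NewName "{{ tree_dc02_hostname }}" -Force` is the only short module name in the new roles (every other task uses the `ansible.windows.` FQCN) and shells out for something the collection already covers. `ansible.windows.win_hostname:` with `name: "{{ tree_dc02_hostname }}"` is idempotent and returns `reboot_required`, which would let the following `reboot.yaml` import in main.yaml become conditional instead of unconditional. The same applies to `roles/dc03/tasks/set_hostname.yaml`.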
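Review bot: `become: yes` in setup_defender_gpo.yaml should be `become: true`, matching the `true`/`false` literals used elsewhere in the playbook and avoiding the YAML 1.1 truthy ambiguity. This task also drives the script through `win_command` with a hand-built `powershell.exe -ExecutionPolicy Bypass -File ...` line while the sibling tasks in the same role use `ansible.windows.win_powershell` with `script:` and `parameters:`; switching to the same form keeps the role consistent and drops the execution-policy override. The dc03 copies in `setup_defender_gpo.yaml` and `setup_gpo.yaml` have the same two points.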
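Review bot: `-SafeModePassword "P4ssw0rd1234!"` hard-codes the DSRM password into the command line of setup_domain.yaml, while `roles/dc03/tasks/setup_domain.yaml` in this same commit already reads it from `default_win_safemode_password`; the same literal reappears in `roles/dc02/tasks/setup_tree_domain.yaml` and `roles/dc03/tasks/setup_child_domain.yaml`, which are the files main.yaml actually imports. Use `-SafeModePassword "{{ default_win_safemode_password }}"` in all three and add `no_log: true`, because win_command and win_shell return the full command line in the `cmd` field of the task result and print it on failure.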
@@ -0,0 +1,9 @@
+- name: execute setup-tree-domain.ps1
+ ansible.windows.win_shell: >
+ powershell.exe -ExecutionPolicy Bypass
+ -File C:\scripts\setup-tree-domain.ps1
+ -ParentForestRootDomain "{{ main_domain_name }}"
+ -NewTreeDomainName "{{ tree_domain_name }}"
+ -SafeModePassword "P4ssw0rd1234!"
+ -Username Administrator
+ -Password "{{ default_win_password }}"
diff --git a/ansible/roles/dc02/tasks/wait_for_ready.yaml b/ansible/roles/dc02/tasks/wait_for_ready.yaml
new file mode 100644
index 0000000..b077e07
--- /dev/null
+++ b/ansible/roles/dc02/tasks/wait_for_ready.yaml
@@ -0,0 +1,3 @@
+- name: execute dc-wait-for-ready.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\dc-wait-for-ready.ps1
diff --git a/ansible/roles/dc03/tasks/cleanup.yaml b/ansible/roles/dc03/tasks/cleanup.yaml
new file mode 100644
index 0000000..0e59407
--- /dev/null
+++ b/ansible/roles/dc03/tasks/cleanup.yaml
@@ -0,0 +1,3 @@
+- name: execute cleanup.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\cleanup.ps1
diff --git a/ansible/roles/dc03/tasks/init.yaml b/ansible/roles/dc03/tasks/init.yaml
new file mode 100644
index 0000000..84b3c3e
--- /dev/null
+++ b/ansible/roles/dc03/tasks/init.yaml
@@ -0,0 +1,3 @@
+- name: execute init.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\init.ps1
diff --git a/ansible/roles/dc03/tasks/install_software.yaml b/ansible/roles/dc03/tasks/install_software.yaml
new file mode 100644
index 0000000..a5018a8
--- /dev/null
+++ b/ansible/roles/dc03/tasks/install_software.yaml
@@ -0,0 +1,3 @@
+- name: execute install-software.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\install-software.ps1
diff --git a/ansible/roles/dc03/tasks/main.yaml b/ansible/roles/dc03/tasks/main.yaml
new file mode 100644
index 0000000..e487caf
--- /dev/null
+++ b/ansible/roles/dc03/tasks/main.yaml
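Review bot: `-Password "{{ default_win_password }}"` passes the forest-root Administrator password as a plain command-line argument through win_shell, so it lands in the task result (`cmd` and, on failure, the printed error) and is readable in the guest's process list for as long as the script runs. At minimum add `no_log: true` to this task; if the script can be changed, taking the credential from an environment variable set via the task's `environment:` map keeps it off the command line. `-Username Administrator` is unqualified, so whether the script expects the forest-root account or a local one cannot be told from here and deserves a one-line comment. `roles/dc03/tasks/setup_child_domain.yaml` has the same shape and needs the same treatment.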
@@ -0,0 +1,36 @@
+- name: wait for winrm to be available
+ ansible.builtin.wait_for:
+ host: "{{ ansible_host }}"
+ port: "{{ ansible_port }}"
+ timeout: 300
+ delegate_to: localhost
+
+- name: execute init.ps1
+ import_tasks: init.yaml
+
+- name: set hostname
+ import_tasks: set_hostname.yaml
+
+- name: reboot after hostname change
+ import_tasks: reboot.yaml
+
+- name: execute setup-child-domain.ps1
+ import_tasks: setup_child_domain.yaml
+
+- name: reboot after domain setup
+ import_tasks: reboot.yaml
+
+- name: execute dc-wait-for-ready.ps1
+ import_tasks: wait_for_ready.yaml
+
+- name: execute setup-defender-gpo.ps1 as domain admin
+ import_tasks: setup_defender_gpo.yaml
+
+- name: reboot after gpo setup
+ import_tasks: reboot.yaml
+
+- name: execute install-software.ps1
+ import_tasks: install_software.yaml
+
+- name: execute cleanup.ps1
+ import_tasks: cleanup.yaml
diff --git a/ansible/roles/dc03/tasks/populate_ad.yaml b/ansible/roles/dc03/tasks/populate_ad.yaml
new file mode 100644
index 0000000..e65ab64
--- /dev/null
+++ b/ansible/roles/dc03/tasks/populate_ad.yaml
@@ -0,0 +1,7 @@
+- name: execute populate-ad.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\populate-ad.ps1
+ parameters:
+ DomainName: "{{ main_domain_name }}"
+ UserPassword: "{{ default_win_user_password }}"
+ SvcPassword: "{{ default_win_svc_password }}"
diff --git a/ansible/roles/dc03/tasks/reboot.yaml b/ansible/roles/dc03/tasks/reboot.yaml
new file mode 100644
index 0000000..f36b168
--- /dev/null
+++ b/ansible/roles/dc03/tasks/reboot.yaml
@@ -0,0 +1,3 @@
+- name: reboot
+ ansible.windows.win_reboot:
+ reboot_timeout: 3600
diff --git a/ansible/roles/dc03/tasks/set_hostname.yaml b/ansible/roles/dc03/tasks/set_hostname.yaml
new file mode 100644
index 0000000..9f697b7
--- /dev/null
+++ b/ansible/roles/dc03/tasks/set_hostname.yaml
@@ -0,0 +1,2 @@
+- name: set hostname
+ win_shell: Rename-Computer -NewName "{{ child_dc03_hostname }}" -Force
diff --git a/ansible/roles/dc03/tasks/setup_child_domain.yaml b/ansible/roles/dc03/tasks/setup_child_domain.yaml
new file mode 100644
index 0000000..3d8a970
--- /dev/null
+++ b/ansible/roles/dc03/tasks/setup_child_domain.yaml
@@ -0,0 +1,9 @@
+- name: execute setup-child-domain.ps1
+ ansible.windows.win_shell: >
+ powershell.exe -ExecutionPolicy Bypass
+ -File C:\scripts\setup-child-domain.ps1
+ -ParentDomainName "{{ main_domain_name }}"
+ -ChildDOmainName "{{ child_domain_name }}"
+ -SafeModePassword "P4ssw0rd1234!"
+ -Username Administrator
+ -Password "{{ default_win_password }}"
diff --git a/ansible/roles/dc03/tasks/setup_defender_gpo.yaml b/ansible/roles/dc03/tasks/setup_defender_gpo.yaml
new file mode 100644
index 0000000..9813f7b
--- /dev/null
+++ b/ansible/roles/dc03/tasks/setup_defender_gpo.yaml
@@ -0,0 +1,7 @@
+- name: execute setup-defender-gpo.ps1 as domain admin
+ ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-defender-gpo.ps1 -DomainName "{{ child_domain_name }}"
+ become: yes
+ become_method: runas
+ become_user: "{{ child_domain_name }}\\Administrator"
+ vars:
+ ansible_become_password: "{{ default_win_password }}"
diff --git a/ansible/roles/dc03/tasks/setup_domain.yaml b/ansible/roles/dc03/tasks/setup_domain.yaml
new file mode 100644
index 0000000..64ab8c0
--- /dev/null
+++ b/ansible/roles/dc03/tasks/setup_domain.yaml
@@ -0,0 +1,6 @@
+- name: execute setup-main-domain.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\setup-main-domain.ps1
+ parameters:
+ DomainName: "{{ child_domain_name }}"
+ SafeModePassword: "{{ default_win_safemode_password }}"
diff --git a/ansible/roles/dc03/tasks/setup_gpo.yaml b/ansible/roles/dc03/tasks/setup_gpo.yaml
new file mode 100644
index 0000000..fc44130
--- /dev/null
+++ b/ansible/roles/dc03/tasks/setup_gpo.yaml
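Review bot: `-ChildDOmainName "{{ child_domain_name }}"` in setup_child_domain.yaml has a capitalisation slip; PowerShell binds parameter names case-insensitively so the script still receives it, but the line no longer matches a search for `-ChildDomainName` and reads as a typo. Change it to `-ChildDomainName "{{ child_domain_name }}"`.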
@@ -0,0 +1,7 @@
+- name: execute setup-gpo.ps1 as domain admin
+ ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-gpo.ps1 -DomainName "{{ main_domain_name }}"
+ become: yes
+ become_method: runas
+ become_user: "{{ main_domain_name }}\\Administrator"
+ vars:
+ ansible_become_password: "{{ default_win_password }}"
diff --git a/ansible/roles/dc03/tasks/wait_for_ready.yaml b/ansible/roles/dc03/tasks/wait_for_ready.yaml
new file mode 100644
index 0000000..b077e07
--- /dev/null
+++ b/ansible/roles/dc03/tasks/wait_for_ready.yaml
@@ -0,0 +1,3 @@
+- name: execute dc-wait-for-ready.ps1
+ ansible.windows.win_powershell:
+ script: C:\scripts\dc-wait-for-ready.ps1 |
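Review bot: `-DomainName "{{ main_domain_name }}"` and `become_user: "{{ main_domain_name }}\\Administrator"` in dc03's setup_gpo.yaml still point at the forest root, so if this file is ever imported the GPO script would run as the parent domain's Administrator from the child DC, which is presumably not the intent of a dc03 role. The sibling `setup_defender_gpo.yaml` in the same role already uses `child_domain_name` for both lines; matching it, `-DomainName "{{ child_domain_name }}"` and `become_user: "{{ child_domain_name }}\\Administrator"`, keeps the role self-consistent. Note that `roles/dc03/tasks/main.yaml` does not import this file at present.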