Automate Windows without network connectivity with Ansible

• Author
• Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

• ManageEngine OpManager: Comprehensive monitoring for on-prem, cloud, and containers - Thu, Mar 23 2023
• Install K3s, a lightweight, production-grade Kubernetes distro - Mon, Mar 20 2023
• VMware NSX Advanced Load Balancer: Installation and configuration - Fri, Mar 10 2023

Configuring, installing, and making changes to a Windows environment through the GUI can be extremely cumbersome, especially at scale. Generally, when thinking about automation, it is a prerequisite to have network connectivity to your Windows machine. However, let's take a look at using Ansible to power your automation. Ansible provides several modules that allow you to automate your Windows environment without a network connection.

Ansible automation tools for Windows

If you haven't looked at Ansible for automating your Windows environment, take a look. It provides a great way to automate your environment using very simple "playbooks" that can be executed against your Windows hosts for provisioning, configuration management, and other very helpful tasks.

The great thing about Windows automation is that it is agentless. It works with the native Windows PowerShell remoting capability to provide easy, native Windows management for your environment. Using the agentless approach that Ansible provides, you can easily perform the following tasks in Windows:

• Installing and uninstalling applications
• Managing Windows features
• Managing and administering Windows services
• Automating local Windows users and groups
• Managing and configuring Windows updates
• Installing packages using the Chocolatey package management system
• Running various custom scripts, including PowerShell

These are just a few of the capabilities that Ansible provides for your Windows environment. However, the ability to manage Windows as described with native PowerShell remoting requires network connectivity. Can you use Ansible in your Windows environment if you don't have network connectivity? Yes. How?

Let's take a look at how you can easily automate your Windows virtual machines using Ansible without network connectivity.

Ansible automation without network connectivity

Ansible enables communicating with various platforms outside of Windows, including VMware vSphere environments. One of the really great features of Ansible with VMware vSphere environments is that you can communicate with VMs using only VMware Tools.

If you are running Windows virtual machines inside your VMware vSphere environment, Ansible can communicate with VMware Tools in an out-of-band manner that allows successfully running your configuration and automation playbooks on your Windows virtual machines without having any network connectivity to them. You may wonder why you would want to have the ability to automate your virtual machines without network connectivity.

Let's consider a few use cases.

Use cases

What are the use cases for needing/wanting to perform automated tasks using Ansible when there is no network connectivity? A few come to mind, including the following:

• Building a Windows server/client: During the build and initial configuration of the operating system, there is a period when the machine does not have network connectivity or has "unconfigured" network connectivity.
• Changing network properties or other network configuration: Obviously, if you are working directly with making changes to the network configuration on a Windows machine, you will be in a "catch-22" of losing connectivity to the machine if you make changes to the network adapter or other properties.
• Lab environments: There are a few scenarios in a lab environment that may require connecting without network connectivity. For instance, you may want to reseed a lab environment with a subset of machines from production and have temporarily broken domain memberships on those machines. You can do this easily by performing an out-of-band rejoin using Ansible without connecting via the network with broken network credentials.

The above are only a few of the use cases among many that Ansible can solve, with its ability to automate Windows without network connectivity using VMware Tools. So, how is this accomplished using Ansible?

Ansible modules for VMware guest operating system interaction

There are a couple of Ansible VMware modules that I want to focus on that provide the functionality to automate Windows without having a network connection; instead, they provide PowerShell remote-assisted automation. In case you are not familiar with Ansible and its use of modules, what are they?

Ansible modules are scripts that Ansible makes use of by way of the Ansible API as well as the ansible and ansible-playbook executables. These modules are reusable and provide JSON string output before exiting. Ansible includes many "in-the-box" modules that can be used to interact with various platforms, including VMware, Windows, Linux, and many others.

Let's look at the following modules you can use to automate your Windows environment through VMware without network connectivity.

• vmware_vm_shell
• vmware_guest_file_operation

vmware_vm_shell

The first module to take a close look at is the vmware_vm_shell module. Using this module, you can do anything you want to do by running PowerShell commands or scripts inside your Windows environment without having connectivity at the network level.

It does this by communicating either through an ESXi host or vCenter and with the guest virtual machine by way of VMware Tools via the guest operations API. With the vmware_vm_shell command, you can run PowerShell commands, scripts, and other configuration inside your guest virtual machine using only VMware Tools.

You will need to authenticate to your vCenter/ESXi host as well as the Windows guest operating system to run commands. However, once authenticated, you can easily configure your Windows machine without limitations outside of PowerShell.

Let's take a look at an example of a code snippet where we will change the DNS server value of a Windows guest while the network adapter is disconnected. The quick and easy playbook using the Ansible vmware_vm_shell module looks like the following. Take note of the variables that I have included in a test-vars.yml file:

• vm_user
• vm_password
• vm_name
• vm_dns_server

I have set the vm_dns_server variable to 8.8.8.8.

- name: Test VM Shell Ansible
 hosts: localhost 
 gather_facts: false
 vars_files: 
  test-vars.yml
 tasks: 
 - name: Configure DNS via vmware_vm_shell
  local_action:
   module: vmware_vm_shell
   <<: *esxi_login
   vm_username: '{{ vm_user }}'
   vm_password: '{{ vm_password }}'
   vm_id: '{{ vm_name }}'
   vm_shell: 'c:\windows\system32\windowspowershell\v1.0\powershell.exe'
   vm_shell_args: '-command "(Set-DnsClientServerAddress -InterfaceAlias Ethernet0 -ServerAddresses {{ vm_dns_server }})"'
   wait_for_process: true

As you can see, we are simply using the Set-DnsClientServerAddress PowerShell cmdlet to carry out the change to DNS. However, the vmware_vm_shell Ansible module is the vehicle that interacts with the Windows guest VM. Does it work without network connectivity?

Below, I have disconnected the network adapter from the virtual machine. The current value of the DNS server entry for the network adapter is shown.

Network is disconnected on a Windows test VM

Now, let's run the Ansible playbook using the vmware_vm_shell module.

Running the Ansible playbook to change DNS with the network adapter disconnected

After running the playbook, the DNS server value has changed to the 8.8.8.8 value set in the variables file. So, even with the network adapter disconnected, we are still able to run PowerShell commands inside the Windows virtual machine via VMware Tools.

DNS server value is changed even with the network adapter disconnected

vmware_guest_file_operation

Another really powerful little Ansible module that allows getting files over to your Windows guest operating system running in your vSphere environment without network connectivity is the vmware_guest_file_operation module.

As part of the same test Ansible playbook, I am copying a PowerShell .PS1 script to a custom folder on the Windows machine. Below, you can see that the fixdomain.ps1 script is set to be copied from the resources folder on the Ansible box to the target Windows directory.

- name: copy file to vm
  local_action:
   module: vmware_guest_file_operation
   <<: *esxi_login
   vm_username: '{{ vm_user }}'
   vm_password: '{{ vm_password }}'
   vm_id: '{{ vm_name }}'
   copy:
     src: "resources/fixdomain.ps1"
     dest: "c:\\windows\\tools\\fixdomain.ps1"
     overwrite: true

Does it work without network connectivity? As you can see below, after running the playbook, the file is successfully copied to the Windows machine without the network adapter connected.

Copying a file to a Windows machine without network connectivity using Ansible

Final thoughts

Ansible provides a really great toolset for automating your Windows environment. If you have Windows guest virtual machines running inside your VMware vSphere environment, Ansible provides modules to interact with the guest operating system even if the network adapter is not connected.

This is accomplished with an out-of-band connection using VMware Tools running inside the Windows guest operating system. With the vmware_vm_shell and vmware_guest_file_operation modules, you can run scripts as well as copy files to a Windows machine without network connectivity and automate operations independent of the status of your network connection.