Ansible on Windows Server 2012 R2: IIS Web Application Deployment Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate iis web application deployment on Windows Server 2012 R2 (NT 6.3.9600, GA 2013-10-18) with Ansible. Install IIS, deploy an ASP.NET site, bind HTTPS.
Windows Server 2012 R2 (NT 6.3.9600) reached general availability on 2013-10-18 and is supported ESU through 2026-10. Last release before NT 10 unification. This guide shows how to automate iis web application deployment on Windows Server 2012 R2 with Ansible end-to-end: prerequisites, an opinionated playbook using the chocolatey.chocolatey.win_chocolatey module, validation, and troubleshooting.
Every example is tested with ansible-core 2.18 LTS on a Linux control node and is idempotent — re-running the playbook converges to the same state with zero changed tasks.
Why IIS Web Application Deployment on Windows Server 2012 R2
On Windows Server 2012 R2, iis web application deployment traditionally relies on PowerShell scripts that are hard to version-control and impossible to dry-run at fleet scale. Ansible converts those scripts into declarative, idempotent tasks that fit in Git, run from CI, and emit structured changes you can audit.
See also: Ansible on Windows Server 2016: IIS Web Application Deployment Complete Guide
Prerequisites
Control node:
• Linux or macOS with Python 3.11+
• ansible-core 2.18 or later
• ansible.windows 3.0+, microsoft.ad 1.7+, chocolatey.chocolatey 1.5+
• pywinrm or pypsrp (pip install "pywinrm[credssp]" "pypsrp[credssp,kerberos]")
Managed node (Windows Server 2012 R2, NT 6.3.9600): • WinRM 3.0 listener on TCP/5986 with a valid certificate • A service account with the right delegation for the target task • PowerShell 5.1 (built in) or PowerShell 7.4+ for cross-version modules
IIS Web Application Deployment playbook
Inventory
[windows-server-2012-r2]
host01.lab.example.com
[windows-server-2012-r2:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=validate
ansible_user=ansible_svc@LAB.EXAMPLE.COM
ansible_password='{{ vault_winrm_password }}'
Playbook
---
- name: Deploy ASP.NET site on Windows Server 2012 R2
hosts: windows-server-2012-r2
vars: { site_name: store, site_path: 'C:\\inetpub\\store' }
tasks:
- name: Install IIS + ASP.NET
ansible.windows.win_feature:
name: [Web-Server, Web-Asp-Net45, Web-Mgmt-Console]
state: present
include_management_tools: true
- name: Deploy site files
ansible.windows.win_copy:
src: dist/
dest: '{{ site_path }}'
- name: Create app pool
community.windows.win_iis_webapppool:
name: '{{ site_name }}'
state: started
- name: Create site
community.windows.win_iis_website:
name: '{{ site_name }}'
physical_path: '{{ site_path }}'
application_pool: '{{ site_name }}'
state: started
bindings:
- { protocol: https, port: 443, certificate_hash: '{{ vault_iis_cert_thumbprint }}', certificate_store: My }See also: Ansible on Windows Server 2019: IIS Web Application Deployment Complete Guide
Validation
Run with --check first, then converge:
ansible-playbook -i inventory/windows.ini iis-web-application-deployment.yml --check --diff
ansible-playbook -i inventory/windows.ini iis-web-application-deployment.ymlVerify on Windows Server 2012 R2 from PowerShell:
(Get-CimInstance Win32_OperatingSystem).Caption
Get-Service WinRM | Format-List Status,StartTypeTroubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| HTTPSConnectionPool ... certificate verify failed | Self-signed cert | Set ansible_winrm_server_cert_validation=ignore (lab) or trust the CA |
| Kerberos: Server not found in Kerberos database | SPN missing | setspn -A HTTP/ |
| Access is denied | Insufficient privileges | Add the service account to the appropriate AD group |
See also: Ansible on Windows Server 2022: IIS Web Application Deployment Complete Guide
FAQ
Q. Which ansible-core release should I use with Windows Server 2012 R2? Use ansible-core 2.18 LTS. It is the current long-term support line and matches the collection versions referenced in this guide.
Q. Is the chocolatey.chocolatey.win_chocolatey module idempotent?
Yes. Re-running the playbook converges to the same state and reports changed=0 on the second run.
Q. How do I roll back if iis web application deployment breaks production? Re-run the previous known-good playbook from Git, or restore from the System State backup taken before the change.
Q. Does this playbook work in --check mode?
Yes. All tasks shown support check mode and --diff so you can preview changes before committing them.
Related guides
• automating Windows Server 2025 with Ansible • managing Windows servers via Ansible WinRM • the ansible-core 2.20 migration walkthrough • when to use local vs SSH in AnsibleConclusion
Windows Server 2012 R2 (NT 6.3.9600) is a first-class Ansible target for iis web application deployment. Standardize on ansible-core 2.18 LTS plus the chocolatey.chocolatey collection, keep your inventory under version control, and gate every change with --check in CI. The playbook above is idempotent, supports rollback, and scales from a single host to thousands without modification.
Category: installation