
Automated ADDS & ADCS setup on a fresh Windows Server 2016 image in Azure

Server Fault, asked by Arjen on December 22, 2020

For a project we are working on, we require a Windows Server 2016 virtual machine instance, for now referred to as winvm, with Active Directory Domain Services (ADDS) and Active Directory Certificate Services (ADCS) enabled.

I have written a PowerShell script on my local machine that I send through ssh/scp to my CentOS 8 VM used for maintenance, for now referred to as centosvm. So far I have managed to connect centosvm to winvm through RDP, more specifically FreeRDP. I am able to share folders and therefore files, which I can subsequently run manually using the pop-up GUI that shows my Windows Server desktop. I wish to automate this further, but I am currently stuck due to Windows security policies.

  • For one, SSH is disabled by default, so I am unable to use Ansible on this fresh image without manually enabling it.
  • Second, FreeRDP can launch a remote application through the /app:{path/to/application} option and pass arguments to it with /app-cmd:{command line arguments here}. The issue with this is that Windows Server 2016 has a default registry value that prevents RDP from executing applications. See the bottom of this page for more information. Changing the value does allow RDP to execute applications and send the relevant arguments, but it still requires manual input. Since Windows blocks this for RDP in general, other RDP clients such as rdesktop should show the same behaviour.
  • Lastly, Azure has a built-in feature called Run-Command, which is exactly what I need, as it allows me to pass a PowerShell script that it somehow delivers to winvm over HTTPS (? they use port 443) and executes non-interactively. For this project we want our code base to be largely platform-agnostic, so relying on an Azure-exclusive feature is out of the question.

With the last point in mind, I still have a glimmer of hope that this can be fully automated, i.e. executing a script on centosvm without user interaction that fully configures ADDS and ADCS. If Azure can do it, then why can’t we?

Does anyone have any experience with this subject?

My infrastructure looks like this:

Non-Azure:

  • [Ubuntu 20.04] Local machine used to interface with Azure and subsequently centosvm.

Relevant Azure resources (built through Terraform):

  • centosvm: [CentOS 8] The only resource with a public IP that I can reach from my local machine. Its private IP is 10.0.2.11.
  • winvm: [Windows Server 2016] A resource with only a private IP (10.0.2.10) in the same subnet as centosvm, reachable through RDP.

Thanks in advance!

P.S. Doing the setup manually is not the end of the world, but we would just like to streamline the process as much as possible. I would appreciate it if the answers were not simply along the lines of "well if the scripts are small enough then just keep doing it manually".
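The non-interactive ADDS plus ADCS build the question is after, as an added example that is not part of the original post or of any answer to it. It is independent of the delivery channel (Azure Run-Command, a WinRM session from centosvm, or a first-boot hook all work the same way), and it is split into two phases because forest promotion reboots the server and an Enterprise CA can only be installed on a domain member, by a member of Enterprise Admins (the new forest's built-in Administrator qualifies). The domain name corp.example.test, the NetBIOS name CORP, the CA name CORP-ROOT-CA and the DSRM_PASSWORD environment variable are assumptions of this example, not names from the page.

```powershell
# Added example (not from the original post): two-phase, non-interactive build of
# an AD DS forest and an AD CS Enterprise Root CA on Windows Server 2016.
# Assumed names (not from the page): corp.example.test / CORP, CA "CORP-ROOT-CA".
# Phase "forest" promotes the server and reboots; phase "ca" must be run after
# that reboot, as a member of Enterprise Admins, by whatever remote channel you use.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [ValidateSet('forest', 'ca')]
    [string]$Phase = 'forest',
    [string]$DomainName   = 'corp.example.test',
    [string]$NetbiosName  = 'CORP',
    [string]$CaCommonName = 'CORP-ROOT-CA'
)
$ErrorActionPreference = 'Stop'

function Get-DomainRole {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
}

function Install-Forest {
    if ((Get-DomainRole) -ge 4) { Write-Host 'Already a domain controller; skipping.'; return }

    # The DSRM password is read from the environment (assumed variable name) so it
    # never lands in a command line, a transcript or an RDP /app-cmd string.
    if (-not $env:DSRM_PASSWORD) { throw 'Set DSRM_PASSWORD before running phase "forest".' }
    if ($env:DSRM_PASSWORD.Length -lt 15) { throw 'DSRM password must be at least 15 characters.' }
    $dsrm = ConvertTo-SecureString -String $env:DSRM_PASSWORD -AsPlainText -Force
    Remove-Item -Path Env:\DSRM_PASSWORD

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # -Force suppresses the confirmation prompt; the cmdlet reboots on completion
    # unless -NoRebootOnCompletion is given, so nothing after it runs in this phase.
    Install-ADDSForest `
        -DomainName $DomainName `
        -DomainNetbiosName $NetbiosName `
        -ForestMode WinThreshold `
        -DomainMode WinThreshold `
        -InstallDns `
        -SafeModeAdministratorPassword $dsrm `
        -Force
}

function Install-EnterpriseRootCA {
    if ((Get-DomainRole) -lt 4) { throw 'Run phase "ca" on the promoted DC, after the reboot.' }
    if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
        Write-Host 'CertSvc already present; skipping.'; return
    }

    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    Import-Module ADCSDeployment

    # Software KSP, RSA-4096, SHA-256, ten-year root. -Force suppresses the prompt.
    Install-AdcsCertificationAuthority `
        -CAType EnterpriseRootCA `
        -CACommonName $CaCommonName `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 4096 `
        -HashAlgorithmName SHA256 `
        -ValidityPeriod Years `
        -ValidityPeriodUnits 10 `
        -Force

    # Verify: the CA service is up and answers a certutil ping.
    if ((Get-Service -Name CertSvc).Status -ne 'Running') { throw 'CertSvc is not running.' }
    & certutil.exe -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -ping failed; CA is not responding.' }
}

switch ($Phase) {
    'forest' { Install-Forest }
    'ca'     { Install-EnterpriseRootCA }
}
```

Run it twice from an elevated prompt, e.g. `powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\Build-Dc.ps1 -Phase forest` with DSRM_PASSWORD set, then, after the promotion reboot, the same command with `-Phase ca`. Both phases are idempotent, so re-running a finished phase is harmless. Two caveats a practitioner would want: the only secret in this build is the DSRM password, so keep it out of anything that becomes a process command line (including FreeRDP's /app-cmd, which is visible in process listings on winvm); and an Enterprise Root CA whose key sits in the software KSP of a domain controller is a lab shortcut, not a production PKI design, where an offline root with a subordinate issuing CA on a separate host is the norm.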
