DSCResources/AddsDomain/AddsDomain.schema.psm1

configuration AddsDomain
{
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars')]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments')]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $DomainFQDN,

        [Parameter(Mandatory = $true)]
        [string]
        $DomainName,

        [Parameter()]
        [pscredential]
        $DomainAdministrator,

        [Parameter()]
        [pscredential]
        $SafeModeAdministratorPassword,

        [Parameter()]
        [string]
        $DatabasePath = 'C:\Windows\NTDS',

        [Parameter()]
        [string]
        $LogPath = 'C:\Windows\Logs',

        [Parameter()]
        [string]
        $SysvolPath = 'C:\Windows\SYSVOL',

        [Parameter()]
        [string]
        $ForestMode = 'WinThreshold',

        [Parameter()]
        [boolean]
        $ForceRebootBefore,

        [Parameter()]
        [hashtable[]]
        $DomainTrusts,

        [Parameter()]
        [boolean]
        $EnablePrivilegedAccessManagement = $false
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ActiveDirectoryDsc

    WindowsFeature ADDS
    {
        Name   = 'AD-Domain-Services'
        Ensure = 'Present'
    }

    WindowsFeature RSAT
    {
        Name      = 'RSAT-AD-PowerShell'
        Ensure    = 'Present'
        DependsOn = '[WindowsFeature]ADDS'
    }

    [string]$nextDependsOn = '[WindowsFeature]RSAT'

    if ($ForceRebootBefore -eq $true)
    {
        $rebootKeyName = 'HKLM:\SOFTWARE\DSC Community\CommonTasks\RebootRequests'
        $rebootVarName = 'RebootBefore_ADDomain'

        Script $rebootVarName
        {
            TestScript = {
                $val = Get-ItemProperty -Path $using:rebootKeyName -Name $using:rebootVarName -ErrorAction SilentlyContinue

                if ($val -ne $null -and $val.$rebootVarName -gt 0)
                {
                    return $true
                }
                return $false
            }
            SetScript  = {
                if ( -not (Test-Path -Path $using:rebootKeyName) )
                {
                    New-Item -Path $using:rebootKeyName -Force
                }
                Set-ItemProperty -Path $rebootKeyName -Name $using:rebootVarName -value 1
                $global:DSCMachineStatus = 1
            }
            GetScript  = { return `
                @{
                    result = 'result'
                }
            }
            DependsOn  = $nextDependsOn
        }

        $nextDependsOn = "[Script]$rebootVarName"
    }

    ADDomain $DomainName
    {
        DomainName                    = $DomainFQDN
        DomainNetbiosName             = $DomainName
        SafemodeAdministratorPassword = $SafeModeAdministratorPassword
        Credential                    = $DomainAdministrator
        DatabasePath                  = $DatabasePath
        LogPath                       = $LogPath
        SysvolPath                    = $SysvolPath
        ForestMode                    = $ForestMode
        DependsOn                     = $nextDependsOn
    }

    # assign DomainAdministrator to group 'Enterprise Admins' - otherwise ADOptionalFeature will fail with insufficient rights
    ADGroup "EnterpriseAdmins_$DomainName"
    {
        GroupName        = 'Enterprise Admins'
        MembersToInclude = $(Split-Path -Path $DomainAdministrator.UserName -Leaf)
        DependsOn        = "[ADDomain]$DomainName"
    }

    ADOptionalFeature RecycleBinFeature
    {
        DependsOn                         = "[ADGroup]EnterpriseAdmins_$DomainName"
        ForestFQDN                        = $DomainFQDN
        EnterpriseAdministratorCredential = $DomainAdministrator
        FeatureName                       = 'Recycle Bin Feature'
    }

    if ( $EnablePrivilegedAccessManagement -eq $true )
    {
        ADOptionalFeature PrivilegedAccessManagementFeature
        {
            DependsOn                         = "[ADGroup]EnterpriseAdmins_$DomainName"
            ForestFQDN                        = $DomainFQDN
            EnterpriseAdministratorCredential = $DomainAdministrator
            FeatureName                       = 'Privileged Access Management Feature'
        }
    }

    foreach ($trust in $DomainTrusts)
    {
        WaitForAdDomain $trust.Name
        {
            DomainName = $trust.Fqdn
            Credential = $trust.Credential
        }

        ADDomainTrust $trust.Name
        {
            SourceDomainName = $DomainName
            TargetCredential = $trust.Credential
            TargetDomainName = $trust.Fqdn
            TrustDirection   = 'Bidirectional'
            TrustType        = 'Forest'
            DependsOn        = "[WaitForAdDomain]$($trust.Name)"
        }
    }
}