DSCResources/MSFT_ADDomainController/MSFT_ADDomainController.psm1

$resourceModulePath = Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent
$modulesFolderPath = Join-Path -Path $resourceModulePath -ChildPath 'Modules'

$aDCommonModulePath = Join-Path -Path $modulesFolderPath -ChildPath 'ActiveDirectoryDsc.Common'
Import-Module -Name $aDCommonModulePath

$dscResourceCommonModulePath = Join-Path -Path $modulesFolderPath -ChildPath 'DscResource.Common'
Import-Module -Name $dscResourceCommonModulePath

$script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US'

<#
    .SYNOPSIS
        Returns the current state of the domain controller.
 
    .PARAMETER DomainName
        Provide the FQDN of the domain the Domain Controller is being added to.
 
    .PARAMETER Credential
        Specifies the credential for the account used to install the domain controller.
        This account must have permission to access the other domain controllers
        in the domain to be able replicate domain information.
 
    .PARAMETER SafemodeAdministratorPassword
        Provide a password that will be used to set the DSRM password. This is a PSCredential.
 
    .NOTES
        Used Functions:
            Name | Module
            ------------------------------------------------|--------------------------
            Get-ADDomain | ActiveDirectory
            Get-ADDomainControllerPasswordReplicationPolicy | ActiveDirectory
            Get-DomainControllerObject | ActiveDirectoryDsc.Common
            Assert-Module | DscResource.Common
            New-ObjectNotFoundException | DscResource.Common
#>

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DomainName,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $SafemodeAdministratorPassword
    )

    Assert-Module -ModuleName 'ActiveDirectory'

    Write-Verbose -Message ($script:localizedData.ResolveDomainName -f $DomainName)

    $Domain = Get-DomainObject -Identity $DomainName -Credential $Credential -ErrorOnUnexpectedExceptions -Verbose:$VerbosePreference

    if (-not $Domain)
    {
        $errorMessage = $script:localizedData.MissingDomain -f $DomainName
        New-ObjectNotFoundException -Message $errorMessage
    }

    Write-Verbose -Message ($script:localizedData.DomainPresent -f $DomainName)

    $domainControllerObject = Get-DomainControllerObject `
        -DomainName $DomainName -ComputerName $env:COMPUTERNAME -Credential $Credential

    if ($domainControllerObject)
    {
        Write-Verbose -Message ($script:localizedData.IsDomainController -f
            $domainControllerObject.Name, $domainControllerObject.Domain)

        # If this is a read-only domain controller, retrieve any user or group that is a delegated administrator via the ManagedBy attribute
        $delegateAdministratorAccountName = $null
        if ($domainControllerObject.IsReadOnly)
        {
            $domainControllerComputerObject = $domainControllerObject.ComputerObjectDN | Get-ADComputer -Properties ManagedBy -Credential $Credential
            if ($domainControllerComputerObject.ManagedBy)
            {
                $domainControllerManagedByObject = $domainControllerComputerObject.ManagedBy | Get-ADObject -Properties objectSid -Credential $Credential
                
                $delegateAdministratorAccountName = Resolve-SamAccountName -ObjectSid $domainControllerManagedByObject.objectSid
            }
        }

        $allowedPasswordReplicationAccountName = (
            Get-ADDomainControllerPasswordReplicationPolicy -Allowed -Identity $domainControllerObject |
            ForEach-Object -MemberName sAMAccountName)
        $deniedPasswordReplicationAccountName = (
            Get-ADDomainControllerPasswordReplicationPolicy -Denied -Identity $domainControllerObject |
            ForEach-Object -MemberName sAMAccountName)
        $serviceNTDS = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $serviceNETLOGON = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $installDns = [System.Boolean](Get-Service -Name dns -ErrorAction SilentlyContinue)

        $targetResource = @{
            AllowPasswordReplicationAccountName = @($allowedPasswordReplicationAccountName)
            Credential                          = $Credential
            DatabasePath                        = $serviceNTDS.'DSA Working Directory'
            DelegatedAdministratorAccountName   = $delegateAdministratorAccountName
            DenyPasswordReplicationAccountName  = @($deniedPasswordReplicationAccountName)
            DomainName                          = $domainControllerObject.Domain
            Ensure                              = $true
            FlexibleSingleMasterOperationRole   = @($domainControllerObject.OperationMasterRoles)
            InstallationMediaPath               = $null
            InstallDns                          = $installDns
            IsGlobalCatalog                     = $domainControllerObject.IsGlobalCatalog
            LogPath                             = $serviceNTDS.'Database log files path'
            ReadOnlyReplica                     = $domainControllerObject.IsReadOnly
            SafemodeAdministratorPassword       = $SafemodeAdministratorPassword
            SiteName                            = $domainControllerObject.Site
            SysvolPath                          = $serviceNETLOGON.SysVol -replace '\\sysvol$', ''
        }
    }
    else
    {
        Write-Verbose -Message ($script:localizedData.NotDomainController -f $env:COMPUTERNAME)

        $targetResource = @{
            AllowPasswordReplicationAccountName = $null
            Credential                          = $Credential
            DatabasePath                        = $null
            DelegatedAdministratorAccountName   = $null
            DenyPasswordReplicationAccountName  = $null
            DomainName                          = $DomainName
            Ensure                              = $false
            FlexibleSingleMasterOperationRole   = $null
            InstallationMediaPath               = $null
            InstallDns                          = $false
            IsGlobalCatalog                     = $false
            LogPath                             = $null
            ReadOnlyReplica                     = $false
            SafemodeAdministratorPassword       = $SafemodeAdministratorPassword
            SiteName                            = $null
            SysvolPath                          = $null
        }
    }

    return $targetResource
}

<#
    .SYNOPSIS
        Installs, or change properties on, a domain controller.
 
    .PARAMETER DomainName
        Provide the FQDN of the domain the Domain Controller is being added to.
 
    .PARAMETER Credential
        Specifies the credential for the account used to install the domain controller.
        This account must have permission to access the other domain controllers
        in the domain to be able replicate domain information.
 
    .PARAMETER SafemodeAdministratorPassword
        Provide a password that will be used to set the DSRM password. This is a PSCredential.
 
    .PARAMETER DatabasePath
        Provide the path where the NTDS.dit will be created and stored.
 
    .PARAMETER LogPath
        Provide the path where the logs for the NTDS will be created and stored.
 
    .PARAMETER SysvolPath
        Provide the path where the Sysvol will be created and stored.
 
    .PARAMETER SiteName
        Provide the name of the site you want the Domain Controller to be added to.
 
    .PARAMETER InstallationMediaPath
        Provide the path for the IFM folder that was created with ntdsutil.
        This should not be on a share but locally to the Domain Controller being promoted.
 
    .PARAMETER IsGlobalCatalog
        Specifies if the domain controller will be a Global Catalog (GC).
 
    .PARAMETER ReadOnlyReplica
        Specifies if the domain controller should be provisioned as read-only domain controller
 
    .PARAMETER DelegatedAdministratorAccountName
        Specifies the user or group that is the delegated administrator of this read-only domain controller.
 
    .PARAMETER AllowPasswordReplicationAccountName
        Provides a list of the users, computers, and groups to add to the password replication allowed list.
 
    .PARAMETER DenyPasswordReplicationAccountName
        Provides a list of the users, computers, and groups to add to the password replication denied list.
 
    .PARAMETER FlexibleSingleMasterOperationRole
        Specifies one or more Flexible Single Master Operation (FSMO) roles to
        move to this domain controller. The current owner must be online and
        responding for the move to be allowed.
 
    .PARAMETER InstallDns
        Specifies if the DNS Server service should be installed and configured on
        the domain controller. If this is not set the default value of the parameter
        InstallDns of the cmdlet Install-ADDSDomainController is used.
        The parameter `InstallDns` is only used during the provisioning of a domain
        controller. The parameter cannot be used to install or uninstall the DNS
        server on an already provisioned domain controller.
    .NOTES
        Used Functions:
            Name | Module
            ---------------------------------------------------|--------------------------
            Install-ADDSDomainController | ActiveDirectory
            Get-ADForest | ActiveDirectory
            Set-ADObject | ActiveDirectory
            Move-ADDirectoryServer | ActiveDirectory
            Move-ADDirectoryServerOperationMasterRole | ActiveDirectory
            Remove-ADDomainControllerPasswordReplicationPolicy | ActiveDirectory
            Add-ADDomainControllerPasswordReplicationPolicy | ActiveDirectory
            Get-DomainControllerObject | ActiveDirectoryDsc.Common
            Get-DomainObject | ActiveDirectoryDsc.Common
            New-InvalidOperationException | DscResource.Common
#>

function Set-TargetResource
{
    <#
        Suppressing this rule because $global:DSCMachineStatus is used to
        trigger a reboot for the one that was suppressed when calling
        Install-ADDSDomainController.
    #>

    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '')]
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '',
        Justification = 'Read-Only Domain Controller (RODC) Creation support(AllowPasswordReplicationAccountName and DenyPasswordReplicationAccountName)')]
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DomainName,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $SafemodeAdministratorPassword,

        [Parameter()]
        [System.String]
        $DatabasePath,

        [Parameter()]
        [System.String]
        $LogPath,

        [Parameter()]
        [System.String]
        $SysvolPath,

        [Parameter()]
        [System.String]
        $SiteName,

        [Parameter()]
        [System.String]
        $InstallationMediaPath,

        [Parameter()]
        [System.Boolean]
        $IsGlobalCatalog,

        [Parameter()]
        [System.Boolean]
        $ReadOnlyReplica,

        [Parameter()]
        [System.String]
        $DelegatedAdministratorAccountName,

        [Parameter()]
        [System.String[]]
        $AllowPasswordReplicationAccountName,

        [Parameter()]
        [System.String[]]
        $DenyPasswordReplicationAccountName,

        [Parameter()]
        [ValidateSet('DomainNamingMaster', 'SchemaMaster', 'InfrastructureMaster', 'PDCEmulator', 'RIDMaster')]
        [System.String[]]
        $FlexibleSingleMasterOperationRole,

        [Parameter()]
        [System.Boolean]
        $InstallDns
    )

    $getTargetResourceParameters = @{
        DomainName                    = $DomainName
        Credential                    = $Credential
        SafeModeAdministratorPassword = $SafemodeAdministratorPassword
    }

    $targetResource = Get-TargetResource @getTargetResourceParameters

    if ($PSBoundParameters.ContainsKey('DelegatedAdministratorAccountName'))
    {
        if (-not $PSBoundParameters.ContainsKey('ReadOnlyReplica') -or $ReadOnlyReplica -ne $true)
        {
            New-InvalidOperationException -Message $script:localizedData.DelegatedAdministratorAccountNameNotRODC
        }
    }

    if ($PSBoundParameters.ContainsKey('AllowPasswordReplicationAccountName'))
    {
        if (-not $PSBoundParameters.ContainsKey('ReadOnlyReplica') -or $ReadOnlyReplica -ne $true)
        {
            New-InvalidOperationException -Message $script:localizedData.AllowPasswordReplicationAccountNameNotRODC
        }
    }

    if ($PSBoundParameters.ContainsKey('DenyPasswordReplicationAccountName'))
    {
        if (-not $PSBoundParameters.ContainsKey('ReadOnlyReplica') -or $ReadOnlyReplica -ne $true)
        {
            New-InvalidOperationException -Message $script:localizedData.DenyPasswordReplicationAccountNameNotRODC
        }
    }

    if ($targetResource.Ensure -eq $false)
    {
        Write-Verbose -Message ($script:localizedData.Promoting -f $env:COMPUTERNAME, $DomainName)

        # Node is not a domain controller so we promote it.
        $installADDSDomainControllerParameters = @{
            DomainName                    = $DomainName
            SafeModeAdministratorPassword = $SafemodeAdministratorPassword.Password
            Credential                    = $Credential
            NoRebootOnCompletion          = $true
            Force                         = $true
        }

        if ($PSBoundParameters.ContainsKey('ReadOnlyReplica') -and $ReadOnlyReplica -eq $true)
        {
            if (-not $PSBoundParameters.ContainsKey('SiteName'))
            {
                New-InvalidOperationException -Message $script:localizedData.RODCMissingSite
            }

            $installADDSDomainControllerParameters.Add('ReadOnlyReplica', $true)
        }

        if ($PSBoundParameters.ContainsKey('DelegatedAdministratorAccountName'))
        {
            $installADDSDomainControllerParameters.Add('DelegatedAdministratorAccountName',
                $DelegatedAdministratorAccountName)
        }

        if ($PSBoundParameters.ContainsKey('AllowPasswordReplicationAccountName'))
        {
            $installADDSDomainControllerParameters.Add('AllowPasswordReplicationAccountName',
                $AllowPasswordReplicationAccountName)
        }

        if ($PSBoundParameters.ContainsKey('DenyPasswordReplicationAccountName'))
        {
            $installADDSDomainControllerParameters.Add('DenyPasswordReplicationAccountName',
                $DenyPasswordReplicationAccountName)
        }

        if ($PSBoundParameters.ContainsKey('DatabasePath'))
        {
            $installADDSDomainControllerParameters.Add('DatabasePath', $DatabasePath)
        }

        if ($PSBoundParameters.ContainsKey('LogPath'))
        {
            $installADDSDomainControllerParameters.Add('LogPath', $LogPath)
        }

        if ($PSBoundParameters.ContainsKey('SysvolPath'))
        {
            $installADDSDomainControllerParameters.Add('SysvolPath', $SysvolPath)
        }

        if ($PSBoundParameters.ContainsKey('SiteName') -and $SiteName)
        {
            $installADDSDomainControllerParameters.Add('SiteName', $SiteName)
        }

        if ($PSBoundParameters.ContainsKey('IsGlobalCatalog') -and $IsGlobalCatalog -eq $false)
        {
            $installADDSDomainControllerParameters.Add('NoGlobalCatalog', $true)
        }

        if ($PSBoundParameters.ContainsKey('InstallDns'))
        {
            $installADDSDomainControllerParameters.Add('InstallDns', $InstallDns)
        }

        if (-not [System.String]::IsNullOrWhiteSpace($InstallationMediaPath))
        {
            $installADDSDomainControllerParameters.Add('InstallationMediaPath', $InstallationMediaPath)
        }

        Install-ADDSDomainController @installADDSDomainControllerParameters

        Write-Verbose -Message ($script:localizedData.Promoted -f $env:COMPUTERNAME, $DomainName)

        <#
            Signal to the LCM to reboot the node to compensate for the one we
            suppressed from Install-ADDSDomainController
        #>

        [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '',
            Justification = 'Set LCM DSCMachineStatus to indicate reboot required')]
        $global:DSCMachineStatus = 1
    }
    elseif ($targetResource.Ensure)
    {
        # Node is a domain controller. We check if other properties are in desired state

        Write-Verbose -Message ($script:localizedData.IsDomainController -f $env:COMPUTERNAME, $DomainName)

        $domainControllerObject = Get-DomainControllerObject `
            -DomainName $DomainName -ComputerName $env:COMPUTERNAME -Credential $Credential

        # Check if Node Global Catalog state is correct
        if ($PSBoundParameters.ContainsKey('IsGlobalCatalog') -and
            $targetResource.IsGlobalCatalog -ne $IsGlobalCatalog)
        {
            # DC is not in the expected Global Catalog state
            if ($IsGlobalCatalog)
            {
                $globalCatalogOptionValue = 1

                Write-Verbose -Message $script:localizedData.AddGlobalCatalog
            }
            else
            {
                $globalCatalogOptionValue = 0

                Write-Verbose -Message $script:localizedData.RemoveGlobalCatalog
            }

            Set-ADObject -Identity $domainControllerObject.NTDSSettingsObjectDN -Replace @{
                options = $globalCatalogOptionValue
            }
        }

        if ($PSBoundParameters.ContainsKey('SiteName') -and $targetResource.SiteName -ne $SiteName)
        {
            # DC is not in correct site. Move it.
            Write-Verbose -Message ($script:localizedData.MovingDomainController -f
                $targetResource.SiteName, $SiteName)

            Move-ADDirectoryServer -Identity $env:COMPUTERNAME -Site $SiteName -Credential $Credential
        }

        if ($PSBoundParameters.ContainsKey('DelegatedAdministratorAccountName') -and
            $targetResource.DelegatedAdministratorAccountName -ne $DelegatedAdministratorAccountName)
        {
            # If this is a read-only domain controller, set the delegated administrator via the ManagedBy attribute
            if ($domainControllerObject.IsReadOnly)
            {
                Write-Verbose -Message ($script:localizedData.UpdatingDelegatedAdministratorAccountName -f
                $targetResource.DelegatedAdministratorAccountName, $DelegatedAdministratorAccountName)

                $delegateAdministratorAccountSecurityIdentifier = Resolve-SecurityIdentifier -SamAccountName $DelegatedAdministratorAccountName

                Set-ADComputer -Identity $domainControllerObject.ComputerObjectDN -ManagedBy $delegateAdministratorAccountSecurityIdentifier -Credential $Credential
            }
        }

        if ($PSBoundParameters.ContainsKey('AllowPasswordReplicationAccountName'))
        {
            $testMembersParameters = @{
                ExistingMembers = $targetResource.AllowPasswordReplicationAccountName
                Members         = $AllowPasswordReplicationAccountName
            }

            if (-not (Test-Members @testMembersParameters))
            {
                Write-Verbose -Message (
                    $script:localizedData.AllowedSyncAccountsMismatch -f
                    ($targetResource.AllowPasswordReplicationAccountName -join ';'),
                    ($AllowPasswordReplicationAccountName -join ';')
                )

                $getMembersToAddAndRemoveParameters = @{
                    DesiredMembers = $AllowPasswordReplicationAccountName
                    CurrentMembers = $targetResource.AllowPasswordReplicationAccountName
                }

                $getMembersToAddAndRemoveResult = Get-MembersToAddAndRemove @getMembersToAddAndRemoveParameters

                $adPrincipalsToRemove = $getMembersToAddAndRemoveResult.MembersToRemove
                $adPrincipalsToAdd = $getMembersToAddAndRemoveResult.MembersToAdd

                if ($null -ne $adPrincipalsToRemove)
                {
                    $removeADPasswordReplicationPolicy = @{
                        Identity    = $domainControllerObject
                        AllowedList = $adPrincipalsToRemove
                    }

                    Remove-ADDomainControllerPasswordReplicationPolicy @removeADPasswordReplicationPolicy `
                        -Confirm:$false
                }

                if ($null -ne $adPrincipalsToAdd)
                {
                    $addADPasswordReplicationPolicy = @{
                        Identity    = $domainControllerObject
                        AllowedList = $adPrincipalsToAdd
                    }

                    Add-ADDomainControllerPasswordReplicationPolicy @addADPasswordReplicationPolicy
                }
            }
        }

        if ($PSBoundParameters.ContainsKey('DenyPasswordReplicationAccountName'))
        {
            $testMembersParameters = @{
                ExistingMembers = $targetResource.DenyPasswordReplicationAccountName
                Members         = $DenyPasswordReplicationAccountName;
            }

            if (-not (Test-Members @testMembersParameters))
            {
                Write-Verbose -Message (
                    $script:localizedData.DenySyncAccountsMismatch -f
                    ($targetResource.DenyPasswordReplicationAccountName -join ';'),
                    ($DenyPasswordReplicationAccountName -join ';')
                )

                $getMembersToAddAndRemoveParameters = @{
                    DesiredMembers = $DenyPasswordReplicationAccountName
                    CurrentMembers = $targetResource.DenyPasswordReplicationAccountName
                }

                $getMembersToAddAndRemoveResult = Get-MembersToAddAndRemove @getMembersToAddAndRemoveParameters

                $adPrincipalsToRemove = $getMembersToAddAndRemoveResult.MembersToRemove
                $adPrincipalsToAdd = $getMembersToAddAndRemoveResult.MembersToAdd

                if ($null -ne $adPrincipalsToRemove)
                {
                    $removeADPasswordReplicationPolicy = @{
                        Identity   = $domainControllerObject
                        DeniedList = $adPrincipalsToRemove
                    }

                    Remove-ADDomainControllerPasswordReplicationPolicy @removeADPasswordReplicationPolicy `
                        -Confirm:$false
                }

                if ($null -ne $adPrincipalsToAdd)
                {
                    $addADPasswordReplicationPolicy = @{
                        Identity   = $domainControllerObject
                        DeniedList = $adPrincipalsToAdd
                    }

                    Add-ADDomainControllerPasswordReplicationPolicy @addADPasswordReplicationPolicy
                }

            }
        }

        if ($PSBoundParameters.ContainsKey('FlexibleSingleMasterOperationRole'))
        {
            foreach ($desiredFlexibleSingleMasterOperationRole in $FlexibleSingleMasterOperationRole)
            {
                if ($desiredFlexibleSingleMasterOperationRole -notin $targetResource.FlexibleSingleMasterOperationRole)
                {
                    switch ($desiredFlexibleSingleMasterOperationRole)
                    {
                        <#
                            Connect to any available domain controller to get the
                            current owner for the specific role.
                        #>

                        { $_ -in @('DomainNamingMaster', 'SchemaMaster') }
                        {
                            $currentOwnerFullyQualifiedDomainName = (Get-ADForest).$_
                        }

                        { $_ -in @('InfrastructureMaster', 'PDCEmulator', 'RIDMaster') }
                        {
                            $currentOwnerFullyQualifiedDomainName = (Get-ADDomain).$_
                        }
                    }

                    Write-Verbose -Message ($script:localizedData.MovingFlexibleSingleMasterOperationRole -f
                        $desiredFlexibleSingleMasterOperationRole, $currentOwnerFullyQualifiedDomainName)

                    <#
                        Using the object returned from Get-ADDomainController to handle
                        an issue with calling Move-ADDirectoryServerOperationMasterRole
                        with Fully Qualified Domain Name (FQDN) in the Identity parameter.
                    #>

                    $MoveADDirectoryServerOperationMasterRoleParameters = @{
                        Identity            = $domainControllerObject
                        OperationMasterRole = $desiredFlexibleSingleMasterOperationRole
                        Server              = $currentOwnerFullyQualifiedDomainName
                        ErrorAction         = 'Stop'
                    }

                    Move-ADDirectoryServerOperationMasterRole @MoveADDirectoryServerOperationMasterRoleParameters
                }
            }
        }
    }
}

<#
    .SYNOPSIS
        Determines if the domain controller is in desired state.
 
    .PARAMETER DomainName
        Provide the FQDN of the domain the Domain Controller is being added to.
 
    .PARAMETER Credential
        Specifies the credential for the account used to install the domain controller.
        This account must have permission to access the other domain controllers
        in the domain to be able replicate domain information.
 
    .PARAMETER SafemodeAdministratorPassword
        Provide a password that will be used to set the DSRM password. This is a PSCredential.
 
    .PARAMETER DatabasePath
        Provide the path where the NTDS.dit will be created and stored.
 
    .PARAMETER LogPath
        Provide the path where the logs for the NTDS will be created and stored.
 
    .PARAMETER SysvolPath
        Provide the path where the Sysvol will be created and stored.
 
    .PARAMETER SiteName
        Provide the name of the site you want the Domain Controller to be added to.
 
    .PARAMETER InstallationMediaPath
        Provide the path for the IFM folder that was created with ntdsutil.
        This should not be on a share but locally to the Domain Controller being promoted.
 
    .PARAMETER IsGlobalCatalog
        Specifies if the domain controller will be a Global Catalog (GC).
 
    .PARAMETER ReadOnlyReplica
        Specifies if the domain controller should be provisioned as read-only domain controller
 
    .PARAMETER DelegatedAdministratorAccountName
        Specifies the user or group that is the delegated administrator of this read-only domain controller.
 
    .PARAMETER AllowPasswordReplicationAccountName
        Provides a list of the users, computers, and groups to add to the password replication allowed list.
 
    .PARAMETER DenyPasswordReplicationAccountName
        Provides a list of the users, computers, and groups to add to the password replication denied list.
 
    .PARAMETER FlexibleSingleMasterOperationRole
        Specifies one or more Flexible Single Master Operation (FSMO) roles to
        move to this domain controller. The current owner must be online and
        responding for the move to be allowed.
 
    .PARAMETER InstallDns
        Specifies if the DNS Server service should be installed and configured on
        the domain controller. If this is not set the default value of the parameter
        InstallDns of the cmdlet Install-ADDSDomainController is used.
        The parameter `InstallDns` is only used during the provisioning of a domain
        controller. The parameter cannot be used to install or uninstall the DNS
        server on an already provisioned domain controller.
 
        Not used in Test-TargetResource.
 
    .NOTES
        Used Functions:
            Name | Module
            ------------------------------|--------------------------
            Test-ADReplicationSite | ActiveDirectoryDsc.Common
            Test-Members | ActiveDirectoryDsc.Common
            New-InvalidOperationException | DscResource.Common
            New-ObjectNotFoundException | DscResource.Common
#>

function Test-TargetResource
{
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "",
        Justification = 'Read-Only Domain Controller (RODC) Creation support($AllowPasswordReplicationAccountName and DenyPasswordReplicationAccountName)')]
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DomainName,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $SafemodeAdministratorPassword,

        [Parameter()]
        [System.String]
        $DatabasePath,

        [Parameter()]
        [System.String]
        $LogPath,

        [Parameter()]
        [System.String]
        $SysvolPath,

        [Parameter()]
        [System.String]
        $SiteName,

        [Parameter()]
        [System.String]
        $InstallationMediaPath,

        [Parameter()]
        [System.Boolean]
        $IsGlobalCatalog,

        [Parameter()]
        [System.Boolean]
        $ReadOnlyReplica,

        [Parameter()]
        [System.String]
        $DelegatedAdministratorAccountName,

        [Parameter()]
        [System.String[]]
        $AllowPasswordReplicationAccountName,

        [Parameter()]
        [System.String[]]
        $DenyPasswordReplicationAccountName,

        [Parameter()]
        [ValidateSet('DomainNamingMaster', 'SchemaMaster', 'InfrastructureMaster', 'PDCEmulator', 'RIDMaster')]
        [System.String[]]
        $FlexibleSingleMasterOperationRole,

        [Parameter()]
        [System.Boolean]
        $InstallDns
    )

    Write-Verbose -Message ($script:localizedData.TestingConfiguration -f $env:COMPUTERNAME, $DomainName)

    if ($PSBoundParameters.ContainsKey('DelegatedAdministratorAccountName'))
    {
        if (-not $PSBoundParameters.ContainsKey('ReadOnlyReplica') -or $ReadOnlyReplica -ne $true)
        {
            New-InvalidOperationException -Message $script:localizedData.DelegatedAdministratorAccountNameNotRODC
        }
    }

    if ($PSBoundParameters.ContainsKey('AllowPasswordReplicationAccountName'))
    {
        if (-not $PSBoundParameters.ContainsKey('ReadOnlyReplica') -or $ReadOnlyReplica -ne $true)
        {
            New-InvalidOperationException -Message $script:localizedData.AllowPasswordReplicationAccountNameNotRODC
        }
    }

    if ($PSBoundParameters.ContainsKey('DenyPasswordReplicationAccountName'))
    {
        if (-not $PSBoundParameters.ContainsKey('ReadOnlyReplica') -or $ReadOnlyReplica -ne $true)
        {
            New-InvalidOperationException -Message $script:localizedData.DenyPasswordReplicationAccountNameNotRODC
        }
    }

    if ($PSBoundParameters.ContainsKey('ReadOnlyReplica') -and $ReadOnlyReplica -eq $true)
    {
        if (-not $PSBoundParameters.ContainsKey('SiteName'))
        {
            New-InvalidOperationException -Message $script:localizedData.RODCMissingSite
        }
    }

    if ($PSBoundParameters.ContainsKey('SiteName'))
    {
        if (-not (Test-ADReplicationSite -SiteName $SiteName -DomainName $DomainName -Credential $Credential))
        {
            $errorMessage = $script:localizedData.FailedToFindSite -f $SiteName, $DomainName
            New-ObjectNotFoundException -Message $errorMessage
        }
    }

    $getTargetResourceParameters = @{
        DomainName                    = $DomainName
        Credential                    = $Credential
        SafeModeAdministratorPassword = $SafemodeAdministratorPassword
    }

    $existingResource = Get-TargetResource @getTargetResourceParameters

    $testTargetResourceReturnValue = $existingResource.Ensure

    if ($PSBoundParameters.ContainsKey('ReadOnlyReplica') -and $ReadOnlyReplica)
    {
        if ($testTargetResourceReturnValue -and -not $existingResource.ReadOnlyReplica)
        {
            New-InvalidOperationException -Message $script:localizedData.CannotConvertToRODC
        }
    }

    if ($PSBoundParameters.ContainsKey('SiteName') -and $existingResource.SiteName -ne $SiteName)
    {
        Write-Verbose -Message ($script:localizedData.WrongSite -f $existingResource.SiteName, $SiteName)

        $testTargetResourceReturnValue = $false
    }

    # Check Global Catalog Config
    if ($PSBoundParameters.ContainsKey('IsGlobalCatalog') -and $existingResource.IsGlobalCatalog -ne $IsGlobalCatalog)
    {
        if ($IsGlobalCatalog)
        {
            Write-Verbose -Message ($script:localizedData.ExpectedGlobalCatalogEnabled -f
                $existingResource.SiteName, $SiteName)
        }
        else
        {
            Write-Verbose -Message ($script:localizedData.ExpectedGlobalCatalogDisabled -f
                $existingResource.SiteName, $SiteName)
        }

        $testTargetResourceReturnValue = $false
    }

    # If this is a read-only domain controller, check the delegated administrator
    if ($existingResource.ReadOnlyReplica)
    {
        if ($PSBoundParameters.ContainsKey('DelegatedAdministratorAccountName') -and $existingResource.DelegatedAdministratorAccountName -ne $DelegatedAdministratorAccountName)
        {
            Write-Verbose -Message ($script:localizedData.DelegatedAdministratorAccountNameMismatch -f $existingResource.DelegatedAdministratorAccountName, $DelegatedAdministratorAccountName)

            $testTargetResourceReturnValue = $false
        }
    }

    if ($PSBoundParameters.ContainsKey('AllowPasswordReplicationAccountName') -and
        $null -ne $existingResource.AllowPasswordReplicationAccountName)
    {
        $testMembersParameters = @{
            ExistingMembers = $existingResource.AllowPasswordReplicationAccountName
            Members         = $AllowPasswordReplicationAccountName
        }

        if (-not (Test-Members @testMembersParameters))
        {
            Write-Verbose -Message (
                $script:localizedData.AllowedSyncAccountsMismatch -f
                ($existingResource.AllowPasswordReplicationAccountName -join ';'),
                ($AllowPasswordReplicationAccountName -join ';')
            )

            $testTargetResourceReturnValue = $false
        }
    }

    if ($PSBoundParameters.ContainsKey('DenyPasswordReplicationAccountName') -and
        $null -ne $existingResource.DenyPasswordReplicationAccountName)
    {
        $testMembersParameters = @{
            ExistingMembers = $existingResource.DenyPasswordReplicationAccountName
            Members         = $DenyPasswordReplicationAccountName;
        }

        if (-not (Test-Members @testMembersParameters))
        {
            Write-Verbose -Message (
                $script:localizedData.DenySyncAccountsMismatch -f
                ($existingResource.DenyPasswordReplicationAccountName -join ';'),
                ($DenyPasswordReplicationAccountName -join ';')
            )

            $testTargetResourceReturnValue = $false
        }
    }

    <#
        Only evaluate Flexible Single Master Operation (FSMO) roles if the
        node is already a domain controller.
    #>

    if ($PSBoundParameters.ContainsKey('FlexibleSingleMasterOperationRole') -and $existingResource.Ensure -eq $true)
    {
        $FlexibleSingleMasterOperationRole | ForEach-Object -Process {
            if ($_ -notin $existingResource.FlexibleSingleMasterOperationRole)
            {
                Write-Verbose -Message ($script:localizedData.NotOwnerOfFlexibleSingleMasterOperationRole -f $_ )

                $testTargetResourceReturnValue = $false
            }
        }
    }

    return $testTargetResourceReturnValue
}

<#
    .SYNOPSIS
        Return a hashtable with members that are not present in CurrentMembers,
        and members that are present add should not be present.
 
    .PARAMETER DesiredMembers
        Specifies the list of desired members in the hashtable.
 
    .PARAMETER CurrentMembers
        Specifies the list of current members in the hashtable.
 
    .OUTPUTS
        Returns a hashtable with two properties. The property MembersToAdd contains the
        members as ADPrincipal objects that are not members in the collection
        provided in $CurrentMembers. The property MembersToRemove contains the
        unwanted members as ADPrincipal objects in the collection provided
        in $CurrentMembers.
#>

function Get-MembersToAddAndRemove
{
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [AllowEmptyCollection()]
        [System.String[]]
        $DesiredMembers,

        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [AllowEmptyCollection()]
        [System.String[]]
        $CurrentMembers
    )

    $principalsToRemove = foreach ($memberName in $CurrentMembers)
    {
        if ($memberName -notin $DesiredMembers)
        {
            New-Object -TypeName Microsoft.ActiveDirectory.Management.ADPrincipal -ArgumentList $memberName
        }
    }

    $principalsToAdd = foreach ($memberName in $DesiredMembers)
    {
        if ($memberName -notin $CurrentMembers)
        {
            New-Object -TypeName Microsoft.ActiveDirectory.Management.ADPrincipal -ArgumentList $memberName
        }
    }

    return @{
        MembersToAdd    = [Microsoft.ActiveDirectory.Management.ADPrincipal[]] $principalsToAdd
        MembersToRemove = [Microsoft.ActiveDirectory.Management.ADPrincipal[]] $principalsToRemove
    }
}

Export-ModuleMember -Function *-TargetResource