ForestManagement.psm1

$script:ModuleRoot = $PSScriptRoot
$script:ModuleVersion = (Import-PowerShellDataFile -Path "$($script:ModuleRoot)\ForestManagement.psd1").ModuleVersion

# Detect whether at some level dotsourcing was enforced
$script:doDotSource = Get-PSFConfigValue -FullName ForestManagement.Import.DoDotSource -Fallback $false
if ($ForestManagement_dotsourcemodule) { $script:doDotSource = $true }

<#
Note on Resolve-Path:
All paths are sent through Resolve-Path/Resolve-PSFPath in order to convert them to the correct path separator.
This allows ignoring path separators throughout the import sequence, which could otherwise cause trouble depending on OS.
Resolve-Path can only be used for paths that already exist, Resolve-PSFPath can accept that the last leaf my not exist.
This is important when testing for paths.
#>


# Detect whether at some level loading individual module files, rather than the compiled module was enforced
$importIndividualFiles = Get-PSFConfigValue -FullName ForestManagement.Import.IndividualFiles -Fallback $false
if ($ForestManagement_importIndividualFiles) { $importIndividualFiles = $true }
if (Test-Path (Resolve-PSFPath -Path "$($script:ModuleRoot)\..\.git" -SingleItem -NewChild)) { $importIndividualFiles = $true }
if ("<was compiled>" -eq '<was not compiled>') { $importIndividualFiles = $true }
    
function Import-ModuleFile
{
    <#
        .SYNOPSIS
            Loads files into the module on module import.
         
        .DESCRIPTION
            This helper function is used during module initialization.
            It should always be dotsourced itself, in order to proper function.
             
            This provides a central location to react to files being imported, if later desired
         
        .PARAMETER Path
            The path to the file to load
         
        .EXAMPLE
            PS C:\> . Import-ModuleFile -File $function.FullName
     
            Imports the file stored in $function according to import policy
    #>

    [CmdletBinding()]
    Param (
        [string]
        $Path
    )
    
    $resolvedPath = $ExecutionContext.SessionState.Path.GetResolvedPSPathFromPSPath($Path).ProviderPath
    if ($doDotSource) { . $resolvedPath }
    else { $ExecutionContext.InvokeCommand.InvokeScript($false, ([scriptblock]::Create([io.file]::ReadAllText($resolvedPath))), $null, $null) }
}

#region Load individual files
if ($importIndividualFiles)
{
    # Execute Preimport actions
    . Import-ModuleFile -Path "$ModuleRoot\internal\scripts\preimport.ps1"
    
    # Import all internal functions
    foreach ($function in (Get-ChildItem "$ModuleRoot\internal\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
    {
        . Import-ModuleFile -Path $function.FullName
    }
    
    # Import all public functions
    foreach ($function in (Get-ChildItem "$ModuleRoot\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
    {
        . Import-ModuleFile -Path $function.FullName
    }
    
    # Execute Postimport actions
    . Import-ModuleFile -Path "$ModuleRoot\internal\scripts\postimport.ps1"
    
    # End it here, do not load compiled code below
    return
}
#endregion Load individual files

#region Load compiled code
<#
This file loads the strings documents from the respective language folders.
This allows localizing messages and errors.
Load psd1 language files for each language you wish to support.
Partial translations are acceptable - when missing a current language message,
it will fallback to English or another available language.
#>

Import-PSFLocalizedString -Path "$($script:ModuleRoot)\en-us\*.psd1" -Module 'ForestManagement' -Language 'en-US'

function Assert-ADConnection
{
    <#
    .SYNOPSIS
        Ensures connection to AD is possible before performing actions.
     
    .DESCRIPTION
        Ensures connection to AD is possible before performing actions.
        Should be the first things all commands connecting to AD should call.
        Do this before invoking callbacks, as the configuration change becomes pointless if the forest is unavailable to begin with,
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER Cmdlet
        The $PSCmdlet variable of the calling command.
        Used to safely terminate the calling command in case of failure.
     
    .EXAMPLE
        PS C:\> Assert-ADConnection @parameters -Cmdlet $PSCmdlet
 
        Kills the calling command if AD is not available.
    #>

    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCmdlet]
        $Cmdlet
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
    }
    process
    {
        # A domain being unable to retrieve its own object can really only happen if the service is down
        try { $null = Get-ADDomain @parameters -ErrorAction Stop }
        catch {
            Write-PSFMessage -Level Warning -String 'Assert-ADConnection.Failed' -StringValues $Server -Tag 'failed' -ErrorRecord $_
            $Cmdlet.ThrowTerminatingError($_)
        }
    }
}


function Assert-Configuration
{
    <#
    .SYNOPSIS
        Ensures a set of configuration settings has been provided for the specified setting type.
     
    .DESCRIPTION
        Ensures a set of configuration settings has been provided for the specified setting type.
        This maps to the configuration variables defined in variables.ps1
        Note: Not ALL variables defined in that file should be mapped, only those storing individual configuration settings!
     
    .PARAMETER Type
        The setting type to assert.
     
    .PARAMETER Cmdlet
        The $PSCmdlet variable of the calling command.
        Used to terminate said calling command if relevant settings are missing
     
    .EXAMPLE
        PS C:\> Assert-Configuration -Type Users
 
        Asserts, that users have already been specified.
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [string]
        $Type,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCmdlet]
        $Cmdlet
    )
    
    process
    {
        if ((Get-Variable -Name $Type -Scope Script -ValueOnly).Count -gt 0) { return }
        
        Write-PSFMessage -Level Warning -String 'Assert-Configuration.NotConfigured' -StringValues $Type -FunctionName $Cmdlet.CommandRuntime

        $exception = New-Object System.Data.DataException("No configuration data provided for: $Type")
        $errorID = 'NotConfigured'
        $category = [System.Management.Automation.ErrorCategory]::NotSpecified
        $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Type)
        $cmdlet.ThrowTerminatingError($recordObject)
    }
}


function Compare-SchemaProperty {
    <#
    .SYNOPSIS
        Compares configuration vs. adobject of schema attributes.
     
    .DESCRIPTION
        Compares configuration vs. adobject of schema attributes.
        Designed for use when comparing schema attributes, for example in Test-FMSchemaLdif.
 
        Returns $true when the values are INEQUAL.
     
    .PARAMETER Setting
        The settings object containing the desired state for an attribute.
     
    .PARAMETER ADObject
        The ADObject of the attribute to compare.
     
    .PARAMETER PropertyName
        The property to compare.
     
    .PARAMETER RootDSE
        The RootDSE object connected to.
        Used for objectCategory comparisons.
 
    .PARAMETER Add
        Is satisfied with the defined items being part of the AD object property, without requiring an exact match between configuration and ad.
     
    .EXAMPLE
        PS C:\> Compare-SchemaProperty -Setting $setting -ADObject $adObject -PropertyName attributeSecurityGUID -RootDSE $rootDSE
 
        Returns, whether the values found in $setting and $adObject are different from each other.
    #>

    [OutputType([System.Boolean])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        $Setting,
        [Parameter(Mandatory=$true)]
        $ADObject,
        [Parameter(Mandatory=$true)]
        $PropertyName,
        [Parameter(Mandatory=$true)]
        $RootDSE,
        [switch]
        $Add
    )

    switch ($PropertyName) {
        'schemaIDGUID' {
            return (($Setting.$PropertyName.GuidData -join '|') -ne ($ADObject.$PropertyName -join '|'))
        }
        'attributeSecurityGUID' {
            return (($Setting.$PropertyName.GuidData -join '|') -ne ($ADObject.$PropertyName -join '|'))
        }
        'objectCategory' {
            return (($Setting.$PropertyName -replace '<SchemaContainerDN>',$RootDSE.schemaNamingContext) -ne ($ADObject.$PropertyName -join '|'))
        }
        'DistinguishedName' {
            # Don't compare identifiers!
            return $false
        }
        'Description' {
            # Prevent encoding errors / issues from falsifying the results
            if (($null -eq $Setting.$PropertyName) -and ($null -eq ($ADObject.$PropertyName | Select-Object -Unique))) { return $false }
            if ($null -eq $Setting.$PropertyName) { return $true }
            if ($null -eq ($ADObject.$PropertyName | Select-Object -Unique)) { return $true }
            return (($Setting.$PropertyName -replace "[^\d\w]","_") -ne ($ADObject.$PropertyName -replace "[^\d\w]","_"))
        }
        'mayContain' {
            if (($null -eq $Setting.$PropertyName) -and ($null -eq ($ADObject.$PropertyName | Select-Object -Unique))) { return $false }
            if ($null -eq $Setting.$PropertyName) { return $true }
            if ($null -eq ($ADObject.$PropertyName | Select-Object -Unique)) { return $true }
            return [bool](Compare-Object ($Setting.$PropertyName | Select-Object -Unique) ($ADObject.$PropertyName | Select-Object -Unique) | Where-Object SideIndicator -eq '<=')
        }
        default {
            if (($null -eq $Setting.$PropertyName) -and ($null -eq ($ADObject.$PropertyName | Select-Object -Unique))) { return $false }
            if ($null -eq $Setting.$PropertyName) { return $true }
            if ($null -eq ($ADObject.$PropertyName | Select-Object -Unique)) { return $true }
            if ($Add) { return [bool](Compare-Object ($Setting.$PropertyName | Select-Object -Unique) ($ADObject.$PropertyName | Select-Object -Unique) | Where-Object SideIndicator -eq '<=') }
            return [bool](Compare-Object $Setting.$PropertyName $ADObject.$PropertyName)
        }
    }
}

function Compare-SiteLink
{
    <#
    .SYNOPSIS
        Compares two sitelink objects.
     
    .DESCRIPTION
        Compares two sitelink objects.
        Returns the DifferenceSiteLink if it uses the same sites as the reference sitelink, no matter the order.
     
    .PARAMETER ReferenceSiteLink
        The sitelink to compare to input with.
     
    .PARAMETER DifferenceSiteLink
        The sitelink(s) to compare.
     
    .EXAMPLE
        $script:sitelinks.Values | Compare-SiteLink $refSiteLink
 
        Returns any registered sitelinks that span the same sites as $refSiteLink (Should never be more than 1!)
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(Position = 0)]
        $ReferenceSiteLink,

        [Parameter(ValueFromPipeline = $true)]
        $DifferenceSiteLink
    )
    
    process
    {
        foreach ($diffSiteLink in $DifferenceSiteLink) {
            if (($diffSiteLink.Site1 -eq $ReferenceSiteLink.Site1) -and ($diffSiteLink.Site2 -eq $ReferenceSiteLink.Site2)) {
                $diffSiteLink
                continue
            }
            if (($diffSiteLink.Site1 -eq $ReferenceSiteLink.Site2) -and ($diffSiteLink.Site2 -eq $ReferenceSiteLink.Site1)) {
                $diffSiteLink
                continue
            }
        }
    }
}


function ConvertTo-SchemaLdifPhase
{
    <#
    .SYNOPSIS
        Converts ldif files into a phased state index.
 
    .DESCRIPTION
        Converts ldif files into a phased state index.
        For each phase/file for each object it calculates the resulting state after ALL commands in the file have been executed.
        This allows stepping through the individual ldif files in the order they are to be applied and figure out the last applied deployment state.
         
    .PARAMETER LdifData
        The set of Ldif file definitions as returned by Get-FMSchemaLdif
 
    .EXAMPLE
        PS C:\> $ldifPhases = ConvertTo-SchemaLdifPhase -LdifData (Get-FMSchemaLdif)
 
        Returns the hashtable containing the different phases of all registered ldif files.
    #>

    [OutputType([Hashtable])]
    [CmdletBinding()]
    param (
        $LdifData
    )

    #region Utility Functions
    function Add-Node {
        [CmdletBinding()]
        param (
            [string]
            $DistinguishedName,

            [string]
            $LdifName,

            [Hashtable]
            $MappingTable
        )

        if (-not $MappingTable.ContainsKey($DistinguishedName)) {
            $MappingTable[$DistinguishedName] = @{ }
        }
        if (-not $MappingTable[$DistinguishedName][$LdifName]) {
            $MappingTable[$DistinguishedName][$LdifName] = @{
                State = @{ }
                Add = @{ }
                Replace = @{ }
            }
        }
    }
    function Write-Change {
        [CmdletBinding()]
        param (
            [string]
            $DistinguishedName,

            [string]
            $LdifName,

            $Change,

            [Hashtable]
            $MappingTable
        )

        Add-Node -DistinguishedName $DistinguishedName -LdifName $LdifName -MappingTable $MappingTable
        $datasheet = $MappingTable[$DistinguishedName][$LdifName]

        switch -regex ($Change.changetype) {
            'add' {
                $datasheet.State = @{ }
                foreach ($propertyName in $Change.PSObject.Properties.Name) {
                    if ($propertyName -in 'changeType', 'FM_OrderCount') { continue }
                    $datasheet.State[$propertyName] = $Change.$propertyName
                }
            }
            'modify' {
                #region We already have a defined state
                if ($datasheet.State.Count -gt 0) {
                    if ($Change.add) {
                        if ($datasheet.State.$($Change.add)) {
                            $datasheet.State.$($Change.add) = @($datasheet.State.$($Change.add)) + @($Change.$($Change.add))
                        }
                        else {
                            $datasheet.State[$Change.add] = $Change.$($Change.add)
                        }
                    }
                    elseif ($Change.replace) {
                        $datasheet.State[$Change.replace] = $Change.$($Change.replace)
                    }
                    else {
                        foreach ($propertyName in $Change.PSObject.Properties.Name) {
                            if ($propertyName -in 'DistinguishedName','changetype','FM_OrderCount') { continue }
                            $datasheet.State[$propertyName] = $Change.$propertyName
                        }
                    }
                }
                #endregion We already have a defined state

                #region Undefined state
                else {
                    if ($Change.add) {
                        if ($datasheet.Add.$($Change.add)) {
                            $datasheet.Add.$($Change.add) = @($datasheet.Add.$($Change.add)) + @($Change.$($Change.add))
                        }
                        else {
                            $datasheet.Add[$Change.add] = $Change.$($Change.add)
                        }
                    }
                    elseif ($Change.replace) {
                        $datasheet.Replace[$Change.replace] = $Change.$($Change.replace)
                    }
                    else {
                        foreach ($propertyName in $Change.PSObject.Properties.Name) {
                            if ($propertyName -in 'DistinguishedName','changetype','FM_OrderCount') { continue }
                            $datasheet.Replace[$propertyName] = $Change.$propertyName
                        }
                    }
                }
                #endregion Undefined state
            }
        }
    }

    function Copy-State {
        [CmdletBinding()]
        param (
            [Hashtable]
            $MappingTable,

            [string]
            $OldLdif,

            [string]
            $NewLdif
        )

        foreach ($name in $MappingTable.Keys) {
            Add-Node -DistinguishedName $name -LdifName $NewLdif -MappingTable $MappingTable

            foreach ($key in $MappingTable[$name][$OldLdif].State.Keys) {
                $MappingTable[$name][$NewLdif].State[$key] = $MappingTable[$name][$OldLdif].State[$key] | Write-Output
            }
            foreach ($key in $MappingTable[$name][$OldLdif].Add.Keys) {
                $MappingTable[$name][$NewLdif].Add[$key] = $MappingTable[$name][$OldLdif].Add[$key] | Write-Output
            }
            foreach ($key in $MappingTable[$name][$OldLdif].Replace.Keys) {
                $MappingTable[$name][$NewLdif].Replace[$key] = $MappingTable[$name][$OldLdif].Replace[$key] | Write-Output
            }
        }
    }

    function Remove-NoOp {
        [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
        [CmdletBinding()]
        param (
            $LdifData,

            [Hashtable]
            $MappingTable
        )

        $identities = $MappingTable.Keys | Write-Output
        foreach ($identity in $identities) {
            foreach ($ldifFile in $LdifData) {
                if (-not $MappingTable[$identity][$ldifFile.Name]) { continue }
                if ($ldifFile.Settings.DistinguishedName -contains $identity) { continue }
                $MappingTable[$identity].Remove($ldifFile.Name)
            }
        }
    }
    #endregion Utility Functions

    $mappingTable = @{ }

    $sortedLdif = $ldifData | Sort-Object Weight
    $previousLdif = ''
    foreach ($ldifItem in $sortedLdif) {
        if ($previousLdif) {
            Copy-State -MappingTable $mappingTable -OldLdif $previousLdif -NewLdif $ldifItem.Name
        }

        foreach ($setting in ($ldifItem.Settings | Sort-Object FM_OrderCount)) {
            Write-Change -DistinguishedName $setting.DistinguishedName -LdifName $ldifItem.Name -Change $setting -MappingTable $mappingTable
        }

        $previousLdif = $ldifItem.Name
    }

    Remove-NoOp -LdifData $sortedLdif -MappingTable $mappingTable
    $mappingTable
}

function Get-ADCertificate
{
<#
    .SYNOPSIS
        Returns forest certificates.
     
    .DESCRIPTION
        Returns forest certificates.
     
    .PARAMETER Parameters
        Hashtable containing AD connection values.
        May contain Server and Credential nodes but nothing else.
     
    .PARAMETER Type
        The kind of certificate to retrieve
     
    .EXAMPLE
        PS C:\> Get-ADCertificate -Parameters $parameters -Type NTAuthCA
     
        Returns all NTAuth certificates in the targeted forest.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [hashtable]
        $Parameters,
        
        [Parameter(Mandatory = $true)]
        [ValidateSet('NTAuthCA', 'RootCA', 'SubCA', 'CrossCA', 'KRA')]
        [string]
        $Type
    )
    
    begin
    {
        #region Utility Functions
        function Get-CertificateInternal
        {
            [CmdletBinding()]
            param (
                [string]
                $Object,
                
                [string]
                $Path,
                
                [string]
                $AltPath,
                
                [string]
                $NotInPath,
                
                [string]
                $AttributeName = 'cACertificate',
                
                [System.Collections.Hashtable]
                $Parameters
            )
            
            #region Single Object Processing
            if ($Object -eq 'Single')
            {
                try { $adObject = Get-ADObject @Parameters -Identity $Path -ErrorAction Stop -Properties $AttributeName }
                catch { return } # Object doesn't exist
                
                foreach ($certData in $adObject.$AttributeName)
                {
                    $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certData)
                    [pscustomobject]@{
                        Certificate = $certificate
                        Subject        = $certificate.Subject
                        Thumbprint  = $certificate.Thumbprint
                        ADObject    = $adObject
                        AltADObject = $null
                        AttributeName = $AttributeName
                    } | Add-Member -MemberType ScriptMethod -Name ToString -Value { '{0} (<{1:yyyy-MM-dd})' -f $this.Subject, $this.Certificate.NotAfter } -Force -PassThru
                }
                return
            }
            #endregion Single Object Processing
            
            $adObjects = Get-ADObject @Parameters -SearchBase $Path -SearchScope OneLevel -Filter * -ErrorAction Stop -Properties $AttributeName
            $existingCerts = foreach ($adObject in $adObjects)
            {
                foreach ($certData in $adObject.$AttributeName)
                {
                    if (-not $certData) { continue }
                    $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certData)
                    [pscustomobject]@{
                        Certificate = $certificate
                        Subject        = $certificate.Subject
                        Thumbprint  = $certificate.Thumbprint
                        ADObject    = $adObject
                        AltADObject = $null
                        AttributeName = $AttributeName
                    } | Add-Member -MemberType ScriptMethod -Name ToString -Value { '{0} (<{1:yyyy-MM-dd})' -f $this.Subject, $this.Certificate.NotAfter } -Force -PassThru
                }
            }
            
            #region AltPath
            # Contained in the original container and ALSO in the alternative container (e.g. RootCA Certificate)
            if ($AltPath)
            {
                $altAdObjects = Get-ADObject @Parameters -SearchBase $AltPath -SearchScope OneLevel -Filter * -ErrorAction Stop -Properties $AttributeName
                foreach ($adObject in $altAdObjects)
                {
                    $certificates = foreach ($certData in $adObject.$AttributeName)
                    {
                        if (-not $certData) { continue }
                        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certData)
                    }
                    foreach ($existingCert in $existingCerts)
                    {
                        if ($existingCert.Thumbprint -notin $certificates.Thumbprint) { continue }
                        $existingCert.AltADObject = $adObject
                    }
                }
                $existingCerts = $existingCerts | Where-Object AltADObject
            }
            #endregion AltPath
            
            #region NotInPath
            # Contained in the original container and NOT in the alternative container (e.g. SubCA Certificate)
            if ($NotInPath)
            {
                $notInAdObjects = Get-ADObject @Parameters -SearchBase $NotInPath -SearchScope OneLevel -Filter * -ErrorAction Stop -Properties $AttributeName
                $certificates = foreach ($adObject in $notInAdObjects)
                {
                    foreach ($certData in $adObject.$AttributeName)
                    {
                        if (-not $certData) { continue }
                        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certData)
                    }
                }
                $existingCerts = $existingCerts | Where-Object Thumbprint -NotIn $certificates.Thumbprint
            }
            #endregion NotInPath
            
            $existingCerts
        }
        #endregion Utility Functions
        
        $rootDSE = Get-ADRootDSE @parameters
        
        $mapping = @{
            NTAuthCA = @{
                Object = 'Single'
                Path   = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
            }
            RootCA   = @{
                Object = 'Multi'
                Path   = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
                AltPath = "CN=AIA,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
            }
            SubCA    = @{
                Object = 'Multi'
                Path   = "CN=AIA,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
                NotInPath = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
            }
            CrossCA  = @{
                Object = 'Multi'
                Path   = "CN=AIA,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
                AttributeName = 'crossCertificatePair'
            }
            KRA         = @{
                Object = 'Multi'
                Path   = "CN=KRA,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"
                AttributeName = 'userCertificate'
            }
        }
    }
    process
    {
        $table = $mapping[$type]
        Get-CertificateInternal -Parameters $parameters @table
    }
}

function Get-ExchangeVersion
{
<#
    .SYNOPSIS
        Return Exchange Version Information.
     
    .DESCRIPTION
        Return Exchange Version Information.
     
    .PARAMETER Binding
        The Binding to use.
     
    .PARAMETER Name
        The name to filter by.
     
    .EXAMPLE
        PS C:\> Get-ExchangeVersion
     
        Return a list of all Exchange Versions
#>

    [CmdletBinding()]
    param (
        [string]
        $Binding,
        
        [string]
        $Name = '*'
    )
    
    begin
    {
        # Useful source: https://eightwone.com/references/schema-versions/
        $versionMapping = @{
            '2013RTM' = [PSCustomObject]@{ Name = 'Exchange 2013 RTM'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15449; RangeUpper = 15137; Binding = '2013RTM' }
            '2013CU1' = [PSCustomObject]@{ Name = 'Exchange 2013 CU1'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15614; RangeUpper = 15254; Binding = '2013CU1' }
            '2013CU2' = [PSCustomObject]@{ Name = 'Exchange 2013 CU2'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15688; RangeUpper = 15281; Binding = '2013CU2' }
            '2013CU3' = [PSCustomObject]@{ Name = 'Exchange 2013 CU3'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15763; RangeUpper = 15283; Binding = '2013CU3' }
            '2013SP1' = [PSCustomObject]@{ Name = 'Exchange 2013 SP1'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15844; RangeUpper = 15292; Binding = '2013SP1' }
            '2013CU5' = [PSCustomObject]@{ Name = 'Exchange 2013 CU5'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15870; RangeUpper = 15300; Binding = '2013CU5' }
            '2013CU6' = [PSCustomObject]@{ Name = 'Exchange 2013 CU6'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15965; RangeUpper = 15303; Binding = '2013CU6' }
            '2013CU7' = [PSCustomObject]@{ Name = 'Exchange 2013 CU7'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15965; RangeUpper = 15312; Binding = '2013CU7' }
            '2013CU8' = [PSCustomObject]@{ Name = 'Exchange 2013 CU8'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15965; RangeUpper = 15312; Binding = '2013CU8' }
            '2013CU9' = [PSCustomObject]@{ Name = 'Exchange 2013 CU9'; ObjectVersionDefault = 13236; ObjectVersionConfig = 15965; RangeUpper = 15312; Binding = '2013CU9' }
            '2013CU10' = [PSCustomObject]@{ Name = 'Exchange 2013 CU10'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU10' }
            '2013CU11' = [PSCustomObject]@{ Name = 'Exchange 2013 CU11'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU11' }
            '2013CU12' = [PSCustomObject]@{ Name = 'Exchange 2013 CU12'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU12' }
            '2013CU13' = [PSCustomObject]@{ Name = 'Exchange 2013 CU13'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU13' }
            '2013CU14' = [PSCustomObject]@{ Name = 'Exchange 2013 CU14'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU14' }
            '2013CU15' = [PSCustomObject]@{ Name = 'Exchange 2013 CU15'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU15' }
            '2013CU16' = [PSCustomObject]@{ Name = 'Exchange 2013 CU16'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU16' }
            '2013CU17' = [PSCustomObject]@{ Name = 'Exchange 2013 CU17'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU17' }
            '2013CU18' = [PSCustomObject]@{ Name = 'Exchange 2013 CU18'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU18' }
            '2013CU19' = [PSCustomObject]@{ Name = 'Exchange 2013 CU19'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU19' }
            '2013CU20' = [PSCustomObject]@{ Name = 'Exchange 2013 CU20'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU20' }
            '2013CU21' = [PSCustomObject]@{ Name = 'Exchange 2013 CU21'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16130; RangeUpper = 15312; Binding = '2013CU21' }
            '2013CU22' = [PSCustomObject]@{ Name = 'Exchange 2013 CU22'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16131; RangeUpper = 15312; Binding = '2013CU22' }
            '2013CU23' = [PSCustomObject]@{ Name = 'Exchange 2013 CU23'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16133; RangeUpper = 15312; Binding = '2013CU23' }
            '2016Preview' = [PSCustomObject]@{ Name = 'Exchange 2016 Preview'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16041; RangeUpper = 15317; Binding = '2016Preview' }
            '2016RTM' = [PSCustomObject]@{ Name = 'Exchange 2016 RTM'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16210; RangeUpper = 15317; Binding = '2016RTM' }
            '2016CU1' = [PSCustomObject]@{ Name = 'Exchange 2016 CU1'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16211; RangeUpper = 15323; Binding = '2016CU1' }
            '2016CU2' = [PSCustomObject]@{ Name = 'Exchange 2016 CU2'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16212; RangeUpper = 15325; Binding = '2016CU2' }
            '2016CU3' = [PSCustomObject]@{ Name = 'Exchange 2016 CU3'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16212; RangeUpper = 15326; Binding = '2016CU3' }
            '2016CU4' = [PSCustomObject]@{ Name = 'Exchange 2016 CU4'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15326; Binding = '2016CU4' }
            '2016CU5' = [PSCustomObject]@{ Name = 'Exchange 2016 CU5'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15326; Binding = '2016CU5' }
            '2016CU6' = [PSCustomObject]@{ Name = 'Exchange 2016 CU6'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15330; Binding = '2016CU6' }
            '2016CU7' = [PSCustomObject]@{ Name = 'Exchange 2016 CU7'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15332; Binding = '2016CU7' }
            '2016CU8' = [PSCustomObject]@{ Name = 'Exchange 2016 CU8'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15332; Binding = '2016CU8' }
            '2016CU9' = [PSCustomObject]@{ Name = 'Exchange 2016 CU9'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15332; Binding = '2016CU9' }
            '2016CU10' = [PSCustomObject]@{ Name = 'Exchange 2016 CU10'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15332; Binding = '2016CU10' }
            '2016CU11' = [PSCustomObject]@{ Name = 'Exchange 2016 CU11'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16214; RangeUpper = 15332; Binding = '2016CU11' }
            '2016CU12' = [PSCustomObject]@{ Name = 'Exchange 2016 CU12'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16215; RangeUpper = 15332; Binding = '2016CU12' }
            '2016CU13' = [PSCustomObject]@{ Name = 'Exchange 2016 CU13'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16217; RangeUpper = 15332; Binding = '2016CU13' }
            '2016CU14' = [PSCustomObject]@{ Name = 'Exchange 2016 CU14'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16217; RangeUpper = 15332; Binding = '2016CU14' }
            '2016CU15' = [PSCustomObject]@{ Name = 'Exchange 2016 CU15'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16217; RangeUpper = 15332; Binding = '2016CU15' }
            '2016CU16' = [PSCustomObject]@{ Name = 'Exchange 2016 CU16'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16217; RangeUpper = 15332; Binding = '2016CU16' }
            '2016CU17' = [PSCustomObject]@{ Name = 'Exchange 2016 CU17'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16217; RangeUpper = 15332; Binding = '2016CU17' }
            '2019Preview' = [PSCustomObject]@{ Name = 'Exchange 2019 Preview'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16213; RangeUpper = 15332; Binding = '2019Preview' }
            '2019RTM' = [PSCustomObject]@{ Name = 'Exchange 2019 RTM'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16751; RangeUpper = 17000; Binding = '2019RTM' }
            '2019CU1' = [PSCustomObject]@{ Name = 'Exchange 2019 CU1'; ObjectVersionDefault = 13236; ObjectVersionConfig = 16752; RangeUpper = 17000; Binding = '2019CU1' }
            '2019CU2' = [PSCustomObject]@{ Name = 'Exchange 2019 CU2'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16754; RangeUpper = 17001; Binding = '2019CU2' }
            '2019CU3' = [PSCustomObject]@{ Name = 'Exchange 2019 CU3'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16754; RangeUpper = 17001; Binding = '2019CU3' }
            '2019CU4' = [PSCustomObject]@{ Name = 'Exchange 2019 CU4'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16754; RangeUpper = 17001; Binding = '2019CU4' }
            '2019CU5' = [PSCustomObject]@{ Name = 'Exchange 2019 CU5'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16754; RangeUpper = 17001; Binding = '2019CU5' }
            '2019CU6' = [PSCustomObject]@{ Name = 'Exchange 2019 CU6'; ObjectVersionDefault = 13237; ObjectVersionConfig = 16754; RangeUpper = 17001; Binding = '2019CU6' }
        }
    }
    process
    {
        if ($Binding) { return $versionMapping[$Binding] }
        $versionMapping.Values | Where-Object Name -Like $Name
    }
}

function Get-SchemaAdminCredential
{
    <#
    .SYNOPSIS
        Returns the credentials for the account to use for schema administration.
     
    .DESCRIPTION
        Returns the credentials for the account to use for schema administration.
        The behavior of this command is heavily controlled by the configuration system:
        ForestManagement.Schema.*
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .EXAMPLE
        PS C:\> Get-SchemaAdminCredential @parameters
 
        Returns the configured schema credentials
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments", "")]
    [OutputType([PSCredential])]
    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        $script:temporarySchemaUpdateUser = $null
    }
    process
    {
        #region Case: Explicit Credentials
        if (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.Credential') {
            Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.Credential'
            return
        }
        #endregion Case: Explicit Credentials

        #region Case: Temporary Schema Admin Account
        if (Get-PSFConfigValue -FullName 'ForestManagement.Schema.AutoCreate.TempAdmin') {
            do
            {
                $newName = "$(Get-Random -Minimum 100000 -Maximum 999999)_$($env:USERNAME)"
            }
            while (Get-ADUser @parameters -LDAPFilter "(name=$newName)")
            $password = New-Password -Length 128 -AsSecureString

            Invoke-PSFProtectedCommand -ActionString 'Get-SchemaAdminCredential.Account.Creation' -Target $newName -ScriptBlock {
                $newUser = New-ADUser @parameters -Name $newName -Description 'Temporary Admin account used to update the schema' -AccountPassword $password -PassThru -Enabled $true -ErrorAction Stop
            } -EnableException $true -PSCmdlet $PSCmdlet
            if (-not $newUser) { return }

            $script:temporarySchemaUpdateUser = $newUser
            $domain = Get-ADDomain @parameters
            try { Get-ADGroup @parameters -Identity "$($domain.DomainSID)-518" | Add-ADGroupMember @parameters -Members $newUser -ErrorAction Stop }
            catch {
                Remove-ADUser -Identity $userObject @parameters
                $script:temporarySchemaUpdateUser = $null
                Stop-PSFFunction -String 'Get-SchemaAdminCredential.Account.Assignment.Failure' -StringValues $newName -EnableException $true -Cmdlet $PSCmdlet -ErrorRecord $_
            }
            New-Object System.Management.Automation.PSCredential("$($domain.NetBIOSName)\$($newName)", $password)
            return
        }
        #endregion Case: Temporary Schema Admin Account

        #region Case: Explicit Schema Admin Account
        if (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.Name') {
            $accountName = Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.Name'
            if ($accountName -like "*\*") { $accountName = $account.Split("\")[1] }
            $domain = Get-ADDomain @parameters
            
            $accountObject = Get-ADUser @parameters -LDAPFilter "(name=$accountName)"
            $schemaAdmins = Get-ADGroup @parameters -Identity "$($domain.DomainSID)-518" -Properties Members

            #region Scenario: Account does not exist
            if (-not $accountObject)
            {
                if (-not (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoCreate')) {
                    Stop-PSFFunction -String 'Get-SchemaAdminCredential.Account.ExistsNot' -StringValues $accountName -EnableException $true -Cmdlet $PSCmdlet -Category ObjectNotFound
                }

                $password = New-Password -Length 128 -AsSecureString
                Invoke-PSFProtectedCommand -ActionString 'Get-SchemaAdminCredential.Account.Creation' -Target $accountName -ScriptBlock {
                    $userObject = New-ADUser @parameters -Name $accountName -AccountPassword $password -Enabled $true -Description "Admin account for updating the schema. Created by $($env:USERDOMAIN)\$($env:USERNAME)" -PassThru -ErrorAction Stop
                } -EnableException $true -PSCmdlet $PSCmdlet
                if (-not $userObject) { return }
                
                try { Get-ADGroup @parameters -Identity "$($domain.DomainSID)-518" | Add-ADGroupMember @parameters -Members $userObject -ErrorAction Stop }
                catch {
                    Remove-ADUser -Identity $userObject @parameters
                    Stop-PSFFunction -String 'Get-SchemaAdminCredential.Account.GroupAssignment.Failure' -StringValues $accountName -EnableException $true -Cmdlet $PSCmdlet -ErrorRecord $_
                }
                New-Object System.Management.Automation.PSCredential("$($domain.NetBIOSName)\$($accountName)", $password)
                return
            }
            #endregion Scenario: Account does not exist
            
            #region Fail Fast
            if ($schemaAdmins.Members -notcontains $accountObject.DistinguishedName) {
                if (-not (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoGrant')) {
                    Stop-PSFFunction -String 'Get-SchemaAdminCredential.Account.Unprivileged' -StringValues $accountName -EnableException $true -Category ResourceUnavailable -Cmdlet $PSCmdlet
                }
            }
            if (-not $accountObject.Enabled) {
                if (-not (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoEnable')) {
                    Stop-PSFFunction -String 'Get-SchemaAdminCredential.Account.Disabled' -StringValues $accountName -EnableException $true -Category ResourceUnavailable -Cmdlet $PSCmdlet
                }
            }
            #endregion Fail Fast

            #region Prepare account for schema administration
            if ($schemaAdmins.Members -notcontains $accountObject.DistinguishedName) {
                Invoke-PSFProtectedCommand -ActionString 'Get-SchemaAdminCredential.Account.Group.Assignment' -Target $accountName -ScriptBlock {
                    $null = $schemaAdmins | Add-ADGroupMember @parameters -Members $accountObject -ErrorAction Stop
                } -EnableException $true -PSCmdlet $PSCmdlet
            }

            if (-not $accountObject.Enabled) {
                Invoke-PSFProtectedCommand -ActionString 'Get-SchemaAdminCredential.Account.Enable' -Target $accountName -ScriptBlock {
                    $null = Enable-ADAccount @parameters -Identity $accountObject -ErrorAction Stop
                } -EnableException $true -PSCmdlet $PSCmdlet
            }
            #endregion Prepare account for schema administration

            #region Handle Password
            if (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Password.AutoReset') {
                $password = New-Password -Length 128 -AsSecureString
                try {
                    Write-PSFMessage -String 'Get-SchemaAdminCredential.Password.Reset' -StringValues $accountName
                    $null = Set-ADAccountPassword @parameters -Identity $accountObject -NewPassword $password -ErrorAction Stop -Reset
                }
                catch { Stop-PSFFunction -String 'Get-SchemaAdminCredential.Password.Reset.Failed' -StringValues $accountName -EnableException $true -ErrorRecord $_ -Cmdlet $PSCmdlet }

                New-Object System.Management.Automation.PSCredential("$($domain.NetBIOSName)\$($accountName)", $password)
                return
            }
            else {
                try { $password = Read-Host -Prompt "Specify password for schema admin $accountName" -AsSecureString -ErrorAction Stop }
                catch { Stop-PSFFunction -String 'Get-SchemaAdminCredential.Password.InteractiveRead.Failed' -StringValues $accountName -EnableException $true -ErrorRecord $_ -Cmdlet $PSCmdlet }

                New-Object System.Management.Automation.PSCredential("$($domain.NetBIOSName)\$($accountName)", $password)
                return
            }
            #endregion Handle Password
        }
        #endregion Case: Explicit Schema Admin Account

        # Case: Current User Credential
        $Credential
    }
}


function Import-LdifFile
{
    <#
    .SYNOPSIS
        Parses an LDIF file and returns the changes it applies.
     
    .DESCRIPTION
        Parses an LDIF file and returns the changes it applies.
        Note: schemaupdatenow commands are skipped.
     
    .PARAMETER Path
        The path to the LDIF file to parse.
     
    .EXAMPLE
        PS C:\> Import-LdifFile -Path $ldifFile
 
        Parses the ldif file and returns changes it applies.
    #>

    [CmdletBinding()]
    param (
        [string]
        $Path
    )
    
    begin
    {
        #region Utility Functions
        function Resolve-AttributeName
        {
            [OutputType([string])]
            [CmdletBinding()]
            param (
                [string]
                $Name
            )
            
            switch ($Name)
            {
                'dn' { 'DistinguishedName' }
                default { $Name }
            }
        }
        function Resolve-AttributeValue
        {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
            [CmdletBinding()]
            param (
                [string]
                $Value,
                
                [bool]
                $IsBase64,
                
                [string]
                $AttributeName
            )
            
            if ($IsBase64)
            {
                switch ($AttributeName)
                {
                    'schemaIDGUID' {
                        [PSCustomObject]@{
                            Guid = [System.Guid]::new([System.Convert]::FromBase64String($Value))
                            GuidData = [System.Convert]::FromBase64String($Value)
                        }
                    }
                    'attributeSecurityGUID' {
                        [PSCustomObject]@{
                            Guid = [System.Guid]::new([System.Convert]::FromBase64String($Value))
                            GuidData = [System.Convert]::FromBase64String($Value)
                        }
                    }
                    'omObjectClass' {
                        [System.Convert]::FromBase64String($Value)
                    }
                    default { [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Value)) }
                }
            }
            else
            {
                if ($Value -eq "TRUE") { return $true }
                if ($Value -eq "FALSE") { return $false }
                if ($Value -eq "") { return '' }
                if ($null -ne ($Value -as [int])) { return ($Value -as [int]) }
                $Value
            }
        }
        #endregion Utility Functions
        
        $lines = Get-Content -Path $Path
        $currentObject = @{ }
        $lastKey = ''
        $orderCount = 0
    }
    process
    {
        $isBase64 = $false
        foreach ($line in $lines)
        {
            if (-not $line) { continue }
            if ($line -like '#*') { continue }
            if ($line -like 'dn:*')
            {
                if (($currentObject.Keys.Count -gt 1) -and ($currentObject['replace'] -ne 'schemaupdatenow')) { [pscustomobject]$currentObject }
                $currentObject = @{
                    PSTypeName          = 'ForestManagement.Schema.Ldif.Setting'
                    DistinguishedName = ($line -replace '^dn:', '').Trim() -replace ',DC=X$' -replace ',CN=Schema,CN=Configuration$'
                    FM_OrderCount     = $orderCount
                }
                $orderCount++
                $lastKey = 'DistinguishedName'
                continue
            }
            if ($line -match '^([^:]+):(?<colon>:*) (.*)$')
            {
                $isBase64 = $matches['colon'] -eq ':'
                $attributeName = Resolve-AttributeName -Name $matches[1]
                $attributeValue = Resolve-AttributeValue -Value $matches[2] -IsBase64 $isBase64 -AttributeName $attributeName
                # Prevent duplicate object classes - top is redundant and not listed in AD
                if (($attributeName -eq 'ObjectClass') -and ($attributeValue -eq 'Top')) { continue }
                if ($currentObject.ContainsKey($attributeName))
                {
                    $values = @($currentObject[$attributeName])
                    $values += $attributeValue
                    $currentObject[$attributeName] = $values
                }
                else
                {
                    $currentObject[$attributeName] = $attributeValue
                }
                $lastKey = $attributeName
            }
            # Handle value continuation on the next line
            # Values break line when exceeding a total width of 80 characters
            elseif ($line -match '^ (.+)$')
            {
                $currentObject[$lastKey] = $currentObject[$lastKey] + (Resolve-AttributeValue -Value $matches[1] -IsBase64 $isBase64 -AttributeName $lastKey)
            }
        }
    }
    end
    {
        # Process last item
        if ($currentObject.Keys.Count -gt 0)
        {
            if ($currentObject['replace'] -ne 'schemaupdatenow') { [pscustomobject]$currentObject }
        }
    }
}


function Invoke-Callback
{
    <#
    .SYNOPSIS
        Invokes registered callbacks.
     
    .DESCRIPTION
        Invokes registered callbacks.
        Should be placed inside the begin block of every single Test-* and Invoke-* command.
 
        For more details on this system, call:
        Get-Help about_FM_callbacks
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER Cmdlet
        The $PSCmdlet variable of the calling command
     
    .EXAMPLE
        PS C:\> Invoke-Callback @parameters -Cmdlet $PSCmdlet
 
        Executes all callbacks against the specified server using the specified credentials.
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingEmptyCatchBlock", "")]
    [CmdletBinding()]
    Param (
        [string]
        $Server,

        [PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCmdlet]
        $Cmdlet
    )
    
    begin
    {
        if (-not $script:callbacks) { return }

        if (-not $script:callbackDomains) { $script:callbackDomains = @{ } }
        if (-not $script:callbackForests) { $script:callbackForests = @{ } }

        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false

        $serverName = '<Default Domain>'
        if ($Server) { $serverName = $Server }
    }
    process
    {
        if (-not $script:callbacks) { return }

        if (-not $script:callbackDomains[$serverName]) {
            try { $script:callbackDomains[$serverName] = Get-ADDomain @parameters -ErrorAction Stop }
            catch { } # Ignore errors, might not work yet
        }
        if (-not $script:callbackForests[$serverName]) {
            try { $script:callbackForests[$serverName] = Get-ADForest @parameters -ErrorAction Stop }
            catch { } # Ignore errors, might not work yet
        }

        foreach ($callback in $script:callbacks.Values) {
            Write-PSFMessage -Level Debug -String 'Invoke-Callback.Invoking' -StringValues $callback.Name
            try {
                $param = @($serverName, $Credential, $script:callbackDomains[$serverName], $script:callbackForests[$serverName])
                $callback.Scriptblock.Invoke($param)
                Write-PSFMessage -Level Debug -String 'Invoke-Callback.Invoking.Success' -StringValues $callback.Name
            }
            catch {
                Write-PSFMessage -Level Debug -String 'Invoke-Callback.Invoking.Failed' -StringValues $callback.Name -ErrorRecord $_
                $Cmdlet.ThrowTerminatingError($_)
            }
        }
    }
}


function Invoke-LdifFile
{
    <#
        .SYNOPSIS
            Invokes a LDIF file against a target server / forest.
         
        .DESCRIPTION
            Invokes a LDIF file against a target server / forest.
            Note: This command assumes schema updates executed against the schema master (and will automatically switch to target that server).
            LDIF files are not technically constrained to performing schema updates however.
            Thus this function is not suitable to performing domain NC changes in a subdomain.
         
        .PARAMETER Path
            Path to the ldif file to import
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
         
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
         
        .EXAMPLE
            PS C:\> Invoke-LdifFile -Path .\schema.ldif
 
            Imports the schema.ldif file into the current forest's schema.
    #>

    
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    param (
        [Parameter(Mandatory = $true)]
        [PsfValidateScript('ForestManagement.Validate.Path.SingleFile', ErrorString = 'ForestManagement.Validate.Path.SingleFile.Failed')]
        [string]
        $Path,

        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        $parameters['Server'] = (Get-ADForest @parameters).SchemaMaster
        $domain = Get-ADDomain @parameters
        
        $arguments = @()
        if ($Credential) {
            $arguments += "-b"
            $networkCredential = $Credential.GetNetworkCredential()
            $userName = $networkCredential.UserName
            $domain = $networkCredential.Domain
            if (-not $domain -and $userName -match '@') {
                $userName, $domain = $userName -split '@',2
            }
            $arguments += $userName
            if ($domain) { $arguments += $domain }
            $arguments += $networkCredential.Password
        }
        # Load target server
        $arguments += '-s'
        $arguments += "$Server"

        # Other settings
        $arguments += '-i' # Import
        $arguments += '-k' # Ignore errors for items that already exist
        $arguments += '-c'
        $arguments += 'DC=X'
        $arguments += $domain.DistinguishedName

        # Load File
        $arguments += '-f'
        $arguments += (Resolve-PSFPath -Path $Path -Provider FileSystem -SingleItem)
    }
    process
    {
        Invoke-PSFProtectedCommand -ActionString 'Invoke-LdifFile.Invoking.File' -ActionStringValues $Path -ScriptBlock {
            $procInfo = Start-Process -FilePath ldifde.exe -ArgumentList $arguments -Wait -PassThru -ErrorAction Stop -WindowStyle Hidden
            if ($procInfo.ExitCode) {
                $winError = [System.ComponentModel.Win32Exception]::new($procInfo.ExitCode)
                switch ($procInfo.ExitCode) {
                    8224 { $outerError = [System.InvalidOperationException]::new("Failed to apply ldif file. Validate domain health, especially FSMO assignment and replication health. $($winError.Message)", $winError) }
                    default { $outerError = [System.InvalidOperationException]::new("Failed to apply ldif file: $($winError.Message)", $winError) }
                }
                throw $outerError
            }
        } -EnableException $true -Target $Server -PSCmdlet $PSCmdlet
    }
}


function New-Password
{
    <#
        .SYNOPSIS
            Generate a new, complex password.
         
        .DESCRIPTION
            Generate a new, complex password.
         
        .PARAMETER Length
            The length of the password calculated.
            Defaults to 32
 
        .PARAMETER AsSecureString
            Returns the password as secure string.
         
        .EXAMPLE
            PS C:\> New-Password
 
            Generates a new 32v character password.
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    [CmdletBinding()]
    Param (
        [int]
        $Length = 32,

        [switch]
        $AsSecureString
    )
    
    begin
    {
        $characters = @{
            0 = @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z')
            1 = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z')
            2 = @(0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9)
            3 = @('#','$','%','&',"'",'(',')','*','+',',','-','.','/',':',';','<','=','>','?','@')
            4 = @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z')
            5 = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z')
            6 = @(0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9)
            7 = @('#','$','%','&',"'",'(',')','*','+',',','-','.','/',':',';','<','=','>','?','@')
        }
    }
    process
    {
        $letters = foreach ($number in (1..$Length)) {
            $characters[(($number % 4) + (1..4 | Get-Random))] | Get-Random
        }
        if ($AsSecureString) { $letters -join "" | ConvertTo-SecureString -AsPlainText -Force }
        else { $letters -join "" }
    }
}


function New-TestResult
{
    <#
    .SYNOPSIS
        Generates a new test result object.
     
    .DESCRIPTION
        Generates a new test result object.
        Helper function that slims down the Test- commands.
     
    .PARAMETER ObjectType
        What kind of object is being processed (e.g.: User, OrganizationalUnit, Group, ...)
     
    .PARAMETER Type
        What kind of change needs to be performed
     
    .PARAMETER Identity
        Identity of the change item
     
    .PARAMETER Changed
        What properties - if any - need to be changed
     
    .PARAMETER Server
        The server the test was performed against
     
    .PARAMETER Configuration
        The configuration object containing the desired state.
     
    .PARAMETER ADObject
        The AD Object(s) containing the actual state.
 
    .PARAMETER Properties
        Additional properties to include in the testresult object.
     
    .EXAMPLE
        PS C:\> New-TestResult -ObjectType User -Type Changed -Identity $resolvedDN -Changed Description -Server $Server -Configuration $userDefinition -ADObject $adObject
 
        Creates a new test result object using the specified information.
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $ObjectType,
        
        [Parameter(Mandatory = $true)]
        [string]
        $Type,
        
        [Parameter(Mandatory = $true)]
        [string]
        $Identity,
        
        [object[]]
        $Changed,
        
        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [PSFComputer]
        $Server,
        
        $Configuration,
        
        $ADObject,

        [hashtable]
        $Properties = @{ }
    )
    
    process
    {
        $object = [PSCustomObject](@{
            PSTypeName = "ForestManagement.$ObjectType.TestResult"
            Type       = $Type
            ObjectType = $ObjectType
            Identity   = $Identity
            Changed    = $Changed
            Server       = $Server
            Configuration = $Configuration
            ADObject   = $ADObject
        } + $Properties)
        Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value { $this.Identity } -Force
        $object
    }
}

function Remove-SchemaAdminCredential
{
    <#
        .SYNOPSIS
            Implements the post processing of schema admin credentials.
         
        .DESCRIPTION
            Implements the post processing of schema admin credentials.
            This command is responsible for applying the schema admin credential configuration policies.
            For example, it will remove temporary admin accounts or perform the auto-reset auf admin credentials.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
         
        .PARAMETER SchemaAccountCredential
            The credential object of the schema admin that was returned by Get-SchemaAdminCredential.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
         
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
         
        .EXAMPLE
            PS C:\> Remove-SchemaAdminCredential @removeParameters
 
            Cleans up the credentials according to policy.
    #>

    
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [PSCredential]
        $SchemaAccountCredential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        $domain = Get-ADDomain @parameters
    }
    process
    {
        if ($SchemaAccountCredential) {
            $userName = $SchemaAccountCredential.GetNetworkCredential().UserName
            try {
                Write-PSFMessage -String 'Remove-SchemaAdminCredential.SchemaAccount.Resolve' -StringValues $userName
                $accountObject = Get-ADUser @parameters -Identity $userName -ErrorAction Stop
            }
            catch { Stop-PSFFunction -String 'Remove-SchemaAdminCredential.SchemaAccount.Resolve.Failed' -StringValues $userName -EnableException $true -Cmdlet $PSCmdlet -ErrorRecord $_ }
        }
        if ((Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoRevoke') -and ($accountObject)) {
            Invoke-PSFProtectedCommand -ActionString 'Remove-SchemaAdminCredential.Account.Group.Revoke' -Target $username -ScriptBlock {
                "$($domain.DomainSID)-518" | Remove-ADGroupMember @parameters -Members $accountObject -ErrorAction Stop -Confirm:$false
            } -EnableException $true -PSCmdlet $PSCmdlet
        }
        if ((Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoDisable') -and ($accountObject)) {
            $null = Invoke-PSFProtectedCommand -ActionString 'Remove-SchemaAdminCredential.SchemaAccount.Disable' -Target $username -ScriptBlock {
                Disable-ADAccount @parameters -Identity $accountObject -ErrorAction Stop -Confirm:$false
            } -EnableException $true -PSCmdlet $PSCmdlet
        }
        if ((Get-PSFConfigValue -FullName 'ForestManagement.Schema.Password.AutoReset') -and ($accountObject)) {
            $null = Invoke-PSFProtectedCommand -ActionString 'Remove-SchemaAdminCredential.SchemaAccount.PasswordReset' -Target $username -ScriptBlock {
                $password = New-Password -Length 128 -AsSecureString
                Set-ADAccountPassword @parameters -Identity $accountObject -ErrorAction Stop -NewPassword $password -Reset -Confirm:$false
            } -EnableException $true -PSCmdlet $PSCmdlet
        }
        if ((Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoDescription') -and ($accountObject)) {
            $null = Invoke-PSFProtectedCommand -ActionString 'Remove-SchemaAdminCredential.Account.AutoDescription' -Target $username -ScriptBlock {
                Set-ADUser @parameters -Identity $accountObject -Description (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.AutoDescription') -ErrorAction Stop
            } -EnableException $true -PSCmdlet $PSCmdlet
        }
        if ($script:temporarySchemaUpdateUser) {
            try {
                Write-PSFMessage -String 'Remove-SchemaAdminCredential.TemporaryAccount.Remove' -StringValues $script:temporarySchemaUpdateUser.Name
                Remove-ADUser @parameters -Identity $script:temporarySchemaUpdateUser -ErrorAction Stop -Confirm:$false
                $script:temporarySchemaUpdateUser = $null
            }
            catch { Stop-PSFFunction -String 'Remove-SchemaAdminCredential.TemporaryAccount.Remove.Failed' -StringValues $script:temporarySchemaUpdateUser.Name -EnableException $true -Cmdlet $PSCmdlet -ErrorRecord $_ }
        }
    }
}

function Resolve-SchemaAttribute {
    <#
    .SYNOPSIS
        Combines configuration and adobject into an attributes hashtable.
     
    .DESCRIPTION
        Combines configuration and adobject into an attributes hashtable.
        This is a helper function that allows to simplify the code used to create and update schema attributes.
     
    .PARAMETER Configuration
        The configuration object containing the desired schema attribute name.
     
    .PARAMETER ADObject
        The ADObject - if present - containing the current schema attribute configuration.
        Specifying this will cause it to return a delta hashtable useful for updating attributes.
     
    .PARAMETER Changes
        Changes to be applied to an existing attribute.
 
    .EXAMPLE
        PS C:\> Resolve-SchemaAttribute -Configuration $testItem.Configuration
 
        Returns the attributes hashtable for a new schema attribute.
         
    .EXAMPLE
        PS C:\> Resolve-SchemaAttribute -Configuration $testItem.Configuration -ADObject $testItem.ADObject
 
        Returns the attributes hashtable for attributes to update.
    #>

    [OutputType([hashtable])]
    [CmdletBinding()]
    param (
        $Configuration,
        
        $ADObject,

        $Changes
    )

    begin {
        function Convert-AttributeName {
            [OutputType([string])]
            [CmdletBinding()]
            param (
                [Parameter(ValueFromPipeline = $true)]
                [AllowEmptyCollection()]
                [AllowEmptyString()]
                [AllowNull()]
                [string[]]
                $Name
            )

            process {
                foreach ($entry in $Name) {
                    if ($null -eq $entry) { continue }

                    switch ($entry) {
                        SingleValued { 'isSingleValued' }
                        OID { 'attributeID' }
                        PartialAttributeSet { 'isMemberOfPartialAttributeSet' }
                        AdvancedView { 'showInAdvancedViewOnly' }
                        default { $_ }
                    }
                }
            }
        }
    }
    
    process {
        #region Build out basic attribute hashtable
        $attributes = @{
            adminDisplayName              = $Configuration.AdminDisplayName
            lDAPDisplayName               = $Configuration.LdapDisplayName
            attributeId                   = $Configuration.OID
            oMSyntax                      = $Configuration.OMSyntax
            attributeSyntax               = $Configuration.AttributeSyntax
            isSingleValued                = ($Configuration.SingleValued -as [bool])
            adminDescription              = $Configuration.AdminDescription
            searchflags                   = $Configuration.SearchFlags
            isMemberOfPartialAttributeSet = $Configuration.PartialAttributeSet
            showInAdvancedViewOnly        = $Configuration.AdvancedView
        }
        #endregion Build out basic attribute hashtable

        #region Case: New Attribute
        if (-not $ADObject) {
            $badProperties = foreach ($pair in $attributes.GetEnumerator()) {
                if ($null -eq $pair.Value) { $pair.Key }
            }
            if ($null -eq $Configuration.SingleValued) { $badProperties = @($badProperties) + @('SingleValued') }
            if ($badProperties) {
                throw "Cannot create new attribute $($Configuration.AdminDisplayName), missing attributes: $($badProperties -join ',')"
            }

            return $attributes
        }
        #endregion Case: New Attribute

        #region Case: Update Settings
        $updates = @{ }
        foreach ($change in $Changes) {
            if ('ObjectClass' -eq $change.Property) { continue }
            $updates[($change.Property | Convert-AttributeName)] = $change.New
        }
        
        $systemOnly = @(
            'isSingleValued'
            'oMSyntax'
            'attributeId'
            'attributeSyntax'
        )

        foreach ($attributeName in ($updates.Keys | Write-Output)) {
            
            if ($systemOnly -contains $attributeName) {
                Write-PSFMessage -Level Warning -String 'Resolve-SchemaAttribute.Update.SystemOnlyError' -StringValues $attributeName, $attributes.$attributeName, $ADObject
                $updates.Remove($attributeName)
            }
        }
        #endregion Case: Update Settings
        
        $updates
    }
}

function Set-FMDomainContext
{
    <#
        .SYNOPSIS
            Updates the domain settings for string replacement.
         
        .DESCRIPTION
            Updates the domain settings for string replacement.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
         
        .EXAMPLE
            PS C:\> Set-FMDomainContext @parameters
 
            Updates the current domain context
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    [CmdletBinding()]
    param (
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
    }
    process
    {
        $domainObject = Get-ADDomain @parameters
        $forestObject = Get-ADForest @parameters
        if ($forestObject.RootDomain -eq $domainObject.DNSRoot)
        {
            $forestRootDomain = $domainObject
            $forestRootSID = $forestRootDomain.DomainSID.Value
        }
        else
        {
            try
            {
                $cred = $PSBoundParameters | ConvertTo-PSFHashtable -Include Credential
                $forestRootDomain = Get-ADDomain @cred -Server $forestObject.RootDomain -ErrorAction Stop
                $forestRootSID = $forestRootDomain.DomainSID.Value
            }
            catch
            {
                $forestRootDomain = [PSCustomObject]@{
                    Name = $forestObject.RootDomain.Split(".", 2)[0]
                    DNSRoot = $forestObject.RootDomain
                    DistinguishedName = 'DC={0}' -f ($forestObject.RootDomain.Split(".") -join ",DC=")
                }
                $forestRootSID = (Get-ADObject @parameters -SearchBase "CN=System,$($domainObject.DistinguishedName)" -SearchScope OneLevel -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$($forestObject.RootDomain)))" -Properties securityIdentifier).securityIdentifier.Value
            }
        }
        
        Register-StringMapping -Name '%DomainName%' -Value $domainObject.Name
        Register-StringMapping -Name '%DomainNetBIOSName%' -Value $domainObject.NetbiosName
        Register-StringMapping -Name '%DomainFqdn%' -Value $domainObject.DNSRoot
        Register-StringMapping -Name '%DomainDN%' -Value $domainObject.DistinguishedName
        Register-StringMapping -Name '%DomainSID%' -Value $domainObject.DomainSID.Value
        Register-StringMapping -Name '%RootDomainName%' -Value $forestRootDomain.Name
        Register-StringMapping -Name '%RootDomainFqdn%' -Value $forestRootDomain.DNSRoot
        Register-StringMapping -Name '%RootDomainDN%' -Value $forestRootDomain.DistinguishedName
        Register-StringMapping -Name '%RootDomainSID%' -Value $forestRootSID
        Register-StringMapping -Name '%ForestFqdn%' -Value $forestObject.Name
    }
}

function Test-ADObject
{
    <#
    .SYNOPSIS
        Tests, whether a given AD object already exists.
     
    .DESCRIPTION
        Tests, whether a given AD object already exists.
     
    .PARAMETER Identity
        Identity of the object to test.
        Must be a unique identifier accepted by Get-ADObject.
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .EXAMPLE
        PS C:\> Test-ADObject -Identity $distinguishedName
 
        Tests whether the object referenced in $distinguishedName exists in the current domain.
    #>

    [OutputType([bool])]
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [string]
        $Identity,

        [string]
        $Server,

        [pscredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
    }
    process
    {
        try {
            $null = Get-ADObject -Identity $Identity @parameters -ErrorAction Stop
            return $true
        }
        catch {
            return $false
        }
    }
}


function Test-SchemaAdminCredential {
    <#
    .SYNOPSIS
        Validates, whether the schema admin credential workflow should be executed.
     
    .DESCRIPTION
        Validates, whether the schema admin credential workflow should be executed.
        This is done using two checks:
        - Is the ForestManagement.Schema.Account.IgnoreOnCredentialProvider config setting set?
        - Is the command calling the caller of this command anything other than Invoke-AdmfForest with the CredentialProvider parameter set
        If the configuration is set and a crededntial provider was specified, it will return false.
     
    .EXAMPLE
        PS C:\> Test-SchemaAdminCredential
 
        Validates, whether the schema admin credential workflow should be executed.
    #>

    [OutputType([bool])]
    [CmdletBinding()]
    param ()

    if (Get-PSFConfigValue -FullName 'ForestManagement.Schema.Account.IgnoreOnCredentialProvider') {
        return $true
    }

    $invocation = (Get-PSCallstack)[2]
    -not ($invocation.Command -eq 'Invoke-AdmfForest' -and $invocation.InvocationInfo.BoundParameters.Keys -contains 'CredentialProvider')
}

function Update-Schema {
    <#
    .SYNOPSIS
        Forces a schema update.
     
    .DESCRIPTION
        Forces a schema update.
        This allows immediately assigning new attributes in schema.
        Generally, it is recommended targeting the schema master dc.
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .EXAMPLE
        PS C:\> Update-Schema -Server dc1.contoso.com
 
        Forces a schema update on dc1.contoso.com
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    [CmdletBinding()]
    param (
        [string]
        $Server,

        [PSCredential]
        $Credential
    )

    $path = "LDAP://RootDSE"
    if ($Server) { $path = "LDAP://$Server/RootDSE" }
    if ($Credential) { $rootDSE = [adsi]::new($path, $Credential.UserName, $Credential.GetNetworkCredential().Password) }
    else { $rootDSE = [adsi]::new($path) }

    $null = $rootDSE.put("schemaUpdateNow", 1)
    $null = $rootDSE.SetInfo()
}

function ConvertTo-SubnetMask
{
    <#
        .SYNOPSIS
            Converts the size of a mask into the mask as IPAddress
         
        .DESCRIPTION
            Converts the size of a mask into the mask as IPAddress
         
        .PARAMETER MaskSize
            The size of the subnet. Valid between 1 and 32
         
        .EXAMPLE
            PS C:\> ConvertTo-SubnetMask -MaskSize 30
 
            Converts the size (30) into the mask as IPAddress
    #>

    [OutputType([IPAddress])]
    [CmdletBinding()]
    param (
        [ValidateRange(1, 32)]
        [int]
        $MaskSize
    )
    
    process
    {
        $binaryString = ("1") * $MaskSize + ("0") * (32 - $MaskSize)
        $bytes = foreach ($number in (0 .. 3))
        {
            [convert]::ToByte($binaryString.SubString(($number * 8), 8), 2)
        }
        [IPAddress]::new($bytes)
    }
}


function Test-Subnet
{
    <#
    .SYNOPSIS
        Tests whether a host fits into the specified subnet.
     
    .DESCRIPTION
        Tests whether a host fits into the specified subnet.
     
    .PARAMETER NetworkAddress
        The address of the subnet.
     
    .PARAMETER MaskAddress
        The subnet mask of the subnet.
     
    .PARAMETER MaskSize
        The size of the mask of the subnet.
     
    .PARAMETER HostAddress
        The address of the host to test
     
    .EXAMPLE
        PS C:\> Test-Subnet -NetworkAddress '192.168.2.0' -MaskSize 24 -HostAddress '192.168.20.255'
 
        Checks whether the address '192.168.20.255' is part of the subnet '192.168.2.0/24'
    #>

    
    [CmdletBinding()]
    Param (
        [IPAddress]
        $NetworkAddress,

        [IPAddress]
        $MaskAddress,

        [int]
        $MaskSize,

        [IPAddress]
        $HostAddress
    )
    
    process
    {
        if ($MaskSize) {
            $MaskAddress = ConvertTo-SubnetMask -MaskSize $MaskSize
        }
        $NetworkAddress.Address -eq ($MaskAddress.Address -band $HostAddress.Address)
    }
}


function Get-FMCertificate {
    <#
    .SYNOPSIS
        Returns registered Certificates.
     
    .DESCRIPTION
        Returns registered Certificates.
     
    .PARAMETER Thumbprint
        The thumbprint of the certificate to filter by.
     
    .PARAMETER Name
        The name of the certificate to filter by.
     
    .PARAMETER Type
        The type of certificate to look for
     
    .EXAMPLE
        PS C:\> Get-FMCertificate
 
        Returns all registered certificates intended for any of the forest certificate stores
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
    [CmdletBinding()]
    Param (
        [string]
        $Thumbprint = '*',

        [string]
        $Name = '*',
        
        [string]
        $Type = '*'
    )
    
    process {
        ($script:dsCertificates.Values) | Where-Object { $_.Certificate.Thumbprint -like $Thumbprint } | Where-Object {
            $_.Certificate.Subject -like $Name -or
            $_.Certificate.Subject -like "CN=$Name" -or
            $_.Certificate.FriendlyName -like $Name
        } | Where-Object Type -Like $Type
    }
}



function Invoke-FMCertificate
{
<#
    .SYNOPSIS
        Applies the desired certificates to the NTAuth store.
     
    .DESCRIPTION
        Applies the desired certificates to the NTAuth store.
        This allows distributing certificates that are trusted across the entire forest.
     
    .PARAMETER InputObject
        The test results to apply.
        Only specify objects returned by Test-FMCertificate.
        By default, if you do not specify this parameter it will run the test and apply all deltas found.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .PARAMETER Confirm
        If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
     
    .PARAMETER WhatIf
        If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
    .EXAMPLE
        PS C:\> Invoke-FMCertificate -Server contoso.com
     
        Applies the defined NTAuthStore configuration to the contoso.com domain.
#>

    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential,
        
        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type dsCertificates -Cmdlet $PSCmdlet
        
        $computerName = (Get-ADDomain @parameters).PDCEmulator
        $psParameter = $PSBoundParameters | ConvertTo-PSFHashtable -Include ComputerName, Credential -Inherit
        try { $session = New-PSSession @psParameter -ErrorAction Stop }
        catch
        {
            Stop-PSFFunction -String 'Invoke-FMCertificate.WinRM.Failed' -StringValues $computerName -ErrorRecord $_ -EnableException $EnableException -Cmdlet $PSCmdlet -Target $computerName
            return
        }
        
        #region Add Certificate Scriptblock
        $addCertificateScript = {
            param (
                $Certificate
            )
            
            $certPath = "$env:temp\cert_$(Get-Random -Minimum 10000 -Maximum 99999).cer"
            
            try { $Certificate.Certificate.GetRawCertData() | Set-Content $certPath -Encoding Byte -ErrorAction Stop }
            catch
            {
                [pscustomobject]@{
                    Success = $false
                    Stage   = 'Writing certificate file'
                    Error   = $_
                }
                return
            }
            
            $res = certutil.exe -dspublish -f $certPath $Certificate.Type 2>&1
            if ($LASTEXITCODE -gt 0)
            {
                [pscustomobject]@{
                    Success = $false
                    Stage   = 'Applying certificate using certutil'
                    Output  = $res
                }
                Remove-Item -Path $certPath -ErrorAction Ignore
                return
            }
            Remove-Item -Path $certPath -ErrorAction Ignore
            
            [pscustomobject]@{
                Success = $true
                Stage   = 'Done'
                Output  = $null
            }
        }
        #endregion Add Certificate Scriptblock
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }
        
        # Test All Certificates if no specific test result was specified
        if (-not $InputObject)
        {
            $InputObject = Test-FMCertificate @parameters
        }
        
        :main foreach ($testResult in $InputObject)
        {
            # Catch invalid input - can only process test results
            if ($testResult.PSObject.TypeNames -notcontains 'ForestManagement.Certificate.TestResult')
            {
                Stop-PSFFunction -String 'Invoke-FMCertificate.Invalid.Input' -StringValues $testResult -Target $testResult -Continue -EnableException $EnableException
            }
            
            switch ($testResult.Type)
            {
                'Add' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMCertificate.Add' -ActionStringValues $testResult.Configuration.Certificate.Subject, $testResult.Configuration.Type -Target $testResult -ScriptBlock {
                        $result = Invoke-Command -Session $session -ArgumentList $testResult.Configuration -ScriptBlock $addCertificateScript
                        if (-not $result.Success)
                        {
                            throw "Error executing $($result.Stage) : $($result.Error)"
                        }
                        
                        $certificates = Get-ADCertificate -Parameters $parameters -Type $testResult.Configuration.Type
                        if ($testResult.Configuration.Certificate.Thumbprint -notin $certificates.Thumbprint)
                        {
                            throw "Certificate could not be applied successfully! Ensure you have the permissions needed for this operation. Certutil output:`n$($result.Output)"
                        }
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -ContinueLabel main
                }
                'Remove' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMCertificate.Remove' -ActionStringValues $testResult.ADObject.Subject, $testResult.ADObject.ADObject -Target $testResult -ScriptBlock {
                        try { Set-ADObject @parameters -Identity $testResult.ADObject.ADObject -Remove @{ $testResult.ADObject.AttributeName = $testResult.ADObject.Certificate.GetRawCertData() } -ErrorAction Stop }
                        catch
                        {
                            if ($_.Exception.ErrorCode -eq 8316) { Remove-ADObject @parameters -Identity $testResult.ADObject.ADObject -ErrorAction Stop -Confirm:$false }
                            else { throw }
                        }
                        
                        if ($testResult.ADObject.AltADObject)
                        {
                            try { Set-ADObject @parameters -Identity $testResult.ADObject.AltADObject -Remove @{ $testResult.ADObject.AttributeName = $testResult.ADObject.Certificate.GetRawCertData() } -ErrorAction Stop }
                            catch
                            {
                                if ($_.Exception.ErrorCode -eq 8316) { Remove-ADObject @parameters -Identity $testResult.ADObject.AltADObject -ErrorAction Stop -Confirm:$false }
                                else { throw }
                            }
                        }
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -ContinueLabel main
                }
            }
        }
    }
    end
    {
        if (Test-PSFFunctionInterrupt) { return }
        
        Remove-PSSession -Session $session -Confirm:$false -WhatIf:$false
    }
}



function Register-FMCertificate {
    <#
        .SYNOPSIS
            Register directory services certificates
         
        .DESCRIPTION
            Register directory services certificates
         
        .PARAMETER Certificate
            The certifcate to apply.
     
        .PARAMETER Type
            The kind of certificate this is.
            Can be: NTAuthCA, RootCA, SubCA, CrossCA or KRA.
         
        .PARAMETER Authorative
            Should the certificate configuration overwrite the existing configuration, rather than adding to it (default).
     
        .PARAMETER Remove
            Thumbprint of a certificate to remove rather than add.
 
        .PARAMETER ContextName
            The name of the context defining the setting.
            This allows determining the configuration set that provided this setting.
            Used by the ADMF, available to any other configuration management solution.
 
        .EXAMPLE
            PS C:\> Register-FMCertificate -Certificate $certificate -Type RootCA
 
            Register a certiciate as RootCA certificate.
         
        .EXAMPLE
            PS C:\> Register-FMCertificate -Authorative -Type RootCA
             
            Sets our current configuration as authorative, removing all non-listed certificates from the store.
     
        .EXAMPLE
            PS C:\> Register-FMCertificate -Remove $cert.Thumbprint -Type SubCA
     
            Registers a certificate for removal from the SubCA list.
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [ValidateSet('NTAuthCA', 'RootCA', 'SubCA', 'CrossCA', 'KRA')]
        [string]
        $Type,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Certificate")]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Authorative")]
        [bool]
        $Authorative,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Remove')]
        [string]
        $Remove,

        [string]
        $ContextName = '<Undefined>'
    )
    
    process {
        switch ($pscmdlet.ParameterSetName) {
            Certificate {
                $object = [pscustomobject]@{
                    Certificate = $Certificate
                    Type        = $Type
                    Action      = 'Add'
                    ContextName = $ContextName
                }
                Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value {
                    '+ {0} > {1}' -f $this.Type, $this.Certificate.Subject
                } -Force
                $script:dsCertificates[$Certificate.Thumbprint] = $object
            }
            Authorative { $script:dsCertificatesAuthorative[$Type] = $Authorative }
            Remove {
                $object = [pscustomobject]@{
                    Thumbprint  = $Remove
                    Type        = $Type
                    Action      = 'Remove'
                    ContextName = $ContextName
                }
                Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value {
                    '- {0} > {1}' -f $this.Type, $this.Thumbprint
                } -Force
                $script:dsCertificates[$Remove] = $object
            }
        }
    }
}


function Test-FMCertificate
{
    <#
        .SYNOPSIS
            Tests, whether the certificate stores are in the desired state.
         
        .DESCRIPTION
            Tests, whether the certificate stores are in the desired state, that is, all defined certificates are already in place.
            Use Register-FMCertificate to define desired the desired state.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
     
        .EXAMPLE
            PS C:\> Test-FMCertificate -Server contoso.com
 
            Checks whether the contoso.com forest has all the certificates it should
    #>

    [CmdletBinding()]
    param (
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type dsCertificates -Cmdlet $PSCmdlet
    }
    process
    {
        $resDefault = @{
            Server = $Server
            ObjectType = 'Certificate'
        }
        
        foreach ($type in 'NTAuthCA', 'RootCA', 'SubCA', 'CrossCA', 'KRA')
        {
            $certificates = Get-ADCertificate -Parameters $parameters -Type $type
            $desiredState = Get-FMCertificate -Type $type
            
            foreach ($desiredCert in $desiredState)
            {
                if ($desiredCert.Action -eq 'Add' -and $desiredCert.Certificate.Thumbprint -in $certificates.Thumbprint) { continue }
                if ($desiredCert.Action -eq 'Remove' -and $desiredCert.Thumbprint -notin $certificates.Thumbprint) { continue }
                
                $adObject = $null
                if ($desiredCert.Action -eq 'Remove') { $adObject = $certificates | Where-Object Thumbprint -EQ $desiredCert.Thumbprint }
                
                New-TestResult @resDefault -Type $desiredCert.Action -Identity $desiredCert -Configuration $desiredCert -ADObject $adObject
            }
            
            if (-not $script:dsCertificatesAuthorative[$type]) { continue }
            
            foreach ($certificate in $certificates)
            {
                if ($certificate.Thumbprint -in $desiredState.Certificate.Thumbprint) { continue }
                if ($certificate.Thumbprint -in $desiredState.Thumbprint) { continue }
                
                New-TestResult @resDefault -Type 'Remove' -Identity $certificate -ADObject $certificate
            }
        }
    }
}

function Unregister-FMCertificate
{
    <#
    .SYNOPSIS
        Removes a certificate definition for the NTAuthStore.
     
    .DESCRIPTION
        Removes a certificate definition for the NTAuthStore.
        See Register-FMCertificate tfor details on defining a certificate.
     
    .PARAMETER Thumbprint
        The thumbprint of the certificate to remove.
     
    .PARAMETER Certificate
        The certificate to remove.
     
    .EXAMPLE
        PS C:\> Get-FMCertificate | Unregister-FMCertificate
 
        Clears all certificates from the list of defined NTAuth certificates
    #>

    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]
        $Thumbprint,
        
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate
    )
    
    process
    {
        foreach ($thumbprintString in $Thumbprint) {
            $script:dsCertificates.Remove($thumbprintString)
        }
        foreach ($certificateObject in $Certificate)
        {
            $script:dsCertificates.Remove($certificateObject.Thumbprint)
        }
    }
}



function Get-FMExchangeSchema
{
<#
    .SYNOPSIS
        Returns the defined Exchange Forest configuration to apply.
     
    .DESCRIPTION
        Returns the defined Exchange Forest configuration to apply.
     
    .EXAMPLE
        PS C:\> Get-FMExchangeSchema
     
        Returns the defined Exchange Forest configuration to apply.
#>

    [CmdletBinding()]
    Param (
    
    )
    
    process
    {
        $script:exchangeschema
    }
}


function Invoke-FMExchangeSchema {
    <#
    .SYNOPSIS
        Applies the desired Exchange version to the tareted Forest.
     
    .DESCRIPTION
        Applies the desired Exchange version to the tareted Forest.
        Requires Schema Admin & Enterprise Admin privileges.
     
    .PARAMETER InputObject
        Test results provided by the associated test command.
        Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .PARAMETER Confirm
        If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
     
    .PARAMETER WhatIf
        If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
    .EXAMPLE
        PS C:\> Invoke-FMExchangeSchema -Server contoso.com
     
        Applies the desired Exchange version to the contoso.com Forest.
#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseUsingScopeModifierInNewRunspaces', '')]
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential,
        
        [switch]
        $EnableException
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ExchangeSchema -Cmdlet $PSCmdlet
        $forestObject = Get-ADForest @parameters
        
        $psParameter = $PSBoundParameters | ConvertTo-PSFHashtable -Include Credential
        $psParameter.ComputerName = $Server
        
        try { $session = New-PSSession @psParameter -ErrorAction Stop }
        catch {
            Stop-PSFFunction -String 'Invoke-FMExchangeSchema.WinRM.Failed' -StringValues $computerName -ErrorRecord $_ -EnableException $EnableException -Cmdlet $PSCmdlet -Target $computerName
            return
        }
        
        #region Functions
        function Test-ExchangeIsoPath {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
            [CmdletBinding()]
            param (
                [System.Management.Automation.Runspaces.PSSession]
                $Session,
                
                [string]
                $Path
            )
            
            Invoke-Command -Session $Session -ScriptBlock {
                Test-Path -Path $using:Path
            }
        }
        
        function Invoke-ExchangeSchemaUpdate {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingEmptyCatchBlock", "")]
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
            [CmdletBinding()]
            param (
                [System.Management.Automation.Runspaces.PSSession]
                $Session,
                
                [string]
                $Path,
                
                [string]
                $OrganizationName,
                
                [switch]
                $SchemaOnly,

                [ValidateSet('InstallSchema', 'UpdateSchema', 'Install', 'Update', 'EnableSplitP', 'DisableSplitP')]
                [string]
                $Mode,

                [bool]
                $SplitPermission,

                [bool]
                $AllDomains,

                [hashtable]
                $Parameters
            )
            
            $result = Invoke-Command -Session $Session -ScriptBlock {
                param (
                    $Parameters
                )
                $exchangeIsoPath = Resolve-Path -Path $Parameters.Path
                
                # Mount Volume
                $diskImage = Mount-DiskImage -ImagePath $exchangeIsoPath -PassThru
                $volume = Get-Volume -DiskImage $diskImage
                $limit = (Get-Date).AddMinutes(1)
                while (-not $volume.DriveLetter) {
                    $volume = Get-Volume -DiskImage $diskImage
                    if ($volume.DriveLetter) { break }
                    if ((Get-Date) -gt $limit) {
                        try { Dismount-DiskImage -ImagePath $exchangeIsoPath }
                        catch { }
                        throw "Timeout waiting for volume drive letter!"
                    }
                    Start-Sleep -Milliseconds 250
                }
                $installPath = "$($volume.DriveLetter):\setup.exe"
                
                #region Perform Installation
                $computerName = [System.Environment]::MachineName
                $resultText = switch ($Parameters.Mode) {
                    'InstallSchema' { & $installPath /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema /dc:$computerName 2>&1 }
                    'UpdateSchema' { & $installPath /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema /dc:$computerName 2>&1 }
                    'Install' {
                        if (-not $Parameters.SplitPermission) { & $installPath /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /OrganizationName:$($Parameters.OrganizationName) /dc:$computerName 2>&1 }
                        else { & $installPath /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /ActiveDirectorySplitPermissions:true /OrganizationName:$($Parameters.OrganizationName) /dc:$computerName 2>&1 }
                    }
                    'Update' { & $installPath /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /OrganizationName:$($Parameters.OrganizationName) /dc:$computerName 2>&1 }
                    'EnableSplitP' {
                        & $installPath /PrepareAD /ActiveDirectorySplitPermissions:true /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /dc:$computerName 2>&1
                        if (-not $Parameters.AllDomains) { & $installPath /PrepareDomain /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /dc:$computerName 2>&1 }
                        else { & $installPath /PrepareAllDomains /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /dc:$computerName 2>&1 }
                    }
                    'DisableSplitP' {
                        & $installPath /PrepareAD /ActiveDirectorySplitPermissions:false /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /dc:$computerName 2>&1
                        if (-not $Parameters.AllDomains) { & $installPath /PrepareDomain /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /dc:$computerName 2>&1 }
                        else { & $installPath /PrepareAllDomains /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /dc:$computerName 2>&1 }
                    }
                }
                $results = [pscustomobject]@{
                    Success = $LASTEXITCODE -lt 1
                    Message = $resultText -join "`n"
                }
                #endregion Perform Installation
                
                # Dismount Volume
                try { Dismount-DiskImage -ImagePath $exchangeIsoPath }
                catch { }
                
                # Report result
                $results
            } -ArgumentList ($PSBoundParameters | ConvertTo-PSFHashtable -Exclude Session)
            Write-PSFMessage -Message ($result.Message -join "`n") -Tag exchange, result
            if (-not $result.Success) {
                throw "Error applying exchange update: $($result.Message)"
            }

            # Exchange#s setup.exe is not always reliable in its exit codes, thus we need to retest
            $result = Test-FMExchangeSchema @Parameters
            if (-not $result) { return }
            if ($result.Type -contains $Mode) {
                throw "Error applying exchange update: $($result.Message)"
            }
        }
        #endregion Functions
    }
    process {
        if (Test-PSFFunctionInterrupt) { return }

        if (-not $InputObject) {
            $InputObject = Test-FMExchangeSchema @parameters
        }

        foreach ($testItem in $InputObject) {
            $commonParam = @{
                Session          = $session
                Path             = $testItem.Configuration.LocalImagePath
                OrganizationName = $testItem.Configuration.OrganizationName
                Parameters       = $parameters
                ErrorAction      = 'Stop'
            }
            #region Apply Updates if needed
            switch ($testItem.Type) {
                #region Install Exchange Schema
                'CreateSchema' {
                    if (-not (Test-ExchangeIsoPath -Session $session -Path $testItem.Configuration.LocalImagePath)) {
                        Stop-PSFFunction -String 'Invoke-FMExchangeSchema.IsoPath.Missing' -StringValues $testItem.Configuration.LocalImagePath -EnableException $EnableException -Continue -Category ResourceUnavailable -Target $Server
                    }
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMExchangeSchema.Installing' -ActionStringValues $testItem.Configuration -Target $forestObject -ScriptBlock {
                        Invoke-ExchangeSchemaUpdate @commonParam -Mode InstallSchema -SchemaOnly
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
                #endregion Install Exchange Schema
                
                #region Update Exchange Schema
                'UpdateSchema' {
                    if (-not (Test-ExchangeIsoPath -Session $session -Path $testItem.Configuration.LocalImagePath)) {
                        Stop-PSFFunction -String 'Invoke-FMExchangeSchema.IsoPath.Missing' -StringValues $testItem.Configuration.LocalImagePath -EnableException $EnableException -Continue -Category ResourceUnavailable -Target $Server
                    }
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMExchangeSchema.Updating' -ActionStringValues $testItem.ADObject, $testItem.Configuration -Target $forestObject -ScriptBlock {
                        Invoke-ExchangeSchemaUpdate @commonParam -Mode UpdateSchema -SchemaOnly
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
                #endregion Update Exchange Schema
                
                #region Install Exchange Schema & AD Objects
                'Create' {
                    if (-not (Test-ExchangeIsoPath -Session $session -Path $testItem.Configuration.LocalImagePath)) {
                        Stop-PSFFunction -String 'Invoke-FMExchangeSchema.IsoPath.Missing' -StringValues $testItem.Configuration.LocalImagePath -EnableException $EnableException -Continue -Category ResourceUnavailable -Target $Server
                    }
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMExchangeSchema.Installing' -ActionStringValues $testItem.Configuration -Target $forestObject -ScriptBlock {
                        Invoke-ExchangeSchemaUpdate @commonParam -Mode Install
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
                #endregion Install Exchange Schema & AD Objects
                
                #region Update Exchange Schema & AD Objects
                'Update' {
                    if (-not (Test-ExchangeIsoPath -Session $session -Path $testItem.Configuration.LocalImagePath)) {
                        Stop-PSFFunction -String 'Invoke-FMExchangeSchema.IsoPath.Missing' -StringValues $testItem.Configuration.LocalImagePath -EnableException $EnableException -Continue -Category ResourceUnavailable -Target $Server
                    }
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMExchangeSchema.Updating' -ActionStringValues $testItem.ADObject, $testItem.Configuration -Target $forestObject -ScriptBlock {
                        Invoke-ExchangeSchemaUpdate @commonParam -Mode Update
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
                #endregion Update Exchange Schema & AD Objects

                'DisableSplitP' {
                    if (-not (Test-ExchangeIsoPath -Session $session -Path $testItem.Configuration.LocalImagePath)) {
                        Stop-PSFFunction -String 'Invoke-FMExchangeSchema.IsoPath.Missing' -StringValues $testItem.Configuration.LocalImagePath -EnableException $EnableException -Continue -Category ResourceUnavailable -Target $Server
                    }
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMExchangeSchema.DisablingSplitPermissions' -ActionStringValues $testItem.Configuration -Target $Server -ScriptBlock {
                        Invoke-ExchangeSchemaUpdate @commonParam -Mode DisableSplitP -AllDomains $testItem.Configuration.AllDomains
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
                'EnableSplitP' {
                    if (-not (Test-ExchangeIsoPath -Session $session -Path $testItem.Configuration.LocalImagePath)) {
                        Stop-PSFFunction -String 'Invoke-FMExchangeSchema.IsoPath.Missing' -StringValues $testItem.Configuration.LocalImagePath -EnableException $EnableException -Continue -Category ResourceUnavailable -Target $Server
                    }
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMExchangeSchema.EnablingSplitPermissions' -ActionStringValues $testItem.Configuration -Target $Server -ScriptBlock {
                        Invoke-ExchangeSchemaUpdate @commonParam -Mode EnableSplitP -AllDomains $testItem.Configuration.AllDomains
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
            }
            #endregion Apply Updates if needed
        }
    }
    end {
        if ($session) { Remove-PSSession -Session $session -ErrorAction Ignore -Confirm:$false -WhatIf:$false }
    }
}


function Register-FMExchangeSchema {
    <#
    .SYNOPSIS
        Registers an exchange version to apply to the forest's schema and configuration.
     
    .DESCRIPTION
        Registers an exchange version to apply to the forest's schema and configuration.
        Updating both requires both Schema Admin and Enterprise Admin permissions.
         
        Domain-Level changes to Exchange are handled by the DomainManagement module.
     
    .PARAMETER LocalImagePath
        The path where to find the Exchange ISO file
        Must be local on the remote server connected to!
        Updating the Exchange AD settings is only supported when executed through the installer contained in that ISO file without exceptions.
     
    .PARAMETER ExchangeVersion
        The version of the Exchange server to apply.
        E.g. 2016CU6
        We map Exchange versions to their respective identifiers in AD:
        RangeUpper in schema and ObjectVersion in configuration.
        This parameter is to help avoiding to have to look up those values.
        If your version is not supported by us yet, look up those numbers and explicitly bind it to -RangeUpper and -ObjectVersion isntead.
     
    .PARAMETER RangeUpper
        The explicit RangeUpper schema attribute property, found on the ms-Exch-Schema-Version-Pt class in schema.
     
    .PARAMETER ObjectVersion
        The object version on the msExchOrganizationContainer type object in the configuration.
        Do NOT confuse that with the ObjectVersion of the exchange object in the default Naming Context (regular domain space).
     
    .PARAMETER OrganizationName
        The name of the Exchange Organization.
        Only used for CREATING a new Exchange deployment.
        Make sure to customize this if you are picky about names like that.
     
    .PARAMETER SchemaOnly
        Whether to only apply the schema updates.
        Enabling this will mean no configuration scope changes are applied and the root domain also will not be pre-configured for Exchange.
     
    .PARAMETER SplitPermission
        Whether the exchange installation should implement Active Directory Split Permissions.
        With Split Permissions, Exchange Administrators will be less able to affect Active Directory.
        This provides more security, but imposes more administrative effort.
 
        For more details on Split Permissions, see this documentation:
        https://docs.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions?view=exchserver-2019
 
    .PARAMETER AllDomains
        Whether the domain content changes to the root domain should be applied to ALL domains.
        Only applies to the SplitPermission change.
 
    .PARAMETER ContextName
        The name of the context defining the setting.
        This allows determining the configuration set that provided this setting.
        Used by the ADMF, available to any other configuration management solution.
     
    .EXAMPLE
        PS C:\> Register-FMExchangeSchema -LocalImagePath 'C:\ISO\exchange-2019-cu6.iso' -ExchangeVersion '2019CU6'
         
        Registers the Exchange 2019 CU6 exchange version as exchange forest settings to be applied.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $LocalImagePath,
        
        [Parameter(Mandatory = $true, ParameterSetName = 'Version')]
        [PsfValidateSet(TabCompletion = 'ForestManagement.ExchangeVersion')]
        [PsfArgumentCompleter('ForestManagement.ExchangeVersion')]
        [string]
        $ExchangeVersion,
        
        [Parameter(Mandatory = $true, ParameterSetName = 'Details')]
        [int]
        $RangeUpper,
        
        [Parameter(ParameterSetName = 'Details')]
        [int]
        $ObjectVersion,
        
        [string]
        $OrganizationName = 'Exchange Organization',
        
        [switch]
        $SchemaOnly,

        [bool]
        $SplitPermission = $false,

        [switch]
        $AllDomains,
        
        [string]
        $ContextName = '<Undefined>'
    )
    
    process {
        $object = [pscustomobject]@{
            PSTypeName       = 'ForestManagement.Configuration.ExchangeSchema'
            RangeUpper       = $RangeUpper
            ObjectVersion    = $ObjectVersion
            LocalImagePath   = $LocalImagePath
            ExchangeVersion  = (Get-AdcExchangeVersion | Where-Object RangeUpper -EQ $RangeUpper | Where-Object ObjectVersionConfig -EQ $ObjectVersion | Sort-Object Name | Select-Object -Last 1).Name
            OrganizationName = $OrganizationName
            SchemaOnly       = $SchemaOnly.ToBool()
            SplitPermission  = $SplitPermission
            AllDomains       = $AllDomains
            ContextName      = $ContextName
        }
        
        if ($ExchangeVersion) {
            # Will always succeede, since the input validation prevents invalid exchange versions
            $exchangeVersionInfo = Get-AdcExchangeVersion -Binding $ExchangeVersion
            $object.RangeUpper = $exchangeVersionInfo.RangeUpper
            $object.ObjectVersion = $exchangeVersionInfo.ObjectVersionConfig
            $object.ExchangeVersion = $exchangeVersionInfo.Name
        }
        
        Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value {
            if ($this.ExchangeVersion) { $this.ExchangeVersion }
            else { '{0} : {1}' -f $this.RangeUpper, $this.ObjectVersion }
        } -Force
        $script:exchangeschema = @($object)
    }
}


function Test-FMExchangeSchema {
    <#
    .SYNOPSIS
        Tests, whether the desired Exchange version has already been applied to the Forest.
     
    .DESCRIPTION
        Tests, whether the desired Exchange version has already been applied to the Forest.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .EXAMPLE
        PS C:\> Test-FMExchangeSchema -Server contoso.com
     
        Tests whether the desired Exchange version has already been applied to the contoso.com forest.
#>

    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ExchangeSchema -Cmdlet $PSCmdlet
        
        #region Utility Functions
        function Get-ExchangeRangeUpper {
            [CmdletBinding()]
            param (
                [hashtable]
                $Parameters
            )
            
            $rootDSE = Get-ADRootDSE @parameters
            (Get-ADObject @parameters -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(name=ms-Exch-Schema-Version-Pt)" -Properties rangeUpper).rangeUpper
        }
        
        function Get-ExchangeObjectVersion {
            [CmdletBinding()]
            param (
                [hashtable]
                $Parameters
            )
            
            $rootDSE = Get-ADRootDSE @parameters
            (Get-ADObject @parameters -SearchBase $rootDSE.configurationNamingContext -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties ObjectVersion).ObjectVersion
        }
        
        function Get-ExchangeOrganizationName {
            [CmdletBinding()]
            param (
                [hashtable]
                $Parameters
            )
            
            $rootDSE = Get-ADRootDSE @parameters
            (Get-ADObject @parameters -SearchBase $rootDSE.configurationNamingContext -LDAPFilter '(objectClass=msExchOrganizationContainer)').Name
        }
        #endregion Utility Functions
    }
    process {
        $forest = Get-ADForest @parameters
        $schemaVersion = Get-ExchangeRangeUpper -Parameters $parameters
        $objectVersion = Get-ExchangeObjectVersion -Parameters $parameters
        $displayName = (Get-AdcExchangeVersion | Where-Object RangeUpper -EQ $schemaVersion | Where-Object ObjectVersionConfig -EQ $objectVersion | Sort-Object Name | Select-Object -Last 1).Name
        $splitPermissionsEnabled = Test-ADObject @parameters -Identity ("OU=Microsoft Exchange Protected Groups,%DomainDN%" | Resolve-String)

        $adData = [pscustomobject]@{
            SchemaVersion    = $schemaVersion
            ObjectVersion    = $objectVersion
            DisplayName      = $displayName
            OrganizationName = Get-ExchangeOrganizationName -Parameters $parameters
            SplitPermissions = $splitPermissionsEnabled
        }
        Add-Member -InputObject $adData -MemberType ScriptMethod -Name ToString -Value {
            if ($this.DisplayName) { $this.DisplayName }
            else { '{0} : {1}' -f $this.SchemaVersion, $this.ObjectVersion }
        } -Force
        $configuredData = Get-FMExchangeSchema

        $common = @{
            ObjectType    = 'ExchangeSchema'
            Identity      = $forest
            Server        = $Server
            Configuration = $configuredData
            ADObject      = $adData
        }
        
        if ($configuredData.SchemaOnly) {
            if (-not $schemaVersion) {
                New-TestResult @common -Type CreateSchema
            }
            elseif ($configuredData.RangeUpper -gt $schemaVersion) {
                New-TestResult @common -Type UpdateSchema
            }
            return
        }
        
        if (-not $schemaVersion -or -not $objectVersion) {
            New-TestResult @common -Type Create
            return
        }
        if (($configuredData.RangeUpper -gt $schemaVersion) -or ($configuredData.ObjectVersion -gt $objectVersion)) {
            New-TestResult @common -Type Update
        }
        if ($splitPermissionsEnabled -and -not $configuredData.SplitPermission) {
            New-TestResult @common -Type DisableSplitP
        }
        if (-not $splitPermissionsEnabled -and $configuredData.SplitPermission) {
            New-TestResult @common -Type EnableSplitP
        }
    }
}


function Unregister-FMExchangeSchema
{
<#
    .SYNOPSIS
        Clears the defined exchange forest configuration from the loaded configuration set.
     
    .DESCRIPTION
        Clears the defined exchange forest configuration from the loaded configuration set.
     
    .EXAMPLE
        PS C:\> Unregister-FMExchangeSchema
     
        Clears the defined exchange forest configuration from the loaded configuration set.
#>

    [CmdletBinding()]
    Param (
    
    )
    
    process
    {
        $script:exchangeschema = $null
    }
}


function Get-FMForestLevel
{
<#
    .SYNOPSIS
        Returns the defined desired state if configured.
     
    .DESCRIPTION
        Returns the defined desired state if configured.
     
    .EXAMPLE
        PS C:\> Get-FMForestLevel
     
        Returns the defined desired state if configured.
#>

    [CmdletBinding()]
    Param (
    
    )
    process
    {
        $script:forestLevel
    }
}


function Invoke-FMForestLevel
{
<#
    .SYNOPSIS
        Applies the desired forest level if needed.
     
    .DESCRIPTION
        Applies the desired forest level if needed.
     
    .PARAMETER InputObject
        Test results provided by the associated test command.
        Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .PARAMETER Confirm
        If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
     
    .PARAMETER WhatIf
        If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
    .EXAMPLE
        PS C:\> Invoke-FMForestLevel -Server contoso.com
     
        Raises the forest "contoso.com" to the desired level if needed.
#>

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential,
        
        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ForestLevel -Cmdlet $PSCmdlet

        # Must be executed against the Domain Naming Master
        $forest = Get-ADForest @parameters
        $parameters.Server = $forest.DomainNamingMaster
    }
    process
    {
        if (-not $InputObject) {
            $InputObject = Test-FMForestLevel @parameters
        }

        foreach ($testItem in $InputObject)
        {
            switch ($testItem.Type)
            {
                'Raise'
                {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMForestLevel.Raise.Level' -ActionStringValues $testItem.Configuration.Level -Target $testItem.ADObject -ScriptBlock {
                        Set-ADForestMode @parameters -ForestMode $testItem.Configuration.DesiredLevel -Identity $testItem.ADObject -ErrorAction Stop -Confirm:$false
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
            }
        }
    }
}

function Register-FMForestLevel
{
<#
    .SYNOPSIS
        Register a forest functional level as desired state.
     
    .DESCRIPTION
        Register a forest functional level as desired state.
     
    .PARAMETER Level
        The level to apply.
     
    .PARAMETER ContextName
        The name of the context defining the setting.
        This allows determining the configuration set that provided this setting.
        Used by the ADMF, available to any other configuration management solution.
     
    .EXAMPLE
        PS C:\> Register-FMForestLevel -Level 2016
     
        Apply the desired forest level of 2016
#>

    [CmdletBinding()]
    param (
        [ValidateSet('2008R2', '2012', '2012R2', '2016')]
        [string]
        $Level,
        
        [string]
        $ContextName = '<Undefined>'
    )
    
    process
    {
        $script:forestlevel = @([PSCustomObject]@{
            PSTypeName  = 'ForestManagement.Configuration.ForestLevel'
            Level        = $Level
            ContextName = $ContextName
        })
    }
}

function Test-FMForestLevel
{
<#
    .SYNOPSIS
        Tests whether the target forest has at least the desired functional level.
     
    .DESCRIPTION
        Tests whether the target forest has at least the desired functional level.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .EXAMPLE
        PS C:\> Test-FMForestLevel -Server contoso.com
     
        Tests whether the forest contoso.com has at least the desired functional level.
#>

    [CmdletBinding()]
    param (
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ForestLevel -Cmdlet $PSCmdlet
    }
    process
    {
        $levelValues = @{
            '2008R2' = 4
            '2012'   = 5
            '2012R2' = 6
            '2016'   = 7
        }
        $level = Get-FMForestLevel
        $desiredLevel = $levelValues[$level.Level]
        $tempConfiguration = $level | ConvertTo-PSFHashtable
        $tempConfiguration['DesiredLevel'] = [Microsoft.ActiveDirectory.Management.ADForestMode]$desiredLevel
        $forest = Get-ADForest @parameters
        if ($forest.ForestMode -lt $desiredLevel)
        {
            $change = New-AdcChange -Property ForestLevel -OldValue $forest.ForestMode -NewValue $level.Level -Type ForestLevel -Identity $forest -ToString { '{0}: {1} -> {2}' -f $this.Identity, $this.Old, $this.New }
            New-TestResult -ObjectType ForestLevel -Type Raise -Identity $forest -Server $Server -Configuration ([pscustomobject]$tempConfiguration) -ADObject $forest -Changed $change
        }
    }
}


function Unregister-FMForestLevel
{
<#
    .SYNOPSIS
        Removes the domain level configuration if present.
     
    .DESCRIPTION
        Removes the domain level configuration if present.
     
    .EXAMPLE
        PS C:\> Unregister-FMForestLevel
     
        Removes the domain level configuration if present.
#>

    [CmdletBinding()]
    Param (
    
    )
    
    process
    {
        $script:forestlevel = $null
    }
}


function Get-FMNTAuthStore {
    <#
    .SYNOPSIS
        Returns registered NTAuthStore Certificates.
     
    .DESCRIPTION
        Returns registered NTAuthStore Certificates.
     
    .PARAMETER Thumbprint
        The thumbprint of the certificate to filter by.
     
    .PARAMETER Name
        The name of the certificate to filter by.
     
    .EXAMPLE
        PS C:\> Get-FMNTAuthStore
 
        Returns all registered certificates intended for the NTAuthStore
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
    [CmdletBinding()]
    Param (
        [string]
        $Thumbprint = '*',

        [string]
        $Name = '*'
    )
    
    process {
        ($script:ntAuthStoreCertificates.Values) | Where-Object Thumbprint -like $Thumbprint | Where-Object {
            $_.Subject -like $Name -or
            $_.Subject -like "CN=$Name" -or
            $_.FriendlyName -like $Name
        }
    }
}


function Invoke-FMNTAuthStore {
<#
    .SYNOPSIS
        Applies the desired certificates to the NTAuth store.
     
    .DESCRIPTION
        Applies the desired certificates to the NTAuth store.
        This allows distributing certificates that are trusted across the entire forest.
     
    .PARAMETER InputObject
        The test results to apply.
        Only specify objects returned by Test-FMNTAuthStore.
        By default, if you do not specify this parameter it will run the test and apply all deltas found.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .PARAMETER Confirm
        If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
     
    .PARAMETER WhatIf
        If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
    .EXAMPLE
        PS C:\> Invoke-FMNTAuthStore -Server contoso.com
     
        Applies the defined NTAuthStore configuration to the contoso.com domain.
#>

    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential,
        
        [switch]
        $EnableException
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ntAuthStoreCertificates -Cmdlet $PSCmdlet
        
        $computerName = (Get-ADDomain @parameters).PDCEmulator
        $psParameter = $PSBoundParameters | ConvertTo-PSFHashtable -Include ComputerName, Credential -Inherit
        try { $session = New-PSSession @psParameter -ErrorAction Stop }
        catch {
            Stop-PSFFunction -String 'Invoke-FMNTAuthStore.WinRM.Failed' -StringValues $computerName -ErrorRecord $_ -EnableException $EnableException -Cmdlet $PSCmdlet -Target $computerName
            return
        }
        
        #region Add Certificate Scriptblock
        $addCertificateScript = {
            param (
                $Certificate
            )
            
            $certPath = "$env:temp\cert_$(Get-Random -Minimum 10000 -Maximum 99999).cer"
            
            try { $Certificate.GetRawCertData() | Set-Content $certPath -Encoding Byte -ErrorAction Stop }
            catch {
                [pscustomobject]@{
                    Success = $false
                    Stage   = 'Writing certificate file'
                    Error   = $_
                }
                return
            }
            
            $res = certutil.exe -dspublish -f $certPath NTAuthCA 2>&1
            if ($LASTEXITCODE -gt 0) {
                [pscustomobject]@{
                    Success = $false
                    Stage   = 'Applying certificate using certutil'
                    Error   = $res
                }
                Remove-Item -Path $certPath -ErrorAction Ignore
                return
            }
            Remove-Item -Path $certPath -ErrorAction Ignore
            
            [pscustomobject]@{
                Success = $true
                Stage   = 'Done'
                Error   = $null
            }
        }
        #endregion Add Certificate Scriptblock
    }
    process {
        if (Test-PSFFunctionInterrupt) { return }
        
        # Test All NTAuthStore Certificates if no specific test result was specified
        if (-not $InputObject) {
            $InputObject = Test-FMNTAuthStore @parameters
        }
        
        :main foreach ($testResult in $InputObject) {
            # Catch invalid input - can only process test results
            if ($testResult.PSObject.TypeNames -notcontains 'ForestManagement.NTAuthStore.TestResult') {
                Stop-PSFFunction -String 'Invoke-FMNTAuthStore.Invalid.Input' -StringValues $testResult -Target $testResult -Continue -EnableException $EnableException
            }
            
            switch ($testResult.Type) {
                'Add' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMNTAuthStore.Add' -ActionStringValues $testResult.Configuration.Subject -Target $testResult -ScriptBlock {
                        $result = Invoke-Command -Session $session -ArgumentList $testResult.Configuration -ScriptBlock $addCertificateScript
                        if (-not $result.Success) {
                            throw "Error executing $($result.Stage) : $($result.Error)"
                        }
                        $rootDSE = Get-ADRootDSE @parameters
                        $storeObject = Get-ADObject @parameters -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)" -ErrorAction Stop -Properties cACertificate
                        $storedCertificates = $storeObject.cACertificate | ForEach-Object {
                            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_)
                        }
                        if ($testResult.Configuration.Thumbprint -notin $storedCertificates.Thumbprint)
                        {
                            throw "Certificate could not be applied successfully for unclarified reasons! Ensure you have the permissions needed for this operation."
                        }
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -ContinueLabel main
                }
                'Remove' {
                    $rootDSE = Get-ADRootDSE @parameters
                    
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMNTAuthStore.Remove' -ActionStringValues $testResult.ADObject.Subject -Target $testResult -ScriptBlock {
                        Set-ADObject @parameters -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)" -Remove @{ cACertificate = $testResult.ADObject.GetRawCertData() } -ErrorAction Stop
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -ContinueLabel main
                }
            }
        }
    }
    end {
        if (Test-PSFFunctionInterrupt) { return }
        
        Remove-PSSession -Session $session -Confirm:$false -WhatIf:$false
    }
}


function Register-FMNTAuthStore {
    <#
        .SYNOPSIS
            Register NTAuthStore certificates
         
        .DESCRIPTION
            Register NTAuthStore certificates
            This is the ideal / desired state for the NTAuthStore certificate configuration.
            Forests will be brought into this state by using Invoke-FMNTAuthStore.
         
        .PARAMETER Certificate
            The certifcate to apply.
         
        .PARAMETER Authorative
            Should the NTAuthStore configuration overwrite the existing configuration, rather than adding to it (default).
 
        .EXAMPLE
            PS C:\> Register-FMNTAuthStore -Certificate $NTAuthStoreCertificate
 
            Register a certiciate.
         
        .EXAMPLE
            PS C:\> Register-FMNTAuthStore -Authorative
             
            Sets our current configuration as authorative, removing all non-listed certificates from the store.
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Certificate")]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Authorative")]
        [switch]
        $Authorative
    )
    
    process {
        switch ($PSCmdlet.ParameterSetName) {
            Certificate { $script:ntAuthStoreCertificates[$Certificate.Thumbprint] = $Certificate }
            Authorative { $script:ntAuthStoreAuthorative = $Authorative.ToBool() }
        }
    }
}

function Test-FMNTAuthStore {
    <#
        .SYNOPSIS
            Tests, whether the NTAuthStore is in the desired state.
         
        .DESCRIPTION
            Tests, whether the NTAuthStore is in the desired state, that is, all defined certificates are already in place.
            Use Register-FMNTAuthStore to define desired the desired state.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
     
        .EXAMPLE
            PS C:\> Test-FMNTAuthStore -Server contoso.com
 
            Checks whether the contoso.com forest has all the NTAuth certificates it should
    #>

    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type ntAuthStoreCertificates -Cmdlet $PSCmdlet

        #region Utility Functions
        function New-TestResult {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
            [CmdletBinding()]
            Param (
                [Parameter(Mandatory = $true)]
                [string]
                $Type,

                [Parameter(Mandatory = $true)]
                [string]
                $Identity,

                [object[]]
                $Changed,

                [Parameter(Mandatory = $true)]
                [AllowNull()]
                [PSFComputer]
                $Server,

                $Configuration,

                $ADObject
            )
    
            process {
                $object = [PSCustomObject]@{
                    PSTypeName    = "ForestManagement.NTAuthStore.TestResult"
                    Type          = $Type
                    ObjectType    = "NTAuthStore"
                    Identity      = $Identity
                    Changed       = $Changed
                    Server        = $Server
                    Configuration = $Configuration
                    ADObject      = $ADObject
                }
                Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Value { $this.Identity } -Force
                $object
            }
        }
        #endregion Utility Functions

        $rootDSE = Get-ADRootDSE @parameters
        $storeObject = $null
        $storedCertificates = $null
        try {
            $storeObject = Get-ADObject @parameters -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)" -ErrorAction Stop -Properties cACertificate
            $storedCertificates = $storeObject.cACertificate | ForEach-Object {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_)
            }
            $hasStore = $storeObject -as [bool]
        }
        catch {
            $hasStore = $false
        }
    }
    process {
        $resDefault = @{
            Server = $Server
        }
        $configuredCertificates = Get-FMNTAuthStore
        foreach ($configuredCertificate in $configuredCertificates) {
            if ($storeObject) { $resDefault.ADObject = $storeObject }

            if (-not $hasStore) {
                New-TestResult @resDefault -Type 'Add' -Identity $configuredCertificate.Thumbprint -Configuration $configuredCertificate
                continue
            }

            if ($configuredCertificate.Thumbprint -notin $storedCertificates.Thumbprint) {
                New-TestResult @resDefault -Type 'Add' -Identity $configuredCertificate.Thumbprint -Configuration $configuredCertificate
                continue
            }
        }
        if (-not $hasStore) { return }
        if (-not $script:ntAuthStoreAuthorative) { return }
        
        $resDefault = @{
            Server = $Server
        }
        foreach ($storedCertificate in $storedCertificates) {
            if ($storedCertificate.Thumbprint -notin $configuredCertificates.Thumbprint) {
                New-TestResult @resDefault -Type 'Remove' -Identity $storedCertificate.Thumbprint -ADObject $storedCertificate
            }
        }
    }
}


function Unregister-FMNTAuthStore
{
    <#
    .SYNOPSIS
        Removes a certificate definition for the NTAuthStore.
     
    .DESCRIPTION
        Removes a certificate definition for the NTAuthStore.
        See Register-FMNTAuthStore tfor details on defining a certificate.
     
    .PARAMETER Thumbprint
        The thumbprint of the certificate to remove.
     
    .EXAMPLE
        PS C:\> Get-FMNTAuthStore | Unregister-FMNTAuthStore
 
        Clears all certificates from the list of defined NTAuth certificates
    #>

    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]
        $Thumbprint
    )
    
    process
    {
        foreach ($thumbprintString in $Thumbprint) {
            $script:ntAuthStoreCertificates.Remove($thumbprintString)
        }
    }
}


function Get-FMSchema
{
    <#
    .SYNOPSIS
        Returns the list of registered Schema Extensions.
     
    .DESCRIPTION
        Returns the list of registered Schema Extensions.
     
    .PARAMETER Name
        Name to filter by.
        Defaults to '*'
     
    .EXAMPLE
        PS C:\> Get-FMSchema
 
        Returns a list of all schema extensions
    #>

    
    [CmdletBinding()]
    Param (
        [string]
        $Name = '*'
    )
    
    process
    {
        ($script:schema.Values | Where-Object AdminDisplayName -Like $Name)
    }
}


function Invoke-FMSchema {
    <#
        .SYNOPSIS
            Updates the schema to conform to the desired state.
         
        .DESCRIPTION
            Updates the schema to conform to the desired state.
            Can add new attributes and update existing ones.
 
            Use Register-FMSchema to define the desired state.
            Use the module's configuration settings to govern schema admin credentials.
            The configuration can be read with Get-PSFConfig and updated with Set-PSFConfig.
         
        .PARAMETER InputObject
            Test results provided by the associated test command.
            Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
         
        .PARAMETER EnableException
            This parameters disables user-friendly warnings and enables the throwing of exceptions.
            This is less user friendly, but allows catching exceptions in calling scripts.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
         
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
         
        .EXAMPLE
            PS C:\> Invoke-FMSchema
 
            Updates the schema of the current forest according to the configured settings
    #>

    
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type Schema -Cmdlet $PSCmdlet
        try { $rootDSE = Get-ADRootDSE @parameters -ErrorAction Stop }
        catch {
            Stop-PSFFunction -String 'Invoke-FMSchema.Connect.Failed' -StringValues $Server -ErrorRecord $_ -EnableException $EnableException -Exception $_.Exception.GetBaseException()
            return
        }
        $forest = Get-ADForest @parameters
        $parameters["Server"] = $forest.SchemaMaster
        $removeParameters = $parameters.Clone()
        
        #region Resolve Credentials
        $cred = $null
        if (Test-SchemaAdminCredential) {
            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Schema.Credentials' -Target $forest.SchemaMaster -ScriptBlock {
                [PSCredential]$cred = Get-SchemaAdminCredential @parameters | Write-Output | Select-Object -First 1
                if ($cred) { $parameters['Credential'] = $cred }
            } -EnableException $EnableException -PSCmdlet $PSCmdlet
            if (Test-PSFFunctionInterrupt) { return }
        }
        
        $null = Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Credentials.Test' -Target $forest.SchemaMaster -ScriptBlock {
            $null = Get-ADDomain @parameters -ErrorAction Stop
        } -EnableException $EnableException -PSCmdlet $PSCmdlet -RetryCount 5 -RetryWait 1
        if (Test-PSFFunctionInterrupt) { return }
        #endregion Resolve Credentials

        # Prepare parameters to use for when discarding the schema credentials
        if ($cred -and ($cred -ne $Credential)) { $removeParameters['SchemaAccountCredential'] = $cred }
    }
    process {
        if (Test-PSFFunctionInterrupt) { return }

        if (-not $InputObject) {
            $InputObject = Test-FMSchema @parameters
        }

        $testResultsSorted = $InputObject | Sort-Object {
            if ($_.Type -eq 'Decommission') { 0 }
            elseif ($_.Type -eq 'Rename') { 2 }
            elseif ($_.Type -eq 'ConfigurationOnly') { 3 }
            else { 1 }
        }
        :main foreach ($testItem in $testResultsSorted) {
            switch ($testItem.Type) {
                #region Create new Schema Attribute
                'Create' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Creating.Attribute' -Target $testItem.Identity -ScriptBlock {
                        New-ADObject @parameters -Type attributeSchema -Name $testItem.Configuration.AdminDisplayName -Path $rootDSE.schemaNamingContext -OtherAttributes (Resolve-SchemaAttribute -Configuration $testItem.Configuration) -ErrorAction Stop
                        Update-Schema @parameters
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet -Continue
                    
                    foreach ($class in  $testItem.Configuration.ObjectClass) {
                        try { $classObject = Get-ADObject @parameters -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(name=$($class))" -ErrorAction Stop }
                        catch { Stop-PSFFunction -String 'Invoke-FMSchema.Reading.ObjectClass.Failed' -StringValues $class -EnableException $EnableException -Continue -ErrorRecord $_ }
                        if (-not $classObject) { Stop-PSFFunction -String 'Invoke-FMSchema.Reading.ObjectClass.NotFound' -StringValues $class -EnableException $EnableException -Continue }

                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Assigning.Attribute.ToObjectClass' -ActionStringValues $class,$testItem.Identity -Target $testItem.Identity -ScriptBlock {
                            $classObject | Set-ADObject @parameters -Add @{ mayContain = $testItem.Configuration.LdapDisplayName } -ErrorAction Stop
                        } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -RetryCount 10
                    }
                }
                #endregion Create new Schema Attribute

                #region Decommission the unwanted Schema Attribute
                'Decommission' {
                    $values = @{
                        IsDefunct = $true
                        # PartialAttributeSet = $false
                    }
                    foreach ($adObject in (Get-ADObject @parameters -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(mayContain=$($testItem.Configuration.OID))" -Properties ldapDisplayName)) {
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Decommission.MayContain' -ActionStringValues $testItem.ADObject.LdapDisplayName, $adObject.LdapDisplayName -Target $testItem -ScriptBlock {
                            $adObject | Set-ADObject @parameters -Remove @{ mayContain = $testItem.ADObject.LdapDisplayName } -ErrorAction Stop
                        } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                    }

                    foreach ($adObject in (Get-ADObject @parameters -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(mustContain=$($testItem.Configuration.OID))" -Properties ldapDisplayName)) {
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Decommission.MustContain' -ActionStringValues $testItem.ADObject.LdapDisplayName, $adObject.LdapDisplayName -Target $testItem -ScriptBlock {
                            $adObject | Set-ADObject @parameters -Remove @{ mustContain = $testItem.ADObject.LdapDisplayName } -ErrorAction Stop
                        } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                    }

                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Decommission.Attribute' -ActionStringValues $testItem.ADObject.LdapDisplayName, $testItem.ADObject.AttributeID -Target $testItem -ScriptBlock {
                        $testItem.ADObject | Set-ADObject @parameters -Replace $values -ErrorAction Stop
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                    $rootDSE = Get-ADRootDSE @parameters
                }
                #endregion Decommission the unwanted Schema Attribute

                #region Update Schema Attribute
                'Update' {
                    $resolvedAttributes = Resolve-SchemaAttribute -Configuration $testItem.Configuration -ADObject $testItem.ADObject -Changes $testItem.Changed
                    if ($resolvedAttributes.Keys.Count -ge 1) {
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Updating.Attribute' -ActionStringValues ($resolvedAttributes.Keys -join ', ') -Target $testItem.Identity -ScriptBlock {
                            $testItem.ADObject | Set-ADObject @parameters -Replace $resolvedAttributes -ErrorAction Stop
                        } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                    }

                    # Do not process MayContain for defunct attributes
                    if ($testItem.Configuration.IsDefunct) { continue }

                    # Only proceed if any Object Class changes are intended
                    $change = $testItem.Changed | Where-Object Property -EQ 'ObjectClass'
                    if (-not $change) { continue }

                    foreach ($class in $change.New | Where-Object { $_ -notin $change.Old }) {
                        try { $classObject = Get-ADObject @parameters -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(name=$($class))" -ErrorAction Stop -Properties mayContain }
                        catch { Stop-PSFFunction -String 'Invoke-FMSchema.Reading.ObjectClass.Failed' -StringValues $class -EnableException $EnableException -Continue -ErrorRecord $_ }
                        if (-not $classObject) { Stop-PSFFunction -String 'Invoke-FMSchema.Reading.ObjectClass.NotFound' -StringValues $class -EnableException $EnableException -Continue }
    
                        if ($classObject.mayContain -notcontains $testItem.ADObject.LdapDisplayName) {
                            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Assigning.Attribute.ToObjectClass' -ActionStringValues $class, $testItem.Identity -Target $testItem.Identity -ScriptBlock {
                                $classObject | Set-ADObject @parameters -Add @{ mayContain = $testItem.ADObject.LdapDisplayName } -ErrorAction Stop
                            } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                        }
                    }

                    foreach ($class in $change.Old | Where-Object { $_ -notin $change.New }) {
                        try { $classObject = Get-ADObject @parameters -SearchBase $rootDSE.schemaNamingContext -LDAPFilter "(name=$($class))" -ErrorAction Stop -Properties mayContain }
                        catch { Stop-PSFFunction -String 'Invoke-FMSchema.Reading.ObjectClass.Failed' -StringValues $class -EnableException $EnableException -Continue -ErrorRecord $_ }
                        if (-not $classObject) { Stop-PSFFunction -String 'Invoke-FMSchema.Reading.ObjectClass.NotFound' -StringValues $class -EnableException $EnableException -Continue }
    
                        if ($classObject.mayContain -contains $testItem.ADObject.LdapDisplayName) {
                            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Removing.Attribute.FromObjectClass' -ActionStringValues $class, $testItem.Identity -Target $testItem.Identity -ScriptBlock {
                                $classObject | Set-ADObject @parameters -Remove @{ mayContain = $testItem.ADObject.LdapDisplayName } -ErrorAction Stop
                            } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                        }
                    }
                }
                #endregion Update Schema Attribute

                #region Rename Schema Attribute
                'Rename' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Rename.Attribute' -ActionStringValues $testItem.ADObject.cn, $testItem.Configuration.Name -Target $testItem -ScriptBlock {
                        $testItem.ADObject | Rename-ADObject @parameters -NewName $testItem.Configuration.Name -ErrorAction Stop
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue
                }
                #endregion Rename Schema Attribute
            }
        }
    }
    end {
        if (Test-PSFFunctionInterrupt) { return }

        if (Test-SchemaAdminCredential) {
            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchema.Schema.Credentials.Release' -Target $forest.SchemaMaster -ScriptBlock {
                $null = Remove-SchemaAdminCredential @removeParameters -ErrorAction Stop
            } -EnableException $EnableException -PSCmdlet $PSCmdlet
        }
    }
}

function Register-FMSchema {
    <#
    .SYNOPSIS
        Registers a schema extension attribute.
     
    .DESCRIPTION
        Registers a schema extension attribute.
        These registered attributes will be applied / updated as needed when running Invoke-FMSchema.
        Use Test-FMSchema to verify, whether a forest is properly configured.
     
    .PARAMETER ObjectClass
        The class to assign the new attribute to.
     
    .PARAMETER OID
        The unique OID of the attribute.
     
    .PARAMETER AdminDisplayName
        The displayname of the attribute as admins see it.
     
    .PARAMETER LdapDisplayName
        The name of the attribute as LDAP sees it.
 
    .PARAMETER Name
        The name of the attribute.
        Defaults to the AdminDisplayName if not specified.
     
    .PARAMETER OMSyntax
        The OM Syntax of the attribute
     
    .PARAMETER AttributeSyntax
        The syntax rules of the attribute.
     
    .PARAMETER SingleValued
        Whether the attribute is singlevalued.
     
    .PARAMETER AdminDescription
        The human friendly description of the attribute.
     
    .PARAMETER SearchFlags
        The search flags for the attribute.
     
    .PARAMETER PartialAttributeSet
        Whether the attribute is part of a partial attribute set.
     
    .PARAMETER AdvancedView
        Whether this attribute is only shown in advanced view.
        Use this to hide it from the default display, used to simplify display by hiding information not needed for regulaar daily tasks.
 
    .PARAMETER IsDefunct
        Flag this attribute as defunct.
        It will be marked as such in AD, be delisted from the Global Catalog and removed from all its supposed memberships.
 
    .PARAMETER Optional
        By default, all defined schema attributes must exist.
        By setting a schema attribute optional, it will be tolerated if it exists, but not created if it does not.
 
    .PARAMETER ContextName
        The name of the context defining the setting.
        This allows determining the configuration set that provided this setting.
        Used by the ADMF, available to any other configuration management solution.
     
    .EXAMPLE
        PS C:\> Get-Content .\schema.json | ConvertFrom-Json | Write-Output | Register-FMSchema
 
        Registers all extension attributes in the json file as schema settings to apply when running Invoke-FMSchema.
#>

    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyCollection()]
        [string[]]
        $ObjectClass,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $OID,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $AdminDisplayName,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $LdapDisplayName,

        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $Name,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [int]
        $OMSyntax,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $AttributeSyntax,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [bool]
        $SingleValued,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $AdminDescription,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [int]
        $SearchFlags,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [bool]
        $PartialAttributeSet,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [bool]
        $AdvancedView,

        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [bool]
        $IsDefunct,

        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [bool]
        $Optional,

        [string]
        $ContextName = '<Undefined>'
    )
    
    process {
        $nameResult = $Name
        if (-not $Name) { $nameResult = $AdminDisplayName }

        $hashtable = $PSBoundParameters | ConvertTo-PSFHashtable
        $hashtable.ContextName = $ContextName
        $hashtable.PSTypeName = 'ForestManagement.Schema.Configuration'
        if ($nameResult) { $hashtable.Name = $nameResult }

        $script:schema[$OID] = [PSCustomObject]$hashtable
    }
}


function Test-FMSchema {
    <#
        .SYNOPSIS
            Compare the current schema with the configured / desired configuration state.
         
        .DESCRIPTION
            Compare the current schema with the configured / desired configuration state.
            Only compares the custom configured settings, ignores any changes outside.
            (So it's not a delta comparison to the AD baseline)
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
 
        .PARAMETER EnableException
            This parameters disables user-friendly warnings and enables the throwing of exceptions.
            This is less user friendly, but allows catching exceptions in calling scripts.
         
        .EXAMPLE
            PS C:\> Test-FMSchema
 
            Tests the current domain's schema configuration.
    #>

    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type Schema -Cmdlet $PSCmdlet
        try { $rootDSE = Get-ADRootDSE @parameters -ErrorAction Stop }
        catch {
            Stop-PSFFunction -String 'Test-FMSchema.Connect.Failed' -StringValues $Server -ErrorRecord $_ -EnableException $EnableException -Exception $_.Exception.GetBaseException()
            return
        }
        $forest = Get-ADForest @parameters
        $parameters["Server"] = $forest.SchemaMaster

        #region Display Code
        $objectClassToString = {
            $updates = do {
                $this.New | Where-Object { $_ -notin @($this.Old) } | Format-String '+{0}'
                $this.Old | Where-Object { $_ -notin @($this.New) } | Format-String '-{0}'
            }
            until ($true)
            'ObjectClass: {0}' -f ($updates -join ', ')
        }
        #endregion Display Code
    }
    process {
        # Pick up termination flag from Stop-PSFFunction and interrupt if begin failed to connect
        if (Test-PSFFunctionInterrupt) { return }

        foreach ($schemaSetting in (Get-FMSchema)) {
            $schemaObject = $null
            $schemaObject = Get-ADObject @parameters -LDAPFilter "(attributeID=$($schemaSetting.OID))" -SearchBase $rootDSE.schemaNamingContext -ErrorAction Ignore -Properties *

            if (-not $schemaObject) {
                # If we already want to disable the attribute, no need to create it
                if ($schemaSetting.IsDefunct) { continue }
                if ($schemaSetting.Optional) { continue }

                [PSCustomObject]@{
                    PSTypeName    = 'ForestManagement.Schema.TestResult'
                    Type          = 'Create'
                    ObjectType    = 'Schema'
                    Identity      = $schemaSetting.AdminDisplayName
                    Changed       = $null
                    Server        = $forest.SchemaMaster
                    ADObject      = $null
                    Configuration = $schemaSetting
                }
                continue
            }

            if ($schemaSetting.IsDefunct -and -not $schemaObject.isDefunct) {
                [PSCustomObject]@{
                    PSTypeName    = 'ForestManagement.Schema.TestResult'
                    Type          = 'Decommission'
                    ObjectType    = 'Schema'
                    Identity      = $schemaSetting.AdminDisplayName
                    Changed       = @('IsDefunct')
                    Server        = $forest.SchemaMaster
                    ADObject      = $schemaObject
                    Configuration = $schemaSetting
                }
            }

            if ($schemaSetting.Name -cne $schemaObject.cn) {
                [PSCustomObject]@{
                    PSTypeName    = 'ForestManagement.Schema.TestResult'
                    Type          = 'Rename'
                    ObjectType    = 'Schema'
                    Identity      = $schemaSetting.AdminDisplayName
                    Changed       = @('Name')
                    Server        = $forest.SchemaMaster
                    ADObject      = $schemaObject
                    Configuration = $schemaSetting
                }
            }

            $changes = [System.Collections.ArrayList]@()

            $param = @{
                Configuration = $schemaSetting
                ADObject      = $schemaObject
                CaseSensitive = $true
                IfExists      = $true
                AsUpdate      = $true
                Changes       = $changes
                Type          = 'Schema'
            }
            Compare-AdcProperty @param -Property oMSyntax
            Compare-AdcProperty @param -Property attributeSyntax
            Compare-AdcProperty @param -Property SingleValued -ADProperty isSingleValued
            Compare-AdcProperty @param -Property adminDescription
            Compare-AdcProperty @param -Property adminDisplayName
            Compare-AdcProperty @param -Property ldapDisplayName
            Compare-AdcProperty @param -Property searchflags
            Compare-AdcProperty @param -Property PartialAttributeSet -ADProperty isMemberOfPartialAttributeSet
            Compare-AdcProperty @param -Property AdvancedView -ADProperty showInAdvancedViewOnly
            if (-not $schemaSetting.IsDefunct -and $schemaObject.isDefunct) {
                Compare-AdcProperty @param -Property isDefunct
            }

            if (-not $schemaSetting.IsDefunct -and $schemaSetting.PSObject.Properties.Name -contains 'Objectclass') {
                $mayContain = Get-ADObject @parameters -LDAPFilter "(mayContain=$($schemaSetting.LdapDisplayName))" -SearchBase $rootDSE.schemaNamingContext
                if (-not $mayContain -and $schemaSetting.ObjectClass) {
                    $null = $changes.Add((New-AdcChange -Property ObjectClass -NewValue $schemaSetting.ObjectClass -Identity $schemaObject.DistinguishedName -Type Schema -ToString $objectClassToString))
                }
                elseif ($mayContain.Name -and -not $schemaSetting.ObjectClass) {
                    $null = $changes.Add((New-AdcChange -Property ObjectClass -OldValue $mayContain.Name -Identity $schemaObject.DistinguishedName -Type Schema -ToString $objectClassToString))
                }
                elseif (-not $mayContain.Name -and -not $schemaSetting.ObjectClass) {
                    # Nothing wrong here
                }
                elseif ($mayContain.Name | Compare-Object $schemaSetting.ObjectClass) {
                    $null = $changes.Add((New-AdcChange -Property ObjectClass -OldValue $mayContain.Name -NewValue $schemaSetting.ObjectClass -Identity $schemaObject.DistinguishedName -Type Schema -ToString $objectClassToString))
                }
            }

            if ($changes.Count -gt 0) {
                [PSCustomObject]@{
                    PSTypeName    = 'ForestManagement.Schema.TestResult'
                    Type          = 'Update'
                    ObjectType    = 'Schema'
                    Identity      = $schemaSetting.AdminDisplayName
                    Changed       = $changes.ToArray()
                    Server        = $forest.SchemaMaster
                    ADObject      = $schemaObject
                    Configuration = $schemaSetting
                }
            }
        }
    }
}

function Unregister-FMSchema
{
    <#
    .SYNOPSIS
        Removes a configured schema extension.
     
    .DESCRIPTION
        Removes a configured schema extension.
     
    .PARAMETER Name
        Name(s) of the schema extensions to unregister.
     
    .EXAMPLE
        PS C:\> Unregister-FMSchema -Name $names
 
        Removes the list of names stored in $names from the registered schema extension configurations.
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('AdminDisplayName')]
        [string[]]
        $Name
    )
    
    process
    {
        foreach ($nameLabel in $Name) {
            $script:schema.Remove($nameLabel)
        }
    }
}


function Get-FMSchemaDefaultPermission
{
<#
    .SYNOPSIS
        Returns the list of registered default schema permissions.
     
    .DESCRIPTION
        Returns the list of registered default schema permissions.
     
    .PARAMETER ClassName
        The name of the affected objectclass to filter by.
        Defaults to '*'.
     
    .EXAMPLE
        PS C:\> Get-FMSchemaDefaultPermission
     
        Returns the list of all registered default schema permissions.
#>

    [CmdletBinding()]
    param (
        [string]
        $ClassName = '*'
    )
    
    process
    {
        foreach ($key in $script:schemaDefaultPermissions.Keys)
        {
            if ($key -notlike $ClassName) { continue }
            
            $script:schemaDefaultPermissions[$key].Values
        }
    }
}


function Invoke-FMSchemaDefaultPermission
{
<#
    .SYNOPSIS
        Brings the target forest into compliance with the defined default permissions in its schema.
     
    .DESCRIPTION
        Brings the target forest into compliance with the defined default permissions in its schema.
     
        Use the module's configuration settings to govern schema admin credentials.
        The configuration can be read with Get-PSFConfig and updated with Set-PSFConfig.
     
    .PARAMETER InputObject
        Test results from Test-FMSchemaDefaultPermission to apply.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
 
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .PARAMETER Confirm
        If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
     
    .PARAMETER WhatIf
        If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
    .EXAMPLE
        PS C:\> Invoke-FMSchemaDefaultPermission -Server contoso.com
     
        Brings the contoso.com forest into compliance with the defined default permissions in its schema.
#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseUsingScopeModifierInNewRunspaces", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments", "")]
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential,
        
        [switch]
        $EnableException
    )
    
    begin
    {
        #region Utility Functions
        function Add-AccessRule
        {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseUsingScopeModifierInNewRunspaces", "")]
            [CmdletBinding()]
            param (
                $Change,
                
                $Session,
                
                [Hashtable]
                $Tracking
            )
            
            Invoke-Command -Session $Session -ArgumentList $Change -ScriptBlock {
                param ($Change)
                
                $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    [System.Security.Principal.SecurityIdentifier]$Change.Configuration.Principal,
                    $Change.Configuration.ActiveDirectoryRights,
                    $Change.Configuration.AccessControlType,
                    $Change.Configuration.ObjectTypeGuid,
                    $Change.Configuration.InheritanceType,
                    $Change.Configuration.InheritedObjectTypeGuid
                )
                $null = $acl.AddAccessRule($rule)
            } -ErrorAction Stop
            $Tracking[$Change] = $Change
        }
        
        function Remove-AccessRule
        {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseUsingScopeModifierInNewRunspaces", "")]
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
            [CmdletBinding()]
            param (
                $Change,
                
                $Session,
                
                [Hashtable]
                $Tracking
            )
            
            Invoke-Command -Session $Session -ArgumentList $Change -ScriptBlock {
                param ($Change)
                $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                foreach ($rule in $rules)
                {
                    if ($rule.ActiveDirectoryRights -ne $Change.ADObject.ActiveDirectoryRights) { continue }
                    if ($rule.InheritanceType -ne $Change.ADObject.InheritanceType) { continue }
                    if ($rule.ObjectType -ne $Change.ADObject.ObjectType) { continue }
                    if ($rule.InheritedObjectType -ne $Change.ADObject.InheritedObjectType) { continue }
                    if ($rule.AccessControlType -ne $Change.ADObject.AccessControlType) { continue }
                    if ("$($rule.IdentityReference)" -ne "$($Change.ADObject.IdentityReference)") { continue }
                    $null = $acl.RemoveAccessRule($rule)
                }
            } -ErrorAction Stop
            $Tracking[$Change] = $Change
        }
        
        function Write-SchemaDefaultPermission
        {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseUsingScopeModifierInNewRunspaces", "")]
            [CmdletBinding()]
            param (
                $Session,
                
                [hashtable]
                $SchemaParameters
            )
            
            $newSddl, $schemaObjectDN = Invoke-Command -Session $Session -ScriptBlock { $acl.Sddl, $schemaObject.DistinguishedName }
            
            Set-ADObject @SchemaParameters -Identity $schemaObjectDN -Replace @{ defaultSecurityDescriptor = $newSddl } -ErrorAction Stop
        }
        #endregion Utility Functions
        
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type SchemaDefaultPermissions -Cmdlet $PSCmdlet
        try { $rootDSE = Get-ADRootDSE @parameters -ErrorAction Stop }
        catch
        {
            Stop-PSFFunction -String 'Invoke-FMSchemaDefaultPermission.Connect.Failed' -StringValues $Server -ErrorRecord $_ -EnableException $EnableException -Exception $_.Exception.GetBaseException()
            return
        }
        $forest = Get-ADForest @parameters
        $parameters["Server"] = $forest.SchemaMaster
        #region WinRM
        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.WinRM.Connect' -Target $forest.SchemaMaster -ScriptBlock {
            $psParameters = $parameters.Clone()
            $psParameters.Remove('Server')
            $psParameters.ComputerName = $forest.SchemaMaster
            $session = New-PSSession @psParameters -ErrorAction Stop
        } -EnableException $EnableException -PSCmdlet $PSCmdlet -WhatIf:$false -Confirm:$false
        #endregion WinRM
        
        #region Resolve Credentials
        $cred = $null
        $schemaParameters = $parameters.Clone()
        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.Schema.Credentials' -Target $forest.SchemaMaster -ScriptBlock {
            [PSCredential]$cred = Get-SchemaAdminCredential @parameters | Write-Output | Select-Object -First 1
            if ($cred) { $schemaParameters['Credential'] = $cred }
        } -EnableException $EnableException -PSCmdlet $PSCmdlet
        if (Test-PSFFunctionInterrupt) { return }
        $null = Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.Credentials.Test' -Target $forest.SchemaMaster -ScriptBlock {
            $null = Get-ADDomain @schemaParameters -ErrorAction Stop
        } -EnableException $EnableException -PSCmdlet $PSCmdlet -RetryCount 5 -RetryWait 1
        if (Test-PSFFunctionInterrupt) { return }
        #endregion Resolve Credentials
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }
        
        if (-not $InputObject)
        {
            $InputObject = Test-FMSchemaDefaultPermission @parameters -EnableException:$EnableException
        }
        
        foreach ($testItem in $InputObject)
        {
            # Catch invalid input - can only process test results
            if ($testItem.PSObject.TypeNames -notcontains 'ForestManagement.SchemaDefaultPermission.TestResult')
            {
                Stop-PSFFunction -String 'General.Invalid.Input' -StringValues 'Test-FMSchemaDefaultPermission', $testItem -Target $testItem -Continue -EnableException $EnableException
            }
            
            switch ($testItem.Type)
            {
                'Update'
                {
                    #region Load Acl from SDDL
                    Invoke-Command -Session $session -ArgumentList $rootDSE.schemaNamingContext, $testItem.Identity -ScriptBlock {
                        param ($SchemaNC, $ClassName)
                        $schemaObject = Get-ADObject -Server localhost -SearchBase $SchemaNC -LDAPFilter "(name=$ClassName)" -Properties defaultSecurityDescriptor
                        $acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
                        $acl.SetSecurityDescriptorSddlForm($schemaObject.defaultSecurityDescriptor)
                    }
                    #endregion Load Acl from SDDL
                    
                    #region Apply individual changes to in-memory ACL
                    $tracking = @{ }
                    # Apply remove changes
                    foreach ($change in $testItem.Changed)
                    {
                        if ($change.Type -ne 'Remove') { continue }
                        
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.AccessRule.Remove' -ActionStringValues $change.Identity, $change.Privilege, $change.Access -Target $testItem -ScriptBlock {
                            Remove-AccessRule -Change $change -Session $session -Tracking $tracking -ErrorAction Stop
                        } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -Tag invoke
                        
                    }
                    
                    # Apply add changes
                    foreach ($change in $testItem.Changed)
                    {
                        if ($change.Type -ne 'Add') { continue }
                        
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.AccessRule.Add' -ActionStringValues $change.Identity, $change.Privilege, $change.Access -Target $testItem -ScriptBlock {
                            Add-AccessRule -Change $change -Session $session -Tracking $tracking -ErrorAction Stop
                        } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -Tag invoke
                    }
                    #endregion Apply individual changes to in-memory ACL
                    
                    # Write SDDL back to schema object
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.Permissions.Update' -ActionStringValues $tracking.Count, $testItem.Changed.Count, $testItem.Identity -Target $testItem -ScriptBlock {
                        Write-SchemaDefaultPermission -Session $session -SchemaParameters $schemaParameters -ErrorAction Stop
                    } -EnableException $EnableException -PSCmdlet $PSCmdlet -Continue -Tag invoke
                }
                'NotFound'
                {
                    Write-PSFMessage -Level Warning -String 'Invoke-FMSchemaDefaultPermission.NotFound' -StringValues $testItem.Identity -Target $testItem
                }
                'IdentityError'
                {
                    Write-PSFMessage -Level Warning -String 'Invoke-FMSchemaDefaultPermission.IdentityError' -StringValues $testItem.Identity -Target $testItem
                }
            }
        }
    }
    end
    {
        if ($session) { Remove-PSSession -Session $session -ErrorAction Ignore -WhatIf:$false -Confirm:$false }
        
        if (Test-PSFFunctionInterrupt) { return }
        
        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaDefaultPermission.Schema.Credentials.Release' -Target $forest.SchemaMaster -ScriptBlock {
            $null = Remove-SchemaAdminCredential @parameters -ErrorAction Stop
        } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
    }
}

function Register-FMSchemaDefaultPermission
{
<#
    .SYNOPSIS
        Registers a new desired schema default permission access rule.
     
    .DESCRIPTION
        Registers a new desired schema default permission access rule.
        These access rules are then used / applied when when creating a new object of the class affected.
     
        These settings apply only to new objects created of the affected class, not already existing ones.
        Using this you could for example add a group to have full control over all newly created group policy objects.
     
    .PARAMETER ClassName
        The name of the object class in schema this applies to.
     
    .PARAMETER Identity
        The principal to which the access rule applies.
        Supports limited string resolution.
     
    .PARAMETER ActiveDirectoryRights
        The rights granted.
     
    .PARAMETER AccessControlType
        Allow or Deny?
        Defaults to: Allow
     
    .PARAMETER InheritanceType
        How is this privilege inherited by child objects?
     
    .PARAMETER ObjectType
        What object types does this permission apply to?
     
    .PARAMETER InheritedObjectType
        What object types does this permission apply to?
        Used for extended properties.
     
    .PARAMETER Mode
        How access rules are actually applied:
        - Additive: Only add new access rules, but do not touch existing ones
        - Defined: Add new access rules, remove access rules not defined in configuration that apply to a principal that has access rules defined.
        - Constrained: Add new access rules, remove all access rules not defined in configuration
     
        All Modes of all settings for a given class are used when determining the effective Mode applied to that class.
        The most restrictive Mode applies.
     
    .PARAMETER ContextName
        The name of the context defining the setting.
        This allows determining the configuration set that provided this setting.
        Used by the ADMF, available to any other configuration management solution.
     
    .EXAMPLE
        PS C:\> Get-Content .\sdp.json | ConvertFrom-Json | Write-Output | Register-FMSchemaDefaultPermission
     
        Loads all entries from the specified json file and registers them.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ClassName,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Identity,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ActiveDirectoryRights,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [System.Security.AccessControl.AccessControlType]
        $AccessControlType = 'Allow',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]
        $InheritanceType = 'None',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectType = '<All>',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $InheritedObjectType = '<All>',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [ValidateSet('Constrained', 'Defined', 'Additive')]
        [string]
        $Mode,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $ContextName = '<Undefined>'
    )
    
    process
    {
        if (-not $script:schemaDefaultPermissions[$ClassName]) { $script:schemaDefaultPermissions[$ClassName] = @{ } }
        $script:schemaDefaultPermissions[$ClassName]["$($Identity)þ$($ActiveDirectoryRights)þ$($ObjectType)þ$($InheritedObjectType)þ$($InheritanceType)þ$($AccessControlType)"] = [PSCustomObject]@{
            PSTypeName              = 'ForestManagement.SchemaDefaultPermission.Configuration'
            ClassName              = $ClassName
            Identity              = $Identity
            ActiveDirectoryRights = $ActiveDirectoryRights
            AccessControlType      = $AccessControlType
            InheritanceType          = $InheritanceType
            ObjectType              = $ObjectType
            InheritedObjectType   = $InheritedObjectType
            Mode                  = $Mode
            ContextName              = $ContextName
        }
    }
}

function Test-FMSchemaDefaultPermission
{
<#
    .SYNOPSIS
        Validates, whether the target forest has the defined default permissions applied in its schema.
     
    .DESCRIPTION
        Validates, whether the target forest has the defined default permissions applied in its schema.
        Returns a list of all actions that would be taken by the associated Invoke-* command.
     
    .PARAMETER Server
        The server / domain to work with.
         
    .PARAMETER Credential
        The credentials to use for this operation.
 
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .EXAMPLE
        PS C:\> Test-FMSchemaDefaultPermission -Server contoso.com
     
        Validates, whether the contoso.com forest has the defined default permissions applied in its schema.
#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments", "")]
    [CmdletBinding()]
    param (
        [PSFComputer]
        $Server,
        
        [PSCredential]
        $Credential,
        
        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type SchemaDefaultPermissions -Cmdlet $PSCmdlet
        Set-FMDomainContext @parameters
        try { $rootDSE = Get-ADRootDSE @parameters -ErrorAction Stop }
        catch
        {
            Stop-PSFFunction -String 'Test-FMSchemaDefaultPermission.Connect.Failed' -StringValues $Server -ErrorRecord $_ -EnableException $EnableException -Exception $_.Exception.GetBaseException()
            return
        }
        $forest = Get-ADForest @parameters
        $parameters["Server"] = $forest.SchemaMaster
        Invoke-PSFProtectedCommand -ActionString 'Test-FMSchemaDefaultPermission.WinRM.Connect' -Target $forest.SchemaMaster -ScriptBlock {
            $psParameters = $parameters.Clone()
            $psParameters.Remove('Server')
            $psParameters.ComputerName = $forest.SchemaMaster
            $session = New-PSSession @psParameters -ErrorAction Stop
        } -EnableException $EnableException -PSCmdlet $PSCmdlet -WhatIf:$false -Confirm:$false
        
        #region Default Permissions Scriptblock
        $defaultPermissionScriptblock = {
            param (
                $ClassName,
                
                $SchemaNC
            )
            $object = Get-ADObject -LDAPFilter "(name=$ClassName)" -SearchBase $SchemaNC -Server localhost -Properties defaultSecurityDescriptor
            if (-not $object) { throw "Object class '$ClassName' not found!" }
            $acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $acl.SetSecurityDescriptorSddlForm($object.defaultSecurityDescriptor)
            $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        }
        #endregion Default Permissions Scriptblock
        
        #region Utility Functions
        function Convert-ConfiguredAccessRule
        {
            [CmdletBinding()]
            param (
                [Parameter(ValueFromPipeline = $true)]
                $AccessRule,
                
                [System.Collections.Hashtable]
                $Parameters
            )
            process
            {
                $basicHash = $AccessRule | ConvertTo-PSFHashtable
                $basicHash.IdentityResolved = $true
                $basicHash.Error = $null
                $basicHash.ObjectTypeGuid = Convert-DMSchemaGuid @Parameters -Name $basicHash.ObjectType -OutType GuidString
                $basicHash.ObjectTypeName = Convert-DMSchemaGuid @Parameters -Name $basicHash.ObjectType -OutType Name
                $basicHash.InheritedObjectTypeGuid = Convert-DMSchemaGuid @Parameters -Name $basicHash.InheritedObjectType -OutType GuidString
                $basicHash.InheritedObjectTypeName = Convert-DMSchemaGuid @Parameters -Name $basicHash.InheritedObjectType -OutType Name
                
                # Namensauflösung
                $basicHash.ResolvedIdentity = $AccessRule.Identity | Resolve-String -Mode Lax -ArgumentList $Parameters
                
                # Principal Auflösung
                try { $basicHash.Principal = [string]($basicHash.ResolvedIdentity | Resolve-Principal -OutputType SID @Parameters -ErrorAction Stop) }
                catch
                {
                    Write-PSFMessage -Level Warning -String 'Test-FMSchemaDefaultPermission.Principal.ResolutionError' -StringValues $AccessRule.Identity, $basicHash.ResolvedIdentity -Target $AccessRule
                    $basicHash.IdentityResolved = $false
                    $basicHash.Error = $_
                }
                
                [pscustomobject]$basicHash
            }
        }
        
        function Compare-AccessRule
        {
            [CmdletBinding()]
            param (
                $Configuration,
                
                $Applied,
                
                [PSFComputer]
                $Server,
                
                [Hashtable]
                $Parameters
            )
            
            #region Utility Functions
            function New-Change
            {
                [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
                [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingEmptyCatchBlock", "")]
                [CmdletBinding()]
                param (
                    [Parameter(Mandatory = $true)]
                    [ValidateSet('Add', 'Remove')]
                    [string]
                    $Type,
                    
                    $Configuration,
                    
                    $ADObject,
                    
                    [string]
                    $ClassName,
                    
                    [hashtable]
                    $Parameters
                )
                
                $object = [pscustomobject]@{
                    PSTypeName = 'ForestManagement.SchemaDefaultPermission.Change'
                    Type       = $Type
                    Identity   = $Configuration.ResolvedIdentity
                    Privilege  = $Configuration.ActiveDirectoryRights
                    Access       = $Configuration.AccessControlType -as [string]
                    Configuration = $Configuration
                    ADObject   = $ADObject
                    ClassName  = $ClassName
                }
                if ($ADObject)
                {
                    $object.Identity = $ADObject.IdentityReference
                    if (($ADObject.IdentityReference -as [System.Security.Principal.SecurityIdentifier]).AccountDomainSid)
                    {
                        try { $object.Identity = $ADObject.IdentityReference | Resolve-Principal @Parameters -ErrorAction Stop -OutputType NTAccount }
                        catch { } # No Action Needed
                    }
                    $object.Privilege = $ADObject.ActiveDirectoryRights
                    $object.Access = $ADObject.AccessControlType -as [string]
                }
                
                Add-Member -InputObject $object -MemberType ScriptMethod -Name ToString -Force -Value {
                    '{0}: {1}>{2}({3})' -f $this.Type, $this.Identity, $this.Privilege, $this.Access.SubString(0, 1)
                } -PassThru
            }
            #endregion Utility Functions
            
            #region Process ProcessingMode
            $processingMode = 'Additive'
            if ($Configuration.Mode -contains 'Defined') { $processingMode = 'Defined' }
            if ($Configuration.Mode -contains 'Constrained') { $processingMode = 'Constrained' }
            
            if ($processingMode -eq 'Constrained' -and ($Configuration | Where-Object IdentityResolved -EQ $false))
            {
                Write-PSFMessage -Level Warning -String 'Test-FMSchemaDefaultPermission.Class.IdentityUncertain' -StringValues $Configuration[0].ClassName -Target $Configuration[0].ClassName -Data @{
                    Configured = $Configuration
                    Applied    = $Applied
                }
                New-TestResult -ObjectType SchemaDefaultPermission -Type IdentityError -Identity $Configuration[0].ClassName -Server $Server -Configuration $Configuration -ADObject $Applied
                return
            }
            #endregion Process ProcessingMode
            
            $changes = @()
            $matchedRules = @()
            #region Check configured rules against applied rules
            :outer foreach ($ruleDefinition in $Configuration)
            {
                if (-not $ruleDefinition.IdentityResolved) { continue }
                foreach ($appliedRule in $Applied)
                {
                    if ($ruleDefinition.ActiveDirectoryRights -ne $appliedRule.ActiveDirectoryRights) { continue }
                    if ($ruleDefinition.InheritanceType -ne $appliedRule.InheritanceType) { continue }
                    if ($ruleDefinition.ObjectTypeGuid -ne $appliedRule.ObjectType) { continue }
                    if ($ruleDefinition.InheritedObjectTypeGuid -ne $appliedRule.InheritedObjectType) { continue }
                    if ($ruleDefinition.AccessControlType -ne $appliedRule.AccessControlType) { continue }
                    if ($ruleDefinition.Principal -ne $appliedRule.IdentityReference) { continue }
                    
                    # Existing rule is a match
                    $matchedRules += $appliedRule
                    continue outer
                }
                
                $changes += New-Change -Type Add -Configuration $ruleDefinition -ClassName $Configuration[0].ClassName -Parameters $Parameters
            }
            #endregion Check configured rules against applied rules
            
            #region Check applied rules against configured rules
            foreach ($appliedRule in $Applied)
            {
                if ($processingMode -eq 'Additive') { break }
                if ($appliedRule -in $matchedRules) { continue }
                if ($processingMode -eq 'Defined' -and $Configuration.Principal -notcontains $Applied.Identity) { continue }
                
                $changes += New-Change -Type Remove -ADObject $appliedRule -ClassName $Configuration[0].ClassName -Parameters $Parameters
            }
            #endregion Check applied rules against configured rules
            
            if ($changes)
            {
                New-TestResult -ObjectType SchemaDefaultPermission -Type Update -Identity $Configuration[0].ClassName -Server $Server -Configuration $Configuration -ADObject $Applied -Changed $changes
            }
        }
        #endregion Utility Functions
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }
        
        foreach ($className in $script:schemaDefaultPermissions.Keys)
        {
            $definedAccessRules = $script:schemaDefaultPermissions[$className].Values | Convert-ConfiguredAccessRule -Parameters $parameters
            
            try { $actualAccessRules = Invoke-Command -Session $session -ScriptBlock $defaultPermissionScriptblock -ArgumentList $className, $rootDSE.schemaNamingContext }
            catch
            {
                Write-PSFMessage -Level Warning -String 'Test-FMSchemaDefaultPermission.Class.NotFound' -StringValues $className -Target $className
                New-TestResult -ObjectType SchemaDefaultPermission -Type NotFound -Identity $className -Server $Server -Configuration $definedAccessRules
                continue
            }
            
            Compare-AccessRule -Configuration $definedAccessRules -Applied $actualAccessRules -Server $Server -Parameters $parameters
        }
    }
    end
    {
        if ($session) { Remove-PSSession -Session $session -ErrorAction Ignore -WhatIf:$false -Confirm:$false }
    }
}


function Unregister-FMSchemaDefaultPermission
{
<#
    .SYNOPSIS
        Removes schema default permissions from the list of registered configurationsets.
     
    .DESCRIPTION
        Removes schema default permissions from the list of registered configurationsets.
     
    .PARAMETER ClassName
        The name of the object class in schema this applies to.
     
    .PARAMETER Identity
        The principal to which the access rule applies.
     
    .PARAMETER ActiveDirectoryRights
        The rights granted.
     
    .PARAMETER AccessControlType
        Allow or Deny?
     
    .PARAMETER InheritanceType
        How is this privilege inherited by child objects?
     
    .PARAMETER ObjectType
        What object types does this permission apply to?
     
    .PARAMETER InheritedObjectType
        What object types does this permission apply to?
        Used for extended properties.
     
    .EXAMPLE
        PS C:\> Get-FMSchemaDefaultPermission | Unregister-FMSchemaDefaultPermission
     
        Clear all configured default schema permissions.
#>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ClassName,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Identity,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ActiveDirectoryRights,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [System.Security.AccessControl.AccessControlType]
        $AccessControlType,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]
        $InheritanceType,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectType,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $InheritedObjectType
    )
    
    process
    {
        if (-not $script:schemaDefaultPermissions[$ClassName]) { return }
        $script:schemaDefaultPermissions[$ClassName].Remove("$($Identity)þ$($ActiveDirectoryRights)þ$($ObjectType)þ$($InheritedObjectType)þ$($InheritanceType)þ$($AccessControlType)")
        if ($script:schemaDefaultPermissions[$ClassName].Count -lt 1) { $script:schemaDefaultPermissions.Remove($ClassName) }
    }
}


function Get-FMSchemaLdif
{
    <#
    .SYNOPSIS
        Returns the registered schema ldif files.
     
    .DESCRIPTION
        Returns the registered schema ldif files.
     
    .PARAMETER Name
        The name to filter byy.
     
    .EXAMPLE
        PS C:\> Get-FMSchemaLdif
 
        List all registered ldif files.
    #>

    
    [CmdletBinding()]
    Param (
        [string]
        $Name = '*'
    )
    
    process
    {
        ($script:schemaLdif.Values | Where-Object Name -Like $Name)
    }
}


function Invoke-FMSchemaLdif
{
    <#
        .SYNOPSIS
            Applies missing LDIF files to a forest's schema.
         
        .DESCRIPTION
            Applies missing LDIF files to a forest's schema.
         
        .PARAMETER InputObject
            Test results provided by the associated test command.
            Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
         
        .PARAMETER EnableException
            This parameters disables user-friendly warnings and enables the throwing of exceptions.
            This is less user friendly, but allows catching exceptions in calling scripts.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
         
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
         
        .EXAMPLE
            PS C:\> Invoke-FMSchemaLdif
 
            Tests the configured LDIF schema files and applies all still missing updates.
    #>

    
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin
    {
        #region Resolve Schema Master
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type SchemaLdif -Cmdlet $PSCmdlet
        try {
            $forest = Get-ADForest @parameters -ErrorAction Stop
        }
        catch {
            Stop-PSFFunction -String 'Invoke-FMSchemaLdif.Connect.Failed' -StringValues $Server -ErrorRecord $_ -EnableException $EnableException -Exception $_.Exception.GetBaseException()
            return
        }
        $parameters["Server"] = $forest.SchemaMaster
        $removeParameters = $parameters.Clone()
        #endregion Resolve Schema Master

        #region Resolve Credentials
        $cred = $null
        if (Test-SchemaAdminCredential) {
            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaLdif.Schema.Credentials' -Target $forest.SchemaMaster -ScriptBlock {
                [PSCredential]$cred = Get-SchemaAdminCredential @parameters | Write-Output | Select-Object -First 1
                if ($cred) { $parameters['Credential'] = $cred }
            } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
            if (Test-PSFFunctionInterrupt) { return }
        }
        #endregion Resolve Credentials

        # Prepare parameters to use for when discarding the schema credentials
        if ($cred -and ($cred -ne $Credential)) { $removeParameters['SchemaAccountCredential'] = $cred }
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }

        if (-not $InputObject) {
            $InputObject = Test-FMSchemaLdif @parameters -EnableException:$EnableException
        }

        foreach ($testItem in $InputObject) {
            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaLdif.Invoke.File' -ActionStringValues $testItem.Identity -Target $forest.SchemaMaster -ScriptBlock {
                Invoke-LdifFile @parameters -Path $testItem.Configuration.Path -ErrorAction Stop
            } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet -Continue
        }
    }
    end
    {
        if (Test-PSFFunctionInterrupt) { return }

        if (Test-SchemaAdminCredential) {
            Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSchemaLdif.Schema.Credentials.Release' -Target $forest.SchemaMaster -ScriptBlock {
                Remove-SchemaAdminCredential @removeParameters -ErrorAction Stop
            } -EnableException $EnableException -PSCmdlet $PSCmdlet
        }
    }
}


function Register-FMSchemaLdif
{
    <#
        .SYNOPSIS
            Registers an ldif file for validation and application.
         
        .DESCRIPTION
            Registers an ldif file for validation and application.
         
        .PARAMETER Name
            The name to register the file under.
         
        .PARAMETER Path
            The path to the file to register.
 
        .PARAMETER Weight
            Ldif files will be applied in a certain order.
            The weight of an Ldif file determines, the order it is applied in.
            The lower the number, the earlier the file will be applied.
 
            Default: 50
 
        .PARAMETER MissingObjectExemption
            Testing in a forest will cause it to complain about all objects the ldif file tries to modify, not create and doesn't exist.
            Using this parameter you can exempt individual classes from triggering this warning.
 
        .PARAMETER ContextName
            The name of the context defining the setting.
            This allows determining the configuration set that provided this setting.
            Used by the ADMF, available to any other configuration management solution.
         
        .EXAMPLE
            PS C:\> Register-FMSchemaLdif -Name Skype -Path "$PSScriptRoot\skype.ldif"
 
            Registers the Skype for Business schema extensions.
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [string]
        $Name,

        [Parameter(Mandatory = $true)]
        [PsfValidateScript('ForestManagement.Validate.Path.SingleFile', ErrorString = 'ForestManagement.Validate.Path.SingleFile.Failed')]
        [string]
        $Path,

        [int]
        $Weight = 50,

        [string[]]
        $MissingObjectExemption,

        [string]
        $ContextName = '<Undefined>'
    )
    
    begin
    {
        $resolvedPath = Resolve-PSFPath -Path $Path -Provider FileSystem -SingleItem
    }
    process
    {
        $script:schemaLdif[$Name] = [PSCustomObject]@{
            PSTypeName = 'ForestManagement.SchemaLdif.Configuration'
            Name = $Name
            Path = $resolvedPath
            Settings = (Import-LdifFile -Path $Path)
            MissingObjectExemption = ($MissingObjectExemption | ForEach-Object { $_ -replace '(^CN=)|(^)','CN=' })
            Weight = $Weight
            ContextName = $ContextName
        }
    }
}

function Test-FMSchemaLdif
{
    <#
    .SYNOPSIS
        Tests whether the configured ldif-file-based schema extension has been applied.
     
    .DESCRIPTION
        Tests whether the configured ldif-file-based schema extension has been applied.
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
     
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
     
    .EXAMPLE
        PS C:\> Test-FMSchemaLdif
 
        Checks the current forest against all configured schema extension files
    #>

    
    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type SchemaLdif -Cmdlet $PSCmdlet
        try {
            $rootDSE = Get-ADRootDSE @parameters -ErrorAction Stop
            $forest = Get-ADForest @parameters -ErrorAction Stop
        }
        catch {
            Stop-PSFFunction -String 'Test-FMSchemaLdif.Connect.Failed' -StringValues $Server -ErrorRecord $_ -EnableException $EnableException -Exception $_.Exception.GetBaseException()
            return
        }
        $parameters["Server"] = $forest.SchemaMaster
    }
    process
    {
        $ldifMapping = ConvertTo-SchemaLdifPhase -LdifData (Get-FMSchemaLdif)
        $ldifSorted = Get-FMSchemaLdif | Sort-Object Weight
        $changes = @{ }
        $missingEntities = @()

        foreach ($ldifFile in $ldifSorted) {
            $changes[$ldifFile.Name] = @()
        }

        foreach ($distinguishedName in $ldifMapping.Keys) {
            $hasDefinedState = $ldifMapping[$distinguishedName].Values.State.Count -gt 0
            $attributeName = '{0},{1}' -f $distinguishedName, $rootDSE.schemaNamingContext

            #region Retrieve AD Object ($adObject)
            try { $adObject = Get-ADObject @parameters -Identity $attributeName -ErrorAction Stop -Properties * }
            catch {
                if ($hasDefinedState) {
                    foreach ($file in $ldifMapping[$distinguishedName].Keys) {
                        $changes[$file] += [PSCustomObject]@{
                                DN = $distinguishedName
                                Property = '<FailsToExist>'
                                File = $file
                                Setting = $ldifMapping[$distinguishedName][$file]
                                ADObject = $null
                                ValueS = $null
                                ValueA = $null
                            }
                    }
                }
                else {
                    if ($distinguishedName -notin ($ldifSorted.MissingObjectExemption | Write-Output)) {
                        Write-PSFMessage -Level Warning -String 'Test-FMSchemaLdif.Missing.SchemaItem' -StringValues $attributeName -Tag 'panic'
                        $missingEntities += $attributeName
                    }
                }
                continue
            }
            #endregion Retrieve AD Object ($adObject)

            #region Compare configured with real state ($offStateLdifName)
            $offStateLdif = foreach ($ldifFile in $ldifSorted) {
                # Skip files that do not yet contain the taret object
                if (-not $ldifMapping[$distinguishedName][$ldifFile.Name]) { continue }

                $definedState = $ldifMapping[$distinguishedName][$ldifFile.Name]
                if ($definedState.State.Count -gt 0) {
                    foreach ($propertyName in $definedState.State.Keys) {
                        if (Compare-SchemaProperty -Setting $definedState.State -ADObject $adObject -PropertyName $propertyName -RootDSE $rootDSE) {
                            [PSCustomObject]@{
                                DN = $distinguishedName
                                Property = $propertyName
                                File = $ldifFile.Name
                                Setting = $definedState
                                ADObject = $adObject
                                ValueS = $definedState.State.$propertyName
                                ValueA = $adObject.$propertyName
                            }
                        }
                    }
                }
                else {
                    foreach ($propertyName in $definedState.Add.Keys) {
                        if (Compare-SchemaProperty -Setting $definedState.Add -ADObject $adObject -PropertyName $propertyName -RootDSE $rootDSE -Add) {
                            [PSCustomObject]@{
                                DN = $distinguishedName
                                Property = $propertyName
                                File = $ldifFile.Name
                                Setting = $definedState
                                ADObject = $adObject
                                ValueS = $definedState.Add.$propertyName
                                ValueA = $adObject.$propertyName
                            }
                        }
                    }
                    foreach ($propertyName in $definedState.Replace.Keys) {
                        if (Compare-SchemaProperty -Setting $definedState.Replace -ADObject $adObject -PropertyName $propertyName -RootDSE $rootDSE) {
                            [PSCustomObject]@{
                                DN = $distinguishedName
                                Property = $propertyName
                                File = $ldifFile.Name
                                Setting = $definedState
                                ADObject = $adObject
                                ValueS = $definedState.Replace.$propertyName
                                ValueA = $adObject.$propertyName
                            }
                        }
                    }
                }
            }
            #endregion Compare configured with real state ($offStateLdifName)

            $applicableLdif = $ldifSorted | Where-Object Name -in $ldifMapping[$distinguishedName].Keys
            $lastAppliedItem = $applicableLdif |
                Where-Object Name -notin $offStateLdif.File |
                    Sort-Object Weight -Descending |
                        Select-Object -First 1
            
            foreach ($ldifFile in $applicableLdif) {
                if ($ldifFile.Weight -lt $lastAppliedItem.Weight) { continue }
                if ($lastAppliedItem.Name -eq $ldifFile.Name) { continue }
                foreach ($entry in $offStateLdif) {
                    if ($entry.File -ne $ldifFile.Name) { continue }
                    $changes[$ldifFile.Name] += $entry
                }
            }
        }
        $ldifResult = foreach ($schemaName in $changes.Keys) {
            if (-not $changes[$schemaName]) { continue }

            [PSCustomObject]@{
                PSTypeName = 'ForestManagement.SchemaLdif.TestResult'
                Type = 'InEqual'
                ObjectType = 'SchemaLdif'
                Identity = $schemaName
                Changed = $changes[$schemaName]
                Server = $forest.SchemaMaster
                DeltaCount = $changes[$schemaName].Count
                ADObject = $null
                Configuration = ($ldifSorted | Where-Object Name -eq $schemaName)
            }
        }
        $ldifResult | Sort-Object { $_.Configuration.Weight }
    }
}

function Unregister-FMSchemaLdif
{
    <#
        .SYNOPSIS
            Removes a registered ldif file from the configured state.
         
        .DESCRIPTION
            Removes a registered ldif file from the configured state.
         
        .PARAMETER Name
            The name to select the ldif file by.
         
        .EXAMPLE
            PS C:\> Get-FMSchemaLdif | Unregister-FMSchemaLdif
 
            Unregisters all registered ldif files.
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]
        $Name
    )
    
    process
    {
        foreach ($nameLabel in $Name) {
            $script:schemaLdif.Remove($nameLabel)
        }
    }
}


function Invoke-FMServer
{
    <#
    .SYNOPSIS
        Ensures domain controllers are assigned to sites suitable for their IP addresses.
     
    .DESCRIPTION
        Ensures domain controllers are assigned to sites suitable for their IP addresses.
     
    .PARAMETER InputObject
        Test results provided by the associated test command.
        Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
     
    .PARAMETER Server
        The server / domain to work with.
     
    .PARAMETER Credential
        The credentials to use for this operation.
 
    .PARAMETER EnableException
        This parameters disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
 
    .PARAMETER Confirm
        If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
     
    .PARAMETER WhatIf
        If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
    .EXAMPLE
        PS C:\> Invoke-FMServer
 
        Ensures all domain controllers in the current forest are in the correct site.
    #>

    
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
    }
    process
    {
        if (-not $InputObject) {
            $InputObject = Test-FMServer @parameters
        }

        foreach ($testItem in $InputObject) {
            switch ($testItem.Type) {
                'AddressNotFound'
                {
                    if (-not $testItem.ADObject.DNSHostName) {
                        Write-PSFMessage -Level Warning -String 'Invoke-FMServer.Server.NotFound' -StringValues $testItem.Identity -Target $testItem.Identity
                    }
                    else {
                        Write-PSFMessage -Level Warning -String 'Invoke-FMServer.Server.FailedToResolve' -StringValues $testItem.Identity -Target $testItem.Identity
                    }
                }
                'NoMatchingSubnet'
                {
                    Write-PSFMessage -Level Warning -String 'Invoke-FMServer.Server.NoSubnet' -StringValues $testItem.Identity, $testItem.ADObject.IPAddress -Target $testItem.Identity
                }
                'BadSite'
                {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMServer.Server.Moving' -ActionStringValues $testItem.SupposedSite -Target $testItem.Identity -ScriptBlock {
                        Move-ADDirectoryServer @parameters -Identity $testItem.ADobject.DistinguishedName -Site $testItem.SupposedSite -ErrorAction Stop
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
            }
        }
    }
}


function Register-FMServer {
    <#
    .SYNOPSIS
        Configure the server-site assignment.
     
    .DESCRIPTION
        Configure the server-site assignment.
     
    .PARAMETER NoAutoAssignment
        Setting this to true will disable any automatically calculated site assignments.
        When enabled, only explicitly configured site assignments will be applied.
     
    .EXAMPLE
        PS C:\> Get-Content .\servers.json | ConvertFrom-Json | Write-Output | Register-FMServer
         
        Apply all configuration settings stored in servers.json
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Auto')]
        [bool]
        $NoAutoAssignment
    )

    process {
        switch ($PSCmdlet.ParameterSetName) {
            #region Auto Assignment
            'Auto'
            {
                $script:serverAutoAssignment = -not $NoAutoAssignment
            }
            #endregion Auto Assignment
        }
    }
}

function Test-FMServer
{
    <#
        .SYNOPSIS
            Checks whether the Domain Controller in a forest are in the correct site.
         
        .DESCRIPTION
            Checks whether the Domain Controller in a forest are in the correct site.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
         
        .EXAMPLE
            PS C:\> Test-FMServer
 
            Tests, whethether all domain controllers in the current forest are up-to-date.
    #>

    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        $rootDSE = Get-ADRootDSE @parameters
        $searchBase = "CN=Sites,$($rootDSE.configurationNamingContext)"
        $domainControllers = Get-ADObject @parameters -LDAPFilter '(objectClass=server)' -SearchBase $searchBase -Properties * | Select-Object *, IPAddress, @{
            Name = 'SiteName'
            Expression = { $_.DistinguishedName -replace ".+,CN=(.+?),CN=Sites,CN=Configuration,DC=.+",'$1' }
        }
        foreach ($domainController in $domainControllers) {
            if ($domainController.DNSHostName) {
                $domainController.IPAddress = [IPAddress](Resolve-DnsName -Name $domainController.DNSHostName -ErrorAction Ignore -Debug:$false | Where-Object Type -eq A | Select-Object -First 1).IPAddress
            }
        }
        $allSubnets = Get-ADReplicationSubnet @parameters -Filter * -Properties Description | Select-PSFObject 'Name',  @{
            Name = "SiteName"
            Expression = { ($_.Site | Get-ADObject @parameters).Name }
        }, 'Name.Split("/")[0] AS IPBase TO IPAddress', 'Name.Split("/")[1].Split("´n")[0] AS MaskSize To Int', Mask, site | Where-Object Name -notlike "*CNF*" | Sort-Object MaskSize -Descending
        foreach ($subnet in $allSubnets) {
            $subnet.Mask = ConvertTo-SubnetMask -MaskSize $subnet.MaskSize
        }
    }
    process
    {
        :main foreach ($domainController in $domainControllers) {
            $resultDefaults = @{
                ObjectType = 'Server'
                Identity = $domainController.Name
                Server = $Server
                ADObject = $domainController
            }

            if (-not $script:serverAutoAssignment) { continue }

            #region No IP Address
            if (-not $domainController.IPAddress) {
                New-TestResult @resultDefaults -Type AddressNotFound -Properties @{
                    CurrentSite = $domainController.SiteName
                }
                continue
            }
            #endregion No IP Address

            #region Resolving Subnet
            $foundSubnet = $null
            foreach ($subnet in $allSubnets) {
                if (Test-Subnet -NetworkAddress $subnet.IPBase -MaskAddress $subnet.Mask -HostAddress $domainController.IPAddress) {
                    $foundSubnet = $subnet
                    break
                }
            }

            if (-not $foundSubnet) {
                New-TestResult @resultDefaults -Type NoMatchingSubnet -Properties @{
                    CurrentSite = $domainController.SiteName
                }
                continue
            }
            #endregion Resolving Subnet

            if ($domainController.SiteName -ne $foundSubnet.SiteName) {
                $currentSiteSubnets = $allSubnets | Where-Object SiteName -eq $domainController.SiteName
                foreach ($subnet in $currentSiteSubnets) {
                    # Domain Controller is legally in his current site
                    if (Test-Subnet -NetworkAddress $subnet.IPBase -MaskAddress $subnet.Mask -HostAddress $domainController.IPAddress) {
                        Write-PSFMessage -Level InternalComment -String 'Test-FMServer.SiteConflict' -StringValues $domainController.Name, $foundSubnet.SiteName, $domainController.SiteName, $foundSubnet.Name -Tag 'note' -Target $domainController.Name
                        continue main
                    }
                }
                
                New-TestResult @resultDefaults -Type BadSite -Changed $foundSubnet.SiteName -Properties @{
                    CurrentSite = $domainController.SiteName
                    SupposedSite = $foundSubnet.SiteName
                    FoundSubnet = $foundSubnet
                }
            }
        }
    }
}


function Get-FMSiteLink
{
    <#
    .SYNOPSIS
        Returns the configured link between two sites.
     
    .DESCRIPTION
        Returns the configured link between two sites.
     
    .PARAMETER SiteName
        The site to filter by.
        Defaults to '*'
     
    .EXAMPLE
        PS C:\> Get-FMSiteLink
 
        Returns all configured sitelinks.
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
    [CmdletBinding()]
    Param (
        [string]
        $SiteName = "*"
    )
    
    process
    {
        ($script:sitelinks.Values | Where-Object {
            ($_.Site1 -like $SiteName) -or ($_.Site2 -like $SiteName)
        })
    }
}


function Invoke-FMSiteLink {
    <#
        .SYNOPSIS
            Update a forest's sitelink to conform to the defined configuration.
         
        .DESCRIPTION
            Update a forest's sitelink to conform to the defined configuration.
            Configuration is defined using Register-FMSiteLink.
         
        .PARAMETER InputObject
            Test results provided by the associated test command.
            Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
 
        .PARAMETER EnableException
            This parameters disables user-friendly warnings and enables the throwing of exceptions.
            This is less user friendly, but allows catching exceptions in calling scripts.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
         
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
 
        .EXAMPLE
            PS C:\> Invoke-FMSiteLink
 
            Updates the current forest's sitelinks to conform to the defined configuration.
    #>

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type SiteLinks -Cmdlet $PSCmdlet
    }
    process {
        if (-not $InputObject) {
            $InputObject = Test-FMSiteLink @parameters
        }
        
        foreach ($testItem in $InputObject) {
            switch ($testItem.Type) {
                #region Delete undesired Sitelink
                'Delete' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSiteLink.Removing.SiteLink' -Target $testItem.Name -ScriptBlock {
                        Remove-ADReplicationSiteLink @parameters -Identity $testItem.Name -ErrorAction Stop -Confirm:$false
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                #endregion Delete undesired Sitelink

                #region Create new Sitelink
                'Create' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSiteLink.Creating.SiteLink' -Target $testItem.Name -ScriptBlock {
                        $parametersCreate = $parameters.Clone()
                        $parametersCreate += @{
                            ErrorAction                   = 'Stop'
                            Name                          = $testItem.Name
                            Description                   = $testItem.Description
                            Cost                          = $testItem.Cost
                            ReplicationFrequencyInMinutes = $testItem.ReplicationInterval
                            SitesIncluded                 = $testItem.Site1, $testItem.Site2
                        }
                        if ($testItem.Options) { $parametersCreate['OtherAttributes'] = @{ Options = $testItem.Options } }
                        New-ADReplicationSiteLink @parametersCreate
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                #endregion Create new Sitelink

                #region Update existing Sitelink
                'Update' {
                    if ($testItem.ADObject.Name -ne $testItem.IdealName) {
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSiteLink.Renaming.SiteLink' -ActionStringValues $testItem.IdealName -Target $testItem.Name -ScriptBlock {
                            Rename-ADObject @parameters -Identity $testItem.ADObject.DistinguishedName -NewName $testItem.IdealName -ErrorAction Stop
                        } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                    }

                    $parametersUpdate = $parameters.Clone()
                    $parametersUpdate += @{
                        ErrorAction = 'Stop'
                        Identity    = $testItem.ADObject.ObjectGUID
                    }
                    foreach ($change in $testItem.Changed) {
                        switch ($change.Property) {
                            'Cost' { $parametersUpdate['Cost'] = $change.NewValue }
                            'Description' { $parametersUpdate['Description'] = $change.NewValue }
                            'Options' { $parametersUpdate['Replace'] = @{ Options = $change.NewValue } }
                            'ReplicationInterval' { $parametersUpdate['ReplicationFrequencyInMinutes'] = $change.NewValue }
                        }
                    }

                    # If the only change pending was the name, don't call a meaningles Set-ADReplicationSiteLink
                    if ($parametersUpdate.Keys.Count -le (2 + $parameters.Keys.Count)) { continue }

                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSiteLink.Updating.SiteLink' -ActionStringValues ($testItem.Changed -join ", ") -Target $testItem.Name -ScriptBlock {
                        Set-ADReplicationSiteLink @parametersUpdate
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                #endregion Update existing Sitelink
            }
        }
    }
}

function Register-FMSiteLink
{
    <#
    .SYNOPSIS
        Register a new sitelink configuration.
     
    .DESCRIPTION
        Register a new sitelink configuration.
     
    .PARAMETER Site1
        The first sitename in the pair of sites to be linked.
     
    .PARAMETER Site2
        The second sitename in the pair of sites to be linked.
     
    .PARAMETER Cost
        The cost of the connection between the two sites.
     
    .PARAMETER Interval
        The replication interval (in minutes) between two sites.
        Defaults to 15 minutes.
        Cannot be less than 15 minutes.
     
    .PARAMETER Description
        A description to add to the sitelink.
        For example, consider including a timestamp and the available bandwidth.
     
    .PARAMETER Option
        Any options for the sitelink.
        This is a bitmap with currently only one relevant setting:
        00000001 : Change Notify (Changes replicate instantly, rather than the configured interval. Only use for high-bandwidth connections)
     
    .EXAMPLE
        PS C:\> Register-FMSiteLink -Site1 MySite -Site2 MyOtherSite -Cost 80 -Description '2019 | 1GB/s' -Option 1
 
        Registers a new sitelink between MySite and MyOtherSite at a cost of 80, registering it as instant replication and adding docs on its bandwidth.
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Site1,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Site2,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [ValidateRange(1,[int]::MaxValue)]
        [int]
        $Cost,

        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [ValidateRange(15,[int]::MaxValue)]
        [int]
        $Interval = 15,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string]
        $Description,

        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [int]
        $Option
    )
    
    process
    {
        $sitelinkName = "{0}-{1}" -f $Site1, $Site2
        $script:sitelinks[$sitelinkName] = [PSCustomObject]@{
            PSTypeName = 'ForestManagement.SiteLink.Configuration'
            Name = $sitelinkName
            Site1 = $Site1
            Site2 = $Site2
            Cost = $Cost
            Interval = $Interval
            Description = $Description
            Option = $Option
        }
    }
}


function Test-FMSiteLink {
    <#
        .SYNOPSIS
            Compares a live sitelink setup with the configured desired state.
         
        .DESCRIPTION
            Compares a live sitelink setup with the configured desired state.
     
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
     
        .EXAMPLE
            PS C:\> Test-FMSiteLink
 
            Tests the current forest for compliance with the sitelink configuration
    #>

    
    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin {
        #region Functions
        function New-Update {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
            [CmdletBinding()]
            param (
                $Identity,

                $Property,

                $OldValue,

                $NewValue
            )

            $datum = [PSCustomObject]@{
                PSTypeName = 'ForestManagement.SiteLink.Update'
                Identity = $Identity
                Property = $Property
                OldValue = $OldValue
                NewValue = $NewValue
            }
            Add-Member -InputObject $datum -MemberType ScriptMethod -Name ToString -Value {
                '{0}: {1} -> {2}' -f $this.Property, $this.OldValue, $this.NewValue
            } -Force
            $datum
        }
        #endregion Functions

        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type SiteLinks -Cmdlet $PSCmdlet
        $allSiteLinks = Get-ADReplicationSiteLink @parameters -Filter * -Properties Cost, Description, Options, Name, replInterval, siteList | Select-Object *
        $linksToExclude = @()

        $resultDefaults = @{
            ObjectType = 'SiteLink'
            Server     = $Server
        }

        foreach ($siteLink in $allSiteLinks) {
            $count = 1
            foreach ($site in $siteLink.siteList) {
                try { Add-Member -InputObject $siteLink -MemberType NoteProperty -Name "Site$($count)" -Value (Get-ADObject @parameters -Identity $site -Properties Name).Name }
                catch { Add-Member -InputObject $siteLink -MemberType NoteProperty -Name "Site$($count)" -Value $site }
                $count++
            }
            #region More than 2 sites in Sitelink
            if ($siteLink.siteList.Count -ge 3) {
                if (Get-PSFConfigValue -FullName 'ForestManagement.SiteLink.MultilateralLinks') {
                    Write-PSFMessage -Level Verbose -String 'Test-FMSiteLink.Information.MultipleSites' -StringValues $siteLink.DistinguishedName, $siteLink.siteList.Count -Tag sitelink, multiple_sites -Target $siteLink.DistinguishedName
                    New-TestResult @resultDefaults -Type MultipleSites -Identity $siteLink.Name -ADObject $siteLink -Properties @{
                        Name              = $siteLink.Name
                        DistinguishedName = $siteLink.DistinguishedName
                    }
                }
                else {
                    Write-PSFMessage -Level Warning -String 'Test-FMSiteLink.Critical.TooManySites' -StringValues $siteLink.DistinguishedName, $siteLink.siteList.Count -Tag sitelink, critical, panic -Target $siteLink.DistinguishedName
                    New-TestResult @resultDefaults -Type TooManySites -Identity $siteLink.Name -ADObject $siteLink -Properties @{
                        Name              = $siteLink.Name
                        DistinguishedName = $siteLink.DistinguishedName
                    }
                }
                $linksToExclude += $siteLink
            }
            #endregion More than 2 sites in Sitelink
            Add-Member -InputObject $siteLink -MemberType NoteProperty -Name IdealName -Value ('{0}-{1}' -f $siteLink.Site1, $siteLink.Site2)
        }
        $allSiteLinks = $allSiteLinks | Where-Object { $_ -notin $linksToExclude }
    }
    process {
        #region Test all sitelinks found in the forest
        foreach ($siteLink in $allSiteLinks) {
            if (-not (Get-FMSiteLink | Compare-SiteLink $siteLink)) {
                New-TestResult @resultDefaults -Type Delete -Identity $siteLink.Name -ADObject $siteLink -Properties @{
                    Name                = $siteLink.Name
                    Site1               = $siteLink.Site1
                    Site2               = $siteLink.Site2
                    IdealName           = $siteLink.IdealName
                    Cost                = $siteLink.Cost
                    Description         = $siteLink.Description
                    Options             = $siteLink.Options
                    ReplicationInterval = $siteLink.replInterval
                }
                continue
            }

            $configuredSitelink = Get-FMSiteLink | Compare-SiteLink $siteLink | Select-Object -First 1
            $deltaProperties = @()

            #region Compare Properties
            if ($configuredSiteLink.Name -ne $siteLink.Name) {
                $deltaProperties += New-Update -Identity $siteLink.Name -OldValue $siteLink.Name -NewValue $configuredSitelink.Name -Property 'Name'
            }
            if ($configuredSiteLink.Cost -ne $siteLink.Cost) {
                $deltaProperties += New-Update -Identity $siteLink.Name -OldValue $siteLink.Cost -NewValue $configuredSitelink.Cost -Property 'Cost'
            }
            if ($configuredSiteLink.Description -ne ([string]($siteLink.Description))) {
                $deltaProperties += New-Update -Identity $siteLink.Name -OldValue ([string]($siteLink.Description)) -NewValue $configuredSitelink.Description -Property 'Description'
            }
            if ($configuredSiteLink.Option -ne ([int]($siteLink.Options))) {
                $deltaProperties += New-Update -Identity $siteLink.Name -OldValue ([int]($siteLink.Options)) -NewValue $configuredSitelink.Option -Property 'Options'
            }
            if ($configuredSiteLink.Interval -ne $siteLink.replInterval) {
                $deltaProperties += New-Update -Identity $siteLink.Name -OldValue $siteLink.replInterval -NewValue $configuredSitelink.Interval -Property 'ReplicationInterval'
            }
            #endregion Compare Properties

            if ($deltaProperties) {
                New-TestResult @resultDefaults -Type Update -Identity $siteLink.Name -ADObject $siteLink -Configuration $configuredSitelink -Properties @{
                    Name                = $configuredSitelink.Name
                    Site1               = $configuredSitelink.Site1
                    Site2               = $configuredSitelink.Site2
                    IdealName           = $configuredSitelink.Name
                    Cost                = $configuredSitelink.Cost
                    Description         = $configuredSitelink.Description
                    Options             = $configuredSitelink.Option
                    ReplicationInterval = $configuredSitelink.Interval
                } -Changed $deltaProperties
            }
        }
        #endregion Test all sitelinks found in the forest

        foreach ($configuredSitelink in (Get-FMSiteLink)) {
            if ($allSiteLinks | Compare-SiteLink $configuredSitelink) { continue }

            New-TestResult @resultDefaults -Type Create -Identity $configuredSitelink.Name -Configuration $configuredSitelink -Properties @{
                Name                = $configuredSitelink.Name
                Site1               = $configuredSitelink.Site1
                Site2               = $configuredSitelink.Site2
                IdealName           = $configuredSitelink.Name
                Cost                = $configuredSitelink.Cost
                Description         = $configuredSitelink.Description
                Options             = $configuredSitelink.Option
                ReplicationInterval = $configuredSitelink.Interval
            }
        }
    }
}

function Unregister-FMSiteLink
{
    <#
        .SYNOPSIS
            Removes a link between two sites from configuration.
         
        .DESCRIPTION
            Removes a link between two sites from configuration.
         
        .PARAMETER Site1
            The site1 of the link.
         
        .PARAMETER Site2
            The site2 of the link.
         
        .EXAMPLE
            PS C:\> Unregister-FMSiteLink -Site1 MySite -Site2 MyOtherSite
 
            Removes a sitelink from configuration.
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Site1,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Site2
    )
    
    process
    {
        $sitelinkName = "{0}-{1}" -f $Site1, $Site2
        $sitelinkName2 = "{1}-{0}" -f $Site1, $Site2
        $script:sitelinks.Remove($sitelinkName)
        $script:sitelinks.Remove($sitelinkName2)
    }
}


function Get-FMSite
{
<#
.SYNOPSIS
    Returns the list of configured sites.
 
.DESCRIPTION
    Returns the list of configured sites.
    Sites can be configured using Register-FMSite.
    Those configurations represent the "Should be" state as defined for the entire organization.
 
.PARAMETER Name
    Name to filter by.
    Defaults to "*"
 
.EXAMPLE
    PS C:\> Get-FMSite
 
    Returns all configured sites.
#>

    [CmdletBinding()]
    Param (
        [string]
        $Name = "*"
    )
    
    process
    {
        ($script:sites.Values | Where-Object Name -like $Name)
    }
}


function Invoke-FMSite
{
    <#
        .SYNOPSIS
            Adjusts the targeted forest to comply with the site configuration.
         
        .DESCRIPTION
            Adjusts the targeted forest to comply with the site configuration.
            Use Register-FMSiteConfiguration to register configuration settings.
         
        .PARAMETER InputObject
            Test results provided by the associated test command.
            Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
 
        .PARAMETER EnableException
            This parameters disables user-friendly warnings and enables the throwing of exceptions.
            This is less user friendly, but allows catching exceptions in calling scripts.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
 
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
         
        .EXAMPLE
            PS C:\> Invoke-FMSite
 
            Scans the forest for discrepancies from the desired state
            Then attempts to rectify the state.
    #>

    
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type Sites -Cmdlet $PSCmdlet
    }
    process
    {
        if (-not $InputObject) {
            $InputObject = Test-FMSite @parameters
        }

        foreach ($testItem in $InputObject) {
            switch ($testItem.Type) {
                'Delete' {
                    $siteObject = Get-ADReplicationSite @parameters -Identity $testItem.Name
                    $servers = Get-ADObject @parameters -LDAPFilter '(objectClass=server)' -SearchBase $siteObject.DistinguishedName
                    if ($servers) {
                        Write-PSFMessage -Level Warning -String 'Invoke-FMSite.Removing.Site.ChildServers' -StringValues ($servers.Name -join ", ") -Tag 'failed','sites'
                    }
                    else {
                        Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSite.Removing.Site' -Target $testItem.Name -ScriptBlock {
                            Remove-ADReplicationSite @parameters -Identity $testItem.Name -ErrorAction Stop -Confirm:$false
                        } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                    }
                }
                'Create' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSite.Creating.Site' -Target $testItem.Name -ScriptBlock {
                        New-ADReplicationSite @parameters -Name $testItem.Name -Description $testItem.Description -OtherAttributes @{ Location = $testItem.Location } -ErrorAction Stop
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                'Update' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSite.Updating.Site' -ActionStringValues ($testItem.Changed -join ", ") -Target $testItem.Name -ScriptBlock {
                        Set-ADReplicationSite @parameters -Identity $testItem.Name -Description $testItem.Description -Replace @{ Location = $testItem.Location } -ErrorAction Stop
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                'Rename' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSite.Renaming.Site' -ActionStringValues $testItem.NewName -Target $testItem.Name -ScriptBlock {
                        Get-ADReplicationSite @parameters -Identity $testItem.Name | Rename-ADObject @parameters -NewName $testItem.NewName
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
            }
        }
    }
}


function Register-FMSite
{
    <#
        .SYNOPSIS
            Register a new site configuration.
         
        .DESCRIPTION
            Register a new site configuration.
            This is the ideal / desired state for the site setup.
            Forests will be brought into this state by using Invoke-FMSite.
         
        .PARAMETER Name
            Name of the site to apply.
         
        .PARAMETER Description
            Description the site should have.
         
        .PARAMETER Location
            Location the site should be part of.
         
        .PARAMETER OldNames
            Previous names for this site.
            Forests that have a site still using one of these names will have those sites renamed.
         
        .EXAMPLE
            PS C:\> Register-FMSite -Name ABCDE -Description "Some Site" -Location 'Atlantis'
 
            Registers a new desired site.
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Name,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Description,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Location,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string[]]
        $OldNames
    )
    
    process
    {
        $hashtable = @{
            PSTypeName = 'ForestManagement.Site.Configuration'
            Name = $Name
            Description = $Description
            Location = $Location
        }
        if ($OldNames) { $hashtable["OldNames"] = $OldNames }
        $script:sites[$Name] = [PSCustomObject]$hashtable
    }
}


function Test-FMSite {
    <#
        .SYNOPSIS
            Tests a target foret's site configuration with the desired state.
         
        .DESCRIPTION
            Tests a target foret's site configuration with the desired state.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
         
        .EXAMPLE
            PS C:\> Test-FMSite
 
            Checks whether the current forest is compliant with the desired site configuration.
    #>

    
    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin {
        #region Functions
        function New-Update {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
            [CmdletBinding()]
            param (
                $Identity,

                $Property,

                $OldValue,

                $NewValue
            )

            $datum = [PSCustomObject]@{
                PSTypeName = 'ForestManagement.Site.Update'
                Identity   = $Identity
                Property   = $Property
                OldValue   = $OldValue
                NewValue   = $NewValue
            }
            Add-Member -InputObject $datum -MemberType ScriptMethod -Name ToString -Value {
                '{0}: {1} -> {2}' -f $this.Property, $this.OldValue, $this.NewValue
            } -Force
            $datum
        }
        #endregion Functions

        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type Sites -Cmdlet $PSCmdlet
        $allSites = Get-ADReplicationSite @parameters -Filter * -Properties Location
        $renameMapping = @{}
        $script:sites.Values | Where-Object OldNames | ForEach-Object {
            foreach ($oldName in $_.OldNames) {
                $renameMapping[$oldName] = $_.Name
            }
        }
    }
    process {
        $foundSites = @{}

        $resultDefaults = @{
            Server     = $Server
            ObjectType = 'Site'
        }
        
        foreach ($site in $allSites) {
            if ($renameMapping.Keys -contains $site.Name) {
                New-TestResult @resultDefaults -Type Rename -Identity $site.Name -Properties @{
                    Name        = $site.Name
                    Description = $site.Description
                    Location    = $site.Location
                    NewName     = $renameMapping[$site.Name]
                } -ADObject $site -Changed (New-Update -Identity $site.Name -Property Name -OldValue $site.Name -NewValue $renameMapping[$site.Name])
                continue
            }
            elseif ($script:sites.Keys -contains $site.Name) {
                $foundSites[$site.Name] = $site
            }
            else {
                New-TestResult @resultDefaults -Type Delete -Identity $site.Name -Properties @{
                    Name        = $site.Name
                    Description = $site.Description
                    Location    = $site.Location
                } -ADObject $site
            }
        }
        foreach ($site in $script:sites.Values) {
            if ($site.Name -in $allSites.Name) { continue }

            New-TestResult @resultDefaults -Type Create -Identity $site.Name -Properties @{
                Name        = $site.Name
                Description = $site.Description
                Location    = $site.Location
            } -Configuration $site
        }

        foreach ($site in $foundSites.Values) {
            $deltaProperties = @()
            if ([string]($site.Location) -ne $script:sites[$site.Name].Location) {
                $deltaProperties += New-Update -Identity $site.Name -OldValue $site.Location -NewValue $script:sites[$site.Name].Location -Property 'Location'
            }
            if ([string]($site.Description) -ne $script:sites[$site.Name].Description) {
                $deltaProperties += New-Update -Identity $site.Name -OldValue $site.Description -NewValue $script:sites[$site.Name].Description -Property 'Description'
            }

            if (-not $deltaProperties) { continue }

            New-TestResult @resultDefaults -Type Update -Identity $site.Name -Properties @{
                Name        = $site.Name
                Description = $script:sites[$site.Name].Description
                Location    = $script:sites[$site.Name].Location
            } -ADObject $site -Configuration $script:sites[$site.Name] -Changed $deltaProperties
        }
    }
}

function Unregister-FMSite
{
    <#
        .SYNOPSIS
            Removes a site from the list of registered sites.
         
        .DESCRIPTION
            Removes a site from the list of registered sites.
         
        .PARAMETER Name
            Name of the site to unregister
         
        .EXAMPLE
            PS C:\> Unregister-FMSite -Name "MySite"
 
            Removes the site "MySite" from the list of registered sites
    #>

    
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)]
        [string[]]
        $Name
    )
    
    process
    {
        foreach ($nameItem in $Name) {
            $script:sites.Remove($nameItem)
        }
    }
}


function Get-FMSubnet
{
<#
    .SYNOPSIS
        Returns the list of configured subnets.
 
    .DESCRIPTION
        Returns the list of configured subnets.
        Subnets can be configured using Register-FMSubnet.
        Those configurations represent the "Should be" state as defined for the entire organization.
 
    .PARAMETER Name
        Name of the subnet to filter by.
        Defaults to "*"
 
    .EXAMPLE
        PS C:\> Get-FMSubnet
 
        Returns all configured subnets.
#>

    [CmdletBinding()]
    Param (
        [string]
        $Name = "*"
    )

    process
    {
        ($script:subnets.Values | Where-Object Name -like $Name)
    }
}

function Invoke-FMSubnet
{
    <#
        .SYNOPSIS
            Corrects the subnet configuration of a forest.
         
        .DESCRIPTION
            Corrects the subnet configuration of a forest.
         
        .PARAMETER InputObject
            Test results provided by the associated test command.
            Only the provided changes will be executed, unless none were specified, in which ALL pending changes will be executed.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
 
        .PARAMETER EnableException
            This parameters disables user-friendly warnings and enables the throwing of exceptions.
            This is less user friendly, but allows catching exceptions in calling scripts.
 
        .PARAMETER Confirm
            If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
 
        .PARAMETER WhatIf
            If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
     
        .EXAMPLE
            PS C:\> Invoke-FMSubnet
 
            Corrects the subnet configuration of the current forest.
    #>

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low')]
    Param (
        [Parameter(ValueFromPipeline = $true)]
        $InputObject,
        
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential,

        [switch]
        $EnableException
    )
    
    begin
    {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type Subnets -Cmdlet $PSCmdlet
    }
    process
    {
        if (-not $InputObject) {
            $InputObject = Test-FMSubnet @parameters
        }

        $testResult = $InputObject | Sort-Object {
            switch ($_.Type) {
                'ForestOnly' { 1 }
                'InEqual' { 2 }
                default { 3 }
            }
        }

        foreach ($testItem in $testResult) {
            switch ($testItem.Type) {
                'Delete' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSubnet.Deleting.Subnet' -Target $testItem.Name -ScriptBlock {
                        Remove-ADReplicationSubnet @parameters -Identity $testItem.Name -ErrorAction Stop -Confirm:$false
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                'Create' {
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSubnet.Creating.Subnet' -Target $testItem.Name -ScriptBlock {
                        New-ADReplicationSubnet @parameters -Name $testItem.Name -Site $testItem.SiteName -Description $testItem.Description -Location $testItem.Location -ErrorAction Stop
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
                'Update' {
                    $parametersSetSplat = $parameters.Clone()
                    $parametersSetSplat['Identity'] = $testItem.Identity

                    foreach ($change in $testItem.Changed) {
                        $parametersSetSplat[$change.Property] = $change.NewValue
                    }
                    
                    Invoke-PSFProtectedCommand -ActionString 'Invoke-FMSubnet.Updating.Subnet' -ActionStringValues ($testItem.Changed -join ", ") -Target $testItem.Name -ScriptBlock {
                        Set-ADReplicationSubnet @parametersSetSplat -ErrorAction Stop
                    } -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet
                }
            }
        }
    }
}


function Register-FMSubnet
{
    <#
        .SYNOPSIS
            Registers a new subnet assignment.
         
        .DESCRIPTION
            Registers a new subnet assignment.
            Subnets are assigned to sites.
         
        .PARAMETER SiteName
            Name of the site to which subnets are being assigned.
         
        .PARAMETER Name
            Subnet to assign.
            Must be a subnet in the following notation:
            <ipv4address>/<subnetsize>
            E.g.: 1.2.3.4/24
 
        .PARAMETER Description
            Description to add to the subnet
 
        .PARAMETER Location
            Location, where the subnet is at.
         
        .EXAMPLE
            PS C:\> Register-FMSubnet -SiteName MySite -Name '1.2.3.4/32'
 
            Assigns the subnet '1.2.3.4/32' to the site 'MySite'
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $SiteName,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [PsfValidateScript('ForestManagement.Validate.Subnet', ErrorString = 'ForestManagement.Validate.Subnet.Failed')]
        [string]
        $Name,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string]
        $Description,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string]
        $Location
    )
    
    process
    {
        $hashtable = @{
            PSTypeName = 'ForestManagement.Subnet.Configuration'
            SiteName = $SiteName
            Name = $Name
            Description = $Description
            Location = $Location
        }

        $script:subnets[$Name] = [PSCustomObject]$hashtable
    }
}


function Test-FMSubnet {
    <#
        .SYNOPSIS
            Compares a forest's Subnet configuration against its desired state.
         
        .DESCRIPTION
            Compares a forest's Subnet configuration against its desired state.
         
        .PARAMETER Server
            The server / domain to work with.
         
        .PARAMETER Credential
            The credentials to use for this operation.
     
        .EXAMPLE
            PS C:\> Test-FMSubnet
 
            Compares the current forest's Subnet configuration against its desired state.
    #>

    
    [CmdletBinding()]
    Param (
        [PSFComputer]
        $Server,

        [PSCredential]
        $Credential
    )
    
    begin {
        #region Functions
        function New-Update {
            [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
            [CmdletBinding()]
            param (
                $Identity,

                $Property,

                $OldValue,

                $NewValue
            )

            $datum = [PSCustomObject]@{
                PSTypeName = 'ForestManagement.Subnet.Update'
                Identity   = $Identity
                Property   = $Property
                OldValue   = $OldValue
                NewValue   = $NewValue
            }
            Add-Member -InputObject $datum -MemberType ScriptMethod -Name ToString -Value {
                '{0}: {1} -> {2}' -f $this.Property, $this.OldValue, $this.NewValue
            } -Force
            $datum
        }
        #endregion Functions

        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $parameters['Debug'] = $false
        Assert-ADConnection @parameters -Cmdlet $PSCmdlet
        Invoke-Callback @parameters -Cmdlet $PSCmdlet
        Assert-Configuration -Type Subnets -Cmdlet $PSCmdlet
        $allSubnets = Get-ADReplicationSubnet @parameters -Filter * -Properties Description | Select-Object *, @{
            Name       = "SiteName"
            Expression = { ($_.Site | Get-ADObject @parameters).Name }
        }
    }
    process {
        $resultDefaults = @{
            ObjectType = 'Subnet'
            Server     = $Server
        }

        #region Test all Subnets found in the forest
        foreach ($subnetItem in $allSubnets) {
            if ($script:subnets.Keys -notcontains $subnetItem.Name) {
                New-TestResult @resultDefaults -Type Delete -Identity $subnetItem.Name -ADObject $subnetItem -Properties @{
                    SiteName    = $subnetItem.SiteName
                    Name        = $subnetItem.Name
                    Description = $subnetItem.Description
                    Location    = $subnetItem.Location
                }
                continue
            }

            $configuredSubnet = $script:subnets[$subnetItem.Name]
            
            $deltaProperties = @()
            if ($subnetItem.SiteName -ne $configuredSubnet.SiteName) {
                $deltaProperties += New-Update -Identity $subnetItem.Name -OldValue $subnetItem.SiteName -NewValue $configuredSubnet.SiteName -Property 'Site'
            }
            if ([string]($subnetItem.Description) -ne $configuredSubnet.Description) {
                $deltaProperties += New-Update -Identity $subnetItem.Name -OldValue ([string]$subnetItem.Description) -NewValue $configuredSubnet.Description -Property 'Description'
            }
            if ([string]($subnetItem.Location) -ne $configuredSubnet.Location) {
                $deltaProperties += New-Update -Identity $subnetItem.Name -OldValue ([string]$subnetItem.Location) -NewValue $configuredSubnet.Location -Property 'Location'
            }

            if (-not $deltaProperties) { continue }
            New-TestResult @resultDefaults -Type Update -Identity $subnetItem.Name -ADObject $subnetItem -Configuration $configuredSubnet -Properties @{
                SiteName    = $configuredSubnet.SiteName
                Name        = $configuredSubnet.Name
                Description = $configuredSubnet.Description
                Location    = $configuredSubnet.Location
            } -Changed $deltaProperties
        }
        #endregion Test all Subnets found in the forest

        #region Catch subnets only in configuration but NOT in forest
        foreach ($configuredSubnet in $script:subnets.Values) {
            if ($allSubnets.Name -contains $configuredSubnet.Name) { continue }

            New-TestResult @resultDefaults -Type Create -Identity $configuredSubnet.Name -Configuration $configuredSubnet -Properties @{
                SiteName    = $configuredSubnet.SiteName
                Name        = $configuredSubnet.Name
                Description = $configuredSubnet.Description
                Location    = $configuredSubnet.Location
            }
        }
        #endregion Catch subnets only in configuration but NOT in forest
    }
}


function Unregister-FMSubnet
{
    <#
        .SYNOPSIS
            Removes a subnet mapping.
         
        .DESCRIPTION
            Removes a subnet mapping.
         
        .PARAMETER Name
            Name of the subnets to unregister
         
        .EXAMPLE
            PS C:\> Unregister-FMSubnet -Name "1.2.3.4/32"
 
            Removes the subnet "1.2.3.4/32"
    #>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)]
        [string[]]
        $Name
    )
    
    process
    {
        foreach ($nameItem in $Name) {
            $script:subnets.Remove($nameItem)
        }
    }
}


function Clear-FMConfiguration
{
    <#
        .SYNOPSIS
            Clears the stored configuration data.
         
        .DESCRIPTION
            Clears the stored configuration data.
         
        .EXAMPLE
            PS C:\> Clear-FMConfiguration
 
            Clears the stored configuration data.
    #>

    [CmdletBinding()]
    Param (
    
    )
    
    process
    {
        # Site Configurations
        $script:sites = @{ }

        # Subnet Configurations
        $script:subnets = @{ }

        # Sitelink Configurations
        $script:sitelinks = @{ }

        # Schema Definition
        $script:schema = @{ }

        # Schema Definitions for external LDIF files
        $script:schemaLdif = @{ }
    }
}


function Get-FMCallback
{
    <#
    .SYNOPSIS
        Returns the list of registered callbacks.
     
    .DESCRIPTION
        Returns the list of registered callbacks.
 
        For more details on this system, call:
        Get-Help about_FM_callbacks
     
    .PARAMETER Name
        The name of the callback.
        Supports wildcard filtering.
     
    .EXAMPLE
        PS C:\> Get-FMCallback
 
        Returns a list of all registered callbacks
    #>

    [CmdletBinding()]
    Param (
        [string]
        $Name = '*'
    )
    
    process
    {
        $script:callbacks.Values | Where-Object Name -like $Name
    }
}


function Register-FMCallback
{
    <#
    .SYNOPSIS
        Registers a scriptblock to be called when invoking any Test- or Invoke- command.
     
    .DESCRIPTION
        Registers a scriptblock to be called when invoking any Test- or Invoke- command.
        This enables extending the module and ensuring correct configuration loading.
        The scriptblock will receive four arguments:
        - The Server targeted (if any)
        - The credentials used to do the targeting (if any)
        - The Forest the two earlier pieces of information map to (if any)
        - The Domain the two earlier pieces of information map to (if any)
        Any and all of these pieces of information may be empty.
        Any exception in a callback scriptblock will block further execution!
 
        For more details on this system, call:
        Get-Help about_FM_callbacks
     
    .PARAMETER Name
        The name of the callback to register (multiple can be active at any given moment).
     
    .PARAMETER ScriptBlock
        The scriptblock containing the callback logic.
     
    .EXAMPLE
        PS C:\> Register-FMCallback -Name MyCompany -Scriptblock $scriptblock
 
        Registers the scriptblock stored in $scriptblock under the name 'MyCompany'
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Name,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [ScriptBlock]
        $ScriptBlock
    )
    
    begin
    {
        if (-not $script:callbacks) {
            $script:callbacks = @{ }
        }
    }
    process
    {
        $script:callbacks[$Name] = [PSCustomObject]@{
            Name = $Name
            ScriptBlock = $ScriptBlock
        }
    }
}


function Unregister-FMCallback
{
    <#
    .SYNOPSIS
        Removes a callback from the list of registered callbacks.
     
    .DESCRIPTION
        Removes a callback from the list of registered callbacks.
 
        For more details on this system, call:
        Get-Help about_FM_callbacks
     
    .PARAMETER Name
        The name of the callback to remove.
     
    .EXAMPLE
        PS C:\> Get-FMCallback | Unregister-FMCallback
 
        Unregisters all callback scriptblocks that have been registered.
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]
        $Name
    )
    
    process
    {
        foreach ($nameItem in $Name) {
            $script:callbacks.Remove($nameItem)
        }
    }
}


<#
This is an example configuration file
 
By default, it is enough to have a single one of them,
however if you have enough configuration settings to justify having multiple copies of it,
feel totally free to split them into multiple files.
#>


<#
# Example Configuration
Set-PSFConfig -Module 'ForestManagement' -Name 'Example.Setting' -Value 10 -Initialize -Validation 'integer' -Handler { } -Description "Example configuration setting. Your module can then use the setting using 'Get-PSFConfigValue'"
#>


Set-PSFConfig -Module 'ForestManagement' -Name 'Import.DoDotSource' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be dotsourced on import. By default, the files of this module are read as string value and invoked, which is faster but worse on debugging."
Set-PSFConfig -Module 'ForestManagement' -Name 'Import.IndividualFiles' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be imported individually. During the module build, all module code is compiled into few files, which are imported instead by default. Loading the compiled versions is faster, using the individual files is easier for debugging and testing out adjustments."

# Sitelinks
Set-PSFConfig -Module 'ForestManagement' -Name 'SiteLink.MultilateralLinks' -Value $false -Initialize -Validation 'bool' -Description 'Whether sitelinks should be allowed to contain more than two sites. Enabling this will suppress all error messages when finding those.'

# Schema
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.AutoCreate.TempAdmin' -Value $false -Initialize -Validation 'bool' -Description 'Schema Updates require special privileges not usually granted. Enabling this setting will have the task automatically create a temporary schema admin account with the permissions to execute the planned updates.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.IgnoreOnCredentialProvider' -Value $false -Initialize -Validation 'bool' -Description 'Whether the Schema Admin Credential workflow should be ignored when called from ADMF with the Credential Provider specified.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.Credential' -Value $null -Initialize -Validation credential -Description 'Credentials to use for performing schema updates'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.Name' -Value '' -Initialize -Validation string -Description 'The name of the account to use'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoDescription' -Value '' -Initialize -Validation string -Description 'The description for the account used. If specified, this is what the description will be updated to after successfully using the account.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoCreate' -Value $false -Initialize -Validation bool -Description 'Whether the account should be created automatically if it isn''t present'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoEnable' -Value $false -Initialize -Validation bool -Description 'Whether the account to use for performing the schema update should be enabled for use if disabled.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoDisable' -Value $false -Initialize -Validation bool -Description 'Whether the account to use for performing the schema update should be disabled after use.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoGrant' -Value $false -Initialize -Validation bool -Description 'Whether the account to use for performing the schema update should be added to the schema admins group before use.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Account.AutoRevoke' -Value $false -Initialize -Validation bool -Description 'Whether the account to use for performing the schema update should be removed from the schema admins group after use.'
Set-PSFConfig -Module 'ForestManagement' -Name 'Schema.Password.AutoReset' -Value $false -Initialize -Validation bool -Description 'Whether the password of the used account should be reset before & after use.'


<#
Stored scriptblocks are available in [PsfValidateScript()] attributes.
This makes it easier to centrally provide the same scriptblock multiple times,
without having to maintain it in separate locations.
 
It also prevents lengthy validation scriptblocks from making your parameter block
hard to read.
 
Set-PSFScriptblock -Name 'ForestManagement.ScriptBlockName' -Scriptblock {
     
}
#>


Set-PSFScriptblock -Name 'ForestManagement.Validate.Path.SingleFile' -Scriptblock {
    try {
        Resolve-PSFPath -Path $_ -Provider FileSystem -SingleItem
        return $true
    }
    catch { return $false }
}

Set-PSFScriptblock -Name 'ForestManagement.Validate.Subnet' -Scriptblock {
    if (-not $_.Contains("/")) { return $false }
    if (($_ -split "/").Count -gt 2) { return $false }
    
    $base, $range = $_ -split "/"

    $ipv4Pattern = '^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$'
    if ($base -notmatch $ipv4Pattern) { return $false }
    
    $rangeNumber = $range -as [int]
    if (-not $rangeNumber) { return $false }
    if ($rangeNumber -lt 1) { return $false }
    if ($rangeNumber -gt 32) { return $false }
    $true
}

<#
# Example:
Register-PSFTeppScriptblock -Name "ForestManagement.alcohol" -ScriptBlock { 'Beer','Mead','Whiskey','Wine','Vodka','Rum (3y)', 'Rum (5y)', 'Rum (7y)' }
#>


Register-PSFTeppScriptblock -Name 'ForestManagement.ExchangeVersion' -ScriptBlock {
    (Get-AdcExchangeVersion).Binding
} -Global

Register-PSFTeppScriptblock -Name 'ForestManagement.ForestName' -ScriptBlock {
    (Get-ADTrust -Filter *).Target
}

Register-PSFTeppScriptblock -Name "ForestManagement.Sites" -ScriptBlock {
    $module = Get-Module ForestManagement
    & $module { $script:sites.Keys }
}

Register-PSFTeppScriptblock -Name "ForestManagement.Site2New" -ScriptBlock {
    $module = Get-Module ForestManagement
    $sites = & $module { $script:sites.Keys }
    $sitelinks = & $module { $script:sitelinks.Values }

    if (-not $fakeBoundParameter.Site1) {
        return $sites | Sort-Object -Unique
    }

    $results = foreach ($site in $sites) {
        if ($site -eq $fakeBoundParameter.Site1) { continue }
        if ($siteLinks | Where-Object { ($_.Site1 -eq $fakeBoundParameter.Site1) -and ($_.Site2 -eq $site) }) { continue }
        if ($siteLinks | Where-Object { ($_.Site2 -eq $fakeBoundParameter.Site1) -and ($_.Site1 -eq $site) }) { continue }
        $site
    }
    $results | Sort-Object -Unique
}

Register-PSFTeppScriptblock -Name "ForestManagement.Linked.Site1" -ScriptBlock {
    $module = Get-Module ForestManagement
    $siteLinks = & $module { $script:sitelinks.Values }

    if (-not $fakeBoundParameter.Site2) {
        return $siteLinks.Site1 | Sort-Object -Unique
    }
    ($siteLinks | Where-Object Site2 -eq $fakeBoundParameter.Site2).Site1 | Sort-Object -Unique
}

Register-PSFTeppScriptblock -Name "ForestManagement.Linked.Site2" -ScriptBlock {
    $module = Get-Module ForestManagement
    $siteLinks = & $module { $script:sitelinks.Values }

    if (-not $fakeBoundParameter.Site1) {
        return $siteLinks.Site2 | Sort-Object -Unique
    }
    ($siteLinks | Where-Object Site1 -eq $fakeBoundParameter.Site1).Site2 | Sort-Object -Unique
}

<#
# Example:
Register-PSFTeppArgumentCompleter -Command Get-Alcohol -Parameter Type -Name ForestManagement.alcohol
#>


Register-PSFTeppArgumentCompleter -Command Get-FMSite -Parameter Name -Name 'ForestManagement.Sites'
Register-PSFTeppArgumentCompleter -Command Register-FMSite -Parameter Name -Name 'ForestManagement.Sites'
Register-PSFTeppArgumentCompleter -Command Unregister-FMSite -Parameter Name -Name 'ForestManagement.Sites'

Register-PSFTeppArgumentCompleter -Command Get-FMSubnet -Parameter SiteName -Name 'ForestManagement.Sites'
Register-PSFTeppArgumentCompleter -Command Register-FMSubnet -Parameter SiteName -Name 'ForestManagement.Sites'

Register-PSFTeppArgumentCompleter -Command Get-FMSiteLink -Parameter SiteName -Name 'ForestManagement.Sites'
Register-PSFTeppArgumentCompleter -Command Register-FMSiteLink -Parameter Site1 -Name 'ForestManagement.Sites'
Register-PSFTeppArgumentCompleter -Command Register-FMSiteLink -Parameter Site2 -Name 'ForestManagement.Site2New'
Register-PSFTeppArgumentCompleter -Command Unregister-FMSiteLink -Parameter Site1 -Name "ForestManagement.Linked.Site1"
Register-PSFTeppArgumentCompleter -Command Unregister-FMSiteLink -Parameter Site2 -Name "ForestManagement.Linked.Site2"

Register-PSFTeppArgumentCompleter -Command Invoke-FMSchema -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Invoke-FMSchemaLdif -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Invoke-FMServer -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Invoke-FMSite -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Invoke-FMSiteLink -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Invoke-FMSubnet -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Test-FMSchema -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Test-FMSchemaLdif -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Test-FMServer -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Test-FMSite -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Test-FMSiteLink -Parameter Server -Name 'ForestManagement.ForestName'
Register-PSFTeppArgumentCompleter -Command Test-FMSubnet -Parameter Server -Name 'ForestManagement.ForestName'

New-PSFLicense -Product 'ForestManagement' -Manufacturer 'Friedrich Weinmann' -ProductVersion $script:ModuleVersion -ProductType Module -Name MIT -Version "1.0.0.0" -Date (Get-Date "2019-08-05") -Text @"
Copyright (c) 2019 Friedrich Weinmann
 
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
 
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
"@


# Directory Certificate Stores
$script:dsCertificates = @{ }
$script:dsCertificatesAuthorative = @{ }

# Exchange Schema Version
$script:exchangeschema = $null

# Forest Level
$script:forestlevel = $null

# NT Auth Store Configuration
$script:ntAuthStoreCertificates = @{ }
$script:ntAuthStoreAuthorative = $false

# Server Auto Assignment - whether domain controllers will be automatically moved to valid sites without any configuration needed
$script:serverAutoAssignment = $true

# Site Configurations
$script:sites = @{ }

# Subnet Configurations
$script:subnets = @{ }

# Sitelink Configurations
$script:sitelinks = @{ }

# Schema Definition
$script:schema = @{ }

# Schema Default Permission
$script:schemaDefaultPermissions = @{ }

# Schema Definitions for external LDIF files
$script:schemaLdif = @{ }

$PSDefaultParameterValues['Resolve-String:ModuleName'] = 'ADMF.Core'
$PSDefaultParameterValues['Register-StringMapping:ModuleName'] = 'ADMF.Core'
$PSDefaultParameterValues['Clear-StringMapping:ModuleName'] = 'ADMF.Core'
$PSDefaultParameterValues['Unregister-StringMapping:ModuleName'] = 'ADMF.Core'

Register-PSFCallback -Name ForestManagement.ConfigurationReset -ModuleName ADMF.Core -CommandName Clear-AdcConfiguration -ScriptBlock {
    Clear-FMConfiguration
}
#endregion Load compiled code