NTS.Tools.MSADDS.psm1

function Install-NLASvcFixForDCs {
    <#
        .Description
        checks if dns is specified as dependy for service nlasvc and if its not the case it will add it.
 
        .Example
        # this will service dns as dependency for the service nlasvc
        Install-NLASvcFixForDCs
 
        .NOTES
         
    #>


    try {
        $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc"
        $RegKeyValue = "DependOnService"
        $ServiceName = "DNS"

        Write-Output "$($env:COMPUTERNAME): adding service $($ServiceName) as dependency for service NlaSvc"
        $NLASvcDependencies = (Get-ItemProperty -Path $RegKey -Name $RegKeyValue).$RegKeyValue
        if ($NLASvcDependencies -notcontains $ServiceName) {
            $FixedNLASvcDependencies = $NLASvcDependencies + $ServiceName
            Set-ItemProperty -Path $RegKey -Name $RegKeyValue -Value $FixedNLASvcDependencies
            Write-Output "$($env:COMPUTERNAME): NlaSvc fix applied"
        }
        else {
            Write-Output "$($env:COMPUTERNAME): NlaSvc fix already applied"
        }
    }
    catch {
        throw $PSItem.Exception.Message
    }
}

function New-EASEOUStructure {
    <#
        .Description
        this will create the esae structure with OUs, User, Groups and Group Managed Service Accounts
 
        .Example
        # creates the ease structure on the local domain controller
        New-EASEOUStructure
 
        .NOTES
        must be executed on a domain controller
         
    #>


    if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 2) {
        throw "$($env:COMPUTERNAME): this is not a domain controller, can only be used on domain controllers"
    }
    
    Import-Module "Activedirectory"
    $Domain = Get-ADDomain

    Write-Output "$($env:COMPUTERNAME): apply esae structure on $($Domain.Forest)"
    
    #region ous
    try {
        Write-Output "$($env:COMPUTERNAME): creating ous"
        $TopLevelOU = 'ESAE'
        New-ADOrganizationalUnit -Name $TopLevelOU -Path $Domain.DistinguishedName
        
        # ESAE
        $ESAEPath = "OU=$TopLevelOU,$($Domain.DistinguishedName)"
        $ESAEOUs = 'Groups', 'PAW', 'Tier 0', 'Tier 1', 'Tier 2' 
        $ESAEOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $ESAEPath
        }
            
        # ESAE\PAW
        $PAWPath = "OU=PAW,$ESAEPath"
        $PAWOUs = 'Accounts', 'Devices', 'Groups' 
        $PAWOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $PAWPath 
        }
            
        # ESAE\Tier0
        $Tier0Path = "OU=Tier 0,$ESAEPath"
        $Tier0OUs = 'AD', 'PKI', 'SQL', 'ADFS', 'ADSync'
        $Tier0OUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier0Path 
        }
            
        # ESAE\Tier1
        $Tier1Path = "OU=Tier 1,$ESAEPath"
        $Tier1OUs = 'Exchange', 'ConfigMgr', 'SQL'
        $Tier1OUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier1Path
        }
            
        # ESAE\Tier2
        $Tier2Path = "OU=Tier 2,$ESAEPath"
        $Tier2OUs = 'Accounts', 'Devices', 'Groups'
        $Tier2OUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier2Path
        }
            
        # ESAE\Tier0\AD
        $Tier0ADPath = "OU=AD,$Tier0Path"
        $Tier0ADOUs = 'Accounts', 'Groups' 
        $Tier0ADOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier0ADPath
        }
            
        # ESAE\Tier0\PKI
        $Tier0PKIPath = "OU=PKI,$Tier0Path"
        $Tier0PKIOUs = 'Accounts', 'Groups', 'Servers'
        $Tier0PKIOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier0PKIPath 
        }
        
        # ESAE\Tier0\SQL
        $Tier0SQLPath = "OU=SQL,$Tier0Path"
        $Tier0SQLOUs = 'Accounts', 'Groups', 'Servers'
        $Tier0SQLOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier0SQLPath 
        }
    
        # ESAE\Tier0\ADFS
        $Tier0ADFSPath = "OU=ADFS,$Tier0Path"
        $Tier0ADFSOUs = 'Accounts', 'Groups', 'Servers'
        $Tier0ADFSOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier0ADFSPath 
        }
    
        # ESAE\Tier0\ADSync
        $Tier0ADSyncPath = "OU=ADSync,$Tier0Path"
        $Tier0ADSyncOUs = 'Accounts', 'Groups', 'Servers'
        $Tier0ADSyncOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier0ADSyncPath 
        }
    
        # ESAE\Tier1\Exchange
        $Tier1ExchangePath = "OU=Exchange,$Tier1Path"
        $Tier1ExchangeOUs = 'Accounts', 'Groups', 'Servers'
        $Tier1ExchangeOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier1ExchangePath 
        }
            
        # ESAE\Tier1\ConfigMgr
        $Tier1ConfigMgrPath = "OU=ConfigMgr,$Tier1Path"
        $Tier1ConfigMgrOUs = 'Accounts', 'Groups', 'Servers'
        $Tier1ConfigMgrOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier1ConfigMgrPath 
        }
            
        # ESAE\Tier1\SQL
        $Tier1SQLPath = "OU=SQL,$Tier1Path"
        $Tier1SQLOUs = 'Accounts', 'Groups', 'Servers'
        $Tier1SQLOUs | ForEach-Object { 
            New-ADOrganizationalUnit -Name $PSItem -Path $Tier1SQLPath
        }
    }
    catch {
        throw "error creating ous: $($PSItem.Exception.Message)"
    }
    #endregion

    #region groups
    try {
        Write-Output "$($env:COMPUTERNAME): creating groups"
        # PAW
        $GroupNames = 'T0-Allowed', 'T1-Allowed', 'T2-Allowed', 'T0-Denied', 'T1-Denied', 'T2-Denied'
        $GroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$ESAEPath"
        }
        $PAWGroupNames = 'PAW-Devices', 'PAW-Maintenance', 'PAW-Users'
        $PAWGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$PAWPath"
        }

        # T0
        $Tier0ADGroupNames = 'T0-CloudAdmins', 'T0-DomAdmins', 'T0-EntAdmins', 'T0-RODCAdmins', 'T0-SchAdmins'
        $Tier0ADGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier0ADPath"
        }
        $Tier0PKIGroupNames = 'T0-PKIAdmins', 'T0-PKISCAgents'
        $Tier0PKIGroupNames | ForEach-Object {
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier0PKIPath"
        }
        $Tier0SQLGroupNames = 'T0-SQLAdmins', 'T0-SQLServers'
        $Tier0SQLGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier0SQLPath"
        }
        $Tier0ADFSGroupNames = 'T0-ADFSAdmins', 'T0-ADFSServers', 'T0-ADFSSQLServers'
        $Tier0ADFSGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier0ADFSPath"
        }
        $Tier0ADSyncGroupNames = 'T0-ADSyncAdmins', 'T0-ADSyncServers', 'T0-ADSyncSQLServers'
        $Tier0ADSyncGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier0ADSyncPath"
        }

        # T1
        $Tier1ExchangeGroupNames = 'T1-ExAdmins', 'T1-ExAllowed', 'T1-ExMaintenance', 'T1-ExMBXAdmins', 'T1-ExOrgAdmins'
        $Tier1ExchangeGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier1ExchangePath"
        }
        $Tier1CMGroupNames = 'T1-CMAdmins', 'T1-CMServers', 'T1-CMSQLServers'
        $Tier1CMGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier1ConfigMgrPath"
        }
        $Tier1SQLGroupNames = 'T1-SQLAdmins', 'T1-SQLServers'
        $Tier1SQLGroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier1SQLPath"
        }

        # T2
        $Tier2GroupNames = 'T2-HelpDesk'
        $Tier2GroupNames | ForEach-Object { 
            New-ADGroup -Name $PSItem -SamAccountName $PSItem -GroupCategory Security -GroupScope Universal -DisplayName $PSItem -Path "OU=Groups,$Tier2Path"
        }
    }
    catch {
        throw "error creating groups: $($PSItem.Exception.Message)"
    }
    #endregion

    #region users
    try {
        Write-Output "$($env:COMPUTERNAME): creating users"
        $Password = ConvertTo-SecureString -String 'C0mplex' -AsPlainText -Force

        # PAW
        $PAWUserNames = 'PAWMan1'
        $PAWUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$PAWPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
    
        # T0
        $Tier0ADUserNames = 'T0-DomAdmin1', 'T0-EntAdmin1'
        $Tier0ADUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier0ADPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        $Tier0PKIUserNames = 'T0-PKIAdmin1', 'T0-PKISCA1'
        $Tier0PKIUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier0PKIPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        $Tier0SQLUserNames = 'T0-SQLAdmin1', 'T0-SQLAdmin2'
        $Tier0SQLUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier0SQLPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        $Tier0ADFSUserNames = 'T0-ADFSAdmin1', 'T0-ADFSAdmin2'
        $Tier0ADFSUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier0ADFSPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        $Tier0ADSyncUserNames = 'T0-ADSyncAdmin1', 'T0-ADSyncAdmin2'
        $Tier0ADSyncUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier0ADSyncPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
    
        # T1
        $Tier1ExchangeUserNames = 'T1-ExAdmin1', 'T1-ExAdmin2'
        $Tier1ExchangeUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier1ExchangePath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        $Tier1CMUserNames = 'T1-CMAdmin1', 'T1-CMAdmin2', 'T1-CMSQLRPT'
        $Tier1CMUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier1ConfigMgrPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        $Tier1SQLUserNames = 'T1-SQLAdmin1', 'T1-SQLAdmin2'
        $Tier1SQLUserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier1SQLPath" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
    
        # T2
        $Tier2UserNames = 'T2-HelpDesk1', 'T2-HelpDesk2'
        $Tier2UserNames | ForEach-Object { 
            New-ADUser -Name $PSItem -Path "OU=Accounts,$Tier2Path" -SamAccountName $PSItem -UserPrincipalName "$PSItem@$($Domain.Forest)" -GivenName $PSItem -DisplayName $PSItem -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
    }
    catch {
        throw "error creating users: $($PSItem.Exception.Message)"
    }
    #endregion

    #region gmsa
    try {
        Write-Output "$($env:COMPUTERNAME): creating gmsa"
        Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
        # T0
        New-ADServiceAccount -Name "T0-SQLSvc" -DNSHostName "T0-SQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-SQLServers"
        New-ADServiceAccount -Name "T0-SQLAgt" -DNSHostName "T0-SQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-SQLServers"
        # T0\ADFS
        New-ADServiceAccount -Name "T0-ADFSSvc" -DNSHostName "T0-ADFSSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-ADFSServers"
        New-ADServiceAccount -Name "T0-ADFSSQLSvc" -DNSHostName "T0-ADFSSQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-ADFSSQLServers"
        New-ADServiceAccount -Name "T0-ADFSSQLAgt" -DNSHostName "T0-ADFSSQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-ADFSSQLServers"
        # T0\ADSync
        New-ADServiceAccount -Name "T0-ADSyncSvc" -DNSHostName "T0-ADSyncSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-ADSyncServers"
        New-ADServiceAccount -Name "T0-ADSyncSQLSvc" -DNSHostName "T0-ADSyncSQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-ADSyncSQLServers"
        New-ADServiceAccount -Name "T0-ADSyncSQLAgt" -DNSHostName "T0-ADSyncSQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T0-ADSyncSQLServers"
    
        # T1
        New-ADServiceAccount -Name "T1-SQLSvc" -DNSHostName "T1-SQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T1-SQLServers"
        New-ADServiceAccount -Name "T1-SQLAgt" -DNSHostName "T1-SQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T1-SQLServers"
        # T1\ConfigMgr
        New-ADServiceAccount -Name "T1-CMSQLSvc" -DNSHostName "T1-CMSQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T1-CMSQLServers"
        New-ADServiceAccount -Name "T1-CMSQLAgt" -DNSHostName "T1-CMSQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPassword "T1-CMSQLServers"
    }
    catch {
        throw "error creating gmsa: $($PSItem.Exception.Message)"
    }
    #endregion

    #region group membership
    try {
        Write-Output "$($env:COMPUTERNAME): creating group membership"
        # Tier Groups
        $Tier0AllowedGroups = 'T0-CloudAdmins', 'T0-DomAdmins', 'T0-EntAdmins', 'T0-RODCAdmins', 'T0-SchAdmins', 'T0-PKIAdmins', 'T0-PKISCAgents', 'T0-SQLAdmins', 'T0-ADFSAdmins', 'T0-ADSyncAdmins'
        $Tier1AllowedGroups = 'T1-CMAdmins', 'T1-ExAdmins', 'T1-ExAllowed', 'T1-ExMaintenance', 'T1-ExMBXAdmins', 'T1-ExOrgAdmins', 'T1-SQLAdmins'
        $Tier2AllowedGroups = 'T2-HelpDesk'
        Add-ADGroupMember -Identity 'T0-Allowed' -Members $Tier0AllowedGroups
        Add-ADGroupMember -Identity 'T0-Denied' -Members ($Tier1AllowedGroups + $Tier2AllowedGroups)
        Add-ADGroupMember -Identity 'T1-Allowed' -Members $Tier1AllowedGroups
        Add-ADGroupMember -Identity 'T1-Denied' -Members ($Tier0AllowedGroups + $Tier2AllowedGroups)
        Add-ADGroupMember -Identity 'T2-Allowed' -Members $Tier2AllowedGroups
        Add-ADGroupMember -Identity 'T2-Denied' -Members ($Tier0AllowedGroups + $Tier1AllowedGroups)

        # PAW
        Add-ADGroupMember -Identity 'PAW-Maintenance' -Members 'PAWMan1'

        # T0
        Add-ADGroupMember -Identity 'Domain Admins' -Members 'T0-DomAdmin1'
        Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'T0-EntAdmin1'
        Add-ADGroupMember -Identity 'T0-PKIAdmins' -Members 'T0-PKIAdmin1'
        Add-ADGroupMember -Identity 'T0-PKISCAgents' -Members 'T0-PKISCA1'
        Add-ADGroupMember -Identity 'T0-SQLAdmins' -Members 'T0-SQLAdmin1', 'T0-SQLAdmin2'

        # T1
        Add-ADGroupMember -Identity 'T1-ExAdmins' -Members 'T1-ExAdmin1', 'T1-ExAdmin2'
        Add-ADGroupMember -Identity 'T1-CMAdmins' -Members 'T1-CMAdmin1', 'T1-CMAdmin2'
        Add-ADGroupMember -Identity 'T1-SQLAdmins' -Members 'T1-SQLAdmin1', 'T1-SQLAdmin2'

        # T2
        Add-ADGroupMember -Identity 'T2-HelpDesk' -Members 'T2-HelpDesk1', 'T2-HelpDesk2'
    }
    catch {
        throw "error creating group memberships: $($PSItem.Exception.Message)"
    }
    #endregion
}

function Repair-DFSRReplication {
    <#
        .Description
        this will forcefully repair dfsr replication on the domain, use with care
 
        .Example
        # this will forcefully repair dfsr replication on the domain
        Repair-DFSRReplication
 
        .NOTES
        must be executed on a domain controller
         
    #>


    $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
    $PDC = (Get-ADDomain).PDCEmulator
    $DCs = Get-ADObject -Filter { (objectclass -eq "computer") } -SearchBase "OU=Domain Controllers,$Domain" -Properties Name | Sort-Object Name
    
    $DCs | ForEach-Object {
        Invoke-Command -ComputerName $PSItem.Name -ScriptBlock {
            try {
                $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
                $PDC = (Get-ADDomain).PDCEmulator
                $sysvolADObject = Get-ADObject -Filter { (objectclass -eq "msDFSR-Subscription") } `
                    -SearchBase "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$($env:COMPUTERNAME),OU=Domain Controllers,$Domain"`
                    -Properties "msDFSR-Options", "msDFSR-Enabled"
        
                Write-Output "$($env:COMPUTERNAME): Restarting NIC to correct Network Profile"
                $NetAdapter = Get-NetAdapter 
                $NetAdapter[0] | Restart-NetAdapter -Confirm:$false
    
                Write-Output "$($env:COMPUTERNAME): Installing DFSR Management Tools"
                Install-WindowsFeature -Name RSAT-DFS-Mgmt-Con | Out-Null
                if ($($PDC).Contains($env:COMPUTERNAME)) {
                    Write-Output "$($env:COMPUTERNAME): Setting msDFSR-Options to 1"
                    Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Options" = 1 }
                }
                Write-Output "$($env:COMPUTERNAME): Setting msDFSR-Enabled to false"
                Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Enabled" = $false }
            }
            catch {
                throw $PSItem.Exception.Message
            }
        }
    }
    
    Write-Output "$($env:COMPUTERNAME): Forcing AD Replication"
    repadmin /syncall /P /e
    Start-Sleep(10)

    Invoke-Command -ComputerName $PDC -ScriptBlock {
        try {
            $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
            $sysvolADObject = Get-ADObject -Filter { (objectclass -eq "msDFSR-Subscription") } `
                -SearchBase "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$($env:COMPUTERNAME),OU=Domain Controllers,$Domain"`
                -Properties "msDFSR-Options", "msDFSR-Enabled"
            Write-Output "$($env:COMPUTERNAME): Restarting DFSR Service"
            Restart-Service DFSR 
            Start-Sleep(20)
            Write-Output "$($env:COMPUTERNAME): Setting msDFSR-Enabled to true"
            Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Enabled" = $true }
            Write-Output "$($env:COMPUTERNAME): Forcing AD Replication"
            repadmin /syncall /P /e
            Start-Sleep(10)
            Write-Output "$($env:COMPUTERNAME): Executing DFSRDIAG"
            dfsrdiag pollad
        }
        catch {
            $PSItem.Exception.Message
        }
    }
    
    $DCs | ForEach-Object {
        Invoke-Command -ComputerName $PSItem.Name -ScriptBlock {
            try {
                $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
                $PDC = (Get-ADDomain).PDCEmulator
                $sysvolADObject = Get-ADObject -Filter { (objectclass -eq "msDFSR-Subscription") } `
                    -SearchBase "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$($env:COMPUTERNAME),OU=Domain Controllers,$Domain"`
                    -Properties "msDFSR-Options", "msDFSR-Enabled"
                if (!$($PDC).Contains($($env:COMPUTERNAME))) {
                    Write-Output "$($env:COMPUTERNAME): Restarting DFSR Service"
                    Restart-Service DFSR 
                    Start-Sleep(20)
                    Write-Output "$($env:COMPUTERNAME): Setting msDFSR-Enabled to true"
                    Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Enabled" = $true }
                    Write-Output "$($env:COMPUTERNAME): Executing DFSRDIAG"
                    dfsrdiag pollad  
                }
            }
            catch {
                throw $PSItem.Exception.Message
            }
        }
    }
}