NTS.Tools.MSADDS.psm1

function Install-NLASvcFixForDCs {
    <#
        .Description
        checks if dns is specified as dependy for service nlasvc and if its not the case it will add it.
 
        .Example
        # this will service dns as dependency for the service nlasvc
        Install-NLASvcFixForDCs
 
        .NOTES
         
    #>


    try {
        $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc"
        $RegKeyValue = "DependOnService"
        $ServiceName = "DNS"

        Write-Output "adding service $($ServiceName) as dependency for service NlaSvc"
        $NLASvcDependencies = (Get-ItemProperty -Path $RegKey -Name $RegKeyValue).$RegKeyValue
        if ($NLASvcDependencies -notcontains $ServiceName) {
            $FixedNLASvcDependencies = $NLASvcDependencies + $ServiceName
            Set-ItemProperty -Path $RegKey -Name $RegKeyValue -Value $FixedNLASvcDependencies
            Write-Output "NlaSvc fix applied"
        }
        else {
            Write-Output "NlaSvc fix already applied"
        }
    }
    catch {
        throw $PSItem.Exception.Message
    }
}

function New-EASEOUStructure {
    <#
        .Description
        this will create the esae structure with OUs, User, Groups and Group Managed Service Accounts
 
        .Example
        # creates the ease structure on the local domain controller
        New-EASEOUStructure
 
        .NOTES
        must be executed on a domain controller
    #>


    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [string]
        $LogFileName = ""
    )

    $ErrorActionPreference = 'Stop'
    if ($LogFileName -eq "") {
        $LogParam = @{
            Console = $true
        }
    }
    elseif ($LogFileName -ne "") {
        $LogParam = @{
            LogFileName = $LogFileName
            LogFileFolderPath = "$($env:ProgramData)\NTS\LogFiles"
        }
    }
    else {
        throw "`$LogFileName is not defined properly, was $($LogFileName)"
    }

    function Add-ESAEADOU {
        [CmdletBinding()]
        param (
            [Parameter(Mandatory = $true)]
            [string[]]
            $OUs,

            [Parameter(Mandatory = $true)]
            [string]
            $Path
        )
        
        try {
            $OUs | ForEach-Object {
                Write-Verbose "creating ou $($PSItem) at $($Path)"
                New-ADOrganizationalUnit -Name $PSItem -Path $Path
            }
        }
        catch {
            throw $PSItem.Exception.Message
        }
    }
    function New-ESAEADGroup {
        [CmdletBinding()]
        param (
            [Parameter(Mandatory  =$true)]
            [string]
            $Name,

            [Parameter(Mandatory = $true)]
            [string]
            $Path
        )
        
        try {
            Write-Verbose "creating group $($Name) at $($Path)"
            New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security -GroupScope Universal -DisplayName $Name -Path $Path
        }
        catch {
            throw "$($Name) - $($PSItem.Exception.Message)"
        }
    }
    function New-ESAEADUser {
        [CmdletBinding()]
        param (
            [Parameter(Mandatory  =$true)]
            [string]
            $Name,

            [Parameter(Mandatory = $true)]
            [string]
            $Path,

            [Parameter(Mandatory = $true)]
            [string]
            $Domain,

            [Parameter(Mandatory = $true)]
            [securestring]
            $Password
        )
        
        try {
            Write-Verbose "creating user $($Name)@$($Domain) at $($Path)"
            New-ADUser -Name $Name -Path $Path -SamAccountName $Name -UserPrincipalName "$($Name)@$($Domain)" -GivenName $Name -DisplayName $Name -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
        }
        catch {
            throw "$($Name) - $($PSItem.Exception.Message)"
        }
    }
    function New-ESAEADServiceAccount {
        [CmdletBinding()]
        param (
            [Parameter(Mandatory  =$true)]
            [string]
            $Name,

            [Parameter(Mandatory = $true)]
            [string]
            $DNSHostName,

            [Parameter(Mandatory = $true)]
            [string]
            $PrincipalsAllowedToRetrieveManagedPwdGroup
        )
        
        try {
            Write-Verbose "creating gmsa $($DNSHostName)"
            New-ADServiceAccount -Name $Name -DNSHostName $DNSHostName -PrincipalsAllowedToRetrieveManagedPassword $PrincipalsAllowedToRetrieveManagedPwdGroup
        }
        catch {
            throw "$($Name) - $($PSItem.Exception.Message)"
        }
    }

    function Add-ESAEADGroupMember {
        [CmdletBinding()]
        param (
            [Parameter(Mandatory  =$true)]
            [string]
            $Group,

            [Parameter(Mandatory = $true)]
            [string[]]
            $Members
        )
        
        try {
            Write-Verbose "add $($Members) to group $($Group)"
            Add-ADGroupMember -Identity $Group -Members $Members
        }
        catch {
            throw "$($Name) - $($PSItem.Exception.Message)"
        }
    }

    try {
        if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 2) {
            throw "this is not a domain controller, can only be used on domain controllers"
        }
    
        Import-Module "Activedirectory"
        $Domain = Get-ADDomain
    }
    catch {
        $ErrorMessage = "error - $($PSItem.Exception.Message)"
        Write-ToLogOrConsole @LogParam -Severity Error -Message $ErrorMessage
        throw $ErrorMessage
    }

    Write-ToLogOrConsole @LogParam -Severity Info -Message "apply esae structure on $($Domain.Forest)"
    
    #region ous
    try {
        Write-ToLogOrConsole @LogParam -Severity Info -Message "creating ous"
        $TopLevelOU = 'ESAE'
        New-ADOrganizationalUnit -Name $TopLevelOU -Path $Domain.DistinguishedName

        # ESAE - create first level OUs
        $ESAEPath = "OU=$($TopLevelOU),$($Domain.DistinguishedName)"
        Add-ESAEADOU -OUs 'Groups', 'PAW', 'Tier 0', 'Tier 1', 'Tier 2' -Path $ESAEPath

        # ESAE\Tier0 - create second level OUs
        $Tier0Path = "OU=Tier 0,$($ESAEPath)"
        Add-ESAEADOU -OUs 'AD', 'PKI', 'SQL', 'ADFS', 'ADSync' -Path $Tier0Path

        # ESAE\Tier1 - create second level OUs
        $Tier1Path = "OU=Tier 1,$($ESAEPath)"
        Add-ESAEADOU -OUs 'Exchange', 'ConfigMgr', 'SQL', 'Fileserver', 'DHCP' -Path $Tier1Path

        # Create third level OUs
        # ESAE\Tier0\AD
        $Tier0ADPath = "OU=AD,$($Tier0Path)"
        Add-ESAEADOU -OUs 'Accounts', 'Groups' -Path $Tier0ADPath

        # Default OUs
        $DefaultSubOUs = 'Accounts', 'Devices', 'Groups'

        # Basis
        $PAWPath = "OU=PAW,$($ESAEPath)" # ESAE\PAW

        # Tier0
        $Tier0PKIPath = "OU=PKI,$($Tier0Path)" # ESAE\Tier0\PKI
        $Tier0SQLPath = "OU=SQL,$($Tier0Path)" # ESAE\Tier0\SQL
        $Tier0ADFSPath = "OU=ADFS,$($Tier0Path)" # ESAE\Tier0\ADFS
        $Tier0ADSyncPath = "OU=ADSync,$($Tier0Path)" # ESAE\Tier0\ADSync

        # Tier1
        $Tier1ConfigMgrPath = "OU=ConfigMgr,$($Tier1Path)" # ESAE\Tier1\ConfigMgr
        $Tier1SQLPath = "OU=SQL,$($Tier1Path)" # ESAE\Tier1\SQL
        $Tier1DHCPPath = "OU=DHCP,$($Tier1Path)" # ESAE\Tier1\DHCP
        $Tier1FileServerPath = "OU=Fileserver,$($Tier1Path)" # ESAE\Tier1\Fileserver
        $Tier1ExchangePath = "OU=Exchange,$($Tier1Path)" # ESAE\Tier1\Exchange

        # Tier2
        $Tier2Path = "OU=Tier 2,$($ESAEPath)" # ESAE\Tier2

        $OUsForWithDefault = @(
            $PAWPath
            $Tier0PKIPath
            $Tier0SQLPath
            $Tier0ADFSPath
            $Tier0ADSyncPath
            $Tier1ExchangePath
            $Tier1ConfigMgrPath
            $Tier1SQLPath
            $Tier1DHCPPath
            $Tier1FileServerPath
            $Tier2Path
        )
        foreach ($OU in $OUsForWithDefault) {
            Add-ESAEADOU -OUs $DefaultSubOUs -Path $OU
        }
    }
    catch {
        $ErrorMessage = "error creating ous - $($PSItem.Exception.Message)"
        Write-ToLogOrConsole @LogParam -Severity Error -Message $ErrorMessage
        throw $ErrorMessage
    }
    #endregion

    #region groups
    try {
        Write-ToLogOrConsole @LogParam -Severity Info -Message "creating groups"
        # PAW
        $GroupNames = 'T0-Allowed', 'T1-Allowed', 'T2-Allowed', 'T0-Denied', 'T1-Denied', 'T2-Denied'
        $GroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($ESAEPath)"
        }
        $PAWGroupNames = 'PAW-Devices', 'PAW-Maintenance', 'PAW-Users'
        $PAWGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($PAWPath)"
        }

        # T0
        $Tier0ADGroupNames = 'T0-CloudAdmins', 'T0-DomAdmins', 'T0-EntAdmins', 'T0-RODCAdmins', 'T0-SchAdmins'
        $Tier0ADGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier0ADPath)"
        }
        $Tier0PKIGroupNames = 'T0-PKIAdmins', 'T0-PKISCAgents'
        $Tier0PKIGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier0PKIPath)"
        }
        $Tier0SQLGroupNames = 'T0-SQLAdmins', 'T0-SQLServers'
        $Tier0SQLGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier0SQLPath)"
        }
        $Tier0ADFSGroupNames = 'T0-ADFSAdmins', 'T0-ADFSServers', 'T0-ADFSSQLServers'
        $Tier0ADFSGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier0ADFSPath)"
        }
        $Tier0ADSyncGroupNames = 'T0-ADSyncAdmins', 'T0-ADSyncServers', 'T0-ADSyncSQLServers'
        $Tier0ADSyncGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier0ADSyncPath)"
        }

        # T1
        $Tier1ExchangeGroupNames = 'T1-ExAdmins', 'T1-ExAllowed', 'T1-ExMaintenance', 'T1-ExMBXAdmins', 'T1-ExOrgAdmins'
        $Tier1ExchangeGroupNames | ForEach-Object { 
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier1ExchangePath)"
        }
        $Tier1CMGroupNames = 'T1-CMAdmins', 'T1-CMServers', 'T1-CMSQLServers'
        $Tier1CMGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier1ConfigMgrPath)"
        }
        $Tier1SQLGroupNames = 'T1-SQLAdmins', 'T1-SQLServers'
        $Tier1SQLGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier1SQLPath)"
        }
        $Tier1DHCPGroupNames = 'T1-DHCPAdmins', 'T1-DHCPServers'
        $Tier1DHCPGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier1DHCPPath)"
        }
        $Tier1FileServerGroupNames = 'T1-FileServerAdmins', 'T1-FileServerServers'
        $Tier1FileServerGroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier1FileServerPath)"
        }

        # T2
        $Tier2GroupNames = 'T2-HelpDesk'
        $Tier2GroupNames | ForEach-Object {
            New-ESAEADGroup -Name $PSItem -Path "OU=Groups,$($Tier2Path)"
        }
    }
    catch {
        $ErrorMessage = "error creating groups - $($PSItem.Exception.Message)"
        Write-ToLogOrConsole @LogParam -Severity Error -Message $ErrorMessage
        throw $ErrorMessage
    }
    #endregion

    #region users
    try {
        Write-ToLogOrConsole @LogParam -Severity Info -Message "creating users"
        $Password = ConvertTo-SecureString -String 'C0mplex' -AsPlainText -Force

        # PAW
        $PAWUserNames = 'PAWMan1'
        $PAWUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($PAWPath)" -Domain $Domain.Forest -Password $Password
        }
    
        # T0
        $Tier0ADUserNames = 'T0-DomAdmin1', 'T0-EntAdmin1'
        $Tier0ADUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier0ADPath)" -Domain $Domain.Forest -Password $Password
        }
        $Tier0PKIUserNames = 'T0-PKIAdmin1', 'T0-PKISCA1'
        $Tier0PKIUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier0PKIPath)" -Domain $Domain.Forest -Password $Password
        }
        $Tier0SQLUserNames = 'T0-SQLAdmin1', 'T0-SQLAdmin2'
        $Tier0SQLUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier0SQLPath)" -Domain $Domain.Forest -Password $Password
        }
        $Tier0ADFSUserNames = 'T0-ADFSAdmin1', 'T0-ADFSAdmin2'
        $Tier0ADFSUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier0ADFSPath)" -Domain $Domain.Forest -Password $Password
        }
        $Tier0ADSyncUserNames = 'T0-ADSyncAdmin1', 'T0-ADSyncAdmin2'
        $Tier0ADSyncUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier0ADSyncPath)" -Domain $Domain.Forest -Password $Password
        }
    
        # T1
        $Tier1ExchangeUserNames = 'T1-ExAdmin1', 'T1-ExAdmin2'
        $Tier1ExchangeUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier1ExchangePath)" -Domain $Domain.Forest -Password $Password
        }
        $Tier1CMUserNames = 'T1-CMAdmin1', 'T1-CMAdmin2', 'T1-CMSQLRPT'
        $Tier1CMUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier1ConfigMgrPath)" -Domain $Domain.Forest -Password $Password
        }
        $Tier1SQLUserNames = 'T1-SQLAdmin1', 'T1-SQLAdmin2'
        $Tier1SQLUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier1SQLPath)" -Domain $Domain.Forest -Password $Password
        }

        $Tier1DHCPUserNames = 'T1-DHCPAdmin1', 'T1-DHCPAdmin2'
        $Tier1DHCPUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier1DHCPPath)" -Domain $Domain.Forest -Password $Password
        }

        $Tier1FileServerUserNames = 'T1-FileServerAdmin1', 'T1-FileServerAdmin2'
        $Tier1FileServerUserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier1FileServerPath)" -Domain $Domain.Forest -Password $Password
        }
    
        # T2
        $Tier2UserNames = 'T2-HelpDesk1', 'T2-HelpDesk2'
        $Tier2UserNames | ForEach-Object {
            New-ESAEADUser -Name $PSItem -Path "OU=Accounts,$($Tier2Path)" -Domain $Domain.Forest -Password $Password
        }
    }
    catch {
        $ErrorMessage = "error creating users - $($PSItem.Exception.Message)"
        Write-ToLogOrConsole @LogParam -Severity Error -Message $ErrorMessage
        throw $ErrorMessage
    }
    #endregion

    #region gmsa
    try {
        Write-ToLogOrConsole @LogParam -Severity Info -Message "creating gmsa"
        Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null

        # T0
        New-ESAEADServiceAccount -Name "T0-SQLSvc" -DNSHostName "T0-SQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-SQLServers"
        New-ESAEADServiceAccount -Name "T0-SQLAgt" -DNSHostName "T0-SQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-SQLServers"
        # T0\ADFS
        New-ESAEADServiceAccount -Name "T0-ADFSSvc" -DNSHostName "T0-ADFSSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-ADFSServers"
        New-ESAEADServiceAccount -Name "T0-ADFSSQLSvc" -DNSHostName "T0-ADFSSQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-ADFSSQLServers"
        New-ESAEADServiceAccount -Name "T0-ADFSSQLAgt" -DNSHostName "T0-ADFSSQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-ADFSSQLServers"
        # T0\ADSync
        New-ESAEADServiceAccount -Name "T0-ADSyncSvc" -DNSHostName "T0-ADSyncSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-ADSyncServers"
        New-ESAEADServiceAccount -Name "T0-ADSyncSQLSvc" -DNSHostName "T0-ADSyncSQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-ADSyncSQLServers"
        New-ESAEADServiceAccount -Name "T0-ADSyncSQLAgt" -DNSHostName "T0-ADSyncSQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T0-ADSyncSQLServers"

        # T1
        New-ESAEADServiceAccount -Name "T1-SQLSvc" -DNSHostName "T1-SQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T1-SQLServers"
        New-ESAEADServiceAccount -Name "T1-SQLAgt" -DNSHostName "T1-SQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T1-SQLServers"
        # T1\ConfigMgr
        New-ESAEADServiceAccount -Name "T1-CMSQLSvc" -DNSHostName "T1-CMSQLSvc.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T1-CMSQLServers"
        New-ESAEADServiceAccount -Name "T1-CMSQLAgt" -DNSHostName "T1-CMSQLAgt.$($Domain.Forest)" -PrincipalsAllowedToRetrieveManagedPwdGroup "T1-CMSQLServers"
    }
    catch {
        $ErrorMessage = "error creating gmsa - $($PSItem.Exception.Message)"
        Write-ToLogOrConsole @LogParam -Severity Error -Message $ErrorMessage
        throw $ErrorMessage
    }
    #endregion

    #region group membership
    try {
        Write-ToLogOrConsole @LogParam -Severity Info -Message "creating group membership"
        # Tier Groups
        $Tier0AllowedGroups = 'T0-CloudAdmins', 'T0-DomAdmins', 'T0-EntAdmins', 'T0-RODCAdmins', 'T0-SchAdmins', 'T0-PKIAdmins', 'T0-PKISCAgents', 'T0-SQLAdmins', 'T0-ADFSAdmins', 'T0-ADSyncAdmins'
        $Tier1AllowedGroups = 'T1-CMAdmins', 'T1-ExAdmins', 'T1-ExAllowed', 'T1-ExMaintenance', 'T1-ExMBXAdmins', 'T1-ExOrgAdmins', 'T1-SQLAdmins'
        $Tier2AllowedGroups = 'T2-HelpDesk'
        Add-ESAEADGroupMember -Group 'T0-Allowed' -Members $Tier0AllowedGroups
        Add-ESAEADGroupMember -Group 'T0-Denied' -Members ($Tier1AllowedGroups + $Tier2AllowedGroups)
        Add-ESAEADGroupMember -Group 'T1-Allowed' -Members $Tier1AllowedGroups
        Add-ESAEADGroupMember -Group 'T1-Denied' -Members ($Tier0AllowedGroups + $Tier2AllowedGroups)
        Add-ESAEADGroupMember -Group 'T2-Allowed' -Members $Tier2AllowedGroups
        Add-ESAEADGroupMember -Group 'T2-Denied' -Members ($Tier0AllowedGroups + $Tier1AllowedGroups)

        # PAW
        Add-ESAEADGroupMember -Group 'PAW-Maintenance' -Members 'PAWMan1'

        # T0
        Add-ESAEADGroupMember -Group 'Domain Admins' -Members 'T0-DomAdmin1'
        Add-ESAEADGroupMember -Group 'Enterprise Admins' -Members 'T0-EntAdmin1'
        Add-ESAEADGroupMember -Group 'T0-PKIAdmins' -Members 'T0-PKIAdmin1'
        Add-ESAEADGroupMember -Group 'T0-PKISCAgents' -Members 'T0-PKISCA1'
        Add-ESAEADGroupMember -Group 'T0-SQLAdmins' -Members 'T0-SQLAdmin1', 'T0-SQLAdmin2'

        # T1
        Add-ESAEADGroupMember -Group 'T1-ExAdmins' -Members 'T1-ExAdmin1', 'T1-ExAdmin2'
        Add-ESAEADGroupMember -Group 'T1-CMAdmins' -Members 'T1-CMAdmin1', 'T1-CMAdmin2'
        Add-ESAEADGroupMember -Group 'T1-SQLAdmins' -Members 'T1-SQLAdmin1', 'T1-SQLAdmin2'
        Add-ESAEADGroupMember -Group 'T1-DHCPAdmins' -Members 'T1-DHCPAdmin1', 'T1-DHCPAdmin2'
        Add-ESAEADGroupMember -Group 'T1-FileServerAdmins' -Members 'T1-FileServerAdmin1', 'T1-FileServerAdmin2'

        # T2
        Add-ESAEADGroupMember -Group 'T2-HelpDesk' -Members 'T2-HelpDesk1', 'T2-HelpDesk2'
    }
    catch {
        $ErrorMessage = "error creating group memberships - $($PSItem.Exception.Message)"
        Write-ToLogOrConsole @LogParam -Severity Error -Message $ErrorMessage
        throw $ErrorMessage
    }
    #endregion
}

function Repair-DFSRReplication {
    <#
        .Description
        this will forcefully repair dfsr replication on the domain, use with care
 
        .Example
        # this will forcefully repair dfsr replication on the domain
        Repair-DFSRReplication
 
        .NOTES
        must be executed on a domain controller
         
    #>


    $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
    $PDC = (Get-ADDomain).PDCEmulator
    $DCs = Get-ADObject -Filter { (objectclass -eq "computer") } -SearchBase "OU=Domain Controllers,$Domain" -Properties Name | Sort-Object Name
    
    $DCs | ForEach-Object {
        Invoke-Command -ComputerName $PSItem.Name -ScriptBlock {
            try {
                $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
                $PDC = (Get-ADDomain).PDCEmulator
                $sysvolADObject = Get-ADObject -Filter { (objectclass -eq "msDFSR-Subscription") } `
                    -SearchBase "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$($env:COMPUTERNAME),OU=Domain Controllers,$Domain"`
                    -Properties "msDFSR-Options", "msDFSR-Enabled"
        
                Write-Output "Restarting NIC to correct Network Profile"
                $NetAdapter = Get-NetAdapter 
                $NetAdapter[0] | Restart-NetAdapter -Confirm:$false
    
                Write-Output "Installing DFSR Management Tools"
                Install-WindowsFeature -Name RSAT-DFS-Mgmt-Con | Out-Null
                if ($($PDC).Contains($env:COMPUTERNAME)) {
                    Write-Output "Setting msDFSR-Options to 1"
                    Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Options" = 1 }
                }
                Write-Output "Setting msDFSR-Enabled to false"
                Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Enabled" = $false }
            }
            catch {
                throw $PSItem.Exception.Message
            }
        }
    }
    
    Write-Output "Forcing AD Replication"
    repadmin /syncall /P /e
    Start-Sleep(10)

    Invoke-Command -ComputerName $PDC -ScriptBlock {
        try {
            $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
            $sysvolADObject = Get-ADObject -Filter { (objectclass -eq "msDFSR-Subscription") } `
                -SearchBase "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$($env:COMPUTERNAME),OU=Domain Controllers,$Domain"`
                -Properties "msDFSR-Options", "msDFSR-Enabled"
            Write-Output "Restarting DFSR Service"
            Restart-Service DFSR 
            Start-Sleep(20)
            Write-Output "Setting msDFSR-Enabled to true"
            Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Enabled" = $true }
            Write-Output "Forcing AD Replication"
            repadmin /syncall /P /e
            Start-Sleep(10)
            Write-Output "Executing DFSRDIAG"
            dfsrdiag pollad
        }
        catch {
            $PSItem.Exception.Message
        }
    }
    
    $DCs | ForEach-Object {
        Invoke-Command -ComputerName $PSItem.Name -ScriptBlock {
            try {
                $Domain = (Get-ADDomain -Current LoggedOnUser).DistinguishedName
                $PDC = (Get-ADDomain).PDCEmulator
                $sysvolADObject = Get-ADObject -Filter { (objectclass -eq "msDFSR-Subscription") } `
                    -SearchBase "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$($env:COMPUTERNAME),OU=Domain Controllers,$Domain"`
                    -Properties "msDFSR-Options", "msDFSR-Enabled"
                if (!$($PDC).Contains($($env:COMPUTERNAME))) {
                    Write-Output "Restarting DFSR Service"
                    Restart-Service DFSR 
                    Start-Sleep(20)
                    Write-Output "Setting msDFSR-Enabled to true"
                    Set-ADObject -Identity $sysvolADObject.DistinguishedName -Replace @{"msDFSR-Enabled" = $true }
                    Write-Output "Executing DFSRDIAG"
                    dfsrdiag pollad  
                }
            }
            catch {
                throw $PSItem.Exception.Message
            }
        }
    }
}

function Compare-DFSRObject {
    [CmdletBinding()]

    $Domain = Get-ADDomain -Current LoggedOnUser
    $PDC = (Get-ADDomain).PDCEmulator
    $DCs = Get-ADObject -Filter { (objectclass -eq "computer") } -SearchBase "OU=Domain Controllers,$($Domain.DistinguishedName)" -Properties Name,DNSHostName | Where-Object -Property Name -NE "AzureADKerberos" | Sort-Object Name

    $Polices_CompareObject = @{}
    $Scripts_CompareObject = @{}

    # Get Files
    Write-Output "Getting data for comparison"
    $DCs | ForEach-Object {
        # C:\Windows\SYSVOL\sysvol\AZURE-HYBRID.DE\
        $PoliciesPath = "\\$($PSItem.DNSHostName)\C$\Windows\SYSVOL\domain\Policies"
        $ScriptsPath = "\\$($PSItem.DNSHostName)\C$\Windows\SYSVOL\domain\scripts"

        $Polices_CompareObject.add("$($PSItem.DNSHostName)",$(Get-ChildItem -Path $PoliciesPath).count)
        $Scripts_CompareObject.add("$($PSItem.DNSHostName)",$(Get-ChildItem -Path $ScriptsPath).count)
    }

    # Compare files count
    Write-Output "Comparing data"
    $Polices_CompareObject.Keys | ForEach-Object {
        if($Polices_CompareObject."$($PDC)" -ne $Polices_CompareObject.$($PSItem)) {
            Write-Output "--------------------------------------------------------"
            Write-Warning "$($PSItem) is not in sync with $($PDC) at folder Policies"
            Write-Warning "$($PDC): $($Polices_CompareObject."$($PDC.Trim())") <---> $($PSItem): $($Polices_CompareObject.$($PSItem))"            
        }
        else {
            Write-Output "$($PSItem) is in sync with $($PDC) at folder Policies"
        }
    }
    $Scripts_CompareObject.Keys | ForEach-Object {
        if($Scripts_CompareObject."$($PDC)" -ne $Scripts_CompareObject.$($PSItem)) {
            Write-Output "--------------------------------------------------------"
            Write-Warning "$($PSItem) is not in sync with $($PDC) at folder Scripts"
            Write-Warning "$($PDC): $($Scripts_CompareObject."$($PDC.Trim())") <---> $($PSItem): $($Scripts_CompareObject.$($PSItem))"            
        }
        else {
            Write-Output "$($PSItem) is in sync with $($PDC) at folder Scripts"
        }
    }
}