src/Private/Get-AdRootDsePath.ps1

function Get-AdRootDsePath {
    <#
    .SYNOPSIS
        Builds the ADSI binding path for the RootDSE of the current (or a named) server.
    .DESCRIPTION
        RootDSE is a special phantom object - the only object that carries the constructed
        `defaultNamingContext` attribute. It is reachable ONLY via the literal path 'LDAP://RootDSE'
        (serverless) or 'LDAP://<server>/RootDSE' (explicit server). Binding 'LDAP://<server>' on its
        own resolves to the default naming-context head (the domain object), which does NOT expose
        `defaultNamingContext` - so the '/RootDSE' suffix is required whenever a server is named, e.g.
        in forest mode where each domain is bound by its DNS name.

        Pure string construction, factored out so the binding path can be unit-tested without a live
        directory.
    .OUTPUTS
        [string] the ADSI RootDSE path, e.g. 'LDAP://RootDSE' or 'LDAP://na.contoso.com/RootDSE'.
    #>

    [CmdletBinding()]
    param(
        [string] $Server
    )
    if ($Server) { return "LDAP://$Server/RootDSE" }
    return 'LDAP://RootDSE'
}