modules/deploy/dsc/ext/PsGallery/xAdcsDeployment.0.2.0.0/xCertificateServices/Examples/Config-SetupActiveDirectory.ps1

#region Param

param
(
    [String]$DomainName,

    [String]$DomainNetbiosName,

    [PSCredential]$Credential,
    
    [PSCredential]$DomainCredential,
    
    [PSCredential]$SafeModeAdministratorPassword,

    [String]$EncryptionCertificateThumbprint
)

#endregion

#region Decrypt

function Decrypt
{
    param
    (
        [Parameter(Mandatory)]
        [String]$Thumbprint,

        [Parameter(Mandatory)]
        [String]$Base64EncryptedValue
    )

    # Decode Base64 string
    $encryptedBytes = [System.Convert]::FromBase64String($Base64EncryptedValue)

    # Get certificate from store
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $store.open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $certificate = $store.Certificates | %{if($_.thumbprint -eq $Thumbprint){$_}}
   
    # Decrypt
    $decryptedBytes = $certificate.PrivateKey.Decrypt($encryptedBytes, $false)
    $decryptedValue = [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
    
    return $decryptedValue
}

if ($EncryptionCertificateThumbprint)
{
    Write-Verbose -Message "Decrypting parameters with certificate $EncryptionCertificateThumbprint..."

    $Password = Decrypt -Thumbprint $EncryptionCertificateThumbprint -Base64EncryptedValue $Password
    $SafeModeAdministratorPassword = Decrypt -Thumbprint $EncryptionCertificateThumbprint -Base64EncryptedValue $SafeModeAdministratorPassword

    Write-Verbose -Message "Successfully decrypted parameters."
}
else
{
    Write-Verbose -Message "No encryption certificate specified. Assuming cleartext parameters."
}

#endregion

#region Config Data

if ($env:COMPUTERNAME -match 'DC-Server\d\d') {
    $ConfigData = @{
        AllNodes = @(
             @{
                Nodename = $env:COMPUTERNAME
                ServerRole = 'Active Directory Domain Controller'
                DomainName = $DomainName
                DomainNetbiosName = $DomainNetbiosName
                Disk = 1
                Drive = 'F'
                PSDscAllowPlainTextPassword = $true
                Credential = $Credential
                DomainCredential = $DomainCredential
                SMCredential = $SafeModeAdministratorPassword
            }
        )
    }
}

if ($EncryptionCertificateThumbprint)
{
    $certificate = dir Cert:\LocalMachine\My\$EncryptionCertificateThumbprint
    $certificatePath = Join-Path -path $PSScriptRoot -childPath "EncryptionCertificate.cer"
    Export-Certificate -Cert $certificate -FilePath $certificatePath | Out-Null
    $configData = @{
        AllNodes = @(
            @{
                Nodename = "*"
                CertificateFile = $certificatePath
                Thumbprint = $EncryptionCertificateThumbprint
                PSDscAllowPlainTextPassword = $false
            }
        )
    }
}

#endregion

#region First DC Configuration Script

if ((test-path C:\Windows\temp\FirstDC.txt) -eq $True)
{
    configuration FirstDomainController
    {
        Import-DscResource -ModuleName xComputerManagement, xActiveDirectory, xCertificateServices

        node $AllNodes.Where{$_.ServerRole -eq 'Active Directory Domain Controller'}.Nodename
        {    
            xWaitForDisk SMA
            {
                DiskNumber = $Node.Disk
                RetryCount = 720
            }

            xDisk DataDisk
            {
                DiskNumber = $Node.Disk
                DriveLetter = $Node.Drive
                DependsOn = '[xWaitforDisk]SMA'
            }
        
            WindowsFeature AD-Domain-Services
            {
                   Ensure = 'Present'
                   Name = 'AD-Domain-Services'
            }
            
            WindowsFeature ADCS-Cert-Authority
            {
                   Ensure = 'Present'
                   Name = 'ADCS-Cert-Authority'
            }

            WindowsFeature ADCS-Web-Enrollment
            {
                Ensure = 'Present'
                Name = 'ADCS-Web-Enrollment'
            }

            xADDomain PrimaryDC
            {
                DomainAdministratorCredential = $Node.Credential
                DomainName = $Node.DomainName
                SafemodeAdministratorPassword = $Node.SMCredential
                DatabasePath = $Node.Drive + ":\NTDS"
                LogPath = $Node.Drive + ":\NTDS"
                SysvolPath = $Node.Drive + ":\SYSVOL"
                DependsOn = "[xDisk]DataDisk", "[WindowsFeature]AD-Domain-Services"
            }

            xADCSCertificationAuthority ADCS
            {
                Ensure = 'Present'
                Credential = $Node.Credential
                CAType = 'EnterpriseRootCA'
                DependsOn = '[WindowsFeature]ADCS-Cert-Authority'              
            }

            xADCSWebEnrollment CertSrv
            {
                Ensure = 'Absent'
                Name = 'CertSrv'
                Credential = $Node.Credential
                DependsOn = '[xADCSCertificationAuthority]ADCS'
            }

            LocalConfigurationManager
            {
                CertificateId = $node.Thumbprint
                ConfigurationMode = 'ApplyandAutoCorrect'
                RebootNodeIfNeeded = 'True'
            }
        }
    }

FirstDomainController -ConfigurationData $configData -OutputPath $PSScriptRoot

}

#endregion

#region DC Configuration Script

if ((test-path C:\Windows\temp\FirstDC.txt) -eq $False)
{
    configuration DomainController
    {
        Import-DscResource -ModuleName xComputerManagement, xActiveDirectory

        node $AllNodes.Where{$_.ServerRole -eq 'Active Directory Domain Controller'}.Nodename
        {    
             xWaitForDisk DataDisk
            {
                DiskNumber = $Node.Disk
                RetryCount = 720
            }

            xDisk DataDisk
            {
                DiskNumber = $Node.Disk
                DriveLetter = $Node.Drive
                DependsOn = '[xWaitforDisk]DataDisk'
            }
        
            WindowsFeature AD-Domain-Services
            {
                   Ensure = 'Present'
                   Name = 'AD-Domain-Services'
            }

            xWaitForADDomain WaitforDomain
            {
                DomainName = $Node.DomainName
                DomainUserCredential = $Node.DomainCredential
                RetryCount = 720
                RetryIntervalSec = 10
                DependsOn = "[WindowsFeature]AD-Domain-Services"
            }
        
            xADDomainController BackupDC
            {
                DomainAdministratorCredential = $Node.DomainCredential
                DomainName = $Node.DomainName
                SafemodeAdministratorPassword = $Node.SMCredential
                DatabasePath = $Node.Drive + ":\NTDS"
                LogPath = $Node.Drive + ":\NTDS"
                SysvolPath = $Node.Drive + ":\SYSVOL"
                DependsOn = '[xDisk]DataDisk', '[WindowsFeature]AD-Domain-Services', '[xWaitforADDomain]WaitforDomain'
            }

            LocalConfigurationManager
            {
                CertificateId = $node.Thumbprint
                ConfigurationMode = 'ApplyandAutoCorrect'
                RebootNodeIfNeeded = 'True'
            }
        }
    }

DomainController -ConfigurationData $configData -OutputPath $PSScriptRoot

}

#endregion

#region Apply MOF

winrm quickconfig -quiet

Set-DscLocalConfigurationManager -ComputerName $env:COMPUTERNAME -Path $PSScriptRoot -Verbose
Start-DscConfiguration -ComputerName $env:COMPUTERNAME -Path $PSScriptRoot -Force -Verbose -Wait

#endregion