DSCResources/MSFT_xADDomain/MSFT_xADDomain.psm1
## Import the common AD functions $adCommonFunctions = Join-Path ` -Path (Split-Path -Path $PSScriptRoot -Parent) ` -ChildPath '\MSFT_xADCommon\MSFT_xADCommon.psm1' Import-Module -Name $adCommonFunctions # Localized messages data localizedData { # culture="en-US" ConvertFrom-StringData @' RoleNotFoundError = Please ensure that the PowerShell module for role '{0}' is installed. InvalidDomainError = Computer is a member of the wrong domain?! ExistingDomainMemberError = Computer is already a domain member. Cannot create a new '{0}' domain? InvalidCredentialError = Domain '{0}' is available, but invalid credentials were supplied. QueryDomainWithLocalCredential = Computer is a domain member; querying domain '{0}' using local credential ... QueryDomainWithCredential = Computer is a workgroup member; querying for domain '{0}' using supplied credential ... DomainFound = Active Directory domain '{0}' found. DomainNotFound = Active Directory domain '{0}' cannot be found. CreatingChildDomain = Creating domain '{0}' as a child of domain '{1}' ... CreatedChildDomain = Child domain '{0}' created. CreatingForest = Creating AD forest '{0}' ... CreatedForest = AD forest '{0}' created. ResourcePropertyValueIncorrect = Property '{0}' value is incorrect; expected '{1}', actual '{2}'. ResourceInDesiredState = Resource '{0}' is in the desired state. ResourceNotInDesiredState = Resource '{0}' is NOT in the desired state. RetryingGetADDomain = Attempt {0} of {1} to call Get-ADDomain failed, retrying in {2} seconds. UnhandledError = Unhandled error occured, detail here: {0} FaultExceptionAndDomainShouldExist = ServiceModel FaultException detected and domain should exist, performing retry... '@ } <# .SYNOPSIS Retrieves the name of the file that tracks the status of the xADDomain resource with the specified domain name. .PARAMETER DomainName The domain name of the xADDomain resource to retrieve the tracking file name of. .NOTES The tracking file is currently output to the environment's temp directory. This file is NOT removed when a configuration completes, so if another call to a xADDomain resource with the same domain name occurs in the same environment, this file will already be present. This is so that when another call is made to the same resource, the resource will not attempt to promote the machine to a domain controller again (which would cause an error). If the resource should be promoted to a domain controller once again, you must first remove this file from the environment's temp directory (usually C:\Temp). If in the future this functionality needs to change so that future configurations are not affected, $env:temp should be changed to the resource's cache location which is removed after each configuration. ($env:systemRoot\system32\Configuration\BuiltinProvCache\MSFT_xADDomain) #> function Get-TrackingFilename { [OutputType([String])] [CmdletBinding()] param( [Parameter(Mandatory = $true)] [String] $DomainName ) return Join-Path -Path ($env:temp) -ChildPath ('{0}.xADDomain.completed' -f $DomainName) } function Get-TargetResource { [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory)] [String] $DomainName, [Parameter(Mandatory)] [PSCredential] $DomainAdministratorCredential, [Parameter(Mandatory)] [PSCredential] $SafemodeAdministratorPassword, [Parameter()] [ValidateNotNullOrEmpty()] [String] $ParentDomainName, [Parameter()] [ValidateNotNullOrEmpty()] [String] $DomainNetBIOSName, [Parameter()] [ValidateNotNullOrEmpty()] [PSCredential] $DnsDelegationCredential, [Parameter()] [ValidateNotNullOrEmpty()] [String] $DatabasePath, [Parameter()] [ValidateNotNullOrEmpty()] [String] $LogPath, [Parameter()] [ValidateNotNullOrEmpty()] [String] $SysvolPath, [Parameter()] [ValidateSet('Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold')] [String] $ForestMode, [Parameter()] [ValidateSet('Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold')] [String] $DomainMode ) Assert-Module -ModuleName 'ADDSDeployment'; $domainFQDN = Resolve-DomainFQDN -DomainName $DomainName -ParentDomainName $ParentDomainName; $isDomainMember = Test-DomainMember; $retries = 0 $maxRetries = 5 $retryIntervalInSeconds = 30 $domainShouldExist = (Test-Path (Get-TrackingFilename -DomainName $DomainName)) do { try { if ($isDomainMember) { ## We're already a domain member, so take the credentials out of the equation Write-Verbose ($localizedData.QueryDomainADWithLocalCredentials -f $domainFQDN); $domain = Get-ADDomain -Identity $domainFQDN -ErrorAction Stop; $forest = Get-ADForest -Identity $domain.Forest -ErrorAction Stop } else { Write-Verbose ($localizedData.QueryDomainWithCredential -f $domainFQDN); $domain = Get-ADDomain -Identity $domainFQDN -Credential $DomainAdministratorCredential -ErrorAction Stop $forest = Get-ADForest -Identity $domain.Forest -Credential $DomainAdministratorCredential -ErrorAction Stop } ## No need to check whether the node is actually a domain controller. If we don't throw an exception, ## the domain is already UP - and this resource shouldn't run. Domain controller functionality ## should be checked by the xADDomainController resource? Write-Verbose ($localizedData.DomainFound -f $domain.DnsRoot); $targetResource = @{ DomainName = $domain.DnsRoot; ParentDomainName = $domain.ParentDomain; DomainNetBIOSName = $domain.NetBIOSName; ForestMode = (ConvertTo-DeploymentForestMode -Mode $forest.ForestMode) -as [String] DomainMode = (ConvertTo-DeploymentDomainMode -Mode $domain.DomainMode) -as [String] } return $targetResource; } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $errorMessage = $localizedData.ExistingDomainMemberError -f $DomainName; ThrowInvalidOperationError -ErrorId 'xADDomain_DomainMember' -ErrorMessage $errorMessage; } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { Write-Verbose ($localizedData.DomainNotFound -f $domainFQDN) $domain = @{ }; # will fall into retry mechanism } catch [System.Security.Authentication.AuthenticationException] { $errorMessage = $localizedData.InvalidCredentialError -f $DomainName; ThrowInvalidOperationError -ErrorId 'xADDomain_InvalidCredential' -ErrorMessage $errorMessage; } catch { $errorMessage = $localizedData.UnhandledError -f ($_.Exception | Format-List -Force | Out-String) Write-Verbose $errorMessage if ($domainShouldExist -and ($_.Exception.InnerException -is [System.ServiceModel.FaultException])) { Write-Verbose $localizedData.FaultExceptionAndDomainShouldExist # will fall into retry mechanism } else { ## Not sure what's gone on here! throw $_ } } if($domainShouldExist) { $retries++ Write-Verbose ($localizedData.RetryingGetADDomain -f $retries, $maxRetries, $retryIntervalInSeconds) Start-Sleep -Seconds ($retries * $retryIntervalInSeconds) } } while ($domainShouldExist -and ($retries -le $maxRetries) ) } #end function Get-TargetResource function Test-TargetResource { [OutputType([System.Boolean])] param ( [Parameter(Mandatory)] [String] $DomainName, [Parameter(Mandatory)] [PSCredential] $DomainAdministratorCredential, [Parameter(Mandatory)] [PSCredential] $SafemodeAdministratorPassword, [Parameter()] [ValidateNotNullOrEmpty()] [String] $ParentDomainName, [Parameter()] [ValidateNotNullOrEmpty()] [String] $DomainNetBIOSName, [Parameter()] [ValidateNotNullOrEmpty()] [PSCredential] $DnsDelegationCredential, [Parameter()] [ValidateNotNullOrEmpty()] [String] $DatabasePath, [Parameter()] [ValidateNotNullOrEmpty()] [String] $LogPath, [Parameter()] [ValidateNotNullOrEmpty()] [String] $SysvolPath, [Parameter()] [ValidateSet('Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold')] [String] $ForestMode, [Parameter()] [ValidateSet('Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold')] [String] $DomainMode ) $targetResource = Get-TargetResource @PSBoundParameters $isCompliant = $true; ## The Get-Target resource returns .DomainName as the domain's FQDN. Therefore, we ## need to resolve this before comparison. $domainFQDN = Resolve-DomainFQDN -DomainName $DomainName -ParentDomainName $ParentDomainName if ($domainFQDN -ne $targetResource.DomainName) { $message = $localizedData.ResourcePropertyValueIncorrect -f 'DomainName', $domainFQDN, $targetResource.DomainName; Write-Verbose -Message $message; $isCompliant = $false; } $propertyNames = @('ParentDomainName','DomainNetBIOSName'); foreach ($propertyName in $propertyNames) { if ($PSBoundParameters.ContainsKey($propertyName)) { $propertyValue = (Get-Variable -Name $propertyName).Value; if ($targetResource.$propertyName -ne $propertyValue) { $message = $localizedData.ResourcePropertyValueIncorrect -f $propertyName, $propertyValue, $targetResource.$propertyName; Write-Verbose -Message $message; $isCompliant = $false; } } } if ($isCompliant) { Write-Verbose -Message ($localizedData.ResourceInDesiredState -f $domainFQDN); return $true; } else { Write-Verbose -Message ($localizedData.ResourceNotInDesiredState -f $domainFQDN); return $false; } } #end function Test-TargetResource function Set-TargetResource { param ( [Parameter(Mandatory)] [String] $DomainName, [Parameter(Mandatory)] [PSCredential] $DomainAdministratorCredential, [Parameter(Mandatory)] [PSCredential] $SafemodeAdministratorPassword, [Parameter()] [ValidateNotNullOrEmpty()] [String] $ParentDomainName, [Parameter()] [ValidateNotNullOrEmpty()] [String] $DomainNetBIOSName, [Parameter()] [ValidateNotNullOrEmpty()] [PSCredential] $DnsDelegationCredential, [Parameter()] [ValidateNotNullOrEmpty()] [String] $DatabasePath, [Parameter()] [ValidateNotNullOrEmpty()] [String] $LogPath, [Parameter()] [ValidateNotNullOrEmpty()] [String] $SysvolPath, [Parameter()] [ValidateSet('Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold')] [String] $ForestMode, [Parameter()] [ValidateSet('Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold')] [String] $DomainMode ) # Debug can pause Install-ADDSForest/Install-ADDSDomain, so we remove it. [ref] $null = $PSBoundParameters.Remove('Debug'); ## Not entirely necessary, but run Get-TargetResouece to ensure we raise any pre-flight errors. $targetResource = Get-TargetResource @PSBoundParameters; $installADDSParams = @{ SafeModeAdministratorPassword = $SafemodeAdministratorPassword.Password; NoRebootOnCompletion = $true; Force = $true; } if ($PSBoundParameters.ContainsKey('DnsDelegationCredential')) { $installADDSParams['DnsDelegationCredential'] = $DnsDelegationCredential; $installADDSParams['CreateDnsDelegation'] = $true; } if ($PSBoundParameters.ContainsKey('DatabasePath')) { $installADDSParams['DatabasePath'] = $DatabasePath; } if ($PSBoundParameters.ContainsKey('LogPath')) { $installADDSParams['LogPath'] = $LogPath; } if ($PSBoundParameters.ContainsKey('SysvolPath')) { $installADDSParams['SysvolPath'] = $SysvolPath; } if ($PSBoundParameters.ContainsKey('DomainMode')) { $installADDSParams['DomainMode'] = $DomainMode; } if ($PSBoundParameters.ContainsKey('ParentDomainName')) { Write-Verbose -Message ($localizedData.CreatingChildDomain -f $DomainName, $ParentDomainName); $installADDSParams['Credential'] = $DomainAdministratorCredential $installADDSParams['NewDomainName'] = $DomainName $installADDSParams['ParentDomainName'] = $ParentDomainName $installADDSParams['DomainType'] = 'ChildDomain'; if ($PSBoundParameters.ContainsKey('DomainNetBIOSName')) { $installADDSParams['NewDomainNetbiosName'] = $DomainNetBIOSName; } Install-ADDSDomain @installADDSParams; Write-Verbose -Message ($localizedData.CreatedChildDomain); } else { Write-Verbose -Message ($localizedData.CreatingForest -f $DomainName); $installADDSParams['DomainName'] = $DomainName; if ($PSBoundParameters.ContainsKey('DomainNetbiosName')) { $installADDSParams['DomainNetbiosName'] = $DomainNetBIOSName; } if ($PSBoundParameters.ContainsKey('ForestMode')) { $installADDSParams['ForestMode'] = $ForestMode } Install-ADDSForest @installADDSParams; Write-Verbose -Message ($localizedData.CreatedForest -f $DomainName); } 'Finished' | Out-File -FilePath (Get-TrackingFilename -DomainName $DomainName) -Force # Signal to the LCM to reboot the node to compensate for the one we # suppressed from Install-ADDSForest/Install-ADDSDomain $global:DSCMachineStatus = 1 } #end function Set-TargetResource Export-ModuleMember -Function *-TargetResource; |