DSCResources/MSFT_ADForestProperties/MSFT_ADForestProperties.psm1

$resourceModulePath = Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent
$modulesFolderPath = Join-Path -Path $resourceModulePath -ChildPath 'Modules'

$aDCommonModulePath = Join-Path -Path $modulesFolderPath -ChildPath 'ActiveDirectoryDsc.Common'
Import-Module -Name $aDCommonModulePath

$dscResourceCommonModulePath = Join-Path -Path $modulesFolderPath -ChildPath 'DscResource.Common'
Import-Module -Name $dscResourceCommonModulePath

$script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US'

$script:psModuleName = 'ActiveDirectory'

<#
    .SYNOPSIS
        Gets the current state of user principal name and service principal name suffixes in the forest.
 
    .PARAMETER Credential
        The user account credentials to use to perform this task.
 
    .PARAMETER ForestName
        The target Active Directory forest for the change.
 
    .PARAMETER ServicePrincipalNameSuffixToAdd
        The Service Principal Name Suffix(es) to add in the forest. Cannot be used with ServicePrincipalNameSuffix.
 
    .PARAMETER ServicePrincipalNameSuffixToRemove
        The Service Principal Name Suffix(es) to remove in the forest. Cannot be used with ServicePrincipalNameSuffix.
 
    .PARAMETER UserPrincipalNameSuffixToAdd
        The User Principal Name Suffix(es) to add in the forest. Cannot be used with UserPrincipalNameSuffix.
 
    .PARAMETER UserPrincipalNameSuffixToRemove
        The User Principal Name Suffix(es) to remove in the forest. Cannot be used with UserPrincipalNameSuffix.
 
    .NOTES
        Used Functions:
            Name | Module
            ------------------------------|--------------------------
            Assert-Module | DscResource.Common
            New-CimCredentialInstance | ActiveDirectoryDsc.Common
            Get-ADForest | ActiveDirectory
            Get-ADObject | ActiveDirectory
            Get-ADRootDSE | ActiveDirectory
#>

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ForestName,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffix,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffixToAdd,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffixToRemove,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffix,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffixToAdd,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffixToRemove
    )

    Assert-Module -ModuleName $script:psModuleName

    Write-Verbose -Message ($script:localizedData.GetForest -f $ForestName)
    $forest = Get-ADForest -Identity $ForestName

    $configurationNamingContext = (Get-ADRootDSE).configurationNamingContext
    $identity = "CN=Directory Service,CN=Windows NT,CN=Services,$configurationNamingContext"
    $tombstoneLifetime = (Get-ADObject -Identity $identity -Partition $configurationNamingContext `
            -Properties 'tombstonelifetime').tombstonelifetime

    if ($PSBoundParameters.ContainsKey('Credential'))
    {
        $cimCredential = New-CimCredentialInstance -Credential $Credential
    }
    else
    {
        $cimCredential = $null
    }

    return @{
        Credential                         = $cimCredential
        ForestName                         = $forest.Name
        ServicePrincipalNameSuffix         = [System.Array] $forest.SpnSuffixes
        ServicePrincipalNameSuffixToAdd    = [System.Array] $ServicePrincipalNameSuffixToAdd
        ServicePrincipalNameSuffixToRemove = [System.Array] $ServicePrincipalNameSuffixToRemove
        TombstoneLifetime                  = $tombstoneLifetime
        UserPrincipalNameSuffix            = [System.Array] $forest.UpnSuffixes
        UserPrincipalNameSuffixToAdd       = [System.Array] $UserPrincipalNameSuffixToAdd
        UserPrincipalNameSuffixToRemove    = [System.Array] $UserPrincipalNameSuffixToRemove
    }
}

<#
    .SYNOPSIS
        Tests the current state of user principal name and service principal name suffixes in the forest.
 
    .PARAMETER Credential
        The user account credentials to use to perform this task.
 
    .PARAMETER ForestName
        The target Active Directory forest for the change.
 
    .PARAMETER ServicePrincipalNameSuffix
        The Service Principal Name Suffix(es) to be explicitly defined in the forest and replace existing
        members. Cannot be used with ServicePrincipalNameSuffixToAdd or ServicePrincipalNameSuffixToRemove.
 
    .PARAMETER ServicePrincipalNameSuffixToAdd
        The Service Principal Name Suffix(es) to add in the forest. Cannot be used with ServicePrincipalNameSuffix.
 
    .PARAMETER ServicePrincipalNameSuffixToRemove
        The Service Principal Name Suffix(es) to remove in the forest. Cannot be used with ServicePrincipalNameSuffix.
 
    .PARAMETER TombstoneLifetime
        Specifies the AD Tombstone lifetime which determines how long deleted items exist in Active Directory before
        they are purged.
 
    .PARAMETER UserPrincipalNameSuffix
        The User Principal Name Suffix(es) to be explicitly defined in the forest and replace existing
        members. Cannot be used with UserPrincipalNameSuffixToAdd or UserPrincipalNameSuffixToRemove.
 
    .PARAMETER UserPrincipalNameSuffixToAdd
        The User Principal Name Suffix(es) to add in the forest. Cannot be used with UserPrincipalNameSuffix.
 
    .PARAMETER UserPrincipalNameSuffixToRemove
        The User Principal Name Suffix(es) to remove in the forest. Cannot be used with UserPrincipalNameSuffix.
 
    .NOTES
        Used Functions:
            Name | Module
            ------------------------------|--------------------------
            Assert-MemberParameters | ActiveDirectoryDsc.Common
            Assert-Module | DscResource.Common
            Test-Members | ActiveDirectoryDsc.Common
#>

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ForestName,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffix,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffixToAdd,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffixToRemove,

        [Parameter()]
        [System.Int32]
        $TombstoneLifetime,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffix,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffixToAdd,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffixToRemove
    )

    Assert-Module -ModuleName $script:psModuleName

    $inDesiredState = $true

    $targetResource = Get-TargetResource -ForestName $ForestName

    # Validate parameters before we even attempt to retrieve anything
    $assertMemberParameters = @{}

    if ($PSBoundParameters.ContainsKey('ServicePrincipalNameSuffix') -and
        -not [system.string]::IsNullOrEmpty($ServicePrincipalNameSuffix))
    {
        $assertMemberParameters['Members'] = $ServicePrincipalNameSuffix
    }

    if ($PSBoundParameters.ContainsKey('ServicePrincipalNameSuffixToAdd') -and
        -not [system.string]::IsNullOrEmpty($ServicePrincipalNameSuffixToAdd))
    {
        $assertMemberParameters['MembersToInclude'] = $ServicePrincipalNameSuffixToAdd
    }

    if ($PSBoundParameters.ContainsKey('ServicePrincipalNameSuffixToRemove') -and
        -not [system.string]::IsNullOrEmpty($ServicePrincipalNameSuffixToRemove))
    {
        $assertMemberParameters['MembersToExclude'] = $ServicePrincipalNameSuffixToRemove
    }

    Assert-MemberParameters @assertMemberParameters -ErrorAction Stop

    if (-not ( Test-Members @assertMemberParameters -ExistingMembers ($targetResource.ServicePrincipalNameSuffix -split ',') ))
    {
        Write-Verbose -Message ($script:localizedData.ForestSpnSuffixNotInDesiredState -f $ForestName)
        $inDesiredState = $false
    }

    $assertMemberParameters = @{}

    if ($PSBoundParameters.ContainsKey('UserPrincipalNameSuffix') -and
        -not [system.string]::IsNullOrEmpty($UserPrincipalNameSuffix))
    {
        $assertMemberParameters['Members'] = $UserPrincipalNameSuffix
    }

    if ($PSBoundParameters.ContainsKey('UserPrincipalNameSuffixToAdd') -and
        -not [system.string]::IsNullOrEmpty($UserPrincipalNameSuffixToAdd))
    {
        $assertMemberParameters['MembersToInclude'] = $UserPrincipalNameSuffixToAdd
    }

    if ($PSBoundParameters.ContainsKey('UserPrincipalNameSuffixToRemove') -and
        -not [system.string]::IsNullOrEmpty($UserPrincipalNameSuffixToRemove))
    {
        $assertMemberParameters['MembersToExclude'] = $UserPrincipalNameSuffixToRemove
    }

    Assert-MemberParameters @assertMemberParameters -ErrorAction Stop

    if (-not ( Test-Members @assertMemberParameters -ExistingMembers ($targetResource.UserPrincipalNameSuffix -split ',') ))
    {
        Write-Verbose -Message ($script:localizedData.ForestUpnSuffixNotInDesiredState -f $ForestName)

        $inDesiredState = $false
    }

    if ($PSBoundParameters.ContainsKey('TombstoneLifetime'))
    {
        if ($TombstoneLifetime -ne $targetResource.TombstoneLifetime)
        {
            Write-Verbose -Message ($script:localizedData.TombstoneLifetimeNotInDesiredState -f
                $ForestName, $targetResource.TombstoneLifetime, $TombstoneLifetime)

            $inDesiredState = $false
        }
    }

    return $inDesiredState
}

<#
    .SYNOPSIS
        Sets the user principal name and service principal name suffixes in the forest.
 
    .PARAMETER Credential
        The user account credentials to use to perform this task.
 
    .PARAMETER ForestName
        The target Active Directory forest for the change.
 
    .PARAMETER ServicePrincipalNameSuffix
        The Service Principal Name Suffix(es) to be explicitly defined in the forest and replace existing
        members. Cannot be used with ServicePrincipalNameSuffixToAdd or ServicePrincipalNameSuffixToRemove.
 
    .PARAMETER ServicePrincipalNameSuffixToAdd
        The Service Principal Name Suffix(es) to add in the forest. Cannot be used with ServicePrincipalNameSuffix.
 
    .PARAMETER ServicePrincipalNameSuffixToRemove
        The Service Principal Name Suffix(es) to remove in the forest. Cannot be used with ServicePrincipalNameSuffix.
 
    .PARAMETER TombstoneLifetime
        Specifies the AD Tombstone lifetime which determines how long deleted items exist in Active Directory before
        they are purged.
 
    .PARAMETER UserPrincipalNameSuffix
        The User Principal Name Suffix(es) to be explicitly defined in the forest and replace existing
        members. Cannot be used with UserPrincipalNameSuffixToAdd or UserPrincipalNameSuffixToRemove.
 
    .PARAMETER UserPrincipalNameSuffixToAdd
        The User Principal Name Suffix(es) to add in the forest. Cannot be used with UserPrincipalNameSuffix.
 
    .PARAMETER UserPrincipalNameSuffixToRemove
        The User Principal Name Suffix(es) to remove in the forest. Cannot be used with UserPrincipalNameSuffix.
 
    .NOTES
        Used Functions:
            Name | Module
            ------------------------------|--------------------------
            Assert-Module | DscResource.Common
            New-InvalidOperationException | DscResource.Common
            Get-ADRootDSE | ActiveDirectory
            Set-ADForest | ActiveDirectory
            Set-ODObject | ActiveDirectory
#>

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [System.String]
        $ForestName,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffix,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffixToAdd,

        [Parameter()]
        [System.String[]]
        $ServicePrincipalNameSuffixToRemove,

        [Parameter()]
        [System.Int32]
        $TombstoneLifetime,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffix,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffixToAdd,

        [Parameter()]
        [System.String[]]
        $UserPrincipalNameSuffixToRemove
    )

    Assert-Module -ModuleName $script:psModuleName

    $targetResource = Get-TargetResource -ForestName $ForestName

    $setADForestParameters = @{}

    # add ServicePrincipalName parameter
    if ($PSBoundParameters.ContainsKey('ServicePrincipalNameSuffix'))
    {
        if (-not [system.string]::IsNullOrEmpty($ServicePrincipalNameSuffix))
        {
            $setADForestParameters['SpnSuffixes'] = @{
                Replace = $($ServicePrincipalNameSuffix)
            }

            Write-Verbose -Message ($script:localizedData.ReplaceSpnSuffix -f
                ($ServicePrincipalNameSuffix -join ', '), $ForestName)
        }
        else
        {
            $setADForestParameters['SpnSuffixes'] = $null
            Write-Verbose -Message ($script:localizedData.ClearSpnSuffix -f $ForestName)
        }
    }

    if ($PSBoundParameters.ContainsKey('ServicePrincipalNameSuffixToAdd') -and
        -not [system.string]::IsNullOrEmpty($ServicePrincipalNameSuffixToAdd))
    {
        $setADForestParameters['SpnSuffixes'] = @{
            Add = $($ServicePrincipalNameSuffixToAdd)
        }

        Write-Verbose -Message ($script:localizedData.AddSpnSuffix -f
            ($ServicePrincipalNameSuffixToAdd -join ', '), $ForestName)
    }

    if ($PSBoundParameters.ContainsKey('ServicePrincipalNameSuffixToRemove') -and
        -not [system.string]::IsNullOrEmpty($ServicePrincipalNameSuffixToRemove))
    {
        if ($setADForestParameters['SpnSuffixes'])
        {
            $setADForestParameters['SpnSuffixes']['Remove'] = $($ServicePrincipalNameSuffixToRemove)
        }
        else
        {
            $setADForestParameters['SpnSuffixes'] = @{
                Remove = $($ServicePrincipalNameSuffixToRemove)
            }
        }

        Write-Verbose -Message ($script:localizedData.RemoveSpnSuffix -f
            ($ServicePrincipalNameSuffixToRemove -join ', '), $ForestName)
    }

    # add UserPrincipalName parameter
    if ($PSBoundParameters.ContainsKey('UserPrincipalNameSuffix'))
    {
        if (-not [system.string]::IsNullOrEmpty($UserPrincipalNameSuffix))
        {
            $setADForestParameters['UpnSuffixes'] = @{
                Replace = $($UserPrincipalNameSuffix)
            }

            Write-Verbose -Message ($script:localizedData.ReplaceUpnSuffix -f
                ($UserPrincipalNameSuffix -join ', '), $ForestName)
        }
        else
        {
            $setADForestParameters['UpnSuffixes'] = $null
            Write-Verbose -Message ($script:localizedData.ClearUpnSuffix -f $ForestName)
        }
    }

    if ($PSBoundParameters.ContainsKey('UserPrincipalNameSuffixToAdd') -and
        -not [system.string]::IsNullOrEmpty($UserPrincipalNameSuffixToAdd))
    {
        $setADForestParameters['UpnSuffixes'] = @{
            Add = $($UserPrincipalNameSuffixToAdd)
        }

        Write-Verbose -Message ($script:localizedData.AddUpnSuffix -f
            ($UserPrincipalNameSuffixToAdd -join ', '), $ForestName)
    }

    if ($PSBoundParameters.ContainsKey('UserPrincipalNameSuffixToRemove') -and
        -not [system.string]::IsNullOrEmpty($UserPrincipalNameSuffixToRemove))
    {
        if ($setADForestParameters['UpnSuffixes'])
        {
            $setADForestParameters['UpnSuffixes']['Remove'] = $($UserPrincipalNameSuffixToRemove)
        }
        else
        {
            $setADForestParameters['UpnSuffixes'] = @{
                Remove = $($UserPrincipalNameSuffixToRemove)
            }
        }

        Write-Verbose -Message ($script:localizedData.RemoveUpnSuffix -f
            ($UserPrincipalNameSuffixToRemove -join ', '), $ForestName)
    }

    # Only run Set-ADForest if a value needs updating
    if ($setADForestParameters.count -gt 0)
    {
        if ($PSBoundParameters.ContainsKey('Credential'))
        {
            $setADForestParameters['Credential'] = $Credential
        }

        $setADForestParameters['Identity'] = $ForestName

        Set-ADForest @setADForestParameters
    }

    if ($PSBoundParameters.ContainsKey('TombstoneLifetime') -and
        $TombstoneLifetime -ne $targetResource.TombstoneLifetime)
    {
        Write-Verbose -Message ($script:localizedData.SetTombstoneLifetime -f
            $TombstoneLifetime, $ForestName)

        $configurationNamingContext = (Get-ADRootDSE).configurationNamingContext
        $identity = "CN=Directory Service,CN=Windows NT,CN=Services,$configurationNamingContext"

        $setADObjectParameters = @{
            Identity  = $identity
            Partition = $configurationNamingContext
            Replace   = @{
                tombstonelifetime = $TombstoneLifetime
            }
        }

        if ($PSBoundParameters.ContainsKey('Credential'))
        {
            $setADObjectParameters['Credential'] = $Credential
        }

        try
        {
            Set-ADObject @setADObjectParameters
        }
        catch
        {
            $errorMessage = ($script:localizedData.SetTombstoneLifetimeError -f
                $TombstoneLifetime, $ForestName)
            New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
        }
    }
}