xADDomainController: Add RODC Creation Support (#406)

- Changes to xAdDomainController
  - Add support for creating Read-Only Domain Controller (RODC) (issue #40).
  - Refactored unit tests for Test-TargetResource.

CHANGELOG.md

@@ -66,6 +66,11 @@
   - Added integration tests ([issue #348](https://github.com/PowerShell/xActiveDirectory/issues/348)).
 - Changes to xWaitForADDomain
   - Added comment-based help ([issue #341](https://github.com/PowerShell/xActiveDirectory/issues/341))
+- Changes to xAdDomainController
+  - Add support for creating Read-Only Domain Controller (RODC)
+    ([issue #40](https://github.com/PowerShell/xActiveDirectory/issues/40)).
+    [Svilen @SSvilen](https://github.com/SSvilen)
+  - Refactored unit tests for Test-TargetResource.
 
 ## 3.0.0.0
 

DSCResources/MSFT_xADDomainController/MSFT_xADDomainController.schema.mof

@@ -11,4 +11,7 @@ class MSFT_xADDomainController : OMI_BaseResource
     [Write, Description("The path of the media you want to use install the Domain Controller.")] String InstallationMediaPath;
     [Write, Description("Specifies if the domain controller will be a Global Catalog (GC).")] Boolean IsGlobalCatalog;
     [Read, Description("Returns the state of the Domain Controller.")] String Ensure;
+    [Write, Description("Indicates that the cmdlet installs the domain controller as an Read-Only Domain Controller (RODC) for an existing domain.")] Boolean ReadOnlyReplica;
+    [Write, Description("Specifies an array of names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this Read-Only Domain Controller (RODC).")] String AllowPasswordReplicationAccountName[];
+    [Write, Description("Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this Read-Only Domain Controller (RODC).")] String DenyPasswordReplicationAccountName[];
 };

DSCResources/MSFT_xADDomainController/README.md

@@ -1,7 +1,8 @@
 # Description
 
 The xADDomainController DSC resource will install and configure domain
-controllers in Active Directory.
+controllers in Active Directory. Installation of Read-Only Domain Controllers
+(RODC) is also supported.
 
 >**Note:** If the account used for the parameter `DomainAdministratorCredential`
 >cannot connect to another domain controller, for example using a credential

DSCResources/MSFT_xADDomainController/en-US/MSFT_xADDomainController.strings.psd1

@@ -14,7 +14,10 @@ ConvertFrom-StringData @'
     FailedToFindSite              = The site '{0}' could not be found in the domain '{1}'. (ADDC0014)
     TestingConfiguration          = Determine the state of the domain controller on the current node '{0}' in the domain '{1}'. (ADDC0015)
     WrongSite                     = The domain controller is in the site '{0}', but expected it to be in the site '{1}'. (ADDC0016)
-    ExpectedDomainController      = Expected the node to be a domain controller, but did not get a domain controller object. (ADDC0017)
     ExpectedGlobalCatalogEnabled  = The domain controller does not contain a Global Catalog, but it was expected to have a Global Catalog. (ADDC0018)
     ExpectedGlobalCatalogDisabled = The domain controller have a Global Catalog, but it was expected to not have a Global Catalog. (ADDC0019)
+    AllowedSyncAccountsMismatch   = There is a mismatch in AllowPasswordReplicationAccountName list. Got {0}, expected was {1}. (ADDC0020)
+    DenySyncAccountsMismatch      = There is a mismatch in DenyPasswordReplicationAccountName list. Got {0}, expected was {1}. (ADDC0021)
+    RODCMissingSite               = You have specified 'ReadOnlyReplica', but did not provide a site name. (ADDC0022)
+    CannotConvertToRODC           = Cannot convert a existing domain controller to a Read-Only Domain Controller (RODC). (ADDC0023)
 '@

DSCResources/MSFT_xADDomainController/en-US/about_xADDomainController.help.txt

@@ -3,7 +3,8 @@
 
 .DESCRIPTION
     The xADDomainController DSC resource will install and configure domain
-    controllers in Active Directory.
+    controllers in Active Directory. Installation of Read-Only Domain Controllers
+    (RODC) is also supported.
 
     >**Note:** If the account used for the parameter `DomainAdministratorCredential`
     >cannot connect to another domain controller, for example using a credential
@@ -57,6 +58,18 @@
     Read - String
     Returns the state of the Domain Controller.
 
+.PARAMETER ReadOnlyReplica
+    Write - Boolean
+    Indicates that the cmdlet installs the domain controller as an Read-Only Domain Controller (RODC) for an existing domain.
+
+.PARAMETER AllowPasswordReplicationAccountName
+    Write - String
+    Specifies an array of names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this Read-Only Domain Controller (RODC).
+
+.PARAMETER DenyPasswordReplicationAccountName
+    Write - String
+    Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this Read-Only Domain Controller (RODC).
+
 .EXAMPLE 1
 
 This configuration will add a domain controller to the domain
@@ -228,4 +241,63 @@ Configuration AddDomainControllerToDomainUsingIFM_Config
     }
 }
 
+.EXAMPLE 4
+
+This configuration will add a read-only domain controller to the domain contoso.com
+and specify a list of account, whose passwords are allowed/denied for synchronisation.
+
+Configuration AddReadOnlyDomainController_Config
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $DomainAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName PSDscResources
+    Import-DscResource -ModuleName xActiveDirectory
+
+    node localhost
+    {
+        WindowsFeature 'InstallADDomainServicesFeature'
+        {
+            Ensure = 'Present'
+            Name   = 'AD-Domain-Services'
+        }
+
+        WindowsFeature 'RSATADPowerShell'
+        {
+            Ensure    = 'Present'
+            Name      = 'RSAT-AD-PowerShell'
+
+            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
+        }
+
+        xWaitForADDomain 'WaitForestAvailability'
+        {
+            DomainName           = 'contoso.com'
+            DomainUserCredential = $DomainAdministratorCredential
+            RetryCount           = 10
+            RetryIntervalSec     = 120
+
+            DependsOn            = '[WindowsFeature]RSATADPowerShell'
+        }
+
+        xADDomainController 'Read-OnlyDomainController(RODC)'
+        {
+            DomainName                          = 'contoso.com'
+            DomainAdministratorCredential       = $DomainAdministratorCredential
+            SafemodeAdministratorPassword       = $DomainAdministratorCredential
+            ReadOnlyReplica                     = $true
+            SiteName                            = 'Default-First-Site-Name'
+            AllowPasswordReplicationAccountName = @('pvdi.test1', 'pvdi.test')
+            DenyPasswordReplicationAccountName  = @('SVC_PVS', 'TA2SCVMM')
+
+            DependsOn                           = '[xWaitForADDomain]WaitForestAvailability'
+        }
+    }
+}
+
 

Examples/Resources/xADDomainController/4-AddReadOnlyDomainController_Config.ps1

@@ -0,0 +1,77 @@
+<#PSScriptInfo
+.VERSION 1.0.0
+.GUID ba30df50-0873-4c2c-872b-96f5c825910d
+.AUTHOR Microsoft Corporation
+.COMPANYNAME Microsoft Corporation
+.COPYRIGHT (c) Microsoft Corporation. All rights reserved.
+.TAGS DSCConfiguration
+.LICENSEURI https://github.com/PowerShell/xActiveDirectory/blob/master/LICENSE
+.PROJECTURI https://github.com/PowerShell/xActiveDirectory
+.ICONURI
+.EXTERNALMODULEDEPENDENCIES
+.REQUIREDSCRIPTS
+.EXTERNALSCRIPTDEPENDENCIES
+.RELEASENOTES First version.
+.PRIVATEDATA 2016-Datacenter,2016-Datacenter-Server-Core
+#>
+
+#Requires -module xActiveDirectory
+
+<#
+    .DESCRIPTION
+    This configuration will add a read-only domain controller to the domain contoso.com
+    and specify a list of account, whose passwords are allowed/denied for synchronisation.
+#>
+Configuration AddReadOnlyDomainController_Config
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+        [System.Management.Automation.PSCredential]
+        $DomainAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName PSDscResources
+    Import-DscResource -ModuleName xActiveDirectory
+
+    node localhost
+    {
+        WindowsFeature 'InstallADDomainServicesFeature'
+        {
+            Ensure = 'Present'
+            Name   = 'AD-Domain-Services'
+        }
+
+        WindowsFeature 'RSATADPowerShell'
+        {
+            Ensure    = 'Present'
+            Name      = 'RSAT-AD-PowerShell'
+
+            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
+        }
+
+        xWaitForADDomain 'WaitForestAvailability'
+        {
+            DomainName           = 'contoso.com'
+            DomainUserCredential = $DomainAdministratorCredential
+            RetryCount           = 10
+            RetryIntervalSec     = 120
+
+            DependsOn            = '[WindowsFeature]RSATADPowerShell'
+        }
+
+        xADDomainController 'Read-OnlyDomainController(RODC)'
+        {
+            DomainName                          = 'contoso.com'
+            DomainAdministratorCredential       = $DomainAdministratorCredential
+            SafemodeAdministratorPassword       = $DomainAdministratorCredential
+            ReadOnlyReplica                     = $true
+            SiteName                            = 'Default-First-Site-Name'
+            AllowPasswordReplicationAccountName = @('pvdi.test1', 'pvdi.test')
+            DenyPasswordReplicationAccountName  = @('SVC_PVS', 'TA2SCVMM')
+
+            DependsOn                           = '[xWaitForADDomain]WaitForestAvailability'
+        }
+    }
+}