Added AddsDomainController RODC Password Replication Variables (#209)

nikq29 · Niko P · raandree · web-flow · commit d99f804b51ed · 2023-04-11T10:33:15.000+02:00
* Added AddsDC RODC Password Repl Option

* fixed Doc

* Fixed HQRM Test Failure

---------

Co-authored-by: Niko P &lt;nikq29ftw@gmail.com&gt;
Co-authored-by: Raimund Andrée [MSFT] &lt;r.andree@live.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,10 +4,12 @@ The format is based on and uses the types of changes according to [Keep a Change
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
 ### Added
 
 - AddsDomainController:
     - add UnprotectFromAccidentalDeletion to allow dc promote if an existing AD computer account is protected
+    - AllowPasswordReplication and DenyPasswordReplication Variables for RODCs
 - AzureConnectedMachine:
     - Composite to install and configure the Azure Connected Machine Agent
 - DhcpServerAuthorization:
diff --git a/doc/AddsDomainController.adoc b/doc/AddsDomainController.adoc
@@ -80,6 +80,18 @@ Set value to 'Default-First-Site-Name' if the Domain Controller shall be added t
 | - *False* (default)
   - true
 
+| AllowPWReplication
+| Mandatory if RODC, DSC will remove all not listet groups if you add them manually in AD.
+| String[]
+| Specifies an array of names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this Read-Only Domain Controller (RODC).
+|
+
+| DenyPWReplication
+| Mandatory if RODC, DSC will remove all not listet groups if you add them manually in AD.
+| String[]
+| Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this Read-Only Domain Controller (RODC).
+|
+
 | IsGlobalCatalog
 |
 | Boolean
@@ -111,13 +123,30 @@ If the computer acts as domain controller the 'Protect from accidental deletion'
 [source, yaml]
 ----
 AddsDomainController:
+  DomainName: contoso.com
+  Credential: '[ENC=PE9ian...=]'
+  SafeModeAdministratorPassword: '[ENC=PE9ian...=]'
+  LogPath: C:\Windows\Logs
+  SysvolPath: C:\Windows\SYSVOL
+  SiteName: London
+  IsGlobalCatalog: false
+  IsReadOnlyReplica: true
+  UnprotectFromAccidentalDeletion: true
+  InstallationMediaPath: \\Server\Share
+
+  AddsDomainController:
   DomainName: contoso.com
   Credential: '[ENC=PE9ian...=]'
   SafeModeAdministratorPassword: '[ENC=PE9ian...=]'
   LogPath: C:\Windows\Logs
   SysvolPath: C:\Windows\SYSVOL
   SiteName: London
   IsGlobalCatalog: true
+  AllowPasswordReplication:
+    - 'SiteGroup-AllowPasswordReplication'
+    - 'TestGroup'
+  DenyPasswordReplication:
+    - 'SiteGroup-DenyPasswordReplication'
   IsReadOnlyReplica: true
   UnprotectFromAccidentalDeletion: true
   InstallationMediaPath: \\Server\Share
diff --git a/source/DSCResources/AddsDomainController/AddsDomainController.schema.psm1 b/source/DSCResources/AddsDomainController/AddsDomainController.schema.psm1
@@ -38,6 +38,14 @@ configuration AddsDomainController
         [bool]
         $IsReadOnlyReplica = $false,
 
+        [Parameter()]
+        [string[]]
+        $AllowPWReplication,
+
+        [Parameter()]
+        [string[]]
+        $DenyPWReplication,
+
         [Parameter()]
         [bool]
         $UnprotectFromAccidentalDeletion = $false,
@@ -50,12 +58,14 @@ configuration AddsDomainController
     Import-DscResource -ModuleName PSDesiredStateConfiguration
     Import-DscResource -ModuleName ActiveDirectoryDsc
 
-    WindowsFeature ADDS {
+    WindowsFeature ADDS
+    {
         Name   = 'AD-Domain-Services'
         Ensure = 'Present'
     }
 
-    WindowsFeature RSATADPowerShell {
+    WindowsFeature RSATADPowerShell
+    {
         Name      = 'RSAT-AD-PowerShell'
         Ensure    = 'Present'
         DependsOn = '[WindowsFeature]ADDS'
@@ -79,7 +89,7 @@ configuration AddsDomainController
                 {
                     Get-ADDomainController -Identity $env:ComputerName
                     Write-Verbose "Computer '$env:ComputerName' is a domain controller. Nothing to do"
-                     return $true
+                    return $true
                 }
                 catch
                 {
@@ -103,16 +113,38 @@ configuration AddsDomainController
         $depOn = '[Script]RemoveProtectFromAccidentalDeletionBeforeDcPromo'
     }
 
-    ADDomainController 'DomainControllerAllProperties' {
-        DomainName                    = $DomainName
-        Credential                    = $Credential
-        SafeModeAdministratorPassword = $SafeModeAdministratorPassword
-        DatabasePath                  = $DatabasePath
-        LogPath                       = $LogPath
-        SysvolPath                    = $SysvolPath
-        SiteName                      = $SiteName
-        ReadOnlyReplica               = $IsReadOnlyReplica
-        IsGlobalCatalog               = $IsGlobalCatalog
-        DependsOn                     = $depOn
+    if ($IsReadOnlyReplica -eq $false)
+    {
+        ADDomainController 'DomainControllerAllProperties'
+        {
+            DomainName                    = $DomainName
+            Credential                    = $Credential
+            SafeModeAdministratorPassword = $SafeModeAdministratorPassword
+            DatabasePath                  = $DatabasePath
+            LogPath                       = $LogPath
+            SysvolPath                    = $SysvolPath
+            SiteName                      = $SiteName
+            ReadOnlyReplica               = $IsReadOnlyReplica
+            IsGlobalCatalog               = $IsGlobalCatalog
+            DependsOn                     = $depOn
+        }
+    }
+    elseif ($IsReadOnlyReplica -eq $true)
+    {
+        ADDomainController 'DomainControllerAllProperties'
+        {
+            DomainName                          = $DomainName
+            Credential                          = $Credential
+            SafeModeAdministratorPassword       = $SafeModeAdministratorPassword
+            DatabasePath                        = $DatabasePath
+            LogPath                             = $LogPath
+            SysvolPath                          = $SysvolPath
+            SiteName                            = $SiteName
+            ReadOnlyReplica                     = $IsReadOnlyReplica
+            IsGlobalCatalog                     = $IsGlobalCatalog
+            AllowPasswordReplicationAccountName = $AllowPWReplication
+            DenyPasswordReplicationAccountName  = $DenyPWReplication
+            DependsOn                           = $depOn
+        }
     }
 }
diff --git a/tests/Unit/DSCResources/Assets/Config/AddsDomainController.yml b/tests/Unit/DSCResources/Assets/Config/AddsDomainController.yml
@@ -1,11 +1,15 @@
 DomainName: contoso.com
 Credential: '[ENC=PE9ianMgVmVyc2lvbj0iMS4xLjAuMSIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vcG93ZXJzaGVsbC8yMDA0LzA0Ij4NCiAgPE9iaiBSZWZJZD0iMCI+DQogICAgPFROIFJlZklkPSIwIj4NCiAgICAgIDxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNDdXN0b21PYmplY3Q8L1Q+DQogICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPg0KICAgIDwvVE4+DQogICAgPE1TPg0KICAgICAgPE9iaiBOPSJLZXlEYXRhIiBSZWZJZD0iMSI+DQogICAgICAgIDxUTiBSZWZJZD0iMSI+DQogICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdFtdPC9UPg0KICAgICAgICAgIDxUPlN5c3RlbS5BcnJheTwvVD4NCiAgICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPg0KICAgICAgICA8L1ROPg0KICAgICAgICA8TFNUPg0KICAgICAgICAgIDxPYmogUmVmSWQ9IjIiPg0KICAgICAgICAgICAgPFROUmVmIFJlZklkPSIwIiAvPg0KICAgICAgICAgICAgPE1TPg0KICAgICAgICAgICAgICA8UyBOPSJIYXNoIj44MDg1MzBFQzZDOUMyNENEODIzMjEyMkNBNDAwQUQyQjA4RUYwQTA0QjlGQzM2NUQxOUY1NTY3MjdEQjNDOUJEPC9TPg0KICAgICAgICAgICAgICA8STMyIE49Ikl0ZXJhdGlvbkNvdW50Ij41MDAwMDwvSTMyPg0KICAgICAgICAgICAgICA8QkEgTj0iS2V5Ij5leUt6OUNtWjhFRUoyVmlqR1dhYVVodW9IcEtCeEd6SmZza3F1L3JicWxXZzVoVXkwYWd5QW1xZnI5WWExbDAxPC9CQT4NCiAgICAgICAgICAgICAgPEJBIE49Ikhhc2hTYWx0Ij5nQ3NLTldCTUdRMjF0Smc1QVA1UXcyRGdoWDZpTkx2cy8vZHFQbE5PNExnPTwvQkE+DQogICAgICAgICAgICAgIDxCQSBOPSJTYWx0Ij54OVhLaTVPRVg3SXRsbnQySkRPY0tJdlNZLzN1V2dOQjBjWFpaSitpWjZBPTwvQkE+DQogICAgICAgICAgICAgIDxCQSBOPSJJViI+NUVpcFhyeVBSeDA3dDI2dk1mNGlPR0dURldiT2tzVDdraHRxcjNiM1NsND08L0JBPg0KICAgICAgICAgICAgPC9NUz4NCiAgICAgICAgICA8L09iaj4NCiAgICAgICAgPC9MU1Q+DQogICAgICA8L09iaj4NCiAgICAgIDxCQSBOPSJDaXBoZXJUZXh0Ij54OUp0WXZDbXFKQmpaVitqNmQxK3VUazBEM0FiZ3cvMTRJbk5EMEN2ZXZCVTlkUG5tL091WFR4bWdGVVQzaUlMdGYzRnNxQ0VVc29wYkhSaHBPdjE5dz09PC9CQT4NCiAgICAgIDxCQSBOPSJITUFDIj5pR3FoYkYwR0w5NUF6bDFSTVhMa0twQ2VNRXcwa29QeGtJd1NzMVczWU9vPTwvQkE+DQogICAgICA8UyBOPSJUeXBlIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTQ3JlZGVudGlhbDwvUz4NCiAgICA8L01TPg0KICA8L09iaj4NCjwvT2Jqcz4=]'
 SafeModeAdministratorPassword: '[ENC=PE9ianMgVmVyc2lvbj0iMS4xLjAuMSIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vcG93ZXJzaGVsbC8yMDA0LzA0Ij4NCiAgPE9iaiBSZWZJZD0iMCI+DQogICAgPFROIFJlZklkPSIwIj4NCiAgICAgIDxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNDdXN0b21PYmplY3Q8L1Q+DQogICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPg0KICAgIDwvVE4+DQogICAgPE1TPg0KICAgICAgPE9iaiBOPSJLZXlEYXRhIiBSZWZJZD0iMSI+DQogICAgICAgIDxUTiBSZWZJZD0iMSI+DQogICAgICAgICAgPFQ+U3lzdGVtLk9iamVjdFtdPC9UPg0KICAgICAgICAgIDxUPlN5c3RlbS5BcnJheTwvVD4NCiAgICAgICAgICA8VD5TeXN0ZW0uT2JqZWN0PC9UPg0KICAgICAgICA8L1ROPg0KICAgICAgICA8TFNUPg0KICAgICAgICAgIDxPYmogUmVmSWQ9IjIiPg0KICAgICAgICAgICAgPFROUmVmIFJlZklkPSIwIiAvPg0KICAgICAgICAgICAgPE1TPg0KICAgICAgICAgICAgICA8UyBOPSJIYXNoIj44MDg1MzBFQzZDOUMyNENEODIzMjEyMkNBNDAwQUQyQjA4RUYwQTA0QjlGQzM2NUQxOUY1NTY3MjdEQjNDOUJEPC9TPg0KICAgICAgICAgICAgICA8STMyIE49Ikl0ZXJhdGlvbkNvdW50Ij41MDAwMDwvSTMyPg0KICAgICAgICAgICAgICA8QkEgTj0iS2V5Ij5leUt6OUNtWjhFRUoyVmlqR1dhYVVodW9IcEtCeEd6SmZza3F1L3JicWxXZzVoVXkwYWd5QW1xZnI5WWExbDAxPC9CQT4NCiAgICAgICAgICAgICAgPEJBIE49Ikhhc2hTYWx0Ij5nQ3NLTldCTUdRMjF0Smc1QVA1UXcyRGdoWDZpTkx2cy8vZHFQbE5PNExnPTwvQkE+DQogICAgICAgICAgICAgIDxCQSBOPSJTYWx0Ij54OVhLaTVPRVg3SXRsbnQySkRPY0tJdlNZLzN1V2dOQjBjWFpaSitpWjZBPTwvQkE+DQogICAgICAgICAgICAgIDxCQSBOPSJJViI+NUVpcFhyeVBSeDA3dDI2dk1mNGlPR0dURldiT2tzVDdraHRxcjNiM1NsND08L0JBPg0KICAgICAgICAgICAgPC9NUz4NCiAgICAgICAgICA8L09iaj4NCiAgICAgICAgPC9MU1Q+DQogICAgICA8L09iaj4NCiAgICAgIDxCQSBOPSJDaXBoZXJUZXh0Ij54OUp0WXZDbXFKQmpaVitqNmQxK3VUazBEM0FiZ3cvMTRJbk5EMEN2ZXZCVTlkUG5tL091WFR4bWdGVVQzaUlMdGYzRnNxQ0VVc29wYkhSaHBPdjE5dz09PC9CQT4NCiAgICAgIDxCQSBOPSJITUFDIj5pR3FoYkYwR0w5NUF6bDFSTVhMa0twQ2VNRXcwa29QeGtJd1NzMVczWU9vPTwvQkE+DQogICAgICA8UyBOPSJUeXBlIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTQ3JlZGVudGlhbDwvUz4NCiAgICA8L01TPg0KICA8L09iaj4NCjwvT2Jqcz4=]'
-DatabasePath: C:\Windows\NTDS
 LogPath: C:\Windows\Logs
 SysvolPath: C:\Windows\SYSVOL
 SiteName: London
 IsGlobalCatalog: true
-IsReadOnlyReplica: false
+AllowPWReplication:
+  - 'SiteGroup-AllowPasswordReplication'
+  - 'TestGroup'
+DenyPWReplication:
+  - 'SiteGroup-DenyPasswordReplication'
+IsReadOnlyReplica: true
 UnprotectFromAccidentalDeletion: true
 InstallationMediaPath: \\Server\Share
