Dre4m Shell
Server IP : 85.214.239.14  /  Your IP : 13.59.236.101
Web Server : Apache/2.4.62 (Debian)
System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64
User : www-data ( 33)
PHP Version : 7.4.18
Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
MySQL : OFF  |  cURL : OFF  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : OFF
Directory :  /lib/python3/dist-packages/ansible_collections/microsoft/ad/plugins/modules/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ HOME SHELL ]     

Current File : /lib/python3/dist-packages/ansible_collections/microsoft/ad/plugins/modules/domain_controller.ps1
#!powershell

# Copyright (c) 2022 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

#AnsibleRequires -CSharpUtil Ansible.Basic

$spec = @{
    options = @{
        database_path = @{
            type = 'path'
        }
        dns_domain_name = @{
            type = 'str'
        }
        domain_admin_password = @{
            no_log = $true
            required = $true
            type = 'str'
        }
        domain_admin_user = @{
            required = $true
            type = 'str'
        }
        domain_log_path = @{
            # FUTURE: Add alias for log_path once some time has passed
            type = 'path'
        }
        install_dns = @{
            type = 'bool'
        }
        install_media_path = @{
            type = 'path'
        }
        local_admin_password = @{
            no_log = $true
            type = 'str'
        }
        read_only = @{
            default = $false
            type = 'bool'
        }
        reboot = @{
            default = $false
            type = 'bool'
        }
        safe_mode_password = @{
            no_log = $true
            type = 'str'
        }
        site_name = @{
            type = 'str'
        }
        state = @{
            choices = 'domain_controller', 'member_server'
            required = $true
            type = 'str'
        }
        sysvol_path = @{
            type = 'path'
        }
    }
    required_if = @(
        , @('state', 'domain_controller', @('dns_domain_name', 'safe_mode_password'))
        , @('state', 'member_server', @(, 'local_admin_password'))
    )
    supports_check_mode = $true
}
$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)

$module.Result.reboot_required = $false
$module.Result._do_action_reboot = $false  # Used by action plugin

$databasePath = $module.Params.database_path
$dnsDomainName = $module.Params.dns_domain_name
$installDns = $module.Params.install_dns
$installMediaPath = $module.Params.install_media_path
$logPath = $module.Params.domain_log_path
$readOnly = $module.Params.read_only
$siteName = $module.Params.site_name
$state = $module.Params.state
$sysvolPath = $module.Params.sysvol_path

$domainCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @(
    $module.Params.domain_admin_user,
    (ConvertTo-SecureString -AsPlainText -Force -String $module.Params.domain_admin_password)
)

if ([System.Environment]::OSVersion.Version -lt [Version]"6.2") {
    $module.FailJson("microsoft.ad.domain_controller requires Windows Server 2012 or higher")
}

# short-circuit "member server" check, since we don't need feature checks for this...
# role 4/5 - backup/primary DC
$win32CS = Get-CimInstance -ClassName Win32_ComputerSystem -Property Domain, DomainRole
$isKdc = $win32CS.DomainRole -in @(4, 5)
If ($state -eq "member_server" -and -not $isKdc) {
    $module.ExitJson()
}

# all other operations will require the AD-DS and RSAT-ADDS features...
$requiredFeatures = @("AD-Domain-Services", "RSAT-ADDS")
$features = Get-WindowsFeature -Name $requiredFeatures
$unavailableFeatures = Compare-Object -ReferenceObject $requiredFeatures -DifferenceObject $features.Name -PassThru

if ($unavailableFeatures) {
    $module.FailJson("The following features required for a domain controller are unavailable: $($unavailableFeatures -join ',')")
}

$missingFeatures = $features | Where-Object InstallState -NE Installed
if ($missingFeatures) {
    $res = Install-WindowsFeature -Name $missingFeatures -WhatIf:$module.CheckMode
    $module.Result.changed = $true
    $module.Result.reboot_required = [bool]$res.RestartNeeded

    # When in check mode and the prereq was "installed" we need to exit early as
    # the AD cmdlets weren't really installed
    if ($module.CheckMode) {
        $module.ExitJson()
    }
}

$lastBootTime = (Get-CimInstance -ClassName Win32_OperatingSystem -Property LastBootUpTime).LastBootUpTime.ToFileTime()

if ($state -eq 'domain_controller') {
    # ensure that domain admin user is in UPN or down-level domain format (prevent hang from https://support.microsoft.com/en-us/kb/2737935)
    If (-not $domainCredential.UserName.Contains("\") -and -not $domainCredential.UserName.Contains("@")) {
        $module.FailJson("domain_admin_user must be in domain\user or user@domain.com format")
    }

    If ($isKdc) {
        # FUTURE: implement managed Remove/Add to change domains?
        If ($dnsDomainName -ne $win32CS.Domain) {
            $msg = -join @(
                "The host $env:COMPUTERNAME is a domain controller for the domain $($win32CS.Domain); "
                "changing DC domains is not implemented"
            )
            $module.FailJson($msg)
        }
    }
    else {
        $safeModePassword = $module.Params.safe_mode_password | ConvertTo-SecureString -AsPlainText -Force

        $installParams = @{
            Confirm = $false
            Credential = $domainCredential
            DomainName = $dnsDomainName
            Force = $true
            NoRebootOnCompletion = $true
            SafeModeAdministratorPassword = $safeModePassword
            SkipPreChecks = $true
            WhatIf = $module.CheckMode
        }
        if ($databasePath) {
            $installParams.DatabasePath = $databasePath
        }
        if ($logPath) {
            $installParams.LogPath = $logPath
        }
        if ($sysvolPath) {
            $installParams.SysvolPath = $sysvolPath
        }
        if ($installMediaPath) {
            $installParams.InstallationMediaPath = $installMediaPath
        }
        if ($readOnly) {
            # while this is a switch value, if we set on $false site_name is required
            # https://github.com/ansible/ansible/issues/35858
            $installParams.ReadOnlyReplica = $true
        }
        if ($siteName) {
            $installParams.SiteName = $siteName
        }
        if ($null -ne $installDns) {
            $installParams.InstallDns = $installDns
        }

        try {
            $null = Install-ADDSDomainController @installParams
        }
        catch [Microsoft.DirectoryServices.Deployment.DCPromoExecutionException] {
            # ExitCode 15 == 'Role change is in progress or this computer needs to be restarted.'
            # DCPromo exit codes details can be found at
            # https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment
            if ($_.Exception.ExitCode -in @(15, 19)) {
                $module.Result.reboot_required = $true
                $module.Result._do_action_reboot = $true
            }

            $module.FailJson("Failed to install ADDSDomainController, DCPromo exited with $($_.Exception.ExitCode): $($_.Exception.Message)", $_)
        }
        finally {
            # The Netlogon service is set to auto start but is not started. This is
            # required for Ansible to connect back to the host and reboot in a
            # later task. Even if this fails Ansible can still connect but only
            # with ansible_winrm_transport=basic so we just display a warning if
            # this fails.
            if (-not $module.CheckMode) {
                try {
                    Start-Service -Name Netlogon
                }
                catch {
                    $msg = -join @(
                        "Failed to start the Netlogon service after promoting the host, "
                        "Ansible may be unable to connect until the host is manually rebooting: $($_.Exception.Message)"
                    )
                    $module.Warn($msg)
                }
            }
        }

        $module.Result.changed = $true
        $module.Result.reboot_required = $true
    }
}
else {
    # at this point we already know we're a DC and shouldn't be (due to short circuit check)...
    $assignedRoles = @((Get-ADDomainController -Server localhost).OperationMasterRoles)
    $localAdminPassword = $module.Params.local_admin_password | ConvertTo-SecureString -AsPlainText -Force

    # FUTURE: figure out a sane way to hand off roles automatically (designated recipient server, randomly look one up?)
    If ($assignedRoles.Count -gt 0) {
        $msg = -join @(
            "This domain controller has operation master role(s) ({0}) assigned; they must be moved to other "
            "DCs before demotion (see Move-ADDirectoryServerOperationMasterRole)" -f ($assignedRoles -join ", ")
        )
        $module.FailJson($msg)
    }

    # While the cmdlet has -WhatIf, it doesn't seem to work properly. Only run
    # when not in check mode.
    if (-not $module.CheckMode) {
        $uninstallParams = @{
            Confirm = $false
            Credential = $domainCredential
            Force = $true
            LocalAdministratorPassword = $localAdminPassword
            NoRebootOnCompletion = $true
        }
        $null = Uninstall-ADDSDomainController @uninstallParams
    }

    $module.Result.changed = $true
    $module.Result.reboot_required = $true
}

if ($module.Result.reboot_required -and $module.Params.reboot -and -not $module.CheckMode) {
    # Promoting or depromoting puts the server in a very funky state and it may
    # not be possible for Ansible to connect back without a reboot is done. If
    # the user requested the action plugin to perform the reboot then start it
    # here and get the action plugin to continue where this left off.

    $module.Result._previous_boot_time = $lastBootTime

    $shutdownRegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked'
    Remove-Item -LiteralPath $shutdownRegPath -Force -ErrorAction SilentlyContinue

    $comment = 'Reboot initiated by Ansible'
    $stdout = $null
    $stderr = . { shutdown.exe /r /t 10 /c $comment | Set-Variable stdout } 2>&1 | ForEach-Object ToString
    if ($LASTEXITCODE -eq 1190) {
        # A reboot was already scheduled, abort it and try again
        shutdown.exe /a
        $stdout = $null
        $stderr = . { shutdown.exe /r /t 10 /c $comment | Set-Variable stdout } 2>&1 | ForEach-Object ToString
    }

    if ($LASTEXITCODE) {
        $module.Result.rc = $LASTEXITCODE
        $module.Result.stdout = $stdout
        $module.Result.stderr = $stderr
        $module.FailJson("Failed to initiate reboot, see rc, stdout, stderr for more information")
    }
}

$module.ExitJson()

Anon7 - 2022
AnonSec Team