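---
# Tasks file: promote a Windows host to the first domain controller of a new
# forest, then seed DNS, OUs, groups, service accounts, a deployment share and
# baseline GPOs. Inbound variables (defined elsewhere, used unchanged here):
# kundendomain, kundenkürzel, privatip, kunde.
#
# NOTE(review): `kundenkürzel` is a non-ASCII Jinja2 identifier — confirm the
# installed ansible-core/Jinja2 accepts it; it is referenced as-is.
# NOTE(review): the New-AD*/Add-DnsServer* shell tasks are not idempotent
# (they fail when the object already exists); only the promotion steps are
# protected by the service check below.
# NOTE(review): the credentials in this file are literals committed with the
# playbook; move them to Ansible Vault and rotate the ones already committed.

- name: Check AD-Controller Service exists
  ansible.windows.win_service:
    # NTDS is the AD DS directory service. The original queried "NTLD", which
    # looks like a typo: a service that never exists makes `exists` always
    # false, so every run re-installed the role and re-promoted the host.
    name: NTDS
  register: file_check_ntld
  ignore_unreachable: true

# `domain_dn` is introduced by this file: "DC=corp,DC=example" for a
# kundendomain of "corp.example". Built from all labels, whereas the former
# split(".")[0]/[1] silently dropped a third label and beyond.
- name: Build the domain distinguished name
  ansible.builtin.set_fact:
    domain_dn: "DC={{ kundendomain.split('.') | join(',DC=') }}"

- name: Install Active-Directory-Service
  ansible.windows.win_shell: Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -IncludeAllSubFeature
  when: not file_check_ntld.exists

# win_reboot replaces "shutdown -t 0 -r" plus a separate wait_for_connection:
# it issues the reboot and waits for WinRM to return (module default timeout,
# instead of the former 60 s, which is short for a Windows reboot).
- name: Reboot ad-controller
  ansible.windows.win_reboot:
    post_reboot_delay: 10
  when: not file_check_ntld.exists

# NOTE(review): both built-in Administrator accounts (this task and
# "Disable AD-Administrator-User") are disabled before "Stines Admin" exists;
# if that later task fails the domain has no enabled admin account.
- name: Disable Local-Administrator-User
  ansible.windows.win_user:
    name: Administrator
    account_disabled: true
  when: not file_check_ntld.exists

- name: Install-ADDSForest
  # DSRM password literal (TODO(review): Ansible Vault). no_log keeps the
  # command line out of play output and logs; it also hides error output, so
  # drop it temporarily when debugging a failed promotion.
  ansible.windows.win_shell: |
    $password = ConvertTo-SecureString -String 'adm.3dfx12' -AsPlainText -Force
    Install-ADDSForest -DomainName {{ kundendomain }} -InstallDNS:$true -SafeModeAdministratorPassword $password -DomainMode WinThreshold -ForestMode WinThreshold -Force
  no_log: true
  when: not file_check_ntld.exists

# Install-ADDSForest -Force reboots the host when it finishes; wait for WinRM.
- name: Wait for Server Reboot
  ansible.builtin.wait_for_connection:
    delay: 10
    # timeout: 300
  when: not file_check_ntld.exists

- name: Disable AD-Administrator-User
  ansible.windows.win_shell: Disable-ADAccount -Identity "Administrator"
  when: not file_check_ntld.exists

# privatip is used as a /24 prefix everywhere below ("{{ privatip }}.1"), so it
# is presumably the first three octets of the customer network — confirm
# against the inventory.
- name: ADD Reverse DNS Zone
  ansible.windows.win_shell: Add-DnsServerPrimaryZone -NetworkID "{{ privatip }}/24" -ReplicationScope "Domain"

# One A record (with PTR) per customer host; host naming is
# "<kundenkürzel>-<role>". Same records and addresses as before, one
# Add-DnsServerResourceRecordA call per item.
- name: ADD DNS Roles
  ansible.windows.win_shell: Add-DnsServerResourceRecordA -Name "{{ kundenkürzel }}-{{ item.name }}" -ZoneName "{{ kundendomain }}" -AllowUpdateAny -IPv4Address "{{ privatip }}.{{ item.host }}" -CreatePtr:$true
  loop:
    - { name: ROU01, host: 1 }
    - { name: SMTP01, host: 2 }
    - { name: HAPROX01, host: 3 }
    - { name: NEXT01, host: 4 }
    - { name: DATA01, host: 5 }
    - { name: CMS01, host: 6 }
    - { name: AD01, host: 8 }
    - { name: RDS01, host: 7 }
    - { name: EX01, host: 9 }
    - { name: APP01, host: 10 }
  loop_control:
    label: "{{ item.name }}"

# Top-level OUs. The original had four tasks, two of them mislabelled
# ("Create OU System-Accounts" created System-Gruppen, "Create OU
# Kunden-Gruppen" created the Benutzer OU).
- name: Create top-level OUs
  ansible.windows.win_shell: New-ADOrganizationalUnit -Name "{{ item }}" -Path "{{ domain_dn }}"
  loop:
    - System-Accounts
    - System-Gruppen
    - "{{ kundenkürzel }}-Gruppen"
    - "{{ kundenkürzel }}-Benutzer"

- name: Create Stines Admin
  # TODO(review): literal password — move to Ansible Vault; no_log keeps it
  # out of logs. Group names are the German-localised built-ins
  # (Domänen-Admins), so this only works on a German Windows installation.
  # -PasswordNeverExpires on a Domain Admin account is worth revisiting.
  ansible.windows.win_shell: |
    $adminpw = ConvertTo-SecureString -String 'adm.3dfx12' -AsPlainText -Force
    New-ADUser -Name "Stines Admin" -GivenName "Stines" -Surname "Admin" -SamAccountName "stinessu" -UserPrincipalName "stinessu@{{ kundendomain }}" -Path "OU=System-Accounts,{{ domain_dn }}" -Enabled $true -AccountPassword $adminpw -ChangePasswordAtLogon:$false -PasswordNeverExpires:$true
    Add-ADGroupMember -Identity Domänen-Admins -Members stinessu
    $group = Get-ADGroup "Domänen-Admins" -Properties @("primaryGroupToken")
    Get-ADUser "stinessu" | Set-ADUser -Replace @{primaryGroupID=$group.primaryGroupToken}
  no_log: true

# Global security groups under OU=System-Gruppen. DisplayName equals Name
# for every group, as in the original per-group tasks.
- name: Create System groups
  ansible.windows.win_shell: New-ADGroup -Name "{{ item.name }}" -SamAccountName {{ item.sam }} -GroupCategory Security -GroupScope Global -DisplayName "{{ item.name }}" -Path "OU=System-Gruppen,{{ domain_dn }}" -Description "{{ item.description }}"
  loop:
    - { name: LDAP-Admins, sam: LDAPAdmins, description: "LDAP Admins für LDAP Verbindungen" }
    - { name: Mail-User, sam: MailUser, description: "E-Mail Mitglieder" }
    - { name: EX-User, sam: EXUser, description: "Exchange Mitglieder" }
    - { name: Bitwarden-User, sam: BitwardenUser, description: "Bitwarden Mitglieder" }
    - { name: Nextcloud-User, sam: NextcloudUser, description: "Nextcloud Mitglieder" }
    - { name: RDS-User, sam: RDSUser, description: "RDS Mitglieder" }
    - { name: VPN-User, sam: VPNUser, description: "VPN Mitglieder" }
    - { name: Daten-User, sam: DatenUser, description: "Daten Mitglieder" }
  loop_control:
    label: "{{ item.name }}"

- name: Create LDAP-Admin
  # The password is single-quoted on purpose: inside a PowerShell double-quoted
  # string the trailing "$D6MPy2m" was expanded as an (empty) variable, so the
  # account was created with a shorter password than the one written here.
  # TODO(review): move the literal to Ansible Vault; no_log keeps it out of logs.
  ansible.windows.win_shell: |
    $adminpw = ConvertTo-SecureString -String 'zzLGuggugSG7bwMQruv#3bPLwp4DfQ8Hq9Ldq$D6MPy2m' -AsPlainText -Force
    New-ADUser -Name "LDAP Admin" -GivenName "LDAP" -Surname "Admin" -SamAccountName "ldap-admin" -UserPrincipalName "ldap@{{ kundendomain }}" -Path "OU=System-Accounts,{{ domain_dn }}" -Enabled $true -AccountPassword $adminpw -ChangePasswordAtLogon:$false -PasswordNeverExpires:$true
    Add-ADGroupMember -Identity LDAPAdmins -Members ldap-admin
    $group = Get-ADGroup "LDAPAdmins" -Properties @("primaryGroupToken")
    Get-ADUser "ldap-admin" | Set-ADUser -Replace @{primaryGroupID=$group.primaryGroupToken}
  no_log: true

- name: Create Folder deployment
  ansible.windows.win_file:
    path: C:\deployment\
    state: directory

- name: Create Share Folder deployment
  ansible.windows.win_share:
    name: deployment
    description: deployment
    path: C:\deployment
    list: false
    full: Domänen-Admins
    read: RDSUser,Domänen-Benutzer

# Management-console shortcuts on the public desktop (visible to every
# interactive user on the DC, not only Stines Admin).
- name: Create AD-Controller Shortcuts on Stines-Admin Desktop
  community.windows.win_shortcut:
    src: '%SystemRoot%\system32\dsa.msc'
    dest: C:\Users\Public\Desktop\AD-Controller.lnk
    icon: '%SystemRoot%\system32\dsadmin.dll,0'

- name: Create DNS Shortcuts on Stines-Admin Desktop
  community.windows.win_shortcut:
    src: '%SystemRoot%\system32\dnsmgmt.msc'
    dest: C:\Users\Public\Desktop\DNS.lnk
    icon: '%SystemRoot%\system32\dnsmgr.dll'

- name: Create GPO Shortcuts on Stines-Admin Desktop
  community.windows.win_shortcut:
    src: '%SystemRoot%\system32\gpmc.msc'
    dest: C:\Users\Public\Desktop\GPO.lnk
    icon: '%SystemRoot%\system32\gpoadmin.dll'

# win_copy instead of ansible.builtin.copy: the builtin copy module targets
# POSIX hosts and does not run on a Windows target.
- name: Copy aduser CSV File
  ansible.windows.win_copy:
    src: /root/ansible/playbook/kunden/{{ kunde }}/files/aduser.csv
    dest: C:\deployment\aduser.csv

- name: Install Azure-Client
  # Download only; the silent install stays commented out as in the original.
  # TODO(review): pin the installer with `checksum: "sha256:<expected-hash>"`
  # (placeholder) so a tampered or changed download fails instead of installing.
  ansible.windows.win_get_url:
    url: https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi
    dest: C:\deployment\AzureADConnect.msi
  # C:\deployment\AzureADConnect.msi /quiet

- name: Create GPO Folders PolicyDefinitions
  ansible.windows.win_file:
    path: "{{ item }}"
    state: directory
  loop:
    - C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
    - C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\de
    - C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\de-DE

- name: Import ADMX Files
  ansible.windows.win_copy:
    src: all.zip
    dest: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\all.zip

- name: Export ADMX Files
  ansible.windows.win_shell: |
    Expand-Archive C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\all.zip -DestinationPath C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\

- name: Copy GPO Settings
  ansible.windows.win_copy:
    src: GPO.zip
    dest: C:\deployment\GPO.zip

- name: Export GPO Files
  ansible.windows.win_shell: |
    Expand-Archive C:\deployment\GPO.zip -DestinationPath C:\deployment\GPO

# Backup name, target GPO name and backup folder are identical for each GPO.
- name: Import GPO Settings
  ansible.windows.win_shell: Import-GPO -BackupGpoName "{{ item }}" -TargetName "{{ item }}" -Path C:\deployment\GPO\{{ item }}\ -CreateIfNeeded:$true
  loop:
    - RDS-Clients
    - Exchange-Clients
    - Google-Chrome

- name: Install Druck-Server-Service
  ansible.windows.win_shell: Install-WindowsFeature -Name Print-Server

# - name: Copy CSV Import Script
#   ansible.windows.win_copy:
#     src: /root/ansible/playbook/kunden/{{ kunde }}/files/import_ad_user.ps1
#     dest: C:\deployment\import_ad_user.ps1

# - name: Import ADUser by CSV File
#   ansible.windows.win_shell: |
#     cd C:\deployment
#     ./import_ad_user.ps1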