scripts/domain-join.ps1

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    MABDC Domain Join Script
.DESCRIPTION
    Joins a Windows 11 Pro/Enterprise PC to the MABDC domain,
    installs Chocolatey, adds the MABDC package feed, and
    triggers auto-provisioning of all base packages.
.NOTES
    Run as Administrator on a fresh Windows 11 Pro/Enterprise PC.
    Requires internet access to dc1.mabdc.org and repo.mabdc.com.
#>

param(
    [Parameter(Mandatory=$true)]
    [ValidateSet("IT","Accounting","Design","Management","Teaching","Admin")]
    [string]$Department,
    
    [Parameter(Mandatory=$false)]
    [string]$PCName,
    
    [Parameter(Mandatory=$false)]
    [string]$AdminUser = "Administrator",
    
    [Parameter(Mandatory=$false)]
    [string]$DomainName = "mabdc.org"
)

$ErrorActionPreference = 'Stop'
$LogFile = "C:\MABDC\Logs\domain-join.log"
$WebhookUrl = "https://webhooks.tasklet.ai/v1/public/webhook?token=64e387124cc212b5231a29d04c6e09aa"

function Write-Log {
    param([string]$Message)
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $entry = "[$timestamp] $Message"
    Write-Host $entry -ForegroundColor Green
    $null = New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force -ErrorAction SilentlyContinue
    Add-Content -Path $LogFile -Value $entry -ErrorAction SilentlyContinue
}

function Send-WebhookNotification {
    param([hashtable]$Data)
    try {
        $body = $Data | ConvertTo-Json -Compress
        Invoke-RestMethod -Uri $WebhookUrl -Method POST -Body $body -ContentType "application/json" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
        Write-Log "Webhook notification sent"
    } catch {
        Write-Log "Warning: Could not send webhook notification: $_"
    }
}

# Pre-flight checks
Write-Log "=== MABDC Domain Join Script v1.1 ==="
Write-Log "Starting pre-flight checks..."

# Ensure log directory exists
$null = New-Item -ItemType Directory -Path "C:\MABDC\Logs" -Force -ErrorAction SilentlyContinue

# Check Windows edition
$edition = (Get-WindowsEdition -Online).Edition
if ($edition -match "Home|Core") {
    Write-Host "ERROR: Windows 11 Home cannot join a domain. You need Pro or Enterprise." -ForegroundColor Red
    exit 1
}
Write-Log "Windows Edition: $edition OK"

# Check if already domain-joined
$currentDomain = (Get-WmiObject Win32_ComputerSystem).Domain
if ($currentDomain -eq $DomainName) {
    Write-Log "PC is already joined to $DomainName. Skipping domain join."
} else {
    Write-Log "Current domain: $currentDomain (will join $DomainName)"
}

# Create MABDC directories
$dirs = @("C:\MABDC", "C:\MABDC\Config", "C:\MABDC\Logs", "C:\MABDC\Wallpapers", "C:\MABDC\Scripts", "C:\MABDC\Certs")
foreach ($dir in $dirs) {
    if (!(Test-Path $dir)) { 
        New-Item -ItemType Directory -Path $dir -Force | Out-Null 
        Write-Log "Created $dir"
    }
}

# Set PC name if provided
if ($PCName) {
    $currentName = $env:COMPUTERNAME
    if ($currentName -ne $PCName) {
        Rename-Computer -NewName $PCName -Force
        Write-Log "PC renamed to $PCName (will apply after reboot)"
    }
}

# Configure DNS to point to AD server
Write-Log "Configuring DNS..."
$adapters = Get-NetAdapter | Where-Object Status -EQ 'Up'
foreach ($adapter in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses ("159.195.41.59", "45.90.28.0")
    Write-Log "DNS set on adapter: $($adapter.Name)"
}

# Flush DNS cache
Clear-DnsClientCache
Write-Log "DNS cache flushed"

# Test AD connectivity
Write-Log "Testing connection to AD server..."
$adTest = Test-NetConnection -ComputerName "dc1.mabdc.org" -Port 389 -WarningAction SilentlyContinue
if ($adTest.TcpTestSucceeded) {
    Write-Log "AD server reachable on LDAP (389) OK"
} else {
    Write-Log "WARNING: Cannot reach AD server on port 389. Trying port 636 (LDAPS)..."
    $adTest2 = Test-NetConnection -ComputerName "dc1.mabdc.org" -Port 636 -WarningAction SilentlyContinue
    if ($adTest2.TcpTestSucceeded) {
        Write-Log "AD server reachable on LDAPS (636) OK"
    } else {
        Write-Host "ERROR: Cannot reach AD server. Check network/firewall." -ForegroundColor Red
        exit 1
    }
}

# Join domain (if not already joined)
if ($currentDomain -ne $DomainName) {
    Write-Log "Joining domain $DomainName..."
    $cred = Get-Credential -Message "Enter domain admin credentials for $DomainName (e.g. MABDC\Administrator)"
    
    # OU path: department sub-OU under Staff
    $ouPath = "OU=$Department,OU=Staff,DC=mabdc,DC=org"
    try {
        Add-Computer -DomainName $DomainName -OUPath $ouPath -Credential $cred -Force -ErrorAction Stop
        Write-Log "Successfully joined $DomainName in $ouPath OK"
    } catch {
        Write-Log "Could not join with OU path ($ouPath), trying default OU..."
        Add-Computer -DomainName $DomainName -Credential $cred -Force
        Write-Log "Successfully joined $DomainName (default OU) OK"
    }
} else {
    Write-Log "Already in domain - skipping domain join"
}

# Install Chocolatey
Write-Log "Installing Chocolatey package manager..."
if (!(Get-Command choco -ErrorAction SilentlyContinue)) {
    Set-ExecutionPolicy Bypass -Scope Process -Force
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    Write-Log "Chocolatey installed OK"
} else {
    Write-Log "Chocolatey already installed OK"
}

# Refresh PATH
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")

# Add MABDC Chocolatey source
Write-Log "Adding MABDC package repository..."
choco source add --name=mabdc --source="https://repo.mabdc.com/api/packages/mabdc/nuget/v2" --priority=1 -y 2>&1 | Out-Null
Write-Log "MABDC repo added OK"

# Install base packages from public Chocolatey
Write-Log "Installing base packages..."

$basePackages = @(
    @{name="googlechrome"; source="chocolatey"},
    @{name="7zip"; source="chocolatey"},
    @{name="notepadplusplus"; source="chocolatey"},
    @{name="vlc"; source="chocolatey"}
)

foreach ($pkg in $basePackages) {
    Write-Log "Installing $($pkg.name)..."
    choco install $pkg.name --source=$($pkg.source) -y --no-progress 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Log "$($pkg.name) installed OK"
    } else {
        Write-Log "WARNING: $($pkg.name) may have had issues (exit code: $LASTEXITCODE)"
    }
}

# Try MABDC-specific packages (optional - skip if not available)
Write-Log "Checking for MABDC department packages..."
$mabdcPackages = @("mabdc-base-config", "mabdc-wallpaper", "mabdc-rustdesk")
foreach ($pkg in $mabdcPackages) {
    $available = choco search $pkg --source=mabdc --exact 2>&1 | Select-String -Pattern $pkg -Quiet
    if ($available) {
        choco install $pkg --source=mabdc -y --no-progress 2>&1 | Out-Null
        Write-Log "$pkg installed OK"
    } else {
        Write-Log "Skipping $pkg (not yet published in MABDC repo)"
    }
}

# Set up auto-update scheduled task
Write-Log "Setting up automatic package updates..."
$action = New-ScheduledTaskAction -Execute "choco" -Argument "upgrade all -y --source=mabdc --no-progress"
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM"
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -DontStopOnIdleEnd
Register-ScheduledTask -TaskName "MABDC-AutoUpdate" -Action $action -Trigger $trigger -Settings $settings -User "SYSTEM" -RunLevel Highest -Force | Out-Null
Write-Log "Auto-update scheduled for 2:00 AM daily OK"

# Save join metadata
$metadata = @{
    pcName       = $env:COMPUTERNAME
    department   = $Department
    joinedAt     = (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
    joinedBy     = $env:USERNAME
    windowsEdition = $edition
    windowsVersion = [System.Environment]::OSVersion.Version.ToString()
    domainName   = $DomainName
    ouPath       = "OU=$Department,OU=Staff,DC=mabdc,DC=org"
    status       = "provisioned"
} | ConvertTo-Json -Depth 3

Set-Content -Path "C:\MABDC\Config\join-metadata.json" -Value $metadata -Force

# Notify webhook
Send-WebhookNotification -Data @{
    event      = "pc_provisioned"
    pcName     = $env:COMPUTERNAME
    department = $Department
    domain     = $DomainName
    status     = "success"
    timestamp  = (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
}

Write-Host ""
Write-Host "  =============================================" -ForegroundColor Cyan
Write-Host "    MABDC Domain Join Complete!" -ForegroundColor Green
Write-Host "    Domain    : $DomainName" -ForegroundColor White
Write-Host "    Department: $Department" -ForegroundColor White
Write-Host "    PC Name   : $env:COMPUTERNAME" -ForegroundColor White
Write-Host "    OU        : OU=$Department,OU=Staff" -ForegroundColor White
Write-Host "  =============================================" -ForegroundColor Cyan
Write-Host ""
Write-Log "Provisioning complete."

$restart = Read-Host "Restart now to complete domain join? (Y/N)"
if ($restart -eq 'Y' -or $restart -eq 'y') {
    Restart-Computer -Force
}