198 lines
6.9 KiB
PowerShell
198 lines
6.9 KiB
PowerShell
#Requires -RunAsAdministrator
|
|
<#
|
|
.SYNOPSIS
|
|
MABDC Domain Join Script
|
|
.DESCRIPTION
|
|
Joins a Windows 11 Pro/Enterprise PC to the MABDC domain,
|
|
installs Chocolatey, adds the MABDC package feed, and
|
|
triggers auto-provisioning of all base packages.
|
|
.NOTES
|
|
Run as Administrator on a fresh Windows 11 Pro/Enterprise PC.
|
|
Requires internet access to dc1.mabdc.org and repo.mabdc.com.
|
|
#>
|
|
|
|
param(
|
|
[Parameter(Mandatory=$true)]
|
|
[string]$Department,
|
|
|
|
[Parameter(Mandatory=$false)]
|
|
[string]$PCName,
|
|
|
|
[Parameter(Mandatory=$false)]
|
|
[string]$AdminUser = "Administrator",
|
|
|
|
[Parameter(Mandatory=$false)]
|
|
[string]$DomainName = "mabdc.org"
|
|
)
|
|
|
|
$ErrorActionPreference = 'Stop'
|
|
$LogFile = "C:\MABDC\Logs\domain-join.log"
|
|
|
|
function Write-Log {
|
|
param([string]$Message)
|
|
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
|
|
$entry = "[$timestamp] $Message"
|
|
Write-Host $entry -ForegroundColor Green
|
|
Add-Content -Path $LogFile -Value $entry -ErrorAction SilentlyContinue
|
|
}
|
|
|
|
# Pre-flight checks
|
|
Write-Log "=== MABDC Domain Join Script v1.0 ==="
|
|
Write-Log "Starting pre-flight checks..."
|
|
|
|
# Check Windows edition
|
|
$edition = (Get-WindowsEdition -Online).Edition
|
|
if ($edition -match "Home|Core") {
|
|
Write-Host "ERROR: Windows 11 Home cannot join a domain. You need Pro or Enterprise." -ForegroundColor Red
|
|
exit 1
|
|
}
|
|
Write-Log "Windows Edition: $edition ✓"
|
|
|
|
# Check if already domain-joined
|
|
$currentDomain = (Get-WmiObject Win32_ComputerSystem).Domain
|
|
if ($currentDomain -eq $DomainName) {
|
|
Write-Log "PC is already joined to $DomainName. Skipping domain join."
|
|
} else {
|
|
Write-Log "Current domain: $currentDomain (will join $DomainName)"
|
|
}
|
|
|
|
# Create MABDC directories
|
|
$dirs = @("C:\MABDC", "C:\MABDC\Config", "C:\MABDC\Logs", "C:\MABDC\Wallpapers", "C:\MABDC\Scripts", "C:\MABDC\Certs")
|
|
foreach ($dir in $dirs) {
|
|
if (!(Test-Path $dir)) {
|
|
New-Item -ItemType Directory -Path $dir -Force | Out-Null
|
|
Write-Log "Created $dir"
|
|
}
|
|
}
|
|
|
|
# Set PC name if provided
|
|
if ($PCName) {
|
|
$currentName = $env:COMPUTERNAME
|
|
if ($currentName -ne $PCName) {
|
|
Rename-Computer -NewName $PCName -Force
|
|
Write-Log "PC renamed to $PCName (reboot required)"
|
|
}
|
|
}
|
|
|
|
# Configure DNS to point to AD server
|
|
Write-Log "Configuring DNS..."
|
|
$adapters = Get-NetAdapter | Where-Object Status -EQ 'Up'
|
|
foreach ($adapter in $adapters) {
|
|
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses ("159.195.41.59", "45.90.28.0")
|
|
Write-Log "DNS set on adapter: $($adapter.Name)"
|
|
}
|
|
|
|
# Test AD connectivity
|
|
Write-Log "Testing connection to AD server..."
|
|
$adTest = Test-NetConnection -ComputerName "dc1.mabdc.org" -Port 389 -WarningAction SilentlyContinue
|
|
if ($adTest.TcpTestSucceeded) {
|
|
Write-Log "AD server reachable on LDAP (389) ✓"
|
|
} else {
|
|
Write-Log "WARNING: Cannot reach AD server on port 389. Trying port 636 (LDAPS)..."
|
|
$adTest2 = Test-NetConnection -ComputerName "dc1.mabdc.org" -Port 636 -WarningAction SilentlyContinue
|
|
if ($adTest2.TcpTestSucceeded) {
|
|
Write-Log "AD server reachable on LDAPS (636) ✓"
|
|
} else {
|
|
Write-Host "ERROR: Cannot reach AD server. Check network/firewall." -ForegroundColor Red
|
|
exit 1
|
|
}
|
|
}
|
|
|
|
# Join domain (if not already joined)
|
|
if ($currentDomain -ne $DomainName) {
|
|
Write-Log "Joining domain $DomainName..."
|
|
$cred = Get-Credential -Message "Enter domain admin credentials for $DomainName"
|
|
|
|
$ouPath = "OU=$Department,DC=mabdc,DC=org"
|
|
try {
|
|
Add-Computer -DomainName $DomainName -OUPath $ouPath -Credential $cred -Force
|
|
Write-Log "Successfully joined $DomainName in OU=$Department ✓"
|
|
} catch {
|
|
Write-Log "Trying without OU specification..."
|
|
Add-Computer -DomainName $DomainName -Credential $cred -Force
|
|
Write-Log "Successfully joined $DomainName (default OU) ✓"
|
|
}
|
|
}
|
|
|
|
# Install Chocolatey
|
|
Write-Log "Installing Chocolatey package manager..."
|
|
if (!(Get-Command choco -ErrorAction SilentlyContinue)) {
|
|
Set-ExecutionPolicy Bypass -Scope Process -Force
|
|
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
|
|
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
|
|
Write-Log "Chocolatey installed ✓"
|
|
} else {
|
|
Write-Log "Chocolatey already installed ✓"
|
|
}
|
|
|
|
# Refresh PATH
|
|
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
|
|
|
|
# Add MABDC Chocolatey source
|
|
Write-Log "Adding MABDC package repository..."
|
|
choco source add --name=mabdc --source="https://repo.mabdc.com/api/packages/mabdc/nuget/v2" --priority=1 -y
|
|
Write-Log "MABDC repo added ✓"
|
|
|
|
# Install base packages
|
|
Write-Log "Installing base packages (this may take several minutes)..."
|
|
|
|
$basePackages = @(
|
|
"mabdc-base-config",
|
|
"mabdc-debloat",
|
|
"mabdc-nextdns-config",
|
|
"mabdc-wallpaper",
|
|
"mabdc-chrome-enterprise",
|
|
"mabdc-rustdesk"
|
|
)
|
|
|
|
foreach ($pkg in $basePackages) {
|
|
Write-Log "Installing $pkg..."
|
|
choco install $pkg --source=mabdc -y --no-progress 2>&1 | Out-Null
|
|
if ($LASTEXITCODE -eq 0) {
|
|
Write-Log "$pkg installed ✓"
|
|
} else {
|
|
Write-Log "WARNING: $pkg may have had issues (exit code: $LASTEXITCODE)"
|
|
}
|
|
}
|
|
|
|
# Install department-specific packages
|
|
Write-Log "Installing department packages for: $Department"
|
|
$deptPackage = "dept-$($Department.ToLower())"
|
|
choco install $deptPackage --source=mabdc -y --no-progress 2>&1 | Out-Null
|
|
|
|
# Set up auto-update scheduled task
|
|
Write-Log "Setting up automatic package updates..."
|
|
$action = New-ScheduledTaskAction -Execute "choco" -Argument "upgrade all -y --source=mabdc --no-progress"
|
|
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM"
|
|
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -DontStopOnIdleEnd
|
|
Register-ScheduledTask -TaskName "MABDC-AutoUpdate" -Action $action -Trigger $trigger -Settings $settings -User "SYSTEM" -RunLevel Highest -Force | Out-Null
|
|
Write-Log "Auto-update scheduled for 2:00 AM daily ✓"
|
|
|
|
# Save join metadata
|
|
$metadata = @{
|
|
pcName = $env:COMPUTERNAME
|
|
department = $Department
|
|
joinedAt = (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
|
|
joinedBy = $env:USERNAME
|
|
windowsEdition = $edition
|
|
windowsVersion = [System.Environment]::OSVersion.Version.ToString()
|
|
domainName = $DomainName
|
|
packagesInstalled = $basePackages
|
|
} | ConvertTo-Json -Depth 3
|
|
Set-Content -Path "C:\MABDC\Config\join-metadata.json" -Value $metadata -Force
|
|
|
|
Write-Log ""
|
|
Write-Log "========================================="
|
|
Write-Log " MABDC Domain Join Complete! 🎉"
|
|
Write-Log " Domain: $DomainName"
|
|
Write-Log " Department: $Department"
|
|
Write-Log " PC Name: $env:COMPUTERNAME"
|
|
Write-Log "========================================="
|
|
Write-Log ""
|
|
Write-Log "A restart is required to complete the domain join."
|
|
|
|
$restart = Read-Host "Restart now? (Y/N)"
|
|
if ($restart -eq 'Y' -or $restart -eq 'y') {
|
|
Restart-Computer -Force
|
|
}
|