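# Promotes this server to the first domain controller of a new AD DS forest.
# Flow: verify elevation -> generate a DSRM password -> skip if NTDS already
# exists -> install the AD DS (and optionally DNS) roles -> run
# Install-ADDSForest -> reboot.

# Refuse to continue unless the current token is in the local Administrators role.
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Exécutez ce script en tant qu'administrateur."
    exit 1
}

# Returns an 18-character random password containing at least 6
# non-alphanumeric characters.
# NOTE(review): System.Web.Security.Membership is a .NET Framework type, so this
# presumably requires Windows PowerShell 5.1 rather than PowerShell 7 - confirm
# on the target host.
function Get-RandomPassword {
    Add-Type -AssemblyName System.Web
    return ([System.Web.Security.Membership]::GeneratePassword(18, 6))
}

# --- Settings -----------------------------------------------------------------
$DomainName = 'entreprisexyz.local'
$InstallDns = $true
# With Force left at $false, Install-ADDSForest may ask for interactive confirmation.
$Force      = $false

# Directory Services Restore Mode (DSRM) password for the new domain controller.
# NOTE(review): the generated value is never displayed or stored, so nobody
# knows the DSRM password once the script ends. Before relying on this DC,
# either escrow the password in the organisation's secret store or reset it
# afterwards (ntdsutil "set dsrm password") and record it under access control.
# Do not "fix" this by echoing it to the console or a transcript.
$DsrmPassword = ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force

# --- Idempotence guard --------------------------------------------------------
# A present NTDS service is treated as "already a domain controller".
$NtdsService = Get-Service -Name ntds -ErrorAction SilentlyContinue
if ($NtdsService) {
    Write-Host "Ce serveur semble déjà être un contrôleur de domaine (service NTDS présent). Rien à faire." -ForegroundColor Yellow
    exit 0
}

# --- Role installation --------------------------------------------------------
$features = @('AD-Domain-Services')
if ($InstallDns) {
    $features += 'DNS'
}

Write-Host "Installation des rôles : $($features -join ', ')"
Install-WindowsFeature -Name $features -IncludeManagementTools -ErrorAction Stop | Out-Null
Write-Host "Rôles installés." -ForegroundColor Green

Import-Module ADDSDeployment -ErrorAction Stop

# --- Forest promotion ---------------------------------------------------------
# Fix: $Force and $InstallDns are plain Booleans, not [switch] parameters, so
# the previous '.IsPresent' lookups evaluated to $null and the intended values
# never reached Install-ADDSForest. Pass the Booleans directly.
$installParams = @{
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    DomainMode                    = "Win2025"
    ForestMode                    = "Win2025"
    LogPath                       = "C:\Windows\NTDS"
    # Reboot is triggered explicitly below, after the success message.
    NoRebootOnCompletion          = $true
    SysvolPath                    = "C:\Windows\SYSVOL"
    Force                         = $Force
    SafeModeAdministratorPassword = $DsrmPassword
    DomainName                    = $DomainName
    InstallDns                    = $InstallDns
}

try {
    Write-Host "Promotion en contrôleur de domaine pour le domaine '$DomainName'..."
    Install-ADDSForest @installParams -ErrorAction Stop
    Write-Host "Promotion terminée. Le serveur va redémarrer pour finaliser l'installation." -ForegroundColor Green
    Restart-Computer -Force
}
catch {
    # Any terminating error from the promotion ends the script with a non-zero code.
    Write-Warning "Échec de l'opération : $_"
    exit 1
}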