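#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Phase 2.1: DNS cleanup on CS-SERVER.
.DESCRIPTION
    Removes stale DNS records, fixes DomainDnsZones/ForestDnsZones, enables
    scavenging, and creates reverse lookup zones. Run on CS-SERVER via
    ScreenConnect.

    Every step is idempotent: records and zones are looked up before they are
    touched, so a re-run reports [SKIP] for work that is already done and
    [ERROR] (in red) only for a genuine failure such as an RPC or permission
    error. -WhatIf previews every change without applying it.
.EXAMPLE
    .\<this-script>.ps1 -WhatIf
    Shows the records and zones that would be removed/added, changes nothing.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

Import-Module DnsServer -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$Zone = "cascades.local"

# Address the DomainDnsZones/ForestDnsZones records are pointed at.
# NOTE(review): presumably CS-SERVER's own address - confirm before running.
$DcAddress = "192.168.2.254"

#######################################
# True when an A record Name -> IPv4 already exists in ZoneName.
# A missing name is reported as "does not exist", not as an error.
#######################################
function Test-ARecordExists {
    param([string]$ZoneName, [string]$Name, [string]$IPv4)
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType "A" -ErrorAction SilentlyContinue
    $match = $existing | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $IPv4 }
    return [bool]$match
}

#######################################
# Add a static A record unless an identical one is already present.
# Prints [SKIP] / [OK] / [ERROR]; honours -WhatIf.
#######################################
function Add-ARecordIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ZoneName, [string]$Name, [string]$IPv4)
    $label = "$Name -> $IPv4"
    if (Test-ARecordExists -ZoneName $ZoneName -Name $Name -IPv4 $IPv4) {
        Write-Host "  [SKIP] $label already exists" -ForegroundColor DarkGray
        return
    }
    if (-not $PSCmdlet.ShouldProcess("$ZoneName/$label", "Add A record")) { return }
    try {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $Name -IPv4Address $IPv4 -ErrorAction Stop
        Write-Host "  [OK] Added $label" -ForegroundColor Green
    } catch {
        # Any error here is real: the "already exists" case was handled above.
        Write-Host "  [ERROR] Failed to add ${label}: $_" -ForegroundColor Red
    }
}

#######################################
# Reverse-zone name for a /24 network: "a.b.c.0/24" -> "c.b.a.in-addr.arpa".
# Only /24 networks are used in this script; other prefix lengths are not handled.
#######################################
function Get-ReverseZoneName {
    param([string]$NetworkId)
    $octets = ($NetworkId -split '/')[0] -split '\.'
    return ('{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0])
}

Write-Host "=== Phase 2.1: DNS Cleanup ===" -ForegroundColor Cyan
Write-Host ""

# --- Remove stale A records ---
# NOTE(review): the "@" and DomainDnsZones/ForestDnsZones entries are the kind
# of records a DC registers dynamically; if a host at the old addresses is
# still running Netlogon/DNS registration they may come back - verify after a
# day or so.
Write-Host "--- Removing stale A records ---" -ForegroundColor Yellow
$staleRecords = @(
    @{ Name = "@";               IP = "192.168.0.5" }
    @{ Name = "@";               IP = "192.168.2.59" }
    @{ Name = "CRYSTAL-PC";      IP = "192.168.5.115" }
    @{ Name = "CS-QB";           IP = "192.168.5.29" }
    @{ Name = "DESKTOP-1ISF081"; IP = "192.168.5.30" }
    @{ Name = "DomainDnsZones";  IP = "192.168.0.5" }
    @{ Name = "DomainDnsZones";  IP = "192.168.2.59" }
    @{ Name = "ForestDnsZones";  IP = "192.168.0.5" }
    @{ Name = "ForestDnsZones";  IP = "192.168.2.59" }
)

foreach ($rec in $staleRecords) {
    $label = "$($rec.Name) -> $($rec.IP)"
    if (-not (Test-ARecordExists -ZoneName $Zone -Name $rec.Name -IPv4 $rec.IP)) {
        Write-Host "  [SKIP] $label not found or already removed" -ForegroundColor DarkGray
        continue
    }
    if (-not $PSCmdlet.ShouldProcess("$Zone/$label", "Remove A record")) { continue }
    try {
        Remove-DnsServerResourceRecord -ZoneName $Zone -RRType "A" -Name $rec.Name -RecordData $rec.IP -Force -ErrorAction Stop
        Write-Host "  [OK] Removed $label" -ForegroundColor Green
    } catch {
        # The record was present a moment ago, so this is a real failure
        # (permissions, RPC, replication), not a "not found".
        Write-Host "  [ERROR] Failed to remove ${label}: $_" -ForegroundColor Red
    }
}

# --- Fix DomainDnsZones/ForestDnsZones ---
Write-Host "`n--- Fixing DomainDnsZones/ForestDnsZones ---" -ForegroundColor Yellow
Add-ARecordIfMissing -ZoneName $Zone -Name "DomainDnsZones" -IPv4 $DcAddress
Add-ARecordIfMissing -ZoneName $Zone -Name "ForestDnsZones" -IPv4 $DcAddress

# --- Enable scavenging ---
# Scavenging deletes dynamically registered records whose timestamp has not
# been refreshed within the zone's no-refresh + refresh window; the static
# records added above carry no timestamp and are not affected.
Write-Host "`n--- Enabling DNS Scavenging ---" -ForegroundColor Yellow
if ($PSCmdlet.ShouldProcess("DNS server", "Enable scavenging (7-day interval)")) {
    try {
        Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ErrorAction Stop
        Write-Host "  [OK] Server-level scavenging enabled (7-day interval)" -ForegroundColor Green
    } catch {
        Write-Host "  [ERROR] Failed to enable scavenging: $_" -ForegroundColor Red
    }
}
if ($PSCmdlet.ShouldProcess($Zone, "Enable zone aging")) {
    try {
        Set-DnsServerZoneAging -Name $Zone -Aging $true -ErrorAction Stop
        Write-Host "  [OK] Zone aging enabled on $Zone" -ForegroundColor Green
    } catch {
        Write-Host "  [ERROR] Failed to enable zone aging: $_" -ForegroundColor Red
    }
}

# --- Create reverse lookup zones ---
Write-Host "`n--- Creating Reverse Lookup Zones ---" -ForegroundColor Yellow
$reverseSubnets = @(
    # 192.168.0.0/22 covers 192.168.0.x through 192.168.3.x. in-addr.arpa
    # zones are octet-aligned, so a /22 needs one /24 reverse zone per subnet.
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
    # INTERNAL VLAN
    "10.0.20.0/24"
)

foreach ($subnet in $reverseSubnets) {
    $reverseName = Get-ReverseZoneName -NetworkId $subnet
    if (Get-DnsServerZone -Name $reverseName -ErrorAction SilentlyContinue) {
        Write-Host "  [SKIP] Reverse zone for $subnet ($reverseName) already exists" -ForegroundColor DarkGray
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($reverseName, "Create AD-integrated reverse zone")) { continue }
    try {
        # Secure dynamic updates only: clients must authenticate to register PTRs.
        Add-DnsServerPrimaryZone -NetworkId $subnet -ReplicationScope "Domain" -DynamicUpdate "Secure" -ErrorAction Stop
        Write-Host "  [OK] Created reverse zone for $subnet" -ForegroundColor Green
    } catch {
        Write-Host "  [ERROR] Failed to create reverse zone for ${subnet}: $_" -ForegroundColor Red
    }
}

# --- Verify ---
Write-Host "`n--- Verification ---" -ForegroundColor Yellow
Write-Host "`nCurrent A records for zone root:" -ForegroundColor Cyan
Get-DnsServerResourceRecord -ZoneName $Zone -Name "@" -RRType "A" | Format-Table -AutoSize
Write-Host "DomainDnsZones records:" -ForegroundColor Cyan
Get-DnsServerResourceRecord -ZoneName $Zone -Name "DomainDnsZones" -RRType "A" | Format-Table -AutoSize
Write-Host "ForestDnsZones records:" -ForegroundColor Cyan
Get-DnsServerResourceRecord -ZoneName $Zone -Name "ForestDnsZones" -RRType "A" | Format-Table -AutoSize
Write-Host "Reverse lookup zones:" -ForegroundColor Cyan
Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone } | Format-Table ZoneName, ZoneType, DynamicUpdate -AutoSize

Write-Host "`n=== DNS Cleanup Complete ===" -ForegroundColor Cyan
Write-Host "Next: Run phase2-ad-setup.ps1" -ForegroundColor Green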