ADDomain create Tree in existing forest fails - Test-TargetResource: SysVol does not exist

[robertbeudeker]

Problem description

I'm using below config to create a Tree domain in an existing forest
Domain creation succeeds but after reboot the check is done to an invalid location of Sysvol

forest root domain name: ads.adlab.local
treedomain name: intranet.adlab.local

PowerShell DSC resource MSFT_ADDomain failed to execute Test-TargetResource
functionality with error message: System.InvalidOperationException: The expected SysVol Path
'C:\Windows\SYSVOL\sysvol\intranet.adlab.local.ads.adlab.local' does not exist. (ADD0011)

Verbose logs

VERBOSE: [2026-01-16 16:38:59Z] [VERBOSE] [SR04]: LCM:  [ End    Test     ]  [[ADDomain]ChildDomain]  in 0.5270 
seconds.
VERBOSE: [2026-01-16 16:38:59Z] [ERROR] PowerShell DSC resource MSFT_ADDomain  failed to execute Test-TargetResource 
functionality with error message: System.InvalidOperationException: The expected SysVol Path 
'C:\Windows\SYSVOL\sysvol\intranet.adlab.local.ads.adlab.local' does not exist. (ADD0011) 
VERBOSE: [2026-01-16 16:38:59Z] [VERBOSE] [SR04]:                            [] Consistency check completed.

DSC configuration

Configuration AddChildDomain {
param (
    [Parameter(Mandatory = $true)]
    [String]$dnsSuffix,

    [Parameter(Mandatory = $true)]
    [String]$netbiosName,

    [Parameter(Mandatory = $true)]
    [String]$netbiosNameParent,

    [Parameter(Mandatory = $true)]
    [ValidateNotNullorEmpty()]
    [System.Management.Automation.PSCredential]
    $Credential
)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ComputerManagementDsc -ModuleVersion "10.0.0"
    Import-DscResource -ModuleName ActiveDirectoryDsc -ModuleVersion "6.7.1"
    [System.Management.Automation.PSCredential]$ParentDomainCreds = New-Object System.Management.Automation.PSCredential ("$($Credential.UserName)@$netbiosNameParent.$dnsSuffix", $Credential.Password)

    Node localhost
    {
        LocalConfigurationManager
        {
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }

        WindowsFeature RSAT
        {
            Ensure = "Present"
            Name = "RSAT"
        }

        WindowsFeature ADDSInstall
        {
            Ensure = "Present"
            Name = "AD-Domain-Services"
        }

        ADDomain ChildDomain
        {
            DomainName                    = "$netbiosName.$dnsSuffix"
            DomainNetbiosName             = $netbiosName
            ParentDomainName              = "$netbiosNameParent.$dnsSuffix"
            Credential                    = $ParentDomainCreds
            SafeModeAdministratorPassword = $Credential
            DomainType                    = 'TreeDomain'
            DependsOn = "[WindowsFeature]ADDSInstall"
        }

        PendingReboot Reboot1 
        { 
            Name = "RebootServer" 
            DependsOn = "[ADDomain]ChildDomain"
        }
    }
}

Suggested solution

Test-TargetResource is somehow looking in the wrong place. seems to concatenate forest root fqdn to the domain fqdn
the correct location is C:\WINDOWS\SYSVOL\sysvol\#domain fqdn*

Operating system the target node is running

Windows server 2025

PowerShell version and build the target node is running

5

ActiveDirectoryDsc version

6.7.1

[robertbeudeker]

I think the problem is with the ResolveDomainFQDN function in MSFT_ADDomain. The function does not take into account the domain type. When $ParentDomainName is present. the domain fqdn of the forest root is appended. This should not be the case with DomainType: TreeDomain. The parentDomain parameters however is mandatory for the resource ADDomain, so the else case to set the domainname without appending the forest fqdn is never hit.

The function is:
function Resolve-DomainFQDN
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DomainName,

    [Parameter()]
    [System.String]
    $ParentDomainName
)

if ($ParentDomainName)
{
    $domainFQDN = '{0}.{1}' -f $DomainName, $ParentDomainName
}
else
{
    $domainFQDN = $DomainName
}

return $domainFQDN

}

I propose to change de function to include the DomainType and test it on the first case.
proposed function:
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DomainName,

    [Parameter()]
    [System.String]
    $ParentDomainName,

    [Parameter()]
    [ValidateSet('ChildDomain', 'TreeDomain')]
    [System.String]
    $DomainType

)

if ($ParentDomainName -and $DomainType -eq 'ChildDomain')
{
    $domainFQDN = '{0}.{1}' -f $DomainName, $ParentDomainName
}
else
{
    $domainFQDN = $DomainName
}

return $domainFQDN

}

[Borgquite]

Haven't got time to test myself but your solution looks good to me - feel free to raise a PR!

[Borgquite]

P.S. You should probably change the DomainType parameter description.

It currently implies that DomainType is only used when installing a new domain but if we need to use it in Get-TargetResource and required to check Sysvol, that's not true.