<#
.SYNOPSIS
    Auto-switch the global DNS suffix search order based on network location.

.DESCRIPTION
    Office LAN (physical NIC in 10.10.10.x / 10.10.40.x) -> intern.beletage.ro first.
    Home / remote / VPN-from-anywhere                    -> lan first.

    Rationale: LBOOK is domain-joined to intern.beletage.ro. When the AD suffix is
    searched first, every single-label home name (e.g. "home-ws") is first tried as
    .intern.beletage.ro, which the NRPT rule routes to the AD DNS 10.10.10.2. Off the
    office LAN that server is only reachable over VPN (and not at all when the VPN is
    down), so the query stalls on a timeout before falling back to .lan. Putting "lan"
    first makes home names resolve locally (~3 ms); work names still resolve via the
    NRPT rule after a fast local .lan NXDOMAIN.

    The Sophos TAP adapter is excluded from detection so that starting the VPN from
    home (which may assign a 10.10.x address on the tunnel) does not flip us to the
    "office" ordering.

    Installed as a SYSTEM scheduled task (see install-dns-location-task.ps1), triggered
    on network-connect events and at logon. Idempotent: only writes when the order
    actually needs to change.
#>

$ErrorActionPreference = 'Stop'

$log = 'C:\ProgramData\Beletage\dns-location.log'
$dir = Split-Path $log
if (-not (Test-Path $dir)) {
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
}

# Append one timestamped line to the log file.
function Write-Log($msg) {
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $msg
    Add-Content -Path $log -Value $line -Encoding UTF8
}

try {
    # Location is inferred from the address prefix alone: any network that hands out
    # an address in these ranges on a non-VPN adapter is treated as the office.
    $officePrefixes = @('10.10.10.', '10.10.40.')

    # Indices of VPN/tunnel adapters to ignore (Sophos SSL VPN TAP).
    $vpnIdx = (Get-NetAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like '*Sophos*' }).ifIndex

    # IPv4 addresses on all remaining adapters, minus link-local (APIPA) and loopback.
    $ips = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.IPAddress -notlike '169.254.*' -and
            $_.IPAddress -ne '127.0.0.1' -and
            ($vpnIdx -notcontains $_.InterfaceIndex)
        }).IPAddress

    $atOffice = $false
    foreach ($ip in $ips) {
        foreach ($p in $officePrefixes) {
            if ($ip.StartsWith($p)) { $atOffice = $true }
        }
    }

    $desired = if ($atOffice) {
        @('intern.beletage.ro', 'lan')
    } else {
        @('lan', 'intern.beletage.ro')
    }

    $current = (Get-DnsClientGlobalSetting).SuffixSearchList

    # Compare as joined strings so that the order matters; write only on a difference.
    if (($current -join ',') -ne ($desired -join ',')) {
        Set-DnsClientGlobalSetting -SuffixSearchList $desired
        Clear-DnsClientCache
        Write-Log ('CHANGED ips=[{0}] office={1} [{2}] -> [{3}]' -f ($ips -join ' '), $atOffice, ($current -join ','), ($desired -join ','))
    } else {
        Write-Log ('OK ips=[{0}] office={1} already [{2}]' -f ($ips -join ' '), $atOffice, ($desired -join ','))
    }
} catch {
    Write-Log ('ERROR {0}' -f $_.Exception.Message)
}