ansible_samba_ad_dc/tasks/provision.yml

---
- name: check if domain already provisioned
  ansible.builtin.stat:
    path: /var/lib/samba/private/adsync.conf
  register: samba_provisioned

- name: Provision the Samba AD DC
  ansible.builtin.command: >
    samba-tool domain provision
    --use-rfc2307
    --realm={{ samba_domain_info.realm }}
    --domain={{ samba_domain_info.domain }}
    --server-role={{ samba_domain_info.server_role }}
    --dns-backend={{ samba_domain_info.dns_backend }}
    --adminpass={{ samba_domain_info.adminpass }}
    --option="interfaces={{ samba_domain_info.interfaces }}"
    --option="bind interfaces only={{ samba_domain_info.bind_interfaces_only }}"
  when: not samba_provisioned.stat.exists
  register: samba_provision_output
  changed_when: samba_provision_output.rc == 0
  no_log: true  # You may toggle this if password should be hidden