sync: auto-sync from HOWARD-HOME at 2026-06-24 17:37:00

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-24 17:37:00
2026-06-24 17:37:35 -07:00
parent 9d68db953f
commit 2a1a275511
9 changed files with 930 additions and 17 deletions

View File

@@ -112,13 +112,31 @@ Notable: three `98:17:3c:*` devices clustered on one AP at strong signal (-39/-4
| Laptop3 | c0:35:32:66:46:af | 192.168.2.156 | caregiver |
| Laptop4 | 70:08:94:90:26:85 | 169.254.1.9 | caregiver (APIPA — DHCP issue, check) |
### Printers (11) — we reconfigure to the staff/internal network
Canon: `canona93684` (9c:50:d1, .2.67), `canoncbdf73-2` (10:98:c3, .3.232), `canonfb04b5`
(80:a5:89, .3.227), `Canonf46423` (20:0b:74, .3.52).
Brother: `brwc8a3e8dc60fd` (.3.10, 5 GHz), `BRW2C9C5828EC9E` (.3.44), `BRWC8A3E8A2DD9E` (.2.53),
`brw283a4d1ad571` (.2.75), `brw5cea1d4e96af` (.2.145), `brw90324b15f558` (.3.88).
Epson: `EPSON822B7A` (dc:cd:2f, .2.147).
(10 of 11 are on 2.4 GHz — these drop on a 5 GHz-only flip; relocate first.)
### Printers (11) — relocate to CSCNet (keeps 2.4 GHz). 2.4-only band assessment
CSC ENT is going 5 GHz-only, so every printer here moves to **CSCNet** (which retains 2.4+5) — the
2.4-only ones *require* it. **Operationally the action is identical for all 11** (all -> CSCNet);
the model lookup below only labels which physically cannot do 5 GHz.
| Hostname | MAC | IP | Brand | Now on | Band capability | Model |
|---|---|---|---|---|---|---|
| brwc8a3e8dc60fd | c8:a3:e8:dc:60:fd | 192.168.3.10 | Brother | **5 GHz** | **DUAL-BAND (confirmed — it's on 5 GHz)** | TBD |
| BRW2C9C5828EC9E | 2c:9c:58:28:ec:9e | 192.168.3.44 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
| BRWC8A3E8A2DD9E | c8:a3:e8:a2:dd:9e | 192.168.2.53 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
| brw283a4d1ad571 | 28:3a:4d:1a:d5:71 | 192.168.2.75 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
| brw5cea1d4e96af | 5c:ea:1d:4e:96:af | 192.168.2.145 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
| brw90324b15f558 | 90:32:4b:15:f5:58 | 192.168.3.88 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
| canona93684 | 9c:50:d1:aa:f8:9a | 192.168.2.67 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
| canoncbdf73-2 | 10:98:c3:da:33:80 | 192.168.3.232 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
| canonfb04b5 | 80:a5:89:f6:71:9b | 192.168.3.227 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
| Canonf46423 | 20:0b:74:b2:29:08 | 192.168.3.52 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
| EPSON822B7A | dc:cd:2f:82:2b:7a | 192.168.2.147 | Epson | 2.4 | likely 2.4-only (WorkForce-class) | TBD |
**Status:** 1 confirmed dual-band (it's literally on 5 GHz); 10 on 2.4, brand patterns suggest
2.4-only, but **models not yet confirmed** — the authoritative probe (CS-SERVER `Get-Printer`
DriverName + per-IP HTTP/SNMP) was **blocked 2026-06-24** by loss of the Howard-Home -> 172.16.3.x
network path (RMM/UOS/coord all unreachable). Re-run when connectivity returns to fill `Model` +
confirm 2.4-only. Bottom line unaffected: all 11 -> CSCNet.
---
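Review bot: this hunk leaves two `### Printers (11)` headings with conflicting instructions: the first says "we reconfigure to the staff/internal network", the second says "relocate to CSCNet (keeps 2.4 GHz)". If the first block is superseded, remove it so the execution doc has a single target; if both stay, a reader following the first heading will put the 2.4-only printers on a network that is losing 2.4. In the band table, ten of eleven rows are "likely 2.4-only" with `Model` still TBD and the status paragraph says the authoritative probe was blocked, so the table is unverified input to the coverage gate, not a finished inventory; the sentence "Operationally the action is identical for all 11" is the right safeguard, and it should be restated in the execution sequence as a pre-flip check (no printer still associated to CSC ENT) rather than a rule that filters on band, so the confirmed dual-band `brwc8a3e8dc60fd` on 5 GHz is not left behind.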

View File

@@ -40,10 +40,18 @@ WiFi5 and is the correct network for them to use."*). This plan formalizes and e
- **Helpany is WPA2-only** — explicitly **NOT** WPA3 or hybrid WPA2/WPA3 (*"we don't support
hybrid, only WPA2"*). The device SSID must stay WPA2-PSK.
- **5 GHz has shorter range** than 2.4 GHz. Both vendors warn: a device with weak 5 GHz signal
will fall back to 2.4 GHz or be orphaned. **Per-room 5 GHz coverage must be verified before
transitioning** (Cascades is 6 floors with steel hallway walls). Leave any weak-signal device
on 2.4 rather than force it.
- **Neither vendor can pin a device to 5 GHz from their side** (confirmed: Poly/Vertical AND
Helpany support, 2026-06-24). The handsets/Pauls choose the band themselves, and band steering
doesn't hold them. **Therefore a 5 GHz-only SSID (2.4 disabled) is the ONLY mechanism** — you
remove 2.4 as an option so the device has nowhere else to associate. This is the whole basis of
the plan.
- **Consequence — 5 GHz coverage is now a HARD GATE, with no safety net.** On a 5 GHz-only SSID
there is **no 2.4 fallback**: a Paul/phone in a weak-5 GHz spot will simply **fail to connect**
(not drop to 2.4). 5 GHz has shorter range and Cascades has steel walls. So per-room 5 GHz
coverage must be **verified and remediated** (AP placement/power/channel) BEFORE cutover — you
cannot "leave a weak device on 2.4," because 2.4 won't exist on this SSID. The 42 Pauls already
holding 5 GHz prove coverage in those spots; the **26 Pauls currently on 2.4** (+ any 2.4 phones)
are the risk set to survey first.
- **Reprogramming is painful on Helpany's side** — they can't reach offline devices, and key
rotations need **72 h notice + the new key**. The SSID/password must be right and stable.
- **Helpany bandwidth is negligible:** < 0.04 Mbps per Paul device; whole fleet ~0.38 Mbps low /
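Review bot: the bullets "5 GHz has shorter range" and "Consequence — 5 GHz coverage is now a HARD GATE" state the same constraint, and the first still advises "Leave any weak-signal device on 2.4 rather than force it", which the second explicitly says is impossible on a 5 GHz-only SSID; keep the second and fold the range and steel-wall facts into it. While reworking it, define "weak 5 GHz signal" numerically (a minimum RSSI the survey must meet per room) so the onsite gate later in the plan has a pass/fail criterion instead of a judgement call. The "Helpany is WPA2-only" bullet should also name its compensating control: since the SSID must stay WPA2-PSK with a key the vendor holds, the dedicated VLAN and the egress rules mirrored from VLAN 30 are what bound the exposure of that shared key, and the bullet should point at them.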
@@ -107,17 +115,28 @@ are the visible-impact set — they need a relocation/reconnection plan before t
## Execution sequence
0. **Evacuate the ~79 non-Helpany clients off CSC ENT** to their correct networks (staff -> CSCNet/
INTERNAL via domain migration; printers -> internal; resident TVs/IoT/phones -> CSCNet resident
PPSK or a dedicated resident SSID). Complete the registry with `stat/alluser` first so offline
resident TVs aren't missed. **This is the gating sub-project** — see the inventory doc.
0. **Remove the ~79 non-Helpany clients from CSC ENT onto EXISTING networks — we do NOT build new
VLANs for them** (scope decision, Howard 2026-06-24): staff PCs -> CSCNet/INTERNAL (domain
migration); resident TVs/IoT/phones -> CSCNet (resident PPSK / per-room). Only the **phones and
Helpany** get dedicated VLANs (30 / 40); internal + resident devices are simply relocated, not
segmented.
- **2.4-only devices must land on a 2.4-capable SSID (CSCNet), because CSC ENT is losing 2.4.**
~10 of the 11 wireless printers are on 2.4 today and several are likely 2.4-only hardware
(SOHO Brother/Canon) — move those to CSCNet (which keeps 2.4+5). Verify model if unsure;
default 2.4 printers to CSCNet.
- Complete the registry with `stat/alluser` first so offline resident TVs aren't missed. **This
is the gating sub-project** — see the inventory doc.
1. **Build VLAN 40** on pfSense (igc1.40, DHCP scope, DNS) + firewall egress rules above; mirror
VLAN 30 isolation.
2. **Enable PPSK on CSC ENT**; add keys: `Ftfd85710#` -> VLAN 40, new voice key -> VLAN 30.
3. **[ONSITE GATE] Verify 5 GHz coverage** in the rooms where Pauls + phones live (per-floor,
account for steel walls). Use `unifi-wifi` skill (`live-stats.sh --clients`, `watch-ap.sh`).
4. **Flip CSC ENT to 5 GHz-only** (`apply-wlan.sh <site> bands 5g --wlan <CSC ENT>`), coordinated
with both vendors during a change window.
4. **Disable 2.4 GHz on CSC ENT (-> 5 GHz-only)** (`apply-wlan.sh <site> bands 5g --wlan <CSC ENT>`),
coordinated with both vendors during a change window. **ORDER MATTERS:** 26 of the 68 Pauls (and
any 2.4 phones) are on 2.4 today; once 2.4 is off CSC ENT there is **no 2.4 fallback** — a Paul
with weak 5 GHz signal goes OFFLINE. So Helpany must verify 5 GHz coverage + move those 26 to
5 GHz FIRST; only then disable 2.4. Likewise confirm no 2.4-only device (printer/IoT) is still on
CSC ENT before flipping.
5. **Vendors transition their devices:**
- **Helpany** remotely moves the Pauls to 5 GHz (we hand them: SSID `CSC ENT`, key
`Ftfd85710#` — unchanged; they confirm strong 2.4 signal per-device first).
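Review bot: the sequence has duplicate step numbers: two `0.` entries ("Evacuate the ~79 non-Helpany clients" and "Remove the ~79 non-Helpany clients ... onto EXISTING networks") and two `4.` entries (both flip CSC ENT to 5 GHz-only with the same `apply-wlan.sh <site> bands 5g --wlan <CSC ENT>` command); the second of each pair reads as the revision meant to replace the first, so delete the superseded ones or an operator cannot tell which step 4 carries the ORDER MATTERS caveat. In step 5 the Helpany bullet says "they confirm strong 2.4 signal per-device first", but the move is to 5 GHz and step 4 says 2.4 will no longer exist on the SSID, so this should read 5 GHz. Finally, the PPSK `Ftfd85710#` is written in plaintext twice in a document that is auto-synced between machines; reference the vault entry instead, as the repo already does for the Windows MAK, especially since the key is shared with a vendor and a rotation costs 72 h notice.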

View File

@@ -118,6 +118,42 @@ For each area, fill the four input fields: **Responsible person**, **Estimated/a
---
## Part 6 — Cost estimates (verified via live web lookup 2026-06-24)
> Per ACG policy these are verified against current vendor/retail pricing, not estimated from
> memory. Sources cited below the table. "ACG labor" draws the prepaid block (48.25 hrs @ $175/hr)
> unless quoted as a separate project.
| Item | Area | Qty | Cost (verified) | Notes |
|---|---|---|---|---|
| R610 redundant power supply (refurb, RN442 717W) | Hardware / DR | 1 | **~$99 one-time** | Restores lost PSU redundancy; cheap, do soon |
| Enterprise SSD 480 GB (Samsung PM893) | Hardware | 2 | **~$320350 (already purchased)** | Sunk cost; planned install on a maintenance window |
| **M365 Business Premium relicense (31 users)** | Software | 31 | **likely $0 new spend** | Our records show 31 Premium seats already owned + free; reassign the 31 suspended-Standard users to them and drop Standard. If those seats are NOT a paid subscription: $22/user/mo = **$682/mo (~$8,184/yr)**. **Verify subscription status.** |
| Windows Home → Pro upgrade | Software | 5 | **~$495** (~$99/device; ACG to source via CSP, may be lower) | Howard handling keys |
| Replacement workstations (OptiPlex i5 / 16 GB / 512 NVMe, Win 11 Pro) | Hardware | 2 | **~$1,4001,900** (~$700950 ea) | Lupe Sanchez EOL + spare for new hire (#32194) |
| Break-glass FIDO2 YubiKeys (5-series) | Confidentiality | 2 | **~$110** (already ordered per records) | Approximate |
| Azure audit-log retention (Log Analytics 90 d + 6 yr archive) | Security | — | **~$50120/mo** consumption (log-volume dependent) + one-time ACG build | Firm up after measuring actual audit-log volume |
| Managed antivirus, all devices incl. server | Virus protection | — | **Included in existing ACG Bitdefender managed security** + ACG labor to enroll server / remove legacy Datto agents | **Client (Mike) is deploying AV** |
| DR written plan + system-image confirm + restore test | DR | — | **ACG labor (prepaid block)** | Restore test **deferred** per client (revisit after AV + basic items) |
| Security risk assessment (dated package) + file-share audit logging | Security | — | **ACG labor (prepaid block); no license cost** | |
| **Long-term server replacement (PowerEdge T360-class)** | Hardware / DR | 1 | **~$4,0007,000 configured (formal quote required)** | Depends on spec + Windows Server licensing + CALs; separate project |
**One-time hardware/licensing subtotal (excludes the optional server replacement):**
~$2,3002,950, of which ~$320350 (the SSDs) is already spent. Plus ~$50120/mo Azure. The
server replacement is a separate ~$47k project to quote when you're ready.
**Pricing sources (2026-06-24):**
[M365 Business Premium $22/user/mo](https://www.microsoft.com/en-us/microsoft-365/business/microsoft-365-plans-and-pricing) ·
[M365 July 2026 price changes (Premium unchanged)](https://www.stmicro.net/blog/microsoft-365-price-increase-2026/) ·
[Samsung PM893 480 GB ~$160175](https://www.marigoldsystems.com/products/b-samsung-pm893-480gb-enterprise-sata-ssd-1dwpd-b) ·
[Windows 11 Home→Pro upgrade ~$99](https://learn.microsoft.com/en-us/answers/questions/3923910/how-much-does-it-cost-to-upgrade-to-windows-11-pro) ·
[Azure Log Analytics $2.30/GB ingest, ~$0.10/GB/mo retention, ~$0.02/GB/mo archive](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs) ·
[Dell R610 717W redundant PSU refurb ~$99](https://store.flagshiptech.com/dell-poweredge-r610-redundant-power-supply-717w-rn442/) ·
[Dell PowerEdge T360 tower (from ~$1,900 base)](https://www.dell.com/en-us/shop/servers-storage-and-networking/poweredge-t360/spd/poweredge-t360/pe_t360_tm_vi_vp_sb) ·
[Dell OptiPlex business desktop i5/16 GB](https://www.dell.com/en-us/shop/desktop-computers/optiplex-tower/spd/optiplex-7020t-desktop)
---
## What we do once you return this
1. Build the final **CARF Technology and System Plan** (Cascades-branded, ACG as preparer) in CARF
action-document format, complete with your owners/costs/dates.
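Review bot: several ranges in the table and subtotal have lost their separator and now read as single numbers: `$320350`, `$1,4001,900`, `$700950`, `$50120/mo`, `$4,0007,000`, `$2,3002,950`, `$160175` in the sources, and `~$47k` in the subtotal, which against the table's "$4,000–7,000" row means $4–7k, not $47k; reinsert the dashes before this goes to the client as a cost sheet. The M365 row assumes "31 Premium seats already owned" and "likely $0 new spend", but the session update in this same commit reports 34 SPB seats with 28 free against 31 Standard users, a 3-seat shortfall; update the row or mark it superseded so the two documents do not disagree on the one item already flagged "Verify subscription status".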

View File

@@ -295,3 +295,52 @@ before the 5×$99 Cascades invoice.
- Vault: `infrastructure/windows-pro-mak` (credentials.product_key), `clients/cascades-tucson/meredith-kuhn`.
- Generic Pro key VK7JG-NPHTM-C97JM-9MPGT-3V66T (edition flip); MAK in vault (activation).
- Cron job ad0a56a9 @ 18:00 2026-06-24.
---
## Update: 17:36 PT — M365 relicense assessment (Workstream 4): seat shortfall + cleanup opportunity
### Session Summary (continued)
Started the plan's Workstream 4 (M365 relicense) remotely. Pulled the LIVE license state via the
remediation-tool (investigator/Graph token, tenant 207fa277-e9d8-4eb7-ada1-1064d2221498) before
touching anything. The plan's "relicense 31 Standard->Premium" is **blocked by a 3-seat shortfall**
and surfaced a licensing-cleanup opportunity.
**Live SKU state:** SPB (Business Premium) Enabled 34 seats, 6 consumed -> **28 free**.
O365_BUSINESS_PREMIUM (the legacy-named "Business Standard") **SUSPENDED**, **31 users still
assigned**. Also EXCHANGE_S_ESSENTIALS SUSPENDED with 5 users (separate cleanup). AAD_PREMIUM_P2
suspended (1).
**Per-user overlap (decisive):** all **31** Standard users, and **0 of them already hold SPB** -> all
31 need a NEW SPB seat. 31 needed vs 28 free = **3 short** for a straight 1:1 migration.
**Cleanup opportunity:** ~8 of the 31 are shared/role accounts (accounting@, accountingassistant@,
frontdesk@, hr@, security@, memcarereceptionist@, boadmin@, Training@, dax.howard@?) that likely
should be UNLICENSED shared mailboxes, not $22/mo Premium users. The 22 clearly-real people fit in
the 28 free seats with room to spare -> converting the true shared mailboxes to unlicensed both
removes the shortfall AND drops ~8 paid licenses. Caveat: any "shared" account that is actually an
interactive login (e.g. frontdesk@ / memcarereceptionist@ signing into shared reception PCs) must
keep a license (shared mailboxes can't sign in). Presented both paths to Howard; **awaiting his
decision** on which flagged accounts are shared mailboxes vs login accounts (path 1, recommended) vs
buy 3 more SPB seats (path 2). Nothing changed — assessment only.
### Key Decisions (continued)
- Did NOT bulk-assign SPB — live data showed a 3-seat shortfall the wiki/plan didn't capture; a blind
"assign 28, strand 3" would be wrong. Surfaced the shared-mailbox cleanup as the better fix.
### Configuration Changes (continued)
- No changes this segment (read-only M365 license assessment).
### Pending / Incomplete Tasks (continued)
- **M365 relicense (Workstream 4) — BLOCKED on Howard's decision:** path 1 (unlicense the true shared
mailboxes among accounting@/accountingassistant@/frontdesk@/hr@/security@/memcarereceptionist@/
boadmin@/Training@/dax.howard@, then assign SPB to the 22 real people — fits 28 free) vs path 2
(buy 3 more SPB, migrate all 31 as-is). Then execute via user-manager tier.
- **5 users on suspended EXCHANGE_S_ESSENTIALS** — assess/clean up next.
- 6PM cron ad0a56a9 (Home->Pro) still pending its fire.
### Reference Information (continued)
- SKU IDs: SPB cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46; O365_BUSINESS_PREMIUM (Standard, suspended) f245ecc8-75af-4f8e-b61f-27d8114de5f3; EXCHANGE_S_ESSENTIALS e8f81a67-bd96-4074-b108-cf193eb9433b.
- 22 real people on Standard needing SPB: Allison Reibschied, Shelby Trozzi, Alyssa Brooks, Ashley Jensen, Christina DuPras, Christine Nyanzunda, Crystal Rodriguez, JD Martin, Jodi Ramstack, John Trozzi, Karen Rossini, Lauren Hasselman, Lois Lane, Lupe Sanchez, Matthew Brooks, Megan Hiatt, Meredith Kuhn, Ramon Castaneda, Sharon Edwards, Susan Hicks, Tamra Matthews, Veronica Feller.
- Tenant 207fa277-e9d8-4eb7-ada1-1064d2221498 (cascadestucson.com).
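Review bot: the path-1 decision (which of the ~8 flagged accounts are shared mailboxes versus interactive logins) can be settled with data rather than left waiting on a judgement call: the assessment already runs with a Graph token, so record the last interactive sign-in for accounting@, frontdesk@, memcarereceptionist@ and the rest next to each account, and the caveat that an account used to sign into shared reception PCs must keep its license becomes a checkable fact before anything is unlicensed. Two smaller points: `dax.howard@?` is still a question mark in both the summary and the pending list, so resolve it or mark it explicitly as unclassified; and the tenant ID is repeated in the session summary and the reference section, so keep it in one place.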