wiki: compile valleywide (full) — SERVER3 retirement + G: migration to VWP-FILES + Orders source recovered
@@ -2,8 +2,8 @@
|
||||
type: client
|
||||
name: valleywide
|
||||
display_name: Valley Wide Plastering
|
||||
last_compiled: 2026-05-24
|
||||
compiled_by: DESKTOP-0O8A1RL/claude-main
|
||||
last_compiled: 2026-06-14
|
||||
compiled_by: GURU-5070/claude-main
|
||||
sources:
|
||||
- clients/valleywide/README.md
|
||||
- clients/valleywide/PROJECT_STATE.md
|
||||
@@ -18,26 +18,31 @@ sources:
|
||||
- clients/valleywide/app-modernization/source-analysis/D-drive-2026-05-16/SUMMARY.md
|
||||
- clients/valleywide/app-modernization/source-analysis/drive2-2026-05-16/SUMMARY.md
|
||||
- clients/valleywide/app-modernization/source-analysis/drive3-2026-05-16/SUMMARY.md
|
||||
backlinks: []
|
||||
- clients/valleywide/session-logs/2026-05-16-source-code-recovery-from-backup-drives.md
|
||||
- clients/valleywide/session-logs/2026-06/2026-06-13-mike-vwp-server3-migration-and-orders-source-recovery.md
|
||||
- clients/valleywide/session-logs/2026-06/2026-06-13-mike-vwp-gpo-disable.md
|
||||
- wiki/projects/valleywide-orders-modernization.md
|
||||
backlinks:
|
||||
- projects/valleywide-orders-modernization
|
||||
---
|
||||
|
||||
# Valley Wide Plastering
|
||||
|
||||
Plastering / stucco subcontractor based in Arizona. Active ACG client. Primary work has been incident response (RDWeb brute-force, power outage recovery) and an ongoing app modernization project for their custom VB6/Access construction ERP.
|
||||
Plastering / stucco subcontractor based in Arizona. Active ACG client. Primary work has been incident response (RDWeb brute-force, power outage recovery), infrastructure migration (G: file share off XenServer to new Hyper-V file server), and an ongoing app modernization project for their custom VB6/Access construction ERP.
|
||||
|
||||
---
|
||||
|
||||
## Profile
|
||||
|
||||
- **Company type:** Construction subcontractor (plastering / stucco)
|
||||
- **Domain / site identifier:** VWP (`vwp.local` internal AD domain, `vwp.us` registered external domain, `valleywideplastering.com` M365 domain)
|
||||
- **Domain / site identifier:** VWP (`VWP.US` AD domain — NetBIOS `VWP`; `valleywideplastering.com` M365 domain; `vwp.us` also registered external domain used for internal FQDNs)
|
||||
- **Contract type:** Prepaid hour block
|
||||
- **Hours remaining:** 10.0 hrs as of 2026-05-12 (after billing 1.5 hrs for HP server emergency). Always live-check Syncro before billing.
|
||||
- **Billing rate:** $150/hr remote labor (`product 1190473 — Labor - Remote Business`)
|
||||
- **Hours remaining:** 20.5 hrs as of 2026-06-14 (after billing 3.5 hrs for G: migration on #32418). Always live-check Syncro before billing.
|
||||
- **Managed assets (Syncro):** 28
|
||||
- **Billing rate:** $150/hr remote labor (product `1190473 — Labor - Remote Business`)
|
||||
- **Emergency surcharge pattern:** Bill as two line items — 1.0 hr normal + 0.5 hr surcharge. Use product 1190473 for both (NOT product 26184, which bakes in a 1.5x dollar rate that would double-charge prepaid block customers). Results in 1.5 hr block deduction = 150% charge.
|
||||
- **Key contact:** Shelly Dooley / Valley Wide P (Syncro customer display name)
|
||||
- **Key contact:** Shelly Dooley / Valley Wide P (Syncro display name)
|
||||
- **Syncro customer ID:** `31694734`
|
||||
- **Syncro ticket (2026-05-12 emergency):** #32269 (ID: `110159277`) — HP server powered off, ADSRVR unreachable. Invoiced; invoice #67594 (ID: `1650271395`). Ticket status: Invoiced.
|
||||
- **M365 tenant ID:** `5c53ae9f-7071-4248-b834-8685b646450f`
|
||||
- **M365 domain:** `valleywideplastering.com`
|
||||
|
||||
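Review bot: In the Profile list, the new `Hours remaining` entry goes from 10.0 hrs (2026-05-12) to 20.5 hrs (2026-06-14) while citing only a 3.5 hr deduction on #32418, so the balance cannot be reconciled from this entry. The Active Work table gives `prepay 24.0→20.5`; record the block top-up that brought the balance to 24.0 (date and ticket or invoice) next to this line.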
@@ -49,130 +54,79 @@ Plastering / stucco subcontractor based in Arizona. Active ACG client. Primary w
|
||||
|
||||
| Host | IP | Role | OS | Notes |
|
||||
|---|---|---|---|---|
|
||||
| HP ProLiant DL360 Gen10 (SN: MXQ80400X4) | (LAN — no static IP documented) | Hypervisor / VM host for ADSRVR | — | iLO at 172.16.9.125 (SSH port 22, legacy ssh-rsa key). Power outage 2026-04-22 caused NVRAM corruption + factory iLO reset. Was found powered-off 2026-05-12; powered on remotely via iLO. |
|
||||
| HP iLO | 172.16.9.125 | Out-of-band management for HP ProLiant | — | SSH port 22. **Requires legacy RSA algorithms** — modern OpenSSH rejects it. Use paramiko with `disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}`. Credentials in vault: `clients/valleywide/` |
|
||||
| VWP_ADSRVR | 192.168.0.25 | Domain Controller for `vwp.local` | Windows Server 2019 Standard (build 17763) | VM on HP ProLiant DL360 Gen10. SSH enabled, key auth working for `vwp\guru` (ed25519, added 2026-04-13). Default shell is cmd.exe — use `powershell -NoProfile -Command` wrappers. |
|
||||
| VWP-QBS | 172.16.9.169 | QuickBooks server + RDS/RemoteApp host | Windows Server 2022 Standard | **Physical Dell server** (NOT a VM). Has DRAC. Runs IIS (RD Web Access, RD Gateway). Reach from ADSRVR via `Invoke-Command -ComputerName VWP-QBS -Credential` with `vwp\sysadmin` PSCredential — no direct SSH; Kerberos does not forward over SSH double-hop. WinRM on 5985. |
|
||||
| Dell DRAC (VWP-QBS) | [undocumented] | Out-of-band management for VWP-QBS Dell | — | DRAC functional as of 2026-04-22; used to force manual boot after power outage. IP not yet documented. |
|
||||
| DC1 | 172.16.9.2 | Domain Controller | — | Confirmed up 2026-05-12. Separate from ADSRVR. |
|
||||
| XenServer (older Dell) | 192.168.0.104 | VM hypervisor — hosts BACKUP-SRV, Server 2012 R2, Server 2003 | XenServer | Older Dell hardware. Was offline after 2026-04-22 power outage; status resolved. Credentials: `root` / see vault. |
|
||||
| UDM (UniFi Dream Machine) | 172.16.9.1 | Perimeter firewall, OpenVPN server, DHCP, DNS, site router | UniFi OS | DNS override: `vwp-qbs.vwp.us` → 172.16.9.169 (static record in UDM dnsmasq). VPN pushes DNS=192.168.4.1 (UDM). WireGuard site-to-site peers present (wgsts1001, wgsts1003, wgsts1005 — likely UniFi SiteMagic). |
|
||||
| HP ProLiant DL360 Gen10 (SN: MXQ80400X4) | (LAN — no static IP documented) | Hypervisor / VM host for ADSRVR | — | iLO at 172.16.9.125. Power outage 2026-04-22 caused NVRAM corruption + factory iLO reset. Found powered-off 2026-05-12; powered on remotely via iLO. |
|
||||
| HP iLO | 172.16.9.125 | Out-of-band management for HP ProLiant | — | SSH port 22. **Requires legacy RSA algorithms** — modern OpenSSH rejects it. Use paramiko with `disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}`. Credentials: vault `clients/valleywide/`. |
|
||||
| VWP_ADSRVR | 192.168.0.25 | Domain Controller for `VWP.US` (secondary DC / SSH entry point) | Windows Server 2019 Standard (build 17763) | VM on HP ProLiant DL360 Gen10. SSH enabled, key auth working for `vwp\guru` (ed25519, added 2026-04-13). Default shell is cmd.exe — use `powershell -NoProfile -Command` wrappers. Old Net (VLAN 2). |
|
||||
| VWP-DC1 | 172.16.9.2 | PDC emulator for `VWP.US`, NPS/RADIUS | Windows Server 2019 | FQDN `VWP-DC1.VWP.US`. Confirmed up through all sessions. ADWS on this host not reachable over the SSH double-hop from ADSRVR (use LDAP cmdlets instead). |
|
||||
| VWP-QBS | 172.16.9.169 | QuickBooks server + RDS/RemoteApp host | Windows Server 2022 Standard | **Physical Dell server** (NOT a VM). Has DRAC. Runs IIS (RD Web Access). WinRM on 5985. Reach from ADSRVR via `Invoke-Command -ComputerName VWP-QBS -Credential` with `vwp\sysadmin` PSCredential. |
|
||||
| Dell DRAC (VWP-QBS) | [undocumented] | Out-of-band management for VWP-QBS Dell | — | DRAC functional as of 2026-04-22. IP not yet documented. Vault: `clients/valleywide/quickbooks-server-idrac`. |
|
||||
| VWP-HYPERV1 | 172.16.9.184 | Hyper-V host — primary VM host for new infrastructure | Windows Server 2025 | Dell R740, 112 vCPU / 255 GB RAM, C: 10.7 TB. One external vSwitch on Intel 10G NIC. VHDs in `C:\VHD`. GuruRMM agent `bdc3e142-...`. Added 2026-06-13. |
|
||||
| VWP-FILES | 172.16.9.132 (primary) + 192.168.0.20 (VLAN 2) | G: file share server (19 SMB shares) | Windows Server 2019 Gen2 VM on VWP-HYPERV1 | Block-migrated from SERVER3 G: VDI (100 GB, ~88 GB used). Dual-homed: primary on 172.16.9.0/24; secondary vNIC tagged VLAN 2 holds 192.168.0.20 for IP-based stragglers (see Patterns). DNS registration disabled on the .20 NIC. GuruRMM enrolled (site Main Office, agent `8e02fbbc-...`). MSP360 backup running green. |
|
||||
| XenServer | 192.168.0.104 | VM hypervisor — hosts remaining VMs | XenServer 7.6 (PowerEdge R720) | SERVER3 VM (the old "server 2003", upgraded in-place to 2008) is now **powered off and retired**; snapshots retained for rollback. Vault: `clients/vwp/xenserver`. |
|
||||
| WINFileSvr | 192.168.0.35 | File server — O:/P: shares; holds Darv backup | Windows Server 2019 | Old Net (VLAN 2). Holds `F:\Darv\Darv.rar` (51 GB, Darv's dev machine backup) and `F:\Darv\Darv-rar` (135 GB extract). GuruRMM `62db0264-...`. Do not delete `Darv.rar` until VB6 source is verified to compile. |
|
||||
|
||||
**[WARNING] No UPS on HP ProLiant DL360.** The 2026-04-22 power outage caused NVRAM corruption. A UPS assessment is an outstanding priority item — hardware failure from power event is a proven risk.
|
||||
**[WARNING] No UPS on HP ProLiant DL360.** The 2026-04-22 power outage caused NVRAM corruption. UPS assessment is an outstanding priority.
|
||||
|
||||
### Email & Identity
|
||||
|
||||
- **M365 tenant:** `valleywideplastering.com` | Tenant ID: `5c53ae9f-7071-4248-b834-8685b646450f`
|
||||
- **On-prem AD domain:** `vwp.local` (internal). External registered domain: `vwp.us` (used for internal FQDNs like `vwp-qbs.vwp.us`).
|
||||
- **MFA status:** [unverified] — No M365 CA or MFA configuration documented. Not investigated.
|
||||
- **On-prem AD domain:** `VWP.US` (NetBIOS `VWP`, PDC = `VWP-DC1.VWP.US`). [NOTE: earlier notes said `vwp.local` — the actual AD DNS root is `VWP.US`. SYSVOL: `C:\Windows\SYSVOL\sysvol\vwp.us\Policies\`.]
|
||||
- **MFA status:** [unverified] — No M365 CA or MFA configuration documented.
|
||||
- **MX / mail flow:** [unverified] — M365 tenant confirmed but mail flow not audited.
|
||||
|
||||
### Network
|
||||
|
||||
- **ISP / WAN:** Public WAN IP `98.168.18.21` (observed via Yealink YMCS last-seen registrar)
|
||||
- **ISP / WAN:** Public WAN IP `98.168.18.21` (observed via Yealink YMCS)
|
||||
- **Firewall / Router:** UniFi Dream Machine at 172.16.9.1
|
||||
- **VPN:** OpenVPN on UDM. Client pool: `192.168.4.0/24`. Pushes routes for `172.16.9.0/24`, `192.168.0.0/24`, `192.168.3.0/24`. DNS pushed as `192.168.4.1` (UDM).
|
||||
- **Subnets:**
|
||||
- `172.16.9.0/24` — primary internal network (servers, Dell VWP-QBS, UDM, iLO)
|
||||
- `192.168.0.0/24` — secondary internal (AD server, Yealink phones) [WARNING: conflicts with IMC's LAN — be careful when switching VPN contexts between clients]
|
||||
- `172.16.9.0/24` — primary internal network (new servers, VWP-QBS, UDM, iLO, HYPERV1, VWP-FILES primary NIC); untagged
|
||||
- `192.168.0.0/24` — **"Old Net" = VLAN 2 on UDM** (gw 172.16.9.1, DHCP .100-.199, DNS → 192.168.0.25 + 8.8.8.8). Hosts: VWP_ADSRVR (.25), WINFileSvr (.35), XenServer (.104), Yealink phones (.17/.54/.130/.140/.222), VWP-FILES secondary NIC (.20). **[WARNING: conflicts with IMC's LAN — verify client context when switching VPNs.]**
|
||||
- `192.168.3.0/24` — Management VLAN 99
|
||||
- `192.168.4.0/24` — OpenVPN client pool
|
||||
- **Static DNS (UDM):** `vwp-qbs.vwp.us` → `172.16.9.169` (fixed typo from `qwp-qbs.vwp.us` on 2026-04-16)
|
||||
- **Static DNS (UDM):** `vwp-qbs.vwp.us` → `172.16.9.169` (typo `qwp-qbs` fixed 2026-04-16)
|
||||
- **GPOs (domain `VWP.US`, as of 2026-06-13):** `MappedDrives` — G: map → `\\VWP-FILES\G-drive`; `Syncro` + `Datto RMM Agent install by immediate scheduled task` — both **AllSettingsDisabled** (flags=3); `Default Domain Policy`, `Enable SMB1 Client`, `Default Domain Controllers Policy`.
|
||||
|
||||
### RDS / RemoteApp
|
||||
|
||||
- **Session host:** VWP-QBS (Windows Server 2022)
|
||||
- **Mode:** VPN-only (direct connect, no RD Gateway). Gateway was removed from the deployment 2026-04-16 after the RDWeb public exposure was closed. RDP manifests write `gatewayusagemethod:i:0`.
|
||||
- **RDS Licensing:** Per User mode. License server pointed at `vwp-qbs.vwp.us` (the same box — RDS-Licensing role was installed and activated on 2026-04-16 but had no real CALs).
|
||||
- **[WARNING] RDS CALs not purchased.** VWP-QBS license server has only the `Built-in TS Per Device CAL` placeholder. Users will start seeing "no licenses available" errors once grace period expires. Action: purchase Windows Server 2022 RDS Per User CALs, sized to active user count (check distinct interactive logons last 30 days via `licmgr.msc`).
|
||||
- **Application:** QuickBooks RemoteApp. VPN clients resolve `vwp-qbs.vwp.us` via UDM dnsmasq override and connect directly.
|
||||
- **Mode:** VPN-only (direct connect, no RD Gateway since 2026-04-16). RDP manifests write `gatewayusagemethod:i:0`.
|
||||
- **RDS Licensing:** Per User mode. License server pointed at `vwp-qbs.vwp.us`.
|
||||
- **[WARNING] RDS CALs not purchased.** Only the `Built-in TS Per Device CAL` placeholder exists. Grace period may have expired. Purchase Windows Server 2022 RDS Per User CALs sized to active user count.
|
||||
- **Application:** QuickBooks RemoteApp.
|
||||
|
||||
### Voice / IP Phones
|
||||
|
||||
- **Fleet:** 16x Yealink SIP-T54W color IP phones (OUIs `805e0c` and `44dbd2`)
|
||||
- **YMCS portal:** https://us.ymcs.yealink.com/manager/sip-product/sipManage — account: Valleywide Plastering (VWP)
|
||||
- **YMCS admin password:** vault — `clients/valleywide/` (Yealink password documented 2026-04-22)
|
||||
- **Status as of 2026-04-22:** 5 phones previously provisioned (Offline in YMCS), 11 pending first boot
|
||||
- **Named phones:** `214-ValleyWidePlastering` (extension 214), `Reception` (front desk, 192.168.0.17)
|
||||
- **Phone subnet:** `192.168.0.0/24` — phones on DHCP, IPs observed at .17, .54, .130, .140, .222
|
||||
- **Fleet:** 16x Yealink SIP-T54W (OUIs `805e0c` and `44dbd2`)
|
||||
- **YMCS portal:** https://us.ymcs.yealink.com/manager/sip-product/sipManage — account: Valleywide Plastering (VWP). Credentials: vault `clients/valleywide/`.
|
||||
- **Phone subnet:** Old Net (VLAN 2) `192.168.0.0/24`; phones on DHCP, IPs at .17, .54, .130, .140, .222
|
||||
- **Status as of 2026-04-22:** 5 phones provisioned (Offline in YMCS), 11 pending first boot.
|
||||
- **[WARNING] Known-bad firmware:** `96.86.0.20` is a documented T54W brick-maker. Confirm YMCS firmware policy is NOT pushing this version before any mass provisioning.
|
||||
- **Recovery procedure:** TFTP recovery documented in `clients/valleywide/docs/yealink-t54w-recovery-procedure.md`. Use Tftpd64 with laptop at `192.168.81.100`, phone at `192.168.81.10`. Multiple recovery file sets may be needed (NEW RM → OLD RM → SPEAKER variant).
|
||||
- **Recovery procedure:** TFTP recovery in `clients/valleywide/docs/yealink-t54w-recovery-procedure.md`. Laptop at `192.168.81.100`, phone at `192.168.81.10`.
|
||||
|
||||
---
|
||||
|
||||
## Access
|
||||
|
||||
- **SSH to VWP_ADSRVR:** `ssh vwp\guru@192.168.0.25` (ed25519 key auth — key added 2026-04-13)
|
||||
- **Double-hop to VWP-QBS:** Via WinRM — `Invoke-Command -ComputerName VWP-QBS -Credential $cred` using `vwp\sysadmin` PSCredential from ADSRVR. SSH won't forward Kerberos for domain double-hop.
|
||||
- **HP iLO power management:** Paramiko required (not system OpenSSH). SSH to `172.16.9.125:22`. Use `disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}`. Command: `start system1` to power on.
|
||||
- **SSH to VWP_ADSRVR:** `ssh vwp\guru@192.168.0.25` (ed25519 key auth — added 2026-04-13). Default shell cmd.exe; wrap PS commands.
|
||||
- **Double-hop to VWP-QBS:** Via WinRM — `Invoke-Command -ComputerName VWP-QBS -Credential $cred` using `vwp\sysadmin` PSCredential from inside ADSRVR SSH session.
|
||||
- **HP iLO power management:** Paramiko required (not system OpenSSH). SSH to `172.16.9.125:22`, `disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}`. Power-on: `start system1`.
|
||||
- **VWP-QBS DRAC:** IP undocumented — needs to be recorded. DRAC functional.
|
||||
- **VPN:** Connect to VWP OpenVPN (UDM) first; this provides access to both the 172.16.9.0/24 and 192.168.0.0/24 subnets.
|
||||
- **Vault paths:** `clients/valleywide/` (confirmed entries: `adsrvr`, `dc1`, `udm`, `xenserver`, `quickbooks-server-idrac`). Access via `bash "$VAULT" get-field clients/valleywide/<entry> <field>`.
|
||||
- **VPN:** Connect to VWP OpenVPN (UDM) first; provides access to both 172.16.9.0/24 and 192.168.0.0/24.
|
||||
- **GPO changes over SSH (VWP_ADSRVR):** GPMC (`Get-GPO`/`Set-GPO`) fails with `0x80072020` over SSH double-hop. Use LDAP cmdlets (`Get-ADObject`, `Set-ADObject`) instead.
|
||||
- **Vault paths:** `clients/valleywide/` (entries: `adsrvr`, `dc1`, `udm`, `xenserver`, `quickbooks-server-idrac`, `domain-sysadmin`). Read via `bash "$VAULT" get-field clients/vwp/<entry> <field>`.
|
||||
|
||||
---
|
||||
|
||||
## App Modernization Project
|
||||
|
||||
> **Dedicated article: [[projects/valleywide-orders-modernization]].**
|
||||
> **UPDATE 2026-06-13 — the full VB6 source has been RECOVERED** (from Darv's machine backup
|
||||
> `F:\Darv\Darv.rar` on WINFileSvr `192.168.0.35`; staged to the repo). The "source lost /
|
||||
> only frmPayroll.frm survived / VB Decompiler" notes below are **superseded** — decompilation
|
||||
> is no longer needed.
|
||||
> **Dedicated article: [[projects/valleywide-orders-modernization]]** — full stack detail, source locations, modernization strategy, and history.
|
||||
|
||||
VWP's core business application is a custom-built construction ERP. The original developer (known as "Darv") is deceased. The app is hitting the 2GB Jet/Access database file size limit. ACG was engaged to assess modernization feasibility.
|
||||
VWP's core business application is a custom construction ERP called **ORDERS** (`Orders_10A.exe`). The original developer ("Darv") is deceased. The app runs VB6 + Jet/Access and is approaching the 2 GB database file-size limit. ACG engaged to assess modernization feasibility.
|
||||
|
||||
### Application Stack (Confirmed)
|
||||
**Source recovery status (2026-06-13): COMPLETE.** The full VB6 source (`ORDERS_C.vbp`, 2020-06-09) was recovered from Darv's machine backup (`F:\Darv\Darv.rar` on WINFileSvr `192.168.0.35`). 12.2 MB of pure source (147 `.frm`, 4 `.bas`, 5 `.vbp`) is staged in the repo at `clients/valleywide/app-modernization/source-code/Orders-VWP_Current-2020/`. VB Decompiler Pro is **no longer needed** — modernization proceeds from real 2020 source. See the dedicated project article for detail.
|
||||
|
||||
| Layer | Technology | Evidence |
|
||||
|---|---|---|
|
||||
| Frontend / logic | Visual Basic 6.0 | `frmPayroll.frm` source file, `.frx` resource files, `VB5!` header in exe |
|
||||
| Compilation | **P-Code** (not Native Code) | Entry point `PUSH+CALL` to ThunRTMain by ordinal — not native binary |
|
||||
| Database | MS Access Jet 3.x (.mdb) | `VWP.mdb` version byte 0x00, Access 97 format |
|
||||
| Reporting | Crystal Reports 8.5 | 791 `.rpt` files (per 2026-04-27 archive); Crystl32.OCX import; SCR85Dev installer found |
|
||||
| Installer | InstallShield Denali 2021 | `Denali2021v1` folder on server |
|
||||
| OCX controls | TABCTL32, mscomct2, comdlg32, Flp32a30, odg7, todg7 | PE import table |
|
||||
|
||||
**P-Code is the best possible outcome for decompilation.** VB Decompiler Pro (~$200) can recover 70-80% of source including form layouts, procedure names, string literals, and all SQL queries. Decompilation was approved as the next step.
|
||||
|
||||
### Database: VWP.mdb
|
||||
|
||||
- **Current size:** 938 MB (last written 2026-04-24). Growth: 671 MB (2020) → 761 MB (2022) → 938 MB (2026). **Approaching the 2 GB Jet hard limit.**
|
||||
- **Format:** Jet 3.x / Access 97. Modern ACE/DAO drivers refuse to open it — binary scan was used for schema extraction.
|
||||
- **Scale:** ~130 production tables spanning a full construction ERP.
|
||||
|
||||
#### Domain Coverage
|
||||
|
||||
| Domain | Key Tables |
|
||||
|---|---|
|
||||
| Projects & Jobs | tblPROJECT, tblLOTINFO, tblPLANS, tblCHANGE, tblSZONE |
|
||||
| Work Orders & Estimating | tblORDERS, tblTAKE, tblMEASURE, tblPlanBill |
|
||||
| Inventory & Purchasing | tblINVPRICE, tblINVTRY, tblSUPPLIER, tblPOrder, tblYardOrder |
|
||||
| Crew & Payroll | tblCREW, tblHRDAILY, tblPAYHEADER, tblPAYROLL, tblCREWRATE |
|
||||
| **Certified Payroll** | **tblCERTIFIED** — government / prevailing wage work. **HARD requirement.** |
|
||||
| Accounts Receivable | tblARMASTER, tblARINVOICE, tblARTRANS |
|
||||
| Accounts Payable | tblAPMASTER, tblAPTRANS, tblJOBCOST, tblCHECKREC |
|
||||
| **Positive Pay (3 banks)** | **tblPosPayVWP, tblPosPayCRD, tblPosPaySWI** — fraud-prevention bank integration. **HARD dependency.** |
|
||||
| Scaffold | tblScaffold, tblSC_Crew |
|
||||
| Repairs | tblREPAIR, tblRepList |
|
||||
| System / Config | tblSECURITY, tblSYSInfo, tblGLAcct |
|
||||
|
||||
**Modernization complexity: HIGH.** 791 Crystal Reports files, certified payroll (legal compliance — cannot be dropped), positive pay integration with 3 banks, and full AR/AP/Payroll.
|
||||
|
||||
### Source Code Status
|
||||
|
||||
The production exe (`Orders_10A.exe`, 13.4 MB) has four shortcuts pointing to it. The original source was on Darv's personal development machine — only one form file (`frmPayroll.frm`, 32 KB) was found on the server at `C:\Users\sysadmin\Desktop\Darv\Source\VWP\`. The remainder of `C:\Users\sysadmin\Desktop\Darv\` (13,231 files, 15.6 GB) includes Darv's installer projects, Crystal Reports, and personal files. VB6 source (`.vbp`, `.frm`) was scanned across multiple server drives (D: and two additional drives as of 2026-05-16). Substantial VB6 source exists across the drives (thousands of `.frm` and `.vbp` files); Mike was searching to confirm which are for the VWP application specifically.
|
||||
|
||||
### Project Status (as of 2026-04-27)
|
||||
|
||||
| Task | Status |
|
||||
|---|---|
|
||||
| Stack identification | Complete — VB6 P-Code + Jet 3.x confirmed |
|
||||
| Schema mapping (table names) | Complete (~130 tables via binary scan) |
|
||||
| Full schema with field types | Pending — needs Access 97/2000 environment or Jet 3.x → Jet 4.x conversion |
|
||||
| VB6 source search across server drives | In progress — Mike searching |
|
||||
| VB Decompiler Pro purchase and run | Pending ($200 investment) |
|
||||
| Crystal Reports audit (791 .rpt files) | Pending |
|
||||
| VWP staff workflow interviews | Pending |
|
||||
| Feasibility / modernization report | Pending |
|
||||
**Tracking ticket:** Syncro **#32280 — Source Code Data Recovery** (New).
|
||||
|
||||
---
|
||||
|
||||
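Review bot: The vault references in this hunk disagree on the path prefix. The Access entry lists entries under `clients/valleywide/` but gives the read command as `bash "$VAULT" get-field clients/vwp/<entry> <field>`, and the infrastructure table uses `clients/vwp/xenserver` for XenServer but `clients/valleywide/quickbooks-server-idrac` for the DRAC. Confirm which prefix the vault actually uses and make every reference match, so a credential lookup during an outage does not fail on the wrong path. Separately, the GPO list names `Enable SMB1 Client` with no status or rationale; note which hosts still need it, in the same way the other risk items carry a [WARNING].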
@@ -180,7 +134,7 @@ The production exe (`Orders_10A.exe`, 13.4 MB) has four shortcuts pointing to it
|
||||
|
||||
### iLO Access (Non-Standard)
|
||||
|
||||
The HP ProLiant iLO at 172.16.9.125 uses legacy SSH host key algorithms (`ssh-rsa`/`ssh-dss`) that are rejected by modern OpenSSH on Windows by default. **Do not use system OpenSSH to connect.** Use Python paramiko with:
|
||||
The HP ProLiant iLO at 172.16.9.125 uses legacy SSH host key algorithms (`ssh-rsa`/`ssh-dss`) that are rejected by modern OpenSSH on Windows by default. Do not use system OpenSSH. Use Python paramiko with:
|
||||
|
||||
```python
|
||||
transport.disabled_algorithms = {'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}
|
||||
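Review bot: The iLO paragraph describes the problem as legacy SSH host key algorithms (`ssh-rsa`/`ssh-dss`), but the paramiko setting shown, `disabled_algorithms = {'pubkeys': [...]}`, controls the signature algorithms offered for public-key authentication; host key algorithms are selected under the `keys` entry. State which of the two the iLO actually rejects so the workaround is documented for the right negotiation step, and record the iLO host key fingerprint in this section so a connection made with relaxed algorithms can still be verified against a known value.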
@@ -190,24 +144,30 @@ Power-on command: `start system1`.
|
||||
|
||||
### RDS Double-Hop Pattern
|
||||
|
||||
SSH to ADSRVR (192.168.0.25) works fine with ed25519 key. But you cannot forward Kerberos over SSH to reach VWP-QBS — the WinRM double-hop must be done inside the SSH session using explicit PSCredential:
|
||||
SSH to ADSRVR (192.168.0.25) works fine with ed25519 key. Kerberos cannot be forwarded over SSH to reach VWP-QBS — the WinRM double-hop must be done inside the SSH session using explicit PSCredential:
|
||||
|
||||
```powershell
|
||||
$cred = Get-Credential # vwp\sysadmin
|
||||
Invoke-Command -ComputerName VWP-QBS -Credential $cred -ScriptBlock { ... }
|
||||
```
|
||||
|
||||
Same double-hop constraint applies to GPMC (`Get-GPO`/`Set-GPO`) — fails `0x80072020`. Use LDAP cmdlets (`Get-ADObject`, `Set-ADObject`) for GPO status changes over SSH.
|
||||
|
||||
### 192.168.0.0/24 Subnet Conflict
|
||||
|
||||
VWP's AD/phone subnet (`192.168.0.0/24`) is the same RFC1918 range as IMC (another ACG client). When switching between client VPN contexts, verify which 192.168.0.x addresses are being targeted. This is a silent risk — wrong subnet = wrong client.
|
||||
VWP's Old Net (VLAN 2, `192.168.0.0/24`) is the same RFC1918 range as IMC (another ACG client). When switching between client VPN contexts, verify which 192.168.0.x addresses are targeted. This is a silent risk.
|
||||
|
||||
### VWP-FILES Dual-NIC / Asymmetric Routing
|
||||
|
||||
VWP-FILES is dual-homed: 172.16.9.132 (primary, new net) + 192.168.0.20 (VLAN 2, Old Net — for IP-based stragglers whose UNC paths hard-code `.20`). DNS registration is **disabled** on the .20 NIC so that name resolution always returns .132. Asymmetric routing applies: cross-subnet or VPN clients cannot reach .20 (VWP-FILES replies via its .132 NIC); only same-VLAN Old Net devices can use .20 directly. Use 172.16.9.132 for all management and file pulls from outside Old Net.
|
||||
|
||||
### Syncro Billing for Prepaid Block Emergency
|
||||
|
||||
Do not use product 26184 (Labor - Emergency) for prepaid block customers. That product has the 1.5x rate baked in, which would result in double-charging when combined with the surcharge line item pattern. Always use product 1190473 for both normal and surcharge line items.
|
||||
Do not use product 26184 (Labor - Emergency) for prepaid block customers. That product has the 1.5x rate baked in. Always use product 1190473 for both normal and surcharge line items.
|
||||
|
||||
### AD Account: `scanner`
|
||||
|
||||
The `scanner` AD account is used by some device or process (original purpose unknown). Its password was last set 2024-10-17. During the 2026-04-13 brute-force incident, it was being locked out every ~20 minutes by attacker attempts through the public-facing RDWeb. **Password rotation is an outstanding hygiene item.**
|
||||
The `scanner` AD account is used by some device or process (original purpose unknown). During the 2026-04-13 brute-force incident, it was being locked out every ~20 minutes by attacker attempts through the public-facing RDWeb. **Password rotation is an outstanding hygiene item.**
|
||||
|
||||
### LastLogonDate Anomaly
|
||||
|
||||
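Review bot: In the `scanner` paragraph, the rewrite drops "Its password was last set 2024-10-17", which is the one dated fact supporting the outstanding rotation item. Keep the date (or replace it with the account's current `pwdLastSet` value) so whoever picks up the rotation can tell whether it has already been done.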
@@ -215,20 +175,27 @@ VWP-QBS AD object showed `LastLogonDate: 9/28/2049` — flagged as a time-skew a
|
||||
|
||||
---
|
||||
|
||||
## Active Work (as of 2026-05-12)
|
||||
## Active Work (as of 2026-06-14)
|
||||
|
||||
| Item | Status | Priority |
|
||||
| Ticket / Item | Status | Priority |
|
||||
|---|---|---|
|
||||
| App modernization: VB Decompiler Pro run against Orders_10A.exe | Pending — decompiler not yet purchased | High |
|
||||
| App modernization: Full schema extraction with field types | Pending — needs Access 97/2000 environment | High |
|
||||
| App modernization: VB6 source search across server drives | In progress | High |
|
||||
| RDS CAL purchase (Windows Server 2022 Per User, sized to user count) | Outstanding — grace period may expire | High |
|
||||
| HP iLO reconfiguration (post factory-reset 2026-04-22) | [unverified — may have been configured during 2026-04-22 onsite; confirm credentials in vault] | Medium |
|
||||
| #32280 — Source Code Data Recovery / App modernization | New — source recovered; next: stand up VB6 build env, confirm `ORDERS_C.vbp` compiles | High |
|
||||
| #32418 — G-Drive Migration | Invoiced — 3.5 h billed, prepay 24.0→20.5 | Closed |
|
||||
| #32396 — Printer | Waiting | Medium |
|
||||
| #32375 — New Phone Install | New | Medium |
|
||||
| #32348 — Bizhub print | New | Medium |
|
||||
| #32208 — Folder access | New | Medium |
|
||||
| #32039 — Onsite setup | New | Medium |
|
||||
| RDS CAL purchase (Server 2022 Per User, sized to active user count) | Outstanding — grace period status unknown | High |
|
||||
| Yealink phone fleet provisioning (11 pending phones) | Outstanding since 2026-04-22 | Medium |
|
||||
| Cleanup: delete `C:\VHD\server3-g.vhd` (99 GB) on HYPERV1 + XenServer G: snapshot + `F:\Darv\Darv-rar` (135 GB) once source compiles | Pending | Low |
|
||||
| UPS assessment for HP ProLiant | Outstanding since 2026-04-22 | Medium |
|
||||
| Yealink phone fleet provisioning (11 pending phones) | Outstanding — 11 of 16 phones never connected to YMCS | Medium |
|
||||
| HP iLO reconfiguration post factory-reset (2026-04-22) | [verify — was accessible 2026-05-12 so credentials re-established] | Medium |
|
||||
| `scanner` AD account password rotation | Outstanding since 2026-04-13 | Low |
|
||||
| UDM UPnP audit | Outstanding since 2026-04-13 | Low |
|
||||
| DRAC IP documentation for VWP-QBS | Not yet recorded | Low |
|
||||
| Existing Syncro + Datto RMM agent uninstalls | GPOs disabled 2026-06-13 (stops new installs); existing agents still on machines — awaiting user direction | Low |
|
||||
| Old-Net DHCP secondary DNS (8.8.8.8) | Consider replacing with second internal DC | Low |
|
||||
|
||||
---
|
||||
|
||||
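Review bot: The new Cleanup row gates three different deletions on "once source compiles": `C:\VHD\server3-g.vhd`, the XenServer G: snapshot, and `F:\Darv\Darv-rar`. Only the Darv extract depends on the VB6 build; the VHD and the snapshot belong to the G: migration, and the infrastructure table says the SERVER3 snapshots are retained for rollback. Split the row and give the migration artifacts their own condition, for example a verified restore from the VWP-FILES backup and a stated retention period.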
@@ -236,17 +203,17 @@ VWP-QBS AD object showed `LastLogonDate: 9/28/2049` — flagged as a time-skew a
|
||||
|
||||
### 2026-04-13: RDWeb Brute-Force Incident
|
||||
|
||||
RDWeb (`https://VWP-QBS/RDWeb/Pages/login.aspx`) was publicly exposed via UDM port-forward on port 443. A distributed brute-force botnet (residential proxy infrastructure, IPs from China, Belarus, UAE, and others) was hammering `POST /RDWeb/Pages/en-US/login.aspx` at ~6 req/min, hitting usernames `scanner`, `Guest`, `Receptionist`. This triggered AD lockouts every ~20 minutes (lockout threshold 5, 16-min window) which initially appeared to be a stale internal credential problem.
|
||||
RDWeb (`https://VWP-QBS/RDWeb/Pages/login.aspx`) was publicly exposed via UDM port-forward on port 443. A distributed brute-force botnet (residential proxies, IPs from China, Belarus, UAE) hammered `POST /RDWeb/Pages/en-US/login.aspx` at ~6 req/min, hitting usernames `scanner`, `Guest`, `Receptionist`, triggering AD lockouts.
|
||||
|
||||
**Resolution:** UDM port-forward removed (same day), IIS reset to drain in-flight sessions, lockout policy restored. 30-day audit of Event 4624 confirmed **zero successful external logons — no compromise**.
|
||||
**Resolution:** UDM port-forward removed same day. 30-day audit of Event 4624 confirmed **zero successful external logons — no compromise.**
|
||||
|
||||
**Current state:** RDWeb accessible from VPN and internal LAN only (port 443 on VWP-QBS, 172.16.9.0/24). Not reachable from public internet.
|
||||
**Current state:** RDWeb accessible from VPN and internal LAN only.
|
||||
|
||||
**Outstanding recommendation:** If RDWeb must be re-exposed publicly, require: IPBan (https://github.com/DigitalRuby/IPBan), firewall restriction to known source IPs, and 2FA/Conditional Access.
|
||||
**Recommendation:** If re-exposed publicly — require IPBan, firewall restriction to known IPs, and 2FA/CA.
|
||||
|
||||
### 2026-04-22: Power Outage / NVRAM Corruption
|
||||
|
||||
Power outage caused HP ProLiant NVRAM corruption (BIOS/iLO factory reset). VWP-QBS Dell server had a boot retry loop (resolved via DRAC). XenServer (older Dell) was offline. All recovered onsite. **Root cause: no UPS on HP server.**
|
||||
Power outage caused HP ProLiant NVRAM corruption (BIOS/iLO factory reset). VWP-QBS Dell had a boot retry loop (resolved via DRAC). XenServer was offline. All recovered onsite. **Root cause: no UPS on HP server.**
|
||||
|
||||
---
|
||||
|
||||
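Review bot: the condensed RDWeb incident lines drop facts that matter for the next diagnosis and for any decision to re-expose the service. The new incident paragraph no longer records that the lockouts recurred every ~20 minutes against a threshold of 5 in a 16-min window and first looked like a stale internal credential problem, and the new Resolution line omits the IIS reset and the lockout policy restore. In the Current state line, keep the scope `port 443 on VWP-QBS, 172.16.9.0/24` and the statement that RDWeb is not reachable from the public internet, since that is what someone would verify against the UDM config. In the Recommendation line, spell out `2FA/Conditional Access` rather than `2FA/CA` (CA also reads as certificate authority) and keep the IPBan URL.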
@@ -255,23 +222,27 @@ Power outage caused HP ProLiant NVRAM corruption (BIOS/iLO factory reset). VWP-Q
|
||||
| Date | Event |
|
||||
|---|---|
|
||||
| 2026-04-13 | RDWeb brute-force incident discovered and contained. SSH key deployed to ADSRVR. 30-day audit — no compromise. |
|
||||
| 2026-04-13 | Domain lockout policy temporarily disabled during diagnosis (threshold=0), restored to 5/16min/16min. 15-minute window of reduced lockout protection. |
|
||||
| 2026-04-16 | RDS reconfigured to VPN-only (gateway removed). UDM DNS typo fixed (`qwp-qbs` → `vwp-qbs`). RDS licensing mode set Per User, pointed at local license server. |
|
||||
| 2026-04-13 | Domain lockout policy temporarily disabled during diagnosis (threshold=0), restored to 5/16min/16min. |
|
||||
| 2026-04-16 | RDS reconfigured to VPN-only (gateway removed). UDM DNS typo fixed (`qwp-qbs` → `vwp-qbs`). RDS licensing mode set Per User. |
|
||||
| 2026-04-22 | Emergency onsite: power outage, HP ProLiant NVRAM corruption + iLO factory reset, VWP-QBS boot loop (DRAC), XenServer offline. All resolved ~12:00 MST. |
|
||||
| 2026-04-22 | Yealink SIP-T54W fleet (16 devices) added to YMCS device management. 5 previously-provisioned, 11 pending. |
|
||||
| 2026-04-27 | App modernization project initiated. VB6 P-Code + Jet 3.x stack confirmed. ~130 table schema extracted via binary scan. Crystal Reports 8.5 (791 .rpt files) documented. |
|
||||
| 2026-05-12 | HP ProLiant found powered-off (ADSRVR unreachable). Powered on remotely via iLO paramiko. Syncro ticket #32269, invoice #67594, 1.5 hr block deduction (10.0 hrs remaining). |
|
||||
| 2026-04-22 | Yealink SIP-T54W fleet (16 devices) added to YMCS. 5 provisioned, 11 pending. |
|
||||
| 2026-04-27 | App modernization project initiated. VB6 P-Code + Jet 3.x stack confirmed; ~130 tables extracted via binary scan; Crystal Reports 8.5 (791 .rpt) documented. Decompilation planned. |
|
||||
| 2026-05-12 | HP ProLiant found powered-off (ADSRVR unreachable). Powered on remotely via iLO paramiko. Syncro ticket #32269, invoice #67594, 1.5 hr block deduction. |
|
||||
| 2026-05-16 | VB6 source search across 3 backup rotation drives. Production location identified (`G:\VWP2\` on 97-Server); 4-year gap resolved (Darv worked on compiled EXE only after 2020-06 — no .vbp evolution past `ORDERS_C.vbp` 2020-06-09). `Orders_10A.exe` staged to repo. |
|
||||
| 2026-06-13 | SERVER3 (XenServer "server 2003" VM, upgraded to 2008 in-place) retired. G: file share (100 GB) block-migrated via VDI export→VHDX to new **VWP-FILES** (Gen2 Server 2019 on **VWP-HYPERV1** 172.16.9.184). 19 SMB shares recreated; **MappedDrives GPO** repointed to `\\VWP-FILES\G-drive`. IP takeover: VWP-FILES holds 192.168.0.20 (VLAN 2) for IP-based stragglers. SERVER3 snapshotted and powered off. VWP-FILES enrolled in GuruRMM (site Main Office) + MSP360 backup green. Billed 3.5 h on #32418 (prepay 24.0→20.5). |
|
||||
| 2026-06-13 | VB6 Orders source **fully recovered** from `F:\Darv\Darv.rar` on WINFileSvr (192.168.0.35). 12.2 MB staged to repo (`source-code/Orders-VWP_Current-2020/`). VB Decompiler Pro no longer needed. See [[projects/valleywide-orders-modernization]]. |
|
||||
| 2026-06-13 | **Syncro** and **Datto RMM Agent** deployment GPOs disabled (`AllSettingsDisabled`, flags=3) via LDAP on VWP_ADSRVR. Existing agents not yet uninstalled — awaiting direction. |
|
||||
|
||||
---
|
||||
|
||||
## Compilation Notes
|
||||
|
||||
**Date range covered:** 2026-04-13 through 2026-05-12.
|
||||
**Date range covered:** 2026-04-13 through 2026-06-13.
|
||||
|
||||
**Items flagged [unverified]:**
|
||||
- M365 MFA and mail flow configuration — never investigated
|
||||
- HP iLO credentials post factory-reset — should be confirmed via vault; iLO was accessible 2026-05-12 so credentials were re-established at some point
|
||||
- XenServer resolution detail after 2026-04-22 outage — session log notes it offline/critical, subsequent sessions confirm it was up by 2026-05-12
|
||||
- HP iLO credentials post factory-reset — accessible 2026-05-12 so credentials were re-established; confirm vault entry
|
||||
- DRAC IP for VWP-QBS — functional but undocumented
|
||||
- Yealink provisioning status — 11 phones still pending as of 2026-04-22; no follow-up session
|
||||
- RDS CAL grace period expiry timing — unknown; may have already expired
|
||||
- Yealink provisioning status — 11 phones pending as of 2026-04-22; no follow-up confirmed
|
||||
- RDS CAL grace period — may have expired
|
||||
- AD replication of GPO `flags=3` changes to VWP-DC1 — ADWS not reachable over SSH from ADSRVR; normal replication expected but not spot-checked
|
||||
|
||||
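Review bot: in the shortened 2026-04-13 lockout row, keep the clause `15-minute window of reduced lockout protection`; threshold=0 during an active brute-force is the exposure an auditor will ask about, and that clause is the only record of how long it lasted. Separately, the new 2026-06-13 GPO row and the new [unverified] bullet leave the Syncro and Datto RMM deployment GPOs in an unconfirmed state: `flags=3` was written on VWP_ADSRVR, replication to VWP-DC1 was not spot-checked, and the existing agents are still installed. Add an owner or a follow-up date to that bullet so it does not sit open the way the Yealink item has since 2026-04-22.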
@@ -21,7 +21,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
|
||||
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **55.75 hrs remaining** (live 2026-06-13); senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; caregiver restricted-access model PROVEN 2026-06-05: Hybrid Entra Join + CA allow-list + ALIS SSO validated on NURSESTATION-PC/pilot.test; GPO `CSC - Caregiver Workstation` (shortcuts + printers) built + validated; GPO `CSC - Caregiver Device Lockdown` deployed (HIPAA auto-logoff, activates on reboot); INTUNE_A PendingInput tenant-wide (MS case open; GPO path used instead); folder-redirection root cause fixed 2026-06-08 (fdeploy.ini); shared mailboxes grievances@/Surveys@ created + delegated 2026-06-12 (#32417); Monday cutover to real caregivers pending; open ticket #32370 (eFax + scanner); #32383 (bill.com/BOK chris.knight) Resolved | 2026-06-13 |
|
||||
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, 34.5 hrs remaining; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery + incomplete restore (files dropped across shares — migration-gap audit in progress); 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-04 SP1366 file recovery (19/20 PDFs restored from HGHAUBNER pre-attack backup); GuruRMM fleet 13→45 agents; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-04 |
|
||||
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
|
||||
| [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |
|
||||
| [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-06-14 |
|
||||
| [ACG Internal Infrastructure](clients/internal-infrastructure.md) | ACG's own hosting infra — Neptune Exchange (cert expires 2026-05-31, DkimSigner disabled), IX server, Cloudflare tunnel workaround, ACG M365 tenant gaps | 2026-05-24 |
|
||||
| [BirthBiologic](clients/birth-biologic.md) | Bio/healthcare; BB-SERVER (WS2016) GuruRMM enrolled; Datto→SharePoint migration incomplete; M365 apps partially consented | 2026-05-24 |
|
||||
| [CryoWeave](clients/cryoweave.md) | Custom cryogenic cable assemblies; cPanel on IX; website redesign + SEO project in progress; Syncro ID not documented | 2026-05-24 |
|
||||
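Review bot: the Valley Wide Plastering index row changes only the Last Compiled date to 2026-06-14 while its summary text is unchanged, so it now carries a fresh date on stale content. It still reads `HP DL360 Gen10 + XenServer` and `10 hrs remaining`, but the client page timeline in this same commit records SERVER3 retired, G: moved to VWP-FILES on VWP-HYPERV1, and prepay 24.0→20.5 on #32418. Update the summary to match what the commit compiled, including the recovered Orders source.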
@@ -73,7 +73,6 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
|
||||
| [GuruRMM Agent](projects/gururmm-agent.md) | Cross-platform endpoint agent (Rust) for the GuruRMM platform — metrics, remote execution (system/user_session contexts), BSOD detection, VSS shadow copy, self-update w/ rollback, watchdog, compliance reporting; Windows/Linux/macOS. Companion to [GuruRMM](projects/gururmm.md) | 2026-06-12 |
|
||||
| [MSP Tools (umbrella)](projects/msp-tools.md) | Umbrella directory for ACG's MSP tooling — hosts the GuruRMM + GuruConnect submodules plus GuruScan, audit scripts, quote-wizard, and operational utilities | 2026-06-12 |
|
||||
| [Valley Wide "Orders" Modernization](projects/valleywide-orders-modernization.md) | VWP's custom VB6 construction ERP ("ORDERS" / Orders_10A.exe) — Jet/Access, Crystal 7, True DBGrid, FarPoint Spread, ~130 tables (2GB Jet wall). **Full VB6 source RECOVERED 2026-06-13** from Darv's machine backup (Darv.rar on WINFileSvr); staged to repo (147 .frm/4 .bas, newest 2020-06-09). Decompilation retired. Path: VBUC→.NET, Jet→SQL Server, OCX→MESCIUS successors. Ticket #32280 | 2026-06-14 |
|
||||
|
||||
## Systems
|
||||
|
||||
| Article | Summary | Last Compiled |
|
||||
|
||||
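Review bot: the Orders Modernization row lists `Crystal 7`, while the client page timeline in this commit documents `Crystal Reports 8.5 (791 .rpt files)`; reconcile the version before the row is used to scope the report migration. The hunk header (-73,7 +73,6) also removes one line in this region; if that is the blank line ahead of `## Systems`, confirm the Projects table still terminates cleanly before the heading.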