import: ingested 160 files from C:\Users\howar\Clients

Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00
parent 6eaba02b71
commit 8d975c1b44
160 changed files with 16002 additions and 0 deletions


@@ -0,0 +1,28 @@
# Azure / Cloud Services
## Azure Subscription
- Subscription Name:
- Subscription ID:
- Resource Group(s):
- Region:
- Monthly Spend (approx):
## Virtual Machines
| VM Name | Size | OS | IP | Purpose |
|---------------|------------|------------|------------|-----------------|
| | | | | |
## Networking
- Virtual Network:
- Address Space:
- Subnets:
- VPN Gateway to On-Prem: Yes/No
- ExpressRoute: Yes/No
## Other Cloud Services
<!-- AWS, Google Workspace, third-party SaaS -->
| Service | Purpose | Admin URL | Notes |
|-----------------|------------------|------------------|-----------------|
| | | | |
## Notes


@@ -0,0 +1,52 @@
# Microsoft 365
## Tenant Info
- Tenant Name:
- Tenant ID:
- Primary Domain:
- Admin Portal URL: https://admin.microsoft.com
## Licensing
| License Type | Quantity | Assigned | Available |
|--------------------------|----------|----------|-----------|
| Microsoft 365 Business Basic | | | |
| Microsoft 365 Business Standard | | | |
| Microsoft 365 Business Premium | | | |
| Exchange Online Plan 1/2 | | | |
| Other | | | |
## Exchange Online
- Mail Domain(s):
- MX Record Points To:
- SPF Record:
- DKIM Enabled: Yes/No
- DMARC Policy:
- Shared Mailboxes:
- Distribution Groups:
- Mail Flow Rules: Yes/No (describe below)
## SharePoint / OneDrive
- SharePoint Sites:
- External Sharing: Enabled/Disabled
- OneDrive Storage Limit:
## Teams
- Teams Phone System: Yes/No
- Calling Plan / Direct Routing:
- Auto Attendant:
## Entra ID (Azure AD)
- Hybrid Joined: Yes/No
- Azure AD Connect Server:
- Sync Schedule:
- Password Hash Sync: Yes/No
- MFA Enforced: Yes/No
- Conditional Access Policies:
## Security
- Defender for Office 365: Yes/No
- Safe Links: Yes/No
- Safe Attachments: Yes/No
- Audit Log Retention:
## Notes
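Review bot: the Entra ID section (Hybrid Joined through Conditional Access Policies) records "MFA Enforced: Yes/No" but has no line for who holds privileged roles; add "Global Administrators:" and "Emergency access (break-glass) account:" lines there so privileged access is documented next to MFA and Conditional Access. Also, the issue log in this commit says M365 admin access is still needed for the mailbox investigation, so mark the Tenant Info and Security fields as "Unknown, no admin access yet" rather than leaving them blank, which reads the same as "not applicable".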


@@ -0,0 +1,148 @@
# Issue Log
Record past issues and their resolutions here. This helps the AI learn from historical
troubleshooting and avoid repeating failed approaches.
---
### 2026-03-12 - Windows Server 2025 EVALUATION License — Time Bomb
- **Reported By:** Server audit
- **Severity:** Critical
- **Symptoms:** SERVER (10.0.0.5) is running Windows Server 2025 Standard as an EVALUATION install (Build 26100). Evaluation licenses expire after 180 days, after which the server shuts down every hour. This is the only domain controller for kittle.lan.
- **Root Cause:** Full license never purchased or applied during server setup.
- **Resolution:** OPEN — Purchase and apply a full Windows Server 2025 Standard license immediately. Check remaining evaluation time with `slmgr /dlv`.
- **Time to Resolve:** Pending
- **Lessons Learned:** N/A
---
### 2026-03-12 - No Dedicated Firewall — ISP Router Only
- **Reported By:** Server audit (ARP/network analysis)
- **Severity:** High
- **Symptoms:** The network gateway at 10.0.0.1 (MAC: 42:0f:c1:f0:e6:43) is an ISP-provided router. No dedicated firewall appliance (pfSense, SonicWall, FortiGate, etc.) exists. The ISP router provides basic NAT but likely has no stateful packet inspection, IDS/IPS, content filtering, or granular firewall rules.
- **Root Cause:** No firewall was ever deployed — the ISP router was used as-is.
- **Resolution:** OPEN — Deploy a dedicated firewall appliance. Recommended: pfSense (free), or a commercial UTM (FortiGate, SonicWall). Place it between the ISP router and the LAN switch.
- **Time to Resolve:** Pending
- **Lessons Learned:** N/A
---
### 2026-03-12 - No Backup Solution
- **Reported By:** Server audit
- **Severity:** Critical
- **Symptoms:** No backup solution is visible on SERVER. No Windows Server Backup, no third-party backup agent, no cloud backup. If the server fails, Active Directory, DNS, file shares (C:\Shares\Home), and QuickBooks data are permanently lost.
- **Root Cause:** Backup was never configured.
- **Resolution:** OPEN — Implement backup immediately. Options:
1. Windows Server Backup to external USB drive or NAS
2. Veeam Backup Free Edition
3. Cloud backup (Backblaze B2, Wasabi, etc.)
- **Time to Resolve:** Pending
- **Lessons Learned:** N/A
---
### 2026-03-12 - QuickBooks Pro 2024 Installed on Domain Controller
- **Reported By:** Server audit (installed software)
- **Severity:** High
- **Symptoms:** QuickBooks Pro 2024 (v34) is installed directly on SERVER, the primary domain controller. Business applications on a DC increase attack surface, consume resources needed for AD services, and complicate server migration.
- **Root Cause:** QuickBooks was installed on the only available server rather than a dedicated workstation.
- **Resolution:** OPEN — Migrate QuickBooks to a workstation. QuickBooks can run in multi-user mode with the database on \\SERVER\QBooks. The application itself should run on ACCOUNTING or another workstation.
- **Time to Resolve:** Pending
- **Lessons Learned:** N/A
---
### 2026-03-12 - DHCP Running on ISP Router Instead of Server
- **Reported By:** Server audit
- **Severity:** Medium
- **Symptoms:** DHCP is served by the ISP router at 10.0.0.1. The Windows Server DHCP role is installed but has zero scopes configured. DHCP clients may be receiving the ISP's DNS servers instead of the domain controller (10.0.0.5), which would break AD name resolution.
- **Root Cause:** DHCP was never configured on the server; ISP router default was left in place.
- **Resolution:** OPEN — Migrate DHCP to Windows Server for centralized management and correct DNS distribution. Disable DHCP on the ISP router after migration.
- **Time to Resolve:** Pending
- **Lessons Learned:** N/A
---
### 2026-03-12 - Role-Based AD Account Names
- **Reported By:** Server audit (AD users)
- **Severity:** Medium
- **Symptoms:** Two AD accounts use role-based names instead of individual names: "accountant" and "frontdesk". Role-based accounts cannot be audited to a specific person — if something is deleted or accessed inappropriately, there's no way to trace who did it.
- **Root Cause:** Accounts created for convenience instead of using individual names.
- **Resolution:** OPEN — Identify the actual users of these accounts. Create individual accounts (e.g., darline.cabrera for accountant). Migrate data and disable role-based accounts.
- **Time to Resolve:** Pending
- **Lessons Learned:** N/A
---
### 2026-03-12 - Email Issue: Moved Emails Reappearing in Inbox
- **Reported By:** Users
- **Severity:** Medium
- **Symptoms:** Users report moving emails from Inbox to subfolders, then finding them back in the Inbox days later. Affects multiple users.
- **Root Cause:** Suspected Outlook cached mode issue. When Outlook is in Cached Exchange Mode, moves may not sync properly to the server if the OST file is corrupted or if multiple devices are accessing the same mailbox with conflicting cached states.
- **Resolution:** OPEN — Need M365 admin access to investigate further. Check:
1. Check if Outlook is in Cached or Online mode (File > Account Settings > Account Settings > Change)
2. Check if users access email on multiple devices (phone + PC) — moves on one device may not sync
3. Try switching to Online mode temporarily to see if issue persists
4. If cached mode is the culprit, delete and rebuild the OST file
5. Check if any Outlook rules are moving mail back to Inbox
- **Time to Resolve:** Pending M365 access + investigation
- **Lessons Learned:** N/A
---
### 2026-03-12 - Unknown Service on Port 8019
- **Reported By:** Server audit (listening ports)
- **Severity:** Low
- **Symptoms:** An unidentified service is listening on TCP port 8019 on SERVER. Not a standard Windows or AD port.
- **Root Cause:** Unknown — could be QuickBooks-related, ScreenConnect, or another application.
- **Resolution:** OPEN — Run `netstat -ano | findstr 8019` to identify the PID, then `tasklist /fi "PID eq <pid>"` to identify the process.
- **Time to Resolve:** Quick — 2 minutes to identify
- **Lessons Learned:** N/A
---
### 2026-03-12 - No Reverse DNS Zone for 10.0.0.x
- **Reported By:** Server audit (DNS analysis)
- **Severity:** Low
- **Symptoms:** No reverse lookup zone exists for 10.0.0.0/24. PTR lookups fail for all internal hosts. Some applications and troubleshooting tools rely on reverse DNS.
- **Root Cause:** Reverse zone was never created during AD/DNS setup.
- **Resolution:** OPEN — Create AD-integrated reverse lookup zone: 0.0.10.in-addr.arpa. Enable secure dynamic updates.
- **Time to Resolve:** Quick fix — 5 minutes
- **Lessons Learned:** N/A
---
### 2026-03-12 - 4 Workstations with Generic DESKTOP-xxx Names
- **Reported By:** Server audit (AD computers)
- **Severity:** Low
- **Symptoms:** Four domain-joined computers have generic Windows-assigned names: WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9, DESKTOP-2560Q7R. Generic names make it impossible to identify which user or role a computer belongs to without logging in.
- **Root Cause:** Computers were domain-joined without being renamed first.
- **Resolution:** OPEN — Identify the user at each workstation and rename to match (e.g., ALEXIS-PC, MARCO-PC, etc.). Rename via System Properties and reboot.
- **Time to Resolve:** Pending — need onsite visit to correlate names to users
- **Lessons Learned:** N/A
---
### 2026-03-12 - File Explorer Closing When Browsing Network Shares
- **Reported By:** Users (FRONTDESK, ACCOUNTING, DESKTOP-2560Q7R/Wrex)
- **Severity:** Medium
- **Symptoms:** File Explorer windows close unexpectedly when users browse \\SERVER\Home or \\SERVER\QBooks. No crash logged in Event Viewer. Happens intermittently on 3 of 7 workstations.
- **Root Cause:** HomeFolder GPO drive maps (H: → \\server\home, Q: → \\server\qbooks) were using **Replace** action. Replace disconnects and reconnects the drive every GP refresh (~90 min), killing any open Explorer window on that path.
- **Resolution:** Changed both drive map actions from **Replace** to **Update** in the HomeFolder GPO on 2026-03-12. Update preserves existing connections. Monitoring for confirmation.
- **Time to Resolve:** Same day — awaiting user confirmation 2026-03-13
- **Lessons Learned:** Always use **Update** (not Replace) for GPO drive maps unless there's a specific reason to tear down and recreate the mapping.
---
### 2026-03-25 - FRONTDESK Folder View Keeps Changing Sort Order
- **Reported By:** User
- **Severity:** Low
- **Symptoms:** File Explorer on FRONTDESK would switch from ascending alphabetical to descending or another view when browsing mapped drives to the server. View settings would not persist.
- **Root Cause:** Windows automatic folder type discovery keeps reassigning view templates to network folders, overriding user preferences.
- **Resolution:** RESOLVED — Ran PowerShell script to clear cached folder views (Bags/BagMRU registry keys), disabled folder type auto-detection, and forced all folders to Details view sorted by Name ascending via AllFolders Shell registry key. Explorer restarted to apply.
- **Time to Resolve:** Same day
- **Lessons Learned:** "Apply to Folders" doesn't stick for mapped/network drives. Must clear Bags registry and set AllFolders default via `{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}` shell key.
---
<!-- Add new issues above this line, newest first -->
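Review bot: the 2026-03-25 entry's Resolution says "Ran PowerShell script" to clear the Bags/BagMRU keys and set the AllFolders default, but the script is neither named nor linked; commit it under projects/msp-tools/utilities/ (the directory this import creates) and reference the path here, since the Lessons Learned line is currently the only record of how the fix works. Minor style point in the 2026-03-12 email entry: the list introduced by "Check:" repeats "Check if" at the start of three of its items; drop the repeated verb from the items.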


@@ -0,0 +1,46 @@
# DHCP Configuration
## DHCP Server
- Server Name: ISP Router
- Server IP: 10.0.0.1
- Failover Partner: None
**Note:** The Windows Server DHCP role is installed on SERVER (10.0.0.5) but has **zero scopes configured**. All DHCP is handled by the ISP router.
## Scopes
### Scope - LAN (ISP Router)
- Subnet: 10.0.0.0/24
- Range Start: Unknown — need to check ISP router admin interface
- Range End: Unknown
- Subnet Mask: 255.255.255.0
- Default Gateway: 10.0.0.1
- DNS Servers: **Unknown — critical to verify** (should be 10.0.0.5 for AD)
- Lease Duration: Unknown
## Reservations
No reservations documented. Need to check ISP router for any existing DHCP reservations.
| Device Name | MAC Address | IP Address | Scope | Notes |
|------------|-------------|------------|-------|-------|
| SERVER | — | 10.0.0.5 | LAN | DC — should be reserved or static |
| UniFi Switch | 0C:EA:14:8A:8D:7F | 10.0.0.122 | LAN | Should be reserved |
## DHCP Relay
- Not applicable — single subnet, DHCP server on same segment
## Issues
1. **DHCP on ISP router instead of server** — Less control over DHCP options (DNS, NTP, lease times). Cannot manage reservations centrally via Windows tools. ISP router may hand out ISP DNS instead of the DC's DNS (10.0.0.5), which would break AD name resolution.
2. **Windows DHCP role installed but unused** — Creates confusion. Either uninstall or migrate DHCP to the server.
## Recommendations
1. **Migrate DHCP to Windows Server** — Provides centralized management, AD-integrated DNS updates, DHCP reservations via PowerShell, and logging.
2. **Create reservations** for: SERVER (10.0.0.5), UniFi switch (10.0.0.122), printers, and any other infrastructure.
3. **Set DNS option** — Ensure DHCP hands out 10.0.0.5 as the primary DNS server.
## TODO
- [ ] Log into ISP router and document DHCP scope, range, DNS settings, and any reservations
- [ ] Verify what DNS servers DHCP clients receive
- [ ] Plan DHCP migration from ISP router to Windows Server
- [ ] Create DHCP reservations for infrastructure devices
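Review bot: the Reservations table note for SERVER reads "should be reserved or static"; a domain controller needs a statically configured address, not a DHCP reservation, and the server doc in this commit already shows 10.0.0.5 with the DC pointing at itself for DNS, so change the note to "static, confirm with ipconfig /all on the server (DHCP Enabled: No)" and keep reservations for the switch and printers. In the Recommendations, the cutover order matters: create and authorize the scope on SERVER with option 006 (DNS Servers) set to 10.0.0.5 before DHCP is disabled on the router, otherwise clients lose addressing during the migration.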


@@ -0,0 +1,41 @@
# DNS Configuration
## Windows DNS Server (AD-Integrated)
- Server: SERVER (10.0.0.5)
- Role: Primary DNS for kittle.lan domain
- DNS Client: 127.0.0.1 (correct — DC points to itself)
## DNS Forwarders
- Forwarder 1: 10.0.0.1 (ISP router — for external resolution)
## DNS Zones
| Zone | Type | AD-Integrated | Notes |
|------|------|---------------|-------|
| kittle.lan | Primary | Yes | Main AD zone |
| _msdcs.kittle.lan | Primary | Yes | AD metadata zone (SRV records) |
**No reverse lookup zone exists for 10.0.0.x** — PTR lookups will fail for all internal hosts.
## DNS Architecture
- **Windows DNS** (10.0.0.5): Authoritative for kittle.lan. Handles AD SRV records, Kerberos, LDAP lookups.
- **ISP Router** (10.0.0.1): Acts as forwarder for external (internet) DNS resolution.
- Workstations should use 10.0.0.5 as primary DNS (the DC) so AD name resolution works correctly.
- If workstations are getting DNS from DHCP on the ISP router, they may be pointed at the ISP's DNS instead of the DC — needs verification.
## External DNS
- Registrar: Unknown
- Primary Domain: kittlearizona.com
- Management URL: Unknown
## Issues
1. **No reverse DNS zone** — Create 0.0.10.in-addr.arpa for PTR lookups on 10.0.0.0/24
2. **DHCP DNS settings unknown** — ISP router handles DHCP; unclear if it hands out 10.0.0.5 as DNS or the ISP's own DNS servers. If clients don't use the DC for DNS, AD name resolution and domain joins may have issues.
3. **Single forwarder** — Only forwarding to 10.0.0.1. Consider adding a secondary forwarder (8.8.8.8 or 1.1.1.1) for redundancy if the ISP router's DNS fails.
## TODO
- [ ] Create reverse lookup zone: 0.0.10.in-addr.arpa
- [ ] Verify what DNS server DHCP clients receive from the ISP router
- [ ] Consider adding secondary DNS forwarder for redundancy
- [ ] Enable DNS scavenging to prevent stale records
- [ ] Document external DNS (registrar, MX records, SPF/DKIM/DMARC for kittlearizona.com)
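Review bot: Issue 2 and the last Architecture bullet both say the DNS servers that clients receive "need verification", but the doc does not say how; record the result of ipconfig /all on one workstation (the DNS Servers line shows what DHCP handed out) and of nslookup -type=SRV _ldap._tcp.dc._msdcs.kittle.lan, which fails when the client is not using 10.0.0.5, so the TODO item has a concrete check. On Issue 3, the only forwarder, 10.0.0.1, is the same consumer router the topology doc calls the only perimeter device; if a public resolver is added, consider making it the primary forwarder and the router the secondary, and capture Get-DnsServerForwarder output here so the forwarder state is on record.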


@@ -0,0 +1,47 @@
# Firewall Configuration
## Device Info
- Vendor/Model:
- Firmware Version:
- Management IP:
- Management URL:
- HA Pair: Yes/No
- License Expiry:
## Interfaces
| Interface | Zone | IP Address | VLAN | Description |
|-----------|-----------|-----------------|------|-------------------|
| WAN1 | WAN | | | Primary Internet |
| WAN2 | WAN | | | Backup Internet |
| LAN | LAN | | | |
| DMZ | DMZ | | | |
## NAT Rules
| Name | Source | Destination | Port(s) | NAT To |
|-------------------|---------------|----------------|-------------|-----------------|
| | | | | |
## Key Firewall Policies
| Name | Source Zone | Dest Zone | Service | Action | Notes |
|-------------------|--------------|---------------|-------------|--------|--------|
| | | | | | |
## VPN
### Site-to-Site VPNs
| Peer Name | Peer IP | Local Subnet | Remote Subnet | Status |
|-------------------|--------------|----------------|---------------|--------|
| | | | | |
### SSL/Client VPN
- Enabled: Yes/No
- Portal URL:
- Auth Method:
- IP Pool:
- Split Tunnel: Yes/No
## Content Filtering
- Web Filter Profile:
- App Control Profile:
- DNS Filter:
## Notes
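Review bot: this file is the blank template, but the topology doc in the same commit states there is no dedicated firewall and the ISP router at 10.0.0.1 is the only perimeter device; fill Device Info with "None, ISP router only, see network topology and issue log" so nobody reading this page assumes a firewall exists. When one is deployed, the Key Firewall Policies and VPN sections should also get a line for management exposure ("Management from WAN: Yes/No") and a logging destination, since those are what the next audit will need.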


@@ -0,0 +1,87 @@
# Network Topology
## Internet Connection
- ISP: Unknown
- Gateway: 10.0.0.1 (MAC: 42:0f:c1:f0:e6:43)
- Type: ISP router — serves as gateway, DHCP server, and only "firewall"
- **No dedicated firewall appliance**
## Network Design
- Single flat subnet: 10.0.0.0/24
- No VLANs
- All devices (server, workstations, printers, APs) on the same broadcast domain
## Switches
### UniFi USW-Lite-16-PoE
- Model: Ubiquiti USW-Lite-16-PoE
- IP Address: 10.0.0.122
- MAC: 0C:EA:14:8A:8D:7F
- Port Count: 16 (PoE)
- Management: Self-hosted UniFi controller (managed by MSP)
## Key Infrastructure Devices
| Device | IP Address | MAC | Notes |
|--------|-----------|-----|-------|
| ISP Router (Gateway) | 10.0.0.1 | 42:0f:c1:f0:e6:43 | Gateway, DHCP, only firewall |
| SERVER (DC) | 10.0.0.5 | — | HPE ProLiant MicroServer Gen11 |
| UniFi Switch | 10.0.0.122 | 0C:EA:14:8A:8D:7F | USW-Lite-16-PoE |
## ARP Table (All Observed Devices)
| IP Address | MAC Address | Identified As |
|-----------|-------------|--------------|
| 10.0.0.1 | 42:0f:c1:f0:e6:43 | ISP Router (Gateway) |
| 10.0.0.5 | — | SERVER (DC) |
| 10.0.0.52 | 00:50:AA:54:8C:EF | Unknown |
| 10.0.0.100 | C4:5A:B1:F9:48:18 | Unknown |
| 10.0.0.105 | 92:CE:74:91:59:AD | Unknown |
| 10.0.0.106 | 5C:47:5E:7E:87:9E | Unknown |
| 10.0.0.110 | 48:25:67:D4:2B:1F | Unknown |
| 10.0.0.117 | 54:E0:19:E2:21:DD | Unknown |
| 10.0.0.120 | A8:9C:6C:58:9C:98 | Unknown |
| 10.0.0.121 | 48:25:67:D4:29:F0 | Unknown |
| 10.0.0.122 | 0C:EA:14:8A:8D:7F | UniFi USW-Lite-16-PoE |
| 10.0.0.123 | C4:5A:B1:F9:B2:9B | Unknown |
| 10.0.0.131 | 54:E0:19:E2:CF:D1 | Unknown |
| 10.0.0.132 | 48:25:67:D4:2A:FB | Unknown |
| 10.0.0.133 | C4:5A:B1:F9:66:BC | Unknown |
| 10.0.0.134 | 78:46:5C:AF:7A:EF | Unknown |
| 10.0.0.144 | 48:25:67:D4:29:3F | Unknown |
| 10.0.0.145 | 54:E0:19:E2:CB:DB | Unknown |
| 10.0.0.152 | E8:65:38:E9:45:CB | Unknown |
| 10.0.0.156 | 5A:37:74:00:8C:37 | Unknown |
| 10.0.0.161 | B0:7B:25:14:3E:F1 | Unknown |
| 10.0.0.162 | A8:9C:6C:4A:0C:78 | Unknown |
| 10.0.0.168 | 48:25:67:D4:29:57 | Unknown |
| 10.0.0.169 | A4:BB:6D:A8:F8:1B | Unknown |
| 10.0.0.171 | 76:8C:A8:6D:60:3C | Unknown |
| 10.0.0.172 | C0:BF:BE:E8:56:1D | Unknown |
| 10.0.0.184 | 22:7B:45:0B:97:9C | Unknown |
| 10.0.0.189 | 30:8D:99:A9:0B:C3 | Unknown |
| 10.0.0.192 | 48:25:67:D4:2B:0D | Unknown |
| 10.0.0.198 | 48:25:67:D4:2B:13 | Unknown |
| 10.0.0.241 | A4:BB:6D:A9:CC:B1 | Unknown |
**Note:** 31 devices observed on the network via ARP. Many are unidentified — need MAC vendor lookups and onsite correlation to map devices to workstations, printers, phones, etc.
## Network Diagram
```
[Internet]
|
[ISP Router: 10.0.0.1] -- DHCP, Gateway, "Firewall"
|
[UniFi USW-Lite-16-PoE: 10.0.0.122]
|
+-- SERVER (DC): 10.0.0.5
+-- 7 Workstations (Win11 Pro)
+-- ~20 other devices (printers, phones, etc.)
```
## Notes
- Flat network with no segmentation — all devices can reach all other devices
- No dedicated firewall — ISP router is the only perimeter device
- MAC 42:0f:c1:f0:e6:43 on the gateway is an unusual/randomized MAC — confirms consumer-grade ISP equipment
- Several MAC prefixes repeat (48:25:67, C4:5A:B1, 54:E0:19, A8:9C:6C) — likely same vendor, possibly UniFi APs, printers, or phones
- Onsite visit needed to correlate ARP entries to physical devices
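Review bot: the Notes bullet saying the gateway MAC 42:0f:c1:f0:e6:43 "confirms consumer-grade ISP equipment" overreaches; the second hex digit 2 only means the locally-administered bit is set, i.e. the address is not a burned-in OUI, which is also what virtual interfaces and some CPE firmware present. Soften it to "locally administered MAC, vendor cannot be identified by OUI", and fill the Identified As column from OUI lookups of the repeating prefixes (48:25:67, C4:5A:B1, 54:E0:19, A8:9C:6C) before the onsite visit so the 28 "Unknown" rows shrink to the ones that genuinely need physical correlation. The flat-network bullet is the key security finding here; it is worth stating that this ARP table is the complete list of what any single compromised device can reach.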


@@ -0,0 +1,21 @@
# VLANs
## VLAN Table
| VLAN ID | Name | Subnet | Gateway | DHCP Scope | Purpose |
|---------|---------------|-----------------|-----------------|------------------|------------------------|
| 1 | Default | | | | |
| 10 | Management | | | | Network devices |
| 20 | Servers | | | | Server infrastructure |
| 30 | Workstations | | | | End user devices |
| 40 | VoIP | | | | Phone system |
| 50 | WiFi-Corp | | | | Corporate wireless |
| 60 | WiFi-Guest | | | | Guest wireless |
| 100 | Security | | | | Cameras / access ctrl |
## Inter-VLAN Routing
- Performed by:
- Routing device IP:
## VLAN Notes
<!-- Any special considerations, trunk ports, tagged/untagged config -->
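Review bot: this table lists VLANs 10 through 100 with blank subnets while the topology doc in the same commit says "No VLANs" and a single flat 10.0.0.0/24; as written a reader could take the table as current state. Label it "Proposed segmentation (not deployed)" or replace it with "None, flat network, see network topology", and make VLAN 1 the only live entry with subnet 10.0.0.0/24 and gateway 10.0.0.1.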


@@ -0,0 +1,93 @@
# Client Overview
## Company Name
Kittle Design & Construction LLC — General Contractor
## Primary Contact
- Name: Ken
- Email: ken@kittlearizona.com
## Secondary Contact
- Name: Darline Cabrera (Bookkeeper)
- Email: accounting@kittlearizona.com
## IT Contact
- Name: Howard (Computer Guru, MSP)
- Account: sysadmin (Domain Admin)
## Company Info
- Address: 2539 N Balboa Ave #125, Tucson, AZ 85705
- Phone: 520.299.0404
- Fax: 520.299.0477
- Website: kittlearizona.com
- Industry: Construction (general contractor)
## Environment Summary
- Domain: kittle.lan
- Total Users: 10 (8 regular + sysadmin + QBDataServiceUser34)
- Workstation Count: 7
- Server Count: 1 (HPE ProLiant MicroServer Gen11)
- Network: Single flat 10.0.0.0/24 subnet
- Gateway/Firewall: ISP router at 10.0.0.1 (no dedicated firewall)
- Switch: UniFi USW-Lite-16-PoE at 10.0.0.122
- Remote Access: ScreenConnect
- Key Software: QuickBooks Pro 2024 (on server)
## AD Users
| Name | SamAccountName | Enabled | LastLogonDate | Notes |
|------|---------------|---------|---------------|-------|
| Administrator | Administrator | True | 3/10/2026 | Domain Admin |
| Guest | Guest | False | — | Default, disabled |
| krbtgt | krbtgt | False | — | Default, disabled |
| Alexis | alexis | True | 3/2/2026 | |
| Marco | Marco | True | 3/3/2026 | |
| accountant | accountant | True | 3/5/2026 | Role-based name — should be individual |
| Ken | ken | True | 3/2/2026 | Owner |
| Front Desk | frontdesk | True | 3/6/2026 | Role-based name — should be individual |
| Lori | lori | True | 3/11/2026 | |
| Wrex | wrex | True | 3/9/2026 | |
| Computer Guru | sysadmin | True | 12/23/2025 | MSP admin, Domain Admin |
| QBDataServiceUser34 | QBDataServiceUser34 | True | 2/9/2026 | QuickBooks service account |
**Domain Admins:** Administrator, Computer Guru (sysadmin)
## AD Computers
| Name | OS | LastLogonDate | Notes |
|------|-----|---------------|-------|
| SERVER | Windows Server 2025 Standard Evaluation | 3/10/2026 | DC |
| WINDOWS-QV1B0EL | Windows 11 Pro | 3/6/2026 | Generic name — needs renaming |
| DESKTOP-R0KA2UG | Windows 11 Pro | 3/11/2026 | Generic name — needs renaming |
| DESKTOP-9B2SMD9 | Windows 11 Pro | 3/6/2026 | Generic name — needs renaming |
| FRONTDESK | Windows 11 Pro | 3/9/2026 | |
| ACCOUNTING | Windows 11 Pro for Workstations | 3/9/2026 | |
| CHRISTINE-WIN10 | Windows 11 Pro | 3/9/2026 | Legacy name — OS is actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | 3/6/2026 | Wrex — needs renaming |
## Group Policy Objects
| GPO Name | Modified | Notes |
|----------|----------|-------|
| Default Domain Policy | 12/23/2025 | |
| Default Domain Controllers Policy | 2/9/2026 | |
| HomeFolder | 2/9/2026 | Home folder mapping |
| Intranet Zone - File Server | 3/20/2026 | Adds \\\\SERVER and \\\\10.0.0.5 to Local Intranet zone — fixes PDF preview on shares (Oct 2025 security update) |
## File Shares
| Share Name | Path | Notes |
|-----------|------|-------|
| Home | C:\Shares\Home | User home folders |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data |
## Notes
- Server is running **Windows Server 2025 EVALUATION** — will stop working after 180 days. Must purchase and activate a full license.
- QuickBooks Pro 2024 is installed directly on the domain controller. Should be migrated off the DC.
- No dedicated firewall — only the ISP router at 10.0.0.1.
- No backup solution visible.
- 4 workstations have generic DESKTOP-xxx / WINDOWS-xxx names and should be renamed to match user/role.
- 2 role-based AD accounts (accountant, frontdesk) should be replaced with individual user accounts.
- Email issue reported: users moving emails to folders and they reappear in inbox days later (likely Outlook cached mode issue). M365 access needed.
- Explorer closing issue: HomeFolder GPO drive maps were set to Replace (disconnects on GP refresh). Fixed to Update on 2026-03-12 — awaiting confirmation.
- Machine mapping: FRONTDESK=Front Desk, ACCOUNTING=accountant, CHRISTINE-WIN10=Christine, DESKTOP-2560Q7R=Wrex. Remaining unknown: WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9.
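Review bot: the File Shares table shows QBooks at C:\Shares\Home\QBooks, nested inside the Home share (C:\Shares\Home); any user with access to Home can browse into the QuickBooks data unless the QBooks folder's NTFS ACL breaks inheritance, so record the effective permissions on both shares here, or move QBooks to its own top-level folder as part of the QuickBooks migration in the issue log. In AD Users, the built-in Administrator account is enabled with a logon on 3/10/2026 while the MSP also has sysadmin; note which one is used day to day and treat the other as break-glass only. Formatting: the Intranet Zone GPO row writes \\\\SERVER where the rest of the docs write \\SERVER; pick one escaping convention.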


@@ -0,0 +1,34 @@
# RMM / Monitoring
## RMM Solution
- Product:
- Console URL:
- Agent Version:
## Agent Deployment
- Total Devices:
- Servers Monitored:
- Workstations Monitored:
- Network Devices Monitored:
## Monitoring Policies
| Policy Name | Applies To | Alert Condition | Action |
|-------------------|----------------|-------------------------|---------------|
| Disk Space | All Servers | < 10% free | Alert + Ticket|
| CPU | All Servers | > 90% for 15 min | Alert |
| Service Monitor | All Servers | | |
| Backup Monitor | | | |
| Offline Alert | All Agents | Offline > 30 min | Alert |
## Patch Management
- Patch Policy:
- Patch Window:
- Auto-approve: Yes/No
- Exclusions:
## Scripting / Automation
| Script Name | Schedule | Purpose |
|---------------------|-------------|--------------------------|
| | | |
## Notes
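Review bot: RMM Solution is blank although the overview in this commit records ScreenConnect as remote access and the issue log's findings come from "Server audit" runs; state explicitly whether an RMM agent is deployed (for example "None, ScreenConnect for remote access, audits run manually via server_audit.ps1") so the pre-filled Monitoring Policies table is not read as active alerting on a server that the issue log says has no backup and an expiring evaluation license.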


@@ -0,0 +1,61 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Adds the Kittle file server to the Local Intranet zone so PDF preview
works on network shares (blocked by Oct 2025 security update).
.DESCRIPTION
Windows security updates from October 14, 2025 onward disable preview
for files in the "Internet Zone". UNC shares may be classified as Internet
Zone if not explicitly added to Local Intranet or Trusted Sites.
This script adds \\SERVER and \\10.0.0.5 to the Local Intranet zone
(zone 1) via HKLM registry so it applies to all users on the machine.
Run on WORKSTATIONS ONLY — not needed on the server.
.NOTES
Ref: https://support.microsoft.com/en-us/topic/56d55920-6187-4aae-a4f6-102454ef61fb
#>
$ErrorActionPreference = 'Stop'
# Zone 1 = Local Intranet
$zone = 1
$basePath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# Add server by hostname
$hostKey = Join-Path $basePath 'Domains\SERVER'
if (-not (Test-Path $hostKey)) {
New-Item -Path $hostKey -Force | Out-Null
}
Set-ItemProperty -Path $hostKey -Name 'file' -Value $zone -Type DWord
Write-Host "Added \\SERVER to Local Intranet zone" -ForegroundColor Green
# Add server by IP
$ipKey = Join-Path $basePath 'Domains\10.0.0.5'
if (-not (Test-Path $ipKey)) {
New-Item -Path $ipKey -Force | Out-Null
}
Set-ItemProperty -Path $ipKey -Name 'file' -Value $zone -Type DWord
Write-Host "Added \\10.0.0.5 to Local Intranet zone" -ForegroundColor Green
# Also add to EscDomains in case IE ESC is somehow enabled
$escBase = Join-Path $basePath 'EscDomains'
if (Test-Path $escBase) {
$escHostKey = Join-Path $escBase 'SERVER'
if (-not (Test-Path $escHostKey)) {
New-Item -Path $escHostKey -Force | Out-Null
}
Set-ItemProperty -Path $escHostKey -Name 'file' -Value $zone -Type DWord
$escIpKey = Join-Path $escBase '10.0.0.5'
if (-not (Test-Path $escIpKey)) {
New-Item -Path $escIpKey -Force | Out-Null
}
Set-ItemProperty -Path $escIpKey -Name 'file' -Value $zone -Type DWord
Write-Host "Added to EscDomains as well" -ForegroundColor Green
}
Write-Host "`nDone. Restart File Explorer or log off/on for changes to take effect." -ForegroundColor Cyan
Write-Host "Verify: Internet Options > Security > Local Intranet > Sites > Advanced" -ForegroundColor Cyan
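Review bot: the IP entry is written under ZoneMap\Domains\10.0.0.5, but the Internet Options UI stores IP addresses under ZoneMap\Ranges\RangeN with a :Range value plus the file value, not under Domains; the script's own verify step (Sites > Advanced) will show whether \\10.0.0.5 was accepted, so confirm that on one workstation or add the Ranges entry for the IP. Also, the companion GPO script in this commit sets the Site to Zone Assignment List for all domain machines, and when that policy applies the Sites list is locked and the policy entries govern; document this script as the fallback for machines that do not receive the GPO rather than as something to run alongside it.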


@@ -0,0 +1,68 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Creates a GPO that adds \\SERVER and \\10.0.0.5 to the Local Intranet zone.
Fixes PDF preview on network shares blocked by Oct 2025 security update.
.DESCRIPTION
Uses the "Site to Zone Assignment List" policy under:
Computer Config > Admin Templates > Windows Components > Internet Explorer >
Internet Control Panel > Security Page
Zone 1 = Local Intranet. Applies to all domain-joined machines.
.NOTES
Run on SERVER (10.0.0.5) as Domain Admin.
Ref: https://support.microsoft.com/en-us/topic/56d55920-6187-4aae-a4f6-102454ef61fb
#>
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy
$gpoName = 'Intranet Zone - File Server'
$domain = 'kittle.lan'
# Sites to add to Local Intranet (zone 1)
$sites = @(
'file://SERVER'
'file://10.0.0.5'
'\\SERVER'
'\\10.0.0.5'
)
# Registry path for the Site to Zone Assignment List policy
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Check if GPO already exists
$existing = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if ($existing) {
Write-Host "GPO '$gpoName' already exists (ID: $($existing.Id)). Updating..." -ForegroundColor Yellow
} else {
Write-Host "Creating GPO: $gpoName" -ForegroundColor Cyan
New-GPO -Name $gpoName -Domain $domain -Comment 'Adds file server to Local Intranet zone for PDF preview on shares' | Out-Null
}
# Set each site to zone 1 (Local Intranet)
foreach ($site in $sites) {
Set-GPRegistryValue -Name $gpoName -Domain $domain `
-Key $policyKey `
-ValueName $site `
-Type String `
-Value '1' | Out-Null
Write-Host " Added: $site -> Local Intranet" -ForegroundColor Green
}
# Link the GPO to the domain root (applies to all machines)
$linked = (Get-GPInheritance -Target $domain).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
New-GPLink -Name $gpoName -Target "DC=kittle,DC=lan" -LinkEnabled Yes | Out-Null
Write-Host "`nGPO linked to $domain" -ForegroundColor Green
} else {
Write-Host "`nGPO already linked to $domain" -ForegroundColor Yellow
}
# Summary
Write-Host "`n=== Done ===" -ForegroundColor Cyan
Write-Host "GPO '$gpoName' is active. Workstations will pick it up at next GP refresh."
Write-Host "To force now, run on workstations: gpupdate /force" -ForegroundColor Cyan
Write-Host "`nVerify: gpresult /r on a workstation should show '$gpoName' under Computer Settings" -ForegroundColor Cyan
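Review bot: the Set-GPRegistryValue loop writes the site entries under ...\Internet Settings\ZoneMapKey but never sets the policy's enable flag, ListBox_Support_ZoneMapKey (REG_DWORD 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings), which is what the Site to Zone Assignment List ADMX writes when the setting is Enabled; without it the GPO editor shows the setting as Not Configured and the entries may not be applied. Add one more Set-GPRegistryValue call for that DWord before the loop. Two smaller points: $sites carries each host twice (file://SERVER and \\SERVER), so confirm which form the policy honours and keep one; and Get-GPInheritance is called with 'kittle.lan' while New-GPLink uses the DN "DC=kittle,DC=lan", so use the DN in both to avoid a false "not linked" result.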


@@ -0,0 +1,26 @@
# Endpoint Security / Antivirus
## Solution
- Product:
- Console URL:
- License Count:
- License Expiry:
- Managed By:
## Policy
- Real-time Protection: Yes/No
- Scheduled Scans: (frequency)
- Exclusions:
## Deployment Status
- Total Endpoints:
- Protected:
- Missing Agent:
- Out of Date:
## EDR / XDR
- EDR Enabled: Yes/No
- Product:
- Console URL:
## Notes
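Review bot: the Policy section has no tamper-protection field and Deployment Status has no as-of date, so the Protected / Missing Agent / Out of Date counts cannot be judged for staleness when the file is read later; add `- Tamper Protection: Yes/No` under Policy and `- Last Reconciled:` under Deployment Status. The single `- Exclusions:` line also invites a bare list; give it owner and justification columns (a small table) since exclusions are where AV coverage usually erodes without anyone noticing.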


@@ -0,0 +1,34 @@
# Backup and Disaster Recovery
## Backup Solution
- Product:
- Console URL:
- License/Subscription:
## Backup Targets
| Target Name | Type | Location | Capacity | Encrypted |
|----------------|----------------|-----------------|--------------|-----------|
| | Local NAS | | | Yes/No |
| | Cloud | | | Yes/No |
| | Offsite | | | Yes/No |
## Backup Jobs
| Job Name | Source | Target | Schedule | Retention | Status |
|-----------------|-------------------|------------|---------------|-------------|--------|
| | | | | | |
## M365 Backup
- M365 Backup Product:
- Exchange Backed Up: Yes/No
- SharePoint Backed Up: Yes/No
- OneDrive Backed Up: Yes/No
- Teams Backed Up: Yes/No
## Disaster Recovery Plan
- RTO Target:
- RPO Target:
- DR Site:
- Last DR Test Date:
- DR Test Result:
## Notes
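Review bot: the Backup Targets table records Encrypted Yes/No but not where the key or passphrase is held, and the Backup Jobs table has no per-job restore-test column, so a plan-level "Last DR Test Date" cannot show which jobs have actually been restored from. Add a `Key Location` column holding a vault reference (never the key itself) and a `Last Restore Test` column to Backup Jobs. Consider an `Immutable / Offline` column on Backup Targets as well: a target the server can freely write to is one that malware running on the server can also reach, and the Local NAS / Cloud / Offsite rows do not currently capture that distinction.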


@@ -0,0 +1,120 @@
# Server: SERVER
## General Info
- Hostname: SERVER
- IP Address: 10.0.0.5
- Subnet Mask: 255.255.255.0 (/24)
- Default Gateway: 10.0.0.1
- DNS Servers: 127.0.0.1 (itself — correct for DC)
- OS: Microsoft Windows Server 2025 Standard **EVALUATION**
- OS Version: Build 26100
- OS Configuration: **Primary Domain Controller**
- Domain: kittle.lan
- Physical / Virtual: Physical
- Location: Office
## Hardware
- Make/Model: HPE ProLiant MicroServer Gen11
- BIOS: HPE 2.22 (5/16/2025)
- CPU: Intel Xeon E-2414 (4 cores)
- RAM: 80 GB
## Storage
| Drive | Label | Filesystem | Size | Notes |
|-------|-------|------------|------|-------|
| C: | (OS) | NTFS | ~11 TB | Primary volume |
| (secondary) | Server2 2022_03_31 | — | ~2 TB | Secondary storage — possibly old server backup or migration data |
## Network Interfaces
- 4x Embedded LOM ports (Port 1-4)
- Only Port 1 is active
- 3 ports unused
## Roles and Services (Installed)
- [x] **Active Directory Domain Services** (Primary DC)
- [x] **DNS Server**
- [x] **DHCP Server** (installed but scopes are empty — DHCP runs on ISP router)
- [x] **File Server** (C:\Shares)
- [x] **Print Server**
- [x] Group Policy Management
## SMB File Shares
| Share Name | Path | Notes |
|-----------|------|-------|
| Home | C:\Shares\Home | User home folders |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON | (default) | AD logon scripts |
| SYSVOL | (default) | Group Policy store |
## Installed Software
| Software | Version | Notes |
|----------|---------|-------|
| **QuickBooks Pro 2024** | 34 | **Should NOT be on a DC** — migrate to workstation |
| ScreenConnect | — | Remote access agent |
| Microsoft Edge | — | Browser |
## Listening Ports (Key Services)
| Port | Protocol | Service | Notes |
|------|----------|---------|-------|
| 53 | TCP | DNS | AD DNS server |
| 88 | TCP | Kerberos | AD authentication |
| 135 | TCP | RPC | Endpoint Mapper |
| 139 | TCP | NetBIOS | Legacy name service |
| 389 | TCP | LDAP | AD directory |
| 445 | TCP | SMB | File shares |
| 464 | TCP | Kerberos kpasswd | Password changes |
| 636 | TCP | LDAPS | LDAP over SSL |
| 3268 | TCP | Global Catalog | AD GC |
| 3269 | TCP | GC SSL | AD GC over SSL |
| 5985 | TCP | WinRM | PowerShell remoting |
| 8019 | TCP | **Unknown** | Needs identification |
| 9389 | TCP | AD Web Services | AD management |
## DNS Configuration
- DNS Forwarders: 10.0.0.1 (ISP router)
- DNS Zones: kittle.lan, _msdcs.kittle.lan
- No reverse lookup zone for 10.0.0.x
## Group Policy Objects
| GPO Name | Modified | Notes |
|----------|----------|-------|
| Default Domain Policy | 12/23/2025 | |
| Default Domain Controllers Policy | 2/9/2026 | |
| HomeFolder | 2/9/2026 | Maps home folders |
| Intranet Zone - File Server | 3/20/2026 | Adds \\\\SERVER + \\\\10.0.0.5 to Local Intranet zone for PDF preview on shares |
## Backup
- **NONE — NO BACKUP EXISTS FOR THIS SERVER**
- This server is the ONLY domain controller
- If this server dies, Active Directory, DNS, file shares, and QuickBooks data are ALL lost
## CRITICAL ISSUES
### 1. EVALUATION LICENSE — Time Bomb
Windows Server 2025 Standard is running as an **EVALUATION** install. Evaluation licenses expire after 180 days, after which the server will shut down every hour. A full license must be purchased and applied immediately.
### 2. QuickBooks on the Domain Controller
QuickBooks Pro 2024 is installed directly on the DC. Business applications increase attack surface and resource contention on the DC. Should be migrated to a dedicated workstation.
### 3. No Backup
No backup solution is configured. Total data loss if the server fails.
### 4. DHCP Role Installed But Not Used
Windows DHCP role is installed but all scopes are empty. DHCP is handled by the ISP router at 10.0.0.1. The DHCP role could be uninstalled to reduce confusion, or properly configured to take over from the ISP router (recommended).
### 5. Unknown Port 8019
An unidentified service is listening on port 8019. Needs investigation.
## TODO (Priority Order)
- [ ] **IMMEDIATE: Activate full Windows Server license** — Evaluation will expire
- [ ] **IMMEDIATE: Set up backup** — No backup exists
- [ ] **HIGH: Migrate QuickBooks off the DC** — Install on a workstation instead
- [ ] Create reverse DNS zone for 10.0.0.x
- [ ] Investigate port 8019
- [ ] Consider moving DHCP from ISP router to server for better control
- [ ] Identify purpose of "Server2 2022_03_31" secondary volume
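Review bot: the ports table marks 8019 as Unknown and the TODO just says "Investigate", but the owning process is a two-command answer on the server and should be recorded in this document before it goes to the client: `Get-NetTCPConnection -LocalPort 8019 -State Listen | Select-Object OwningProcess` and then `Get-Process -Id <pid> | Select-Object Name, Path`; given ScreenConnect is installed, check whether it is the agent before treating it as foreign. The Backup section's "NONE" should also constrain the "Set up backup" TODO: because this is the only domain controller, the backup has to capture System State (the AD database and SYSVOL), not only C:\Shares, since a file-level copy of the QuickBooks data does not restore the domain, and the first restore test should be scheduled alongside the backup job rather than left implicit. Minor: the GPO table row for "Intranet Zone - File Server" uses the escaped `\\\\SERVER` form, which renders correctly in markdown but reads oddly in the raw file; a code span (`` `\\SERVER` ``) avoids the double escaping.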


@@ -0,0 +1,49 @@
# Server: [SERVER NAME]
## General Info
- Hostname:
- IP Address:
- OS:
- OS Version:
- Physical / Virtual:
- Host (if virtual):
- Location:
- Last Patched:
## Hardware (if physical)
- Make/Model:
- CPU:
- RAM:
- Storage:
- Warranty Expiry:
## Roles and Services
<!-- List all roles this server performs -->
- [ ] Domain Controller
- [ ] DNS Server
- [ ] DHCP Server
- [ ] File Server
- [ ] Print Server
- [ ] Application Server
- [ ] Database Server
- [ ] Backup Target
- [ ] RDS / Terminal Server
- [ ] Hyper-V Host
## Shares (if file server)
| Share Name | Path | Permissions Group | Notes |
|---------------|-------------------|---------------------|----------------|
| | | | |
## Applications Installed
| Application | Version | Purpose | License |
|-------------------|------------|----------------------|---------------|
| | | | |
## Backup
- Backup Method:
- Backup Schedule:
- Backup Target:
- Last Verified Restore:
## Notes
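Review bot: the template has no Listening Ports or exposed-services section, so an audit like the one recorded for SERVER above (ports table with an unidentified 8019 entry) has nowhere consistent to land in a new client's docs; add a `## Listening Ports` table with Port / Protocol / Service / Notes columns to match that document. The Backup section should also carry a `Backup Covers System State: Yes/No` line, since the Domain Controller checkbox under Roles is exactly the case where a file-only backup is not enough, and `## General Info` would benefit from a `Credential Vault Reference:` line so that admin passwords are pointed to rather than written inline.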