diff --git a/.claude/memory/project_cascades_vlan20_migration_routing.md b/.claude/memory/project_cascades_vlan20_migration_routing.md index d6f4d10d..99521c6e 100644 --- a/.claude/memory/project_cascades_vlan20_migration_routing.md +++ b/.claude/memory/project_cascades_vlan20_migration_routing.md @@ -8,7 +8,18 @@ metadata: Cascades is migrating staff machines + printers off the flat old LAN (192.168.0.0/22, "CSC ENT") onto the isolated **Staff VLAN 20 (10.0.20.0/24, gw 10.0.20.1)** ("CSCNET"). Printers are being re-IP'd to 10.0.20.x (static) and re-shared on the CS-SERVER print -server. Key operational facts learned 2026-06-30 (Howard, front-desk ET-5800 + Life +server. + +**PROGRESS (live-reconciled 2026-07-01):** MACHINES are essentially done — 22 online hosts on +VLAN 20; only CS-SERVER (stays by design) + ~6 stragglers (ASSISTMAN-PC, CascadesProxess, +Laptop2, NurseAssist, 2 roaming laptops) remain on 192.168.x. PRINTERS lag — only 4 of 15 +CS-SERVER shares repointed to 10.0.20.x (FrontDesk .221, BusinessOffice .220, LifeEnrichment +.94, MCReception .78); 11 shares still on old-LAN IPs (MCMedTech still stale 192.168.2.53 though +target 10.0.20.74 is live+reachable). GPO still NOT fleet-live (silent new-driver-install gap +open: reboot vs pre-stage drivers). MEMCARE-STATION rename staged but not yet applied. Full +live inventory (all shares/ports/machines): clients/cascades-tucson/docs/printer-gpo-map.md. + +Key operational facts learned 2026-06-30 (Howard, front-desk ET-5800 + Life Enrichment Canon MF741CDW): **pfSense gotcha (the big one):** CS-SERVER (on the old LAN) could not reach ANY VLAN 20 diff --git a/clients/cascades-tucson/docs/printer-gpo-map.md b/clients/cascades-tucson/docs/printer-gpo-map.md index df7adca1..5ddfc96c 100644 --- a/clients/cascades-tucson/docs/printer-gpo-map.md +++ b/clients/cascades-tucson/docs/printer-gpo-map.md 
@@ -1,7 +1,24 @@ # Cascades — Printer / VLAN 20 Migration Map (GPO planning) -Living reference for the printer migration onto Staff VLAN 20 (10.0.20.0/24) and the -eventual **printer GPO** build. Update as machines/printers migrate. Started 2026-06-30 (Howard). +Living reference for the migration of staff machines + printers off the flat old LAN +("CSC ENT", 192.168.0.0/22) onto **Staff VLAN 20 (10.0.20.0/24, "CSCNET")** and the eventual +**printer GPO** build. Started 2026-06-30 (Howard). **Last reconciled to LIVE state 2026-07-01** +(full GuruRMM fleet IP pull + CS-SERVER `Get-Printer`/`Get-PrinterPort` + TCP reachability). + +## STATE AT A GLANCE (live 2026-07-01) + +- **Machines: essentially migrated.** 22 online hosts are on VLAN 20 (10.0.20.x). Only CS-SERVER + (stays on the LAN by design) + 6 stragglers (ASSISTMAN-PC, CascadesProxess, Laptop2, + NurseAssist, 2 roaming laptops) remain on 192.168.x. See "Machine migration status" below. +- **Printer shares: lagging — 4 of 15 repointed.** Only FrontDesk, BusinessOffice, LifeEnrichment, + MCReception point at 10.0.20.x. The other 11 CS-SERVER print shares still target old-LAN + printer IPs. (Server-share printing still WORKS for those — CS-SERVER is on the old LAN and + reaches them fine — but the printer hardware hasn't been moved onto VLAN 20 yet.) +- **All 7 VLAN20 printer targets reachable** from CS-SERVER on 9100 (incl. .74, the MCMedTech + target that the share hasn't been repointed to yet). Gateway 10.0.20.1 pings. +- **GPO: not fleet-live.** Point-and-Print GPO is built but scoped to one pilot box; the silent + new-driver-install gap is still open (reboot vs pre-stage drivers — decision pending). See + "PILOT RESULT" below. ## How the GPO needs to be built (two layers) 
@@ -12,70 +29,126 @@ eventual **printer GPO** build. Update as machines/printers migrate. Started 202 `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0,` `NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2` (scopes silent driver install to CS-SERVER only). Caregiver machines already have this — that's why their printer GPO - works. Set manually 2026-06-30 on DESKTOP-ROK7VNM + DESKTOP-DLTAGOI; needs to be a GPO. + works. GPO `CSC - Point and Print (CS-SERVER)` `{BFAB721A-513D-4C14-8255-DEB1D4266830}` is + BUILT but scoped to DESKTOP-H6QHRR7 only (see PILOT RESULT). 2. **Printer deployment** — GPP Printers / Deployed Printers mapping `\\CS-SERVER\` - to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` likely still - points at OLD share names — repoint. `CSC - Printer Deployment` is disabled/empty (do not use). + to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` still points at + OLD share name `RecRoom-Canon` — repoint. `CSC - Printer Deployment` is disabled/empty (do not use). -**Driver trap:** Canon MF741/743 are **UFR II only** — PCL6 produces Error #822 (spools, never +**Driver trap:** Canon MF741/743/751 are **UFR II only** — PCL6 produces Error #822 (spools, never prints). Any GPO/share for those Canons MUST use `Canon Generic Plus UFR II V250` (INF cnlb0ma64.inf). +NOTE: `MCDirector` (Canon MF751CDW) and `Kitchen`/`ExecDirector` (Canon MF743CDW) shares are +currently on **PCL6** on the server — they will hit Error #822 and need the UFR II driver when touched. -## Printer / machine map +## Printer share inventory — CS-SERVER (live 2026-07-01) -| Printer (share / name) | Model | IP (VLAN20) | Driver | Machine | User(s) | Domain? | Status / GPO action | -|---|---|---|---|---|---|---|---| -| `\\CS-SERVER\FrontDesk` | Epson ET-5800 | 10.0.20.221 | EPSON ET-5800 Series | RECEPTIONIST-PC (frontdesk box, S/N MJ0KQHNP) | frontdesk | Domain (cascades.local) | DONE — share repointed, mapped, default. 
Add to GPO. | -| `\\CS-SERVER\LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | Canon Generic Plus UFR II V250 | DESKTOP-DLTAGOI; DESKTOP-ROK7VNM | sharon.edwards; susan.hicks | Domain | DONE — UFR II driver fixed, mapped (not default). **Repoint `CSC - Life Enrichment Printers` GPO from old `1F-132-RecRoom-Canon` to `LifeEnrichment`.** | -| Dining Room Manager - Canon MF743CDW | Canon MF743CDW (MF741C/743C) | 10.0.20.228 | Canon Generic Plus UFR II V250 | DESKTOP-MD6UQI3 | dining manager (Alyssa) | **WORKGROUP — not domain-joined yet** | DONE as direct-IP (local) printer, default. **TODO: when DESKTOP-MD6UQI3 is domain-joined, add this printer to the GPO and map it to Alyssa's domain account.** | -| Chef Office - Brother MFC-9330CDW | Brother MFC-9330CDW | 10.0.20.236 | Brother MFC-9330CDW Printer | CHEF-PC | chef (all users) | **WORKGROUP — not domain-joined** | DONE as direct-IP (machine-wide / all users), default. **TODO: add to GPO + map to chef's domain account once CHEF-PC is domain-joined.** This is the Chef's printer in the Chef's office (distinct from the kitchen printer with the chefs). | -| Memory Care Front Desk - Epson ET-5800 (`\\CS-SERVER\MCReception`) | Epson ET-5800 | 10.0.20.78 | EPSON ET-5800 Series | MEMRECEPT-PC | memfrtdesk (+ other MemCare front-desk staff) | **WORKGROUP — not domain-joined** | Already shared on CS-SERVER as `MCReception`. Machine currently has the Epson via OLD vendor/WSD ports (`EP833571:ET-5800 SERIES` + WSD), NOT the static .78 — needs direct-IP to 10.0.20.78. **Mark for GPO: MemCare front-desk users (mostly the memfrtdesk machine). 
TODO: add to GPO + map to domain accounts once domain-joined.** | -| Memory Care MedTech - Brother MFC-L8900CDW (`\\CS-SERVER\MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | Brother MFC-L8900CDW series | RECEPTIONIST-PC (memcare box → **rename to MEMCARE-***); DESKTOP-LPOPV30 | memory care; karen rossini | **WORKGROUP** | DONE direct-IP machine-wide on both; old 192.168.2.53 + WSD connections removed; LPOPV30 default = new printer (was the old one); memcare box default unchanged (iR-ADV). MedTech room in Memory Care. **TODO: GPO + domain accounts once joined.** | -| `\\CS-SERVER\Kitchen` | Canon MF743CDW | 192.168.3.232 (pre-migration) | (verify) | (kitchen) | chefs | — | Kitchen printer (with the chefs). Not yet migrated to VLAN20 this round. | +All shares `Shared=True, Published=False`. "VLAN20?" = does the port point at 10.0.20.x yet. + +| Share | Model | Port host IP | VLAN20? | Driver (on server) | Action | +|---|---|---|---|---|---| +| `FrontDesk` | Epson ET-5800 | 10.0.20.221 | YES | EPSON ET-5800 Series | DONE. Add to GPO. | +| `BusinessOffice` | Brother MFC-L8900CDW | 10.0.20.220 | YES | Brother Generic Jpeg Type2 | DONE (now reachable; was powered-off 6/30). Add to GPO. | +| `LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | YES | Canon Generic Plus UFR II V250 | DONE. **Repoint `CSC - Life Enrichment Printers` GPO `RecRoom-Canon`->`LifeEnrichment`.** | +| `MCReception` | Epson ET-5800 | 10.0.20.78 | YES | EPSON ET-5800 Series | DONE (share now on .78). Client-side setup on MEMRECEPT-PC still TBD. | +| `MCMedTech` | Brother (L8900CDW) | **192.168.2.53** | NO — STALE | Brother Generic Jpeg Type2 | **REPOINT to 10.0.20.74** (target is LIVE + reachable). Caregiver GPO deploys this share. | +| `NursesPrinter` | Brother MFC-L8900CDW | 192.168.2.75 | NO | Brother Generic Jpeg Type2 | Re-IP to VLAN20 + repoint. Caregiver GPO default printer. 
| +| `HealthServices` | Konica Minolta C368 | 192.168.1.138 | NO | KONICA MINOLTA Universal PCL | Re-IP to VLAN20 + repoint. Caregiver GPO. | +| `MCDirector` | Canon MF751CDW | 192.168.3.52 | NO | Canon Generic Plus **PCL6** | Re-IP + repoint; **switch to UFR II** (MF751 = UFR II only). Caregiver GPO. | +| `CopyRoom` | Canon | 192.168.2.230 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; verify model/PDL. Caregiver GPO default fallback. | +| `Kitchen` | Canon MF743CDW | 192.168.3.232 | NO | Canon Generic Plus **PCL6** | Kitchen printer (with chefs). Re-IP + repoint; **UFR II**. Separate from Dining .228. | +| `CulinaryChef` | Brother MFC-9330CDW | 192.168.3.88 | NO | Brother Generic Jpeg Type2 | **Likely redundant** with the Chef direct-IP printer (.236 on CHEF-PC). Verify same device -> retire or repoint. | +| `Accounting` | Canon MF455DW | 192.168.3.227 | NO | Canon Generic Plus PCL6 | Re-IP + repoint (verify PDL; MF455 supports PCL). | +| `AdminOffice` | Brother MFC-9340CDW | 192.168.2.145 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. | +| `ExecDirector` | Canon MF743CDW | 192.168.2.67 | NO | Canon Generic Plus **PCL6** | Re-IP + repoint; **UFR II** (MF743). | +| `SalesMarketing` | Brother MFC-L8900CDW | 192.168.3.44 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. | + +Progress: **4 / 15 shares on VLAN 20.** 11 remain on old-LAN IPs. + +### Direct-IP printers (workgroup machines — no CS-SERVER share) +| Printer | Model | IP (VLAN20) | Machine | User(s) | Status | +|---|---|---|---|---|---| +| Dining Room Manager | Canon MF743CDW | 10.0.20.228 | DESKTOP-MD6UQI3 (workgroup) | dining manager (Alyssa) | DONE direct-IP (UFR II), default. **Domain-join -> move to `\\CS-SERVER\` + GPO.** | +| Chef Office | Brother MFC-9330CDW | 10.0.20.236 | CHEF-PC (workgroup) | chef / JD Martin (USB stays default) | DONE direct-IP machine-wide. **Domain-join -> GPO.** May correspond to stale `CulinaryChef` server share (.88) — reconcile. 
| +| MedTech (also `MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | RECEPTIONIST-PC (memcare box) + DESKTOP-LPOPV30 | memory care; karen rossini | DONE direct-IP machine-wide on both; server `MCMedTech` share still needs repoint to .74. | + +## Machine migration status — VLAN 20 (live 2026-07-01) + +**On VLAN 20 (10.0.20.x) — 22 online hosts:** ACCT2-PC (.209), ANN-PC (.218), ASSISTNURSE-PC (.181), +CHEF-PC (.232, workgroup), CRYSTAL-PC (.205), DESKTOP-DLTAGOI (.72, sharon.edwards), +DESKTOP-H6QHRR7 (.235, Lauren — P&P pilot box), DESKTOP-LPOPV30 (.100, karen), DESKTOP-MD6UQI3 +(.222, workgroup, Alyssa), DESKTOP-N5G1ROO (.183, Chris Knight), DESKTOP-ROK7VNM (.223, susan.hicks), +DESKTOP-TRCIEJA (.184, Lupe — slated for replacement), Health-Services-Director (.178), +LAPTOP-DRQ5L558 (.237, caregiver device), MAINTENANCE-PC (.96), MDIRECTOR-PC (.71, Shelby Trozzi), +MEMRECEPT-PC (.97, workgroup, memfrtdesk), NURSESTATION-PC (.180, caregiver device), +RECEPTIONIST-PC frontdesk box (.102, S/N MJ0KQHNP), RECEPTIONIST-PC memcare box (.68, S/N MJ0KQH4R +— pending MEMCARE-STATION rename), SALES4-PC (.203), megan (.202). + +**Still on old LAN (192.168.x):** +- CS-SERVER (192.168.2.248 / .254) — DC + print server, **stays on the LAN by design**. +- ASSISTMAN-PC (192.168.2.38, Meredith Kuhn) — known watch-host, not migrated. +- CascadesProxess (192.168.2.178), Laptop2 (192.168.2.118), NurseAssist (192.168.3.254), + LAPTOP-8P7HDSEI (192.168.3.101, roaming), LAPTOP-E0STJJE8 (192.168.3.9, roaming). + +**Offline (last-known IP from DC DNS):** DESKTOP-F94M8UT (10.0.20.171, was on VLAN20 — Alma's old box), +DESKTOP-U2DHAP0 (192.168.3.37, Ashley — old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned), +Laptop4 (no DNS record). ## Current GPO state (live-inspected 2026-06-30) -- **NO GPO sets the Point-and-Print policy** (`RestrictDriverInstallationToAdministrators` / Point-and-Print Restrictions / Package Point and Print). 
This is the missing **Layer 1** — without it, GPP-deployed printers fail to install the driver for standard users (event 513 / 0xBCB). Must be added. -- Printer deployment is via **User-side GPP Printers** (not Deployed Printers / not GPP Computer), linked per-department OU: - - **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled; User GPP Printers + Registry + Shortcuts). Deploys 6 shares (action=Update): `\\CS-SERVER\NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; sets default = NursesPrinter and MCMedTech (the two default=1 entries; intended per-location but no item-level targeting currently parsed). - - **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` (action=Update, no targeting) — **STALE share name; the printer is now shared as `LifeEnrichment`**. - - **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. Computer Registry only, no printers. +- **NO GPO sets the Point-and-Print policy** (missing **Layer 1**; explains the 513 / 0xBCB failures). `CSC - Point and Print (CS-SERVER)` was built to fill this but is pilot-scoped only. +- Printer deployment is via **User-side GPP Printers**, linked per-department OU: + - **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled). Deploys 6 shares (action=Update): `NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; defaults = NursesPrinter + MCMedTech (default=1, no item-level targeting parsed). **NOTE: 5 of these 6 shares still point at old-LAN IPs (only MCReception is on VLAN20) — repointing them is what actually moves the caregiver fleet's printers onto VLAN 20.** + - **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` — **STALE share name; now `LifeEnrichment`**. 
+ - **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. Registry only, no printers. - **CSC - Printer Deployment** -> not linked, empty. Dead — ignore. - AD OU structure in play: `Departments/{Caregivers, Life Enrichment}`, `Workstations/Staff PCs`. ## Target-state design + action list -**Layer 1 — Point-and-Print policy (NEW computer GPO, fleet-wide).** Create e.g. `CSC - Point and Print (CS-SERVER)`, Computer config, set: -`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` `RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`: `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2`. Link at the OU that contains all staff/department workstations (e.g. `Workstations` and/or `Departments`). This makes every GPP/printer install from CS-SERVER silent for standard users. (Same values we set manually on the LE machines this session.) +**Layer 1 — Point-and-Print policy (fleet-wide computer GPO).** `CSC - Point and Print (CS-SERVER)` exists; broaden its link/filter to all staff/department workstation OUs once the silent-install gap below is resolved. -**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer going forward: edit the department's GPO -> User Config -> Preferences -> Control Panel Settings -> Printers -> add a **Shared Printer** item, action=Update/Create, path `\\CS-SERVER\`, optional Set this printer as the default + item-level targeting (by security group / location) if needed. Link the GPO to the department OU. +**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer: department GPO -> User Config -> Preferences -> Control Panel -> Printers -> Shared Printer item, action=Update/Create, path `\\CS-SERVER\`, + default + item-level targeting as needed. -**Immediate fixes identified:** -1. CREATE the Layer-1 Point-and-Print GPO (above) and link it. 
(Prerequisite — do first.) -2. REPOINT `CSC - Life Enrichment Printers` from `\\CS-SERVER\RecRoom-Canon` -> `\\CS-SERVER\LifeEnrichment`. -3. UPDATE the CS-SERVER share ports to the new VLAN20 static IPs so the GPO-deployed shares actually print: `MCMedTech` -> 10.0.20.74 (currently 192.168.2.53), `MCReception` -> 10.0.20.78, and audit `NursesPrinter`/`HealthServices`/`MCDirector`/`CopyRoom` ports as those printers migrate. (Front Desk + Life Enrichment shares already repointed this session.) -4. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group) is intact, or re-add it. -5. Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) get direct-IP printers until domain-joined; then move them into the right OU and let the GPO take over. +**Immediate fixes (priority order):** +1. **Resolve the silent-install gap** (see PILOT RESULT): decide reboot-test vs pre-stage-drivers, then take the P&P GPO fleet-live. +2. **Repoint the 5 stale caregiver-GPO shares to VLAN20** as those printers get re-IP'd: `MCMedTech` -> 10.0.20.74 (target already live — do this now), `NursesPrinter` (.75), `HealthServices` (.138), `MCDirector` (.52, +UFR II), `CopyRoom` (.230). This is the highest-leverage remaining printer work. +3. REPOINT `CSC - Life Enrichment Printers` `RecRoom-Canon` -> `LifeEnrichment`. +4. Re-IP + repoint the remaining old-LAN shares: `Kitchen` (+UFR II), `Accounting`, `AdminOffice`, `ExecDirector` (+UFR II), `SalesMarketing`. +5. Reconcile `CulinaryChef` (192.168.3.88) vs the Chef direct-IP (.236) — retire the redundant share if same device. +6. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group). +7. Domain-join the workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> move to GPO-deployed `\\CS-SERVER\`. 
-## PILOT RESULT (2026-06-30) — important +## PILOT RESULT (2026-06-30) — still the open blocker -Created `CSC - Point and Print (CS-SERVER)` GPO, scoped it (security filter) to ONE machine **DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry landed correctly via GPO** (RestrictDriverInstallationToAdministrators=0 + full PointAndPrint set verified on the machine). +Created `CSC - Point and Print (CS-SERVER)`, scoped (security filter) to ONE machine +**DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry +landed correctly via GPO.** BUT the in-session test **still PROMPTED** for a printer whose driver +was NOT already local (front-desk Epson), even after a spooler restart — the driver did not install. +The earlier LE-machine "silent" maps only worked because that driver was already present. -**BUT the in-session test still PROMPTED:** mapping a printer whose driver was NOT already on the machine (front-desk Epson ET-5800) triggered the elevation prompt for the standard user, even after a spooler restart — the driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present (we never actually exercised the install path). +**Conclusion:** the P&P policy is necessary but NOT sufficient to make a *brand-new driver install* +silent in a running session. Likely: `RestrictDriverInstallationToAdministrators=0` needs a **reboot** +(CVE-2021-34527 mitigation) and/or v3 (non-package) drivers still elevate. -**Conclusion:** the Point-and-Print policy via GPO is necessary but NOT sufficient on its own to make a *brand-new driver install* silent in a running session. Likely causes: `RestrictDriverInstallationToAdministrators=0` needs a **reboot** to fully take effect (it's a CVE-2021-34527 mitigation), and/or v3 (non-package) drivers (Epson/Canon Generic Plus) still elevate. +**Two reliable paths (decide):** +1. 
**Reboot-dependent:** test — reboot a machine, then confirm a new-driver map is silent. +2. **Pre-stage drivers (recommended):** deploy each printer's driver machine-wide (computer GPO + startup script installing from CS-SERVER as SYSTEM). GPP connection then attaches to an + already-present driver -> always silent, no reboot/P&P-install dependency. -**Two reliable paths (to validate/decide):** -1. **Reboot-dependent:** policy likely only fully effective after the machine reboots (spooler starts with it). Test: reboot a machine, then confirm a new-driver map is silent. Normal for GPO rollout, but unproven for v3 drivers here. -2. **Pre-stage drivers (most reliable, recommended):** deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM, or the direct-IP/SYSTEM method we used on workgroup boxes). Then the User GPP printer connection attaches to an already-present driver -> always silent, no reboot/point-and-print-install dependency. - -**State:** GPO is scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). Lauren's machine cleaned (no test artifacts). NOT yet rolled out. Next: decide reboot-test vs pre-stage-drivers, then go live. +**State:** GPO scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). NOT rolled out. ## Machine rename TODO -- **RECEPTIONIST-PC** (the Memory Care box, "memory care" user, S/N MJ0KQH4R, agent 57f19e17) shares its hostname with the front-desk RECEPTIONIST-PC box — too hard to tell apart in the agent list. **Rename STAGED 2026-06-30 -> `MEMCARE-STATION`; applies on next reboot** (not forced; user was active). The OTHER RECEPTIONIST-PC (frontdesk user, S/N MJ0KQHNP) is the actual front desk. +- **RECEPTIONIST-PC** (Memory Care box, S/N MJ0KQH4R, 10.0.20.68, agent 57f19e17) -> `MEMCARE-STATION` + rename was STAGED 2026-06-30 but **NOT YET APPLIED (live 2026-07-01 still reports RECEPTIONIST-PC)** — + needs the reboot. 
The OTHER RECEPTIONIST-PC (frontdesk, S/N MJ0KQHNP, 10.0.20.102) is the real front desk. ## Notes -- Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC) get **direct-IP local printers** for now - (no domain auth / no point-and-print needed). Once domain-joined, switch them to the - GPO-deployed `\\CS-SERVER\` model and map to the domain account. +- Server-share printing works even while a printer is still on the old-LAN IP (CS-SERVER is on the + old LAN and reaches it). Re-IP'ing printers to 10.0.20.x is about VLAN isolation, not print function. +- Workgroup machines get **direct-IP local printers** until domain-joined, then switch to + GPO-deployed `\\CS-SERVER\`. +- Some Brother shares use the generic **"Brother Generic Jpeg Type2 Class Driver"**, not a + model-specific driver (BusinessOffice, MCMedTech, NursesPrinter, CulinaryChef, AdminOffice, SalesMarketing). - Detailed how-to + pfSense routing fix: `.claude/memory/project_cascades_vlan20_migration_routing.md` and session log `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`. diff --git a/clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-vlan20-migration-live-reconcile.md b/clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-vlan20-migration-live-reconcile.md new file mode 100644 index 00000000..6c34d3c4 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-vlan20-migration-live-reconcile.md 
@@ -0,0 +1,78 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Picked up the Cascades of Tucson network migration — moving staff machines and printers off the flat old LAN ("CSC ENT", 192.168.0.0/22) onto the isolated Staff VLAN 20 ("CSCNET", 10.0.20.0/24). Howard reported he had moved additional machines and printers since the 2026-06-30 work and asked where things stood. Loaded context from the wiki (clients/cascades-tucson) and the 2026-06-30 VLAN 20 printer-migration session log, then confirmed the terminology: the "CSCNET" target is pfSense VLAN 20, distinct from the WiFi "CSC ENT device-island" track. + +Because Howard did not specify which machines/printers he had moved, ran a live GuruRMM reconciliation (delegated the high-volume RMM pull to a sub-agent) to discover current state: a full fleet IP map (10.0.20.x = migrated; 192.168.x = still on old LAN), CS-SERVER print-share/port inventory, and TCP reachability to every VLAN20 printer target. CS-SERVER agent id resolved live = c39f1de7-d5b6-45ae-b132-e06977ab1713 (unchanged). + +The live pull showed the migration is much further along than the docs captured: 22 online hosts are now on VLAN 20, with only CS-SERVER (stays by design) plus ~6 stragglers left on the old LAN. Printers lag — only 4 of 15 CS-SERVER shares are repointed to 10.0.20.x. All 7 VLAN20 printer targets are reachable on 9100, including 10.0.20.74 (the MCMedTech target) even though its share still points at the stale 192.168.2.53. The MEMCARE-STATION rename staged on 6/30 has not applied (box still reports RECEPTIONIST-PC). + +Reconciled both living docs to the live state: rewrote clients/cascades-tucson/docs/printer-gpo-map.md with the full 15-share inventory + 2 direct-IP printers + the 22-machine VLAN20 roster + a re-prioritized action list, and added a 2026-07-01 progress snapshot to the project_cascades_vlan20_migration_routing memory. 
No production changes were made this session (read-only investigation + doc updates). Offered to do the safe MCMedTech share repoint (.53 -> .74) but held pending Howard's decision on the GPO silent-install path. + +## Key Decisions + +- Used the live RMM fleet IP pull as the discovery mechanism for "which machines/printers moved," rather than asking Howard to enumerate them — machines' current IPs directly reveal VLAN20 vs old-LAN membership. +- Delegated the live data-gathering (fleet enumeration + CS-SERVER printer state + reachability) to a sub-agent because it was high-volume RMM tool output; kept the reconciliation and doc writes in the main context. +- Did NOT hand-edit the wiki article (compiled artifact — `/wiki-compile` only); updated the running doc + memory, which is what "update the running map + memory" scopes to. +- Held on the MCMedTech share repoint (safe — target .74 is live/reachable) until Howard decides reboot-test vs pre-stage-drivers for the GPO, to keep printer changes batched with the GPO go-live rather than one-off. + +## Problems Encountered + +- RMM/coord were initially unreachable from Howard-Home: Tailscale was stuck in `NoState` and disconnecting because unattended mode was off. Sub-agent set `HKLM\SOFTWARE\Tailscale IPN\UnattendedMode = always` and restarted the service — now stable at 100.103.198.108, subnet route to 172.16.3.30 up. Persistent fix; flagged to Howard. +- Docs undercounted migration progress (tracked only a handful of machines/printers). Resolved by the full live pull + doc rewrite. + +## Configuration Changes + +- **Modified:** `clients/cascades-tucson/docs/printer-gpo-map.md` — full rewrite reconciled to live 2026-07-01 state (15-share inventory with current port IPs + VLAN20 status, 2 direct-IP printers, 22-machine VLAN20 roster + stragglers/offline, re-prioritized action list, driver traps for MF751/MF743 PCL6 shares). 
+- **Modified:** `.claude/memory/project_cascades_vlan20_migration_routing.md` — added 2026-07-01 progress snapshot (machines done, printers 4/15, GPO not live, rename pending); mechanics/gotchas retained. +- **Created:** this session log. +- **Machine config (Howard-Home, by sub-agent):** `HKLM\SOFTWARE\Tailscale IPN\UnattendedMode = always` + Tailscale service restart. Not a repo change. +- No changes to CS-SERVER, pfSense, printers, or GPOs this session. + +## Credentials & Secrets + +- No credentials created or discovered. RMM commands ran as the agent (SYSTEM); no vaulted cred needed for the read-only local queries. Vaulted CS-SERVER admin (`clients/cascades-tucson/cs-server.sops.yaml`) was NOT used this session. + +## Infrastructure & Servers + +- **CS-SERVER** 192.168.2.248 (SMB) / 192.168.2.254 (Hyper-V vEth) — DC + print server; stays on old LAN by design. GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713` (resolved live, unchanged). Holds no DHCP scopes (VLAN20 DHCP served by the UniFi gateway). +- **VLAN 20 ("CSCNET")** 10.0.20.0/24, gw 10.0.20.1 (pings from CS-SERVER). +- **VLAN20 hosts (22 online):** ACCT2-PC .209, ANN-PC .218, ASSISTNURSE-PC .181, CHEF-PC .232 (workgroup), CRYSTAL-PC .205, DESKTOP-DLTAGOI .72, DESKTOP-H6QHRR7 .235 (P&P pilot), DESKTOP-LPOPV30 .100, DESKTOP-MD6UQI3 .222 (workgroup), DESKTOP-N5G1ROO .183, DESKTOP-ROK7VNM .223, DESKTOP-TRCIEJA .184, Health-Services-Director .178, LAPTOP-DRQ5L558 .237, MAINTENANCE-PC .96, MDIRECTOR-PC .71, MEMRECEPT-PC .97 (workgroup), NURSESTATION-PC .180, RECEPTIONIST-PC frontdesk .102 (S/N MJ0KQHNP), RECEPTIONIST-PC memcare .68 (S/N MJ0KQH4R, pending rename), SALES4-PC .203, megan .202. +- **Still on old LAN:** CS-SERVER (by design), ASSISTMAN-PC 192.168.2.38, CascadesProxess 192.168.2.178, Laptop2 192.168.2.118, NurseAssist 192.168.3.254, LAPTOP-8P7HDSEI 192.168.3.101 (roaming), LAPTOP-E0STJJE8 192.168.3.9 (roaming). 
+- **Offline (last DNS IP):** DESKTOP-F94M8UT 10.0.20.171 (VLAN20), DESKTOP-U2DHAP0 192.168.3.37 (old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned), Laptop4 (no DNS). +- **CS-SERVER print shares (share -> port IP, VLAN20?):** FrontDesk -> 10.0.20.221 YES; BusinessOffice -> 10.0.20.220 YES; LifeEnrichment -> 10.0.20.94 YES (UFR II); MCReception -> 10.0.20.78 YES; MCMedTech -> 192.168.2.53 NO (target .74 live); NursesPrinter -> 192.168.2.75 NO; HealthServices -> 192.168.1.138 NO (Konica C368); MCDirector -> 192.168.3.52 NO (Canon MF751, PCL6 -> needs UFR II); CopyRoom -> 192.168.2.230 NO; Kitchen -> 192.168.3.232 NO (Canon MF743, PCL6 -> UFR II); CulinaryChef -> 192.168.3.88 NO (Brother 9330, likely redundant w/ Chef direct-IP); Accounting -> 192.168.3.227 NO (Canon MF455); AdminOffice -> 192.168.2.145 NO (Brother 9340); ExecDirector -> 192.168.2.67 NO (Canon MF743, PCL6 -> UFR II); SalesMarketing -> 192.168.3.44 NO (Brother L8900). +- **Direct-IP printers (workgroup):** Dining Canon MF743CDW 10.0.20.228 (DESKTOP-MD6UQI3, UFR II); Chef Brother MFC-9330CDW 10.0.20.236 (CHEF-PC); MedTech Brother L8900CDW 10.0.20.74 (memcare box + DESKTOP-LPOPV30). +- **Howard-Home:** Tailscale 100.103.198.108 (now unattended/stable). + +## Commands & Outputs + +- VLAN20 printer reachability from CS-SERVER (TCP 9100, 2s timeout): 10.0.20.221 True, .220 True, .94 True, .78 True, .74 True, .228 True, .236 True. Gateway 10.0.20.1 ping True. No asleep/off false negatives. +- Data sources: live `Get-NetIPAddress` + `Win32_BIOS` serial on 29 online agents; CS-SERVER DNS zone for offline hosts; CS-SERVER `Get-Printer`/`Get-PrinterPort`. + +## Pending / Incomplete Tasks + +- **Decide the GPO silent-install path:** reboot-test vs pre-stage-drivers (recommended). This is the blocker to taking `CSC - Point and Print (CS-SERVER)` fleet-live (currently pilot-scoped to DESKTOP-H6QHRR7). 
+- **Repoint MCMedTech share 192.168.2.53 -> 10.0.20.74** (safe; target live) — offered, held for Howard's go. +- **Repoint remaining stale caregiver-GPO shares** as printers re-IP: NursesPrinter (.75), HealthServices (.138), MCDirector (.52, +UFR II), CopyRoom (.230). +- **Repoint `CSC - Life Enrichment Printers` GPO** `RecRoom-Canon` -> `LifeEnrichment`. +- **Re-IP + repoint remaining old-LAN shares:** Kitchen (+UFR II), Accounting, AdminOffice, ExecDirector (+UFR II), SalesMarketing. +- **Reconcile CulinaryChef (192.168.3.88) vs Chef direct-IP (.236)** — retire redundant share if same device. +- **Apply MEMCARE-STATION rename** (needs reboot; memcare box still reports RECEPTIONIST-PC). +- **Domain-join workgroup machines** (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> switch direct-IP printers to `\\CS-SERVER\` + GPO. +- **Optional:** save a harness memory for the Howard-Home Tailscale UnattendedMode fix. +- Cascades printer skill (Howard's idea) — package the migration how-to into a reusable skill. + +## Reference Information + +- Running map: `clients/cascades-tucson/docs/printer-gpo-map.md`. +- Migration memory: `.claude/memory/project_cascades_vlan20_migration_routing.md`. +- Prior session: `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`. +- GuruRMM API: http://172.16.3.30:3001 (vault `infrastructure/gururmm-server.sops.yaml`). +- P&P GPO: `CSC - Point and Print (CS-SERVER)` guid `{BFAB721A-513D-4C14-8255-DEB1D4266830}`. +- UFR II driver for Canon MF741/743/751: `Canon Generic Plus UFR II V250`, INF `cnlb0ma64.inf`. +- pfSense LAN routing fix (6/30): top LAN pass rule src 192.168.2.248 -> dst 10.0.20.0/24, gw=default. +- Syncro customer 20149445; 0 open tickets, 37.5 prepaid hrs (as of 2026-06-30). diff --git a/errorlog.md b/errorlog.md index 7cb9717d..37814ea0 100644 --- a/errorlog.md +++ b/errorlog.md 
@@ -23,6 +23,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · 2026-07-01 | GURU-5070 | agy | gemini returned no response (empty after 3 attempts) [ctx: mode=verify err= at process.processTicksAndRejections (node:internal/process/task_queues:104:] +2026-07-01 | Howard-Home | rmm-search | RMM auth failed via rmm-auth.sh (no TOKEN/RMM) + +2026-07-01 | Howard-Home | coord | coord API call failed (HTTP 0) [ctx: http=0 cmd=lock claim resp={"error": "
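Review bot: in the memory hunk (`@@ -8,7 +8,18 @@`, project_cascades_vlan20_migration_routing.md) the PROGRESS block says "~6 stragglers" for a list the same sentence enumerates exactly (ASSISTMAN-PC, CascadesProxess, Laptop2, NurseAssist, 2 roaming laptops is six), and the printer-gpo-map hunk states "6 stragglers"; write `6 stragglers` so the two living docs agree. Since the memory is meant to be read without the map, name the two roaming laptops here too (the map has them as LAPTOP-8P7HDSEI and LAPTOP-E0STJJE8) rather than "2 roaming laptops".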
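Review bot: in the printer-gpo-map "STATE AT A GLANCE" hunk (`@@ -1,7 +1,24 @@`) the bullet "Server-share printing still WORKS for those" asserts something this session did not test: the reachability run in the session log covered only the 7 VLAN20 targets on 9100 plus the gateway ping, and none of the 11 old-LAN port IPs (192.168.2.53, .75, 192.168.1.138, ...) were probed from CS-SERVER. Either run the same 9100 check against those ports before stating it, or word it as "expected to work (untested this session)". The "All 7 VLAN20 printer targets reachable from CS-SERVER" line also depends on the pfSense pass rule recorded at the end of the session log (src 192.168.2.248 -> dst 10.0.20.0/24); say so in the bullet, so a later firewall cleanup does not silently break every server-side VLAN20 port.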
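Review bot: in the printer-gpo-map rewrite hunk (`@@ -12,70 +29,126 @@`) the Layer-1 block and PILOT RESULT treat `RestrictDriverInstallationToAdministrators=0` as a fixed part of the fleet GPO, but if the recommended pre-stage-drivers path is taken that value should not ship at all: once the driver is already installed machine-wide as SYSTEM, the User GPP connection attaches to it without any driver install (the hunk's own reasoning), so the CVE-2021-34527 mitigation can stay at its default of 1 and the `PointAndPrint` `TrustedServers=1, ServerList=CS-SERVER` restriction is all the policy needs. Add to the "Two reliable paths" list that path 2 avoids weakening the PrintNightmare mitigation fleet-wide, which is a stronger reason to prefer it than reliability, with the caveat that the pre-staged driver version must match the one on CS-SERVER or the client will try to update it and prompt again. Two smaller points in the same hunk: the heading "Direct-IP printers (workgroup machines — no CS-SERVER share)" is contradicted by its own MedTech row, which is the `MCMedTech` share (the machines are workgroup, the printer is shared; reword the parenthetical), and `CopyRoom` carries model "Canon" with no PDL while also being the caregiver "default fallback", so its "verify model/PDL" step belongs in the priority list next to the other Canon UFR II fixes rather than only in the table.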
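Review bot: in the new session log (`@@ -0,0 +1,78 @@`) the Tailscale change on Howard-Home (`HKLM\SOFTWARE\Tailscale IPN\UnattendedMode = always` plus a service restart) is a persistent remote-access change, not the same class of thing as a doc edit: it keeps the node and its subnet route to 172.16.3.30 (the GuruRMM/coord network) connected with nobody logged in, it was made by the sub-agent, and the log only says it was "flagged to Howard" afterwards. Record in Key Decisions whether Howard approved it and why unattended mode had been off, and change the Summary's "No production changes were made this session" to "no client-side changes" so the Howard-Home change is not read as none at all. The Problems entry also looks like the same outage the errorlog.md hunk records for 2026-07-01 / Howard-Home ("RMM auth failed via rmm-auth.sh (no TOKEN/RMM)", "coord API call failed (HTTP 0)"); cross-reference them so those errorlog lines have a root cause attached.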
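Review bot: in the errorlog.md hunk (`@@ -23,6 +23,10 @@`) the `coord` entry's ctx ends mid-JSON at `resp={"error": "`, so the error message that would explain the HTTP 0 is not in the log; if the logging helper truncates `resp` at a fixed length it should keep the `error` field and append an explicit marker such as `...[truncated]`, and if this is the literal response the entry should say so. The `rmm-search` entry likewise records only the symptom (no TOKEN/RMM) when, per the session log added in this same patch, the cause was Tailscale being disconnected on Howard-Home; a short cause tag on both lines would save the next reader the lookup.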