sync: auto-sync from GURU-5070 at 2026-06-12 15:53:59

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-12 15:53:59

session-logs/2026-06-12-mike-jparkinson-mail-migration.md

@@ -88,12 +88,47 @@ it to a mail migration to resolve calendar sync. Comment id 418758100.
 - RMM API `http://172.16.3.30:3001`. (Brief `.30` outage mid-session — networking, Mike fixed.)
 - Imunify360 (cpHulk disabled) gated WHM; whitelisted our IPv4 98.97.118.217 + IPv6 2605:59c0:43a6:9710::/64.
 
+### 7. Continued (post-/scc): autodiscover, DNS cleanup, DKIM, sharing, calendar, contacts
+- **IX WHM API token** recovered the lost access (see thread 3): full-access root token "ClaudeTools"
+  `HAUGCPQGJGDK3YDAMVA0B4ELR9CVNAQ6` vaulted `infrastructure/ix-server` `credentials.whm-api-token`;
+  header auth `Authorization: whm root:<token>`, `curl -4`. Used the ACG **ComputerGuru-Management** app
+  (`0df4e185...`, tenant ce61461e, Application.ReadWrite.All, vault `msp-tools/computerguru-management`) to
+  patch app registrations. **Claude-MSP-Access secret is INVALID** (AADSTS7000215) — rotate.
+- **Outlook autodiscover fix** on Jim's 2 machines (DESKTOP-EDN9UDO `2b24e8de`, DESKTOP-M0GBKF3 `4fdecea6`):
+  undid `C:\Users\guru\ownCloud\Toolbox\!-Utils\RegistryFixes\Exclude365-Final.reg` (HKLM policy + user hives);
+  set `ExcludeHttpsRootDomain=1`; ROOT CAUSE = `jparkinsonaz.com` root A pointed to Neptune so the root-domain
+  autodiscover probe answered on-prem. **Removed root A + all cPanel junk** (mail CNAME, CalDAV/CardDAV SRV,
+  DCV/ACME) -> zone is O365-only -> permanent global fix. **DKIM** selector1/selector2 CNAMEs published
+  (`...lamaddux.a-v1.dkim.mail.microsoft`, new MS format, resolves to live keys) — Mike to flip "Enable" in Defender.
+- **Mailbox sharing:** `jim@` granted **FullAccess (AutoMapping on) + Send-on-Behalf** on `leeann@lamaddux.com` (EXO adminapi).
+- **Calendar reconciliation:** found Jim's events inviting LeeAnn that weren't on her calendar; only **8** genuine
+  (Jim-organized one-off appts, mostly medical) — created them on her calendar (48 others were her own recurring/
+  birthday noise, left alone). Enabler: added `Calendars.ReadWrite`+`Contacts.ReadWrite` (Graph) to the **Exchange
+  Operator** app (objId `bae27250...`), consented in lamaddux, **scoped via ApplicationAccessPolicy RestrictAccess**
+  to mail-enabled group `app-calscope@lamaddux.onmicrosoft.com` (jim@+leeann@ only). Used a Graph-scoped token for
+  the Exchange Operator app (its client_secret). Forward route failed (needs Mail.Send) -> direct-create instead.
+- **Contacts:** Jim's 355 contacts clean of X500/on-prem; created `LeeAnn Maddux <leeann@lamaddux.com>`, removed
+  junk "Audible Leeann@lamaddux.com". Autocomplete cache may still hold legacy X500 for LeeAnn (clear in Outlook).
+
+### 8. Wolkin — Julie Guda MFA/profile (tenant rswolkin.com `ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b`)
+Removed Julie Guda (`julie@rswolkin.com`, id `acaeb49c...`) cell `702-624-3765` from directory `mobilePhone`
+(was GAL-visible); retained ONLY as MFA phone method `+1 7026243765`. Sign-in unaffected (password + Windows Hello too).
+
+### 9. Syncro #32411 billed
+2.0h remote (`1190473` @ $150) = **$300**, invoice `1650664905`, ticket -> Invoiced. Customer LeeAnn Parkinson (139908,
+not prepaid). Resolution comment on-ticket, no customer email.
+
+### Wiki updated this session
+- CREATED `wiki/clients/lamaddux.md` (household client + full migration).
+- UPDATED `wiki/clients/wolkin.md` (Julie MFA/profile note).
+- UPDATED `wiki/systems/ix-server.md` (WHM API token access + Imunify + jparkinsonaz O365 zone).
+
 ## Pending / next
-1. Mike: copy PST + Outlook-import on M0G/EDN9; confirm it connects to **Microsoft** (root-A removal is the fix).
-2. Mike: **Enable DKIM signing** for jparkinsonaz.com in Defender portal (CNAMEs are live).
-3. After import confirmed: **final delta export + decommission `jparkinsonaz.com` on Neptune** (remove accepted
-   domain/mailbox/DKIM/routing); then **close #32411**. Optional: remove stale `s1`/`default` DKIM TXT;
-   remove the now-redundant `ExcludeHttpsRootDomain` reg value.
-4. GuruRMM: 2 bugs + Feature 4a filed (ROOT-CAUSED) — await build decision.
-5. Future: add `Domain.ReadWrite.All` to Tenant Admin app to automate domain-adds (Mike: "wire this up").
-6. Bardach: Barbara to retry per iPhone steps; sign-in-log lookup on standby.
+1. Mike: copy PST + Outlook-import on M0G/EDN9; confirm Outlook connects to **Microsoft**; clear Jim's autocomplete (legacy X500 for LeeAnn).
+2. Mike: **Enable DKIM signing** for jparkinsonaz.com in Defender (CNAMEs live).
+3. After import confirmed: **final delta export + decommission `jparkinsonaz.com` on Neptune**; then **close #32411**.
+   Optional: remove stale `s1`/`default` DKIM TXT; remove now-redundant `ExcludeHttpsRootDomain` reg value.
+4. Rotate the invalid **Claude-MSP-Access** app secret (vault `msp-tools/claude-msp-access-graph-api`).
+5. GuruRMM: 2 bugs + Feature 4a filed (ROOT-CAUSED) — await build decision.
+6. Future: add `Domain.ReadWrite.All` to Tenant Admin app to automate domain-adds.
+7. Bardach: Barbara to retry per iPhone steps; sign-in-log lookup on standby.

wiki/clients/lamaddux.md

@@ -0,0 +1,112 @@
+---
+type: client
+name: lamaddux
+display_name: Maddux / Parkinson (Household)
+last_compiled: 2026-06-12
+compiled_by: GURU-5070/claude-main
+sources:
+  - 2026-06-12 Jim Parkinson mail migration (Syncro #32411)
+backlinks:
+  - systems/ix-server
+  - clients/internal-infrastructure
+---
+
+# Maddux / Parkinson (Household)
+
+Household / small-residential client. Two people, one M365 tenant (`lamaddux.com`):
+**LeeAnn Maddux** (mailbox `leeann@lamaddux.com`; also appears as "LeeAnn Parkinson")
+and her husband **Jim Parkinson** (`jim@jparkinsonaz.com`). RMM client name is
+"Leeann Maddux", site "Home".
+
+## Profile
+- **Contract type:** Break-fix / residential (verify — check Syncro)
+- **Key contacts:**
+  - LeeAnn Maddux — `leeann@lamaddux.com` (a.k.a. LeeAnn Parkinson)
+  - Jim Parkinson — `jim@jparkinsonaz.com` (husband)
+- **Active ticket:** Syncro #32411 — Jim Parkinson shared-calendar / mail migration
+
+## Email & Identity (M365 tenant lamaddux.com)
+- **Tenant ID:** `2f0c4c92-c608-4ee0-bdc2-87d5fd8fe929`
+- **Domains:** `lamaddux.com` (primary), `jparkinsonaz.com` (custom domain added + verified
+  2026-06-12 during Jim's migration), `lamaddux.onmicrosoft.com`
+- **Breakglass admin:** `admin@lamaddux.onmicrosoft.com`
+- **Licensing:** 2x Exchange Online Plan 1 (LeeAnn + Jim)
+- **Remediation onboarding:** Onboarded to the ComputerGuru remediation suite via
+  single-consent **2026-06-12** (all apps + directory roles). See [[projects/msp-tools]].
+
+### Mailboxes
+| Mailbox | User | Notes |
+|---|---|---|
+| `leeann@lamaddux.com` | LeeAnn Maddux | Jim has FullAccess (AutoMapping on) + Send-on-Behalf |
+| `jim@jparkinsonaz.com` | Jim Parkinson | Migrated off on-prem Neptune Exchange 2026-06-12 |
+
+## Jim Parkinson mail migration (2026-06-12, Syncro #32411)
+Moved Jim off the on-prem **Neptune** Exchange (where `jparkinsonaz.com` was an accepted
+domain) **into** the `lamaddux.com` M365 tenant to fix shared-calendar sync issues with
+LeeAnn. Neptune background lives in [[clients/internal-infrastructure]].
+
+Steps completed:
+- Added + verified `jparkinsonaz.com` as a custom domain in the tenant.
+- Created `jim@jparkinsonaz.com` + assigned EXO Plan 1; set password + MFA
+  (vault `clients/lamaddux/jim-parkinson-m365.sops.yaml`).
+- PST-exported Jim's 1.78 GB Neptune mailbox via `New-MailboxExportRequest` →
+  `\\NEPTUNE\PSTExport$\jim-jparkinsonaz.pst` (for Outlook import).
+- DNS cut over to O365 (zone hosted on ACG IX — see [[systems/ix-server]]):
+  MX `jparkinsonaz-com.mail.protection.outlook.com`; SPF
+  `v=spf1 include:spf.protection.outlook.com -all`; autodiscover CNAME →
+  `autodiscover.outlook.com`; DKIM selector1/selector2 CNAMEs →
+  `...lamaddux.a-v1.dkim.mail.microsoft`.
+- Stripped the `jparkinsonaz.com` zone to an **O365-only** record set: removed the root A
+  (pointed to Neptune `67.206.163.124`), the `mail` CNAME, all CalDAV/CardDAV SRV records,
+  and cPanel DCV/ACME records.
+
+### Mailbox sharing & calendar reconciliation
+- **Sharing:** Jim granted **FullAccess (AutoMapping on) + Send-on-Behalf** on
+  `leeann@lamaddux.com`.
+- **Calendar fix:** 8 Jim-organized appointments that had invited LeeAnn but never reached
+  her (the on-prem box couldn't deliver) were copied onto her calendar.
+- **App scoping for the calendar fix:** `Calendars.ReadWrite` + `Contacts.ReadWrite` (Graph)
+  were added to the **ComputerGuru Exchange Operator** app
+  (appId `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) and constrained by an EXO
+  **ApplicationAccessPolicy (RestrictAccess)** bound to the mail-enabled security group
+  `app-calscope@lamaddux.onmicrosoft.com` (guid `d5cf1564-...`), which contains only `jim@`
+  and `leeann@`. Net effect: the app's Graph mailbox reach in this tenant is limited to
+  those two mailboxes.
+- **Contacts cleanup:** created a clean contact "LeeAnn Maddux `<leeann@lamaddux.com>`" in
+  Jim's mailbox; removed a junk "Audible Leeann@lamaddux.com" (no-address) contact. Jim's
+  contacts folder had no on-prem/X500 addresses.
+
+## Endpoints (GuruRMM)
+- **RMM client:** "Leeann Maddux" · **Site:** "Home" · **Site ID:** `DARK-OCEAN-9950`
+- Jim's two machines: **DESKTOP-EDN9UDO**, **DESKTOP-M0GBKF3**
+
+### Outlook autodiscover fix (Jim's machines)
+Jim's Outlook had been pinned to the old on-prem (acghosting / Neptune) endpoints by a
+legacy `Exclude365-Final.reg`. Remediation:
+- Undid `Exclude365-Final.reg`.
+- Set `ExcludeHttpsRootDomain=1` as an interim measure.
+- **Permanent fix:** removing the root A record (above) so the root-domain autodiscover
+  probe no longer resolves to Neptune.
+
+> [WARNING] Outlook **autocomplete cache** on Jim's PC may still hold the legacy on-prem
+> X500 address for LeeAnn (`/o=First Organization/.../cn=LEEANN_LAMADDUX.COM`). If mail to
+> her NDRs, clear the autocomplete entry in Outlook — Graph cannot touch the autocomplete
+> cache.
+
+## Access
+- **Vault paths** (do NOT inline secrets):
+  - `clients/lamaddux/jim-parkinson-m365.sops.yaml` — Jim's M365 password + MFA
+  - `clients/lamaddux/gururmm-site-home.sops.yaml` — RMM site "Home"
+- **Breakglass admin:** `admin@lamaddux.onmicrosoft.com` (password in vault)
+
+## Active Work / Open Items
+- Confirm Jim's Outlook PST import looks good.
+- Final delta export, then **decommission `jparkinsonaz.com` on Neptune** (remove the
+  accepted domain, the mailbox, and the old DKIM).
+- Remove the now-redundant `ExcludeHttpsRootDomain` registry value once stable.
+- Clear Jim's Outlook autocomplete cache (legacy LeeAnn X500 entry).
+
+## Backlinks
+- [[systems/ix-server]] — DNS for `lamaddux.com` + `jparkinsonaz.com` zones hosted on ACG IX
+- [[clients/internal-infrastructure]] — Neptune Exchange (Jim's old mail host) + PST export share
+- [[projects/msp-tools]] — remediation-suite onboarding + Exchange Operator app scoping

wiki/clients/wolkin.md

@@ -65,6 +65,10 @@ backlinks: []
   - robert@rswolkin.com (primary)
   - julie@rswolkin.com (assistant - has FullAccess delegation to robert@'s mailbox)
 - **Mailbox Delegation:** Julie has FullAccess permissions to Robert's mailbox (configured 2026-06-07)
+- **2026-06-12 — Julie Guda (`julie@rswolkin.com`) directory cleanup:** removed her cell
+  `702-624-3765` from the directory profile `mobilePhone` field (it was visible in the GAL /
+  Outlook / Teams). The number is retained **only** as her MFA authentication phone method
+  (`+1 7026243765`). MFA / sign-in unaffected — she also has password + Windows Hello.
 
 ### Network
 - **Office LAN:** 192.168.1.0/24 (corrected 2026-06-07 — the earlier 172.17.110.x was wrong; the 172.17.110.110 "RICOH" port was an orphan with no device)

wiki/systems/ix-server.md

@@ -53,6 +53,29 @@ community forum, Matomo analytics, and ~72 client cPanel accounts (185 domains,
 | WHM API | `whmapi1 <fn>` over SSH (e.g. `whmapi1 listaccts`) |
 | RMM | `gururmm-agent.service` is enrolled and running — drive via `/rmm` when SSH isn't handy |
 
+### WHM / cPanel API access
+
+Programmatic WHM/cPanel API access to `ix.azcomputerguru.com:2087` uses the **full-access
+root WHM API token "ClaudeTools"**, stored at vault `infrastructure/ix-server` field
+`credentials.whm-api-token`. Authenticate with header `Authorization: whm root:<token>`
+and force IPv4 (`curl -4`).
+
+- **Password basic-auth on the legacy `/json-api/` now returns 403 pre-auth** — do NOT use
+  the root password for API calls. (The password remains valid for SSH / console only;
+  vault `infrastructure/ix-server.sops.yaml`.)
+- The box is gated by **Imunify360** (cPHulk is disabled). If API calls fail with 403 +
+  HTTP 000 / connection-reset symptoms, check the Imunify allow-list. Our egress IPs were
+  whitelisted 2026-06-12: IPv4 `98.97.118.217`, IPv6 `2605:59c0:43a6:9710::/64`.
+
+### DNS (BIND) notes
+
+- Public nameservers for IX-hosted zones are `ns1`/`ns2.acghosting.com` (`52.52.94.202`);
+  the cluster auto-syncs zone edits.
+- **2026-06-12** — the `jparkinsonaz.com` zone (hosted here) was cleaned to an **O365-only**
+  record set during Jim Parkinson's mail migration: removed the root A (was Neptune
+  `67.206.163.124`), the `mail` CNAME, all CalDAV/CardDAV SRV records, and cPanel DCV/ACME
+  records; left M365 MX / SPF / autodiscover / DKIM only. See [[clients/lamaddux]].
+
 ### Edge / routing
 
 Cloudflare tunnel **`acg-origin`** (UUID `78d3e58f-1979-4f0e-a28b-98d6b3c3d867`,
@@ -230,4 +253,5 @@ account data), `/etc/trueuserdomains` (primary domain → account), `/etc/userdo
 - [`wiki/clients/internal-infrastructure.md`](../clients/internal-infrastructure.md) — IX operational record (cPanel/WordPress hygiene, mail, Cox/Cloudflare tunnel)
 - [`wiki/projects/radio-show.md`](../projects/radio-show.md) — radio show project (audio pipeline + post-show workflow)
 - [`wiki/systems/jupiter.md`](jupiter.md) — runs the `cloudflared` tunnel container fronting IX
+- [[clients/lamaddux]] — `lamaddux.com` + `jparkinsonaz.com` DNS zones hosted here (jparkinsonaz cleaned to O365-only 2026-06-12)
 - Memory: `reference_radio_website.md`, `reference_ix_server_access.md`, `reference_resource_map.md`