sync: auto-sync from GURU-5070 at 2026-06-11 11:20:07

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-11 11:20:07
2026-06-11 11:20:20 -07:00
parent e3459260ec
commit f90110d8e8
2 changed files with 125 additions and 0 deletions

@@ -0,0 +1,54 @@
# Peaceful Spirit — multi-site resilience plan (DFS + second DC) — PLAN ONLY
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Planning session (no build) for making the two Peaceful Spirit sites resilient to a site-to-site VPN outage. Goal as Mike stated it: PST-SERVER2 (North West) should be a **DFS** replication partner of PST-SERVER (Country Club) so each site holds a local copy of the data (machines pull local, not over VPN), with **active failover if the S2S VPN drops**. Mike confirmed the direction is **DFS + a second Domain Controller** (he initially typed "WDS"; clarified to DFS).
Established the environment from the wiki: domain `PEACEFULSPIRIT.local`, single DC = PST-SERVER (Country Club, 192.168.0.2, **Windows Server 2016 Essentials**) doing DC/DNS/RRAS-VPN/NPS/Enterprise-Root-CA; PST-SERVER2 (North West) = **Windows Server 2019 Standard**. Flagged the key constraint: Server *Essentials* expects to own all FSMO roles + ~25-user/50-device cap + is awkward with additional DCs, and 2016 hits end-of-support Jan 2027 (Essentials edition discontinued).
Recommended architecture mapped to the three goals: (1) promote **PST-SERVER2 as an additional DC** (AD DS + DNS + GC) → local auth/DNS survives a VPN outage; (2) **AD Sites & Services** (Country-Club 192.168.0.0/24 + North-West subnet, site link) → clients use their local DC/target; (3) **DFS Namespace (domain-based) + DFS-R** with a folder target on each server → local file copies, auto-replicated, site-aware referrals. Surfaced the dependency that matters: DFS gives local *files* but a domain share still needs a reachable DC to *authenticate*, so DFS-only would leave the NW copy unusable during an outage — hence DFS **must** pair with the local DC.
Attempted read-only recon of PST-SERVER and PST-SERVER2 via GuruRMM to scope the data + PST-SERVER2's domain-join state; both are WS-disconnected PST agents so the commands queued (re-armed at 1800s, `421a4904` PST-SERVER data, `2ffc4f54` PST-SERVER2 state — pending). The session then pivoted to fixing a fleet-wide GuruRMM update outage (separate log), which is why those recons are still outstanding.
## Key Decisions
- **DFS + second DC** (not DFS-only): DFS-only meets "local copies" but not "works when VPN down" — a domain DFS namespace/share needs a DC to authenticate, so NW needs a local DC. PST-SERVER2 = both DC and DFS target (standard combo).
- **Keep all FSMO on PST-SERVER (Essentials)** and do NOT route the replicated data through Essentials' Shared-Folders/Anywhere-Access features — use plain DFS-R — to avoid Essentials' single-DC assumptions.
- Recommend a **domain-based** DFS namespace (site-aware referrals + failover), not standalone.
- Recommend a **full writable DC** at NW over an RODC (trusted small office; RODC complicates DFS writes).
- Flagged 2016 Essentials EOL (Jan 2027) as a decision point: lean into it as-is vs. plan its replacement (2022/2025 Standard, plain AD DS).
## Problems Encountered
- PST recon commands queued (PST agents WS-disconnected; need long timeouts). Compounded by the concurrent GuruRMM update outage; recons left pending.
## Configuration Changes
- None — plan only. (RMM recon commands dispatched read-only: `421a4904`, `2ffc4f54`.)
## Infrastructure & Servers
- **PST-SERVER** (Country Club): 192.168.0.2, **Server 2016 Essentials**, DC/DNS/RRAS(L2TP)/NPS/Enterprise-Root-CA. Domain `PEACEFULSPIRIT.local`. RMM `87293069-33b6-45e8-a68f-6811216cdb96`.
- **PST-SERVER2** (North West): **Server 2019 Standard**. RMM `5d2d7ba0-3903-4aa3-9e97-6ca4424ffe65`. Domain-join state TBD (recon pending).
- LAN (Country Club): 192.168.0.0/24; WAN 98.190.129.150 (UCG Ultra). North West: separate UCG (subnet TBD; previously had OpenVPN at 64.139.88.249:1194). S2S VPN existence between the two UCGs = open question.
## Pending / Incomplete Tasks
**Open questions to firm the plan (the deciders):**
1. **What file data must be local at each site, and where is it now?** Share on PST-SERVER? Essentials redirected folders? A line-of-business app (scheduling/QuickBooks) and where it runs? (Mara uses personal OneDrive heavily — may be little on-prem file data.) → drives DFS scope + PST-SERVER2 storage sizing. (Recon `421a4904` will report shares/sizes once PST-SERVER picks it up.)
2. **Is there already a site-to-site VPN between the two UCGs (UniFi Site Magic), or build it?** The whole resilience story rides on this link.
3. **PST-SERVER2 current state** — blank Standard box vs already domain-joined (recon `2ffc4f54`).
4. **DFS-R conflict tolerance** — do both sites edit the same files (last-writer-wins conflict copies) or mostly separate data?
5. **2016 Essentials longevity** — keep as-is vs plan replacement (EOL Jan 2027).
**Next:** once 15 are answered, write a design doc + rollout runbook under `clients/peaceful-spirit/` (promote DC, DNS/GC, AD Sites & Services, DFS-N/DFS-R, per-site DHCP/DNS). Build only on explicit go.
## Reference Information
- Wiki: `wiki/clients/peaceful-spirit.md`. Syncro customer `278525`. Domain `PEACEFULSPIRIT.local`.
- RMM recon cmds (pending): PST-SERVER `421a4904`, PST-SERVER2 `2ffc4f54`.
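Review bot: the "Next:" line under Pending / Incomplete Tasks says "once 15 are answered" while the list above it is numbered 1 to 5; it should read "once 1-5 are answered". On the same section, the Infrastructure block lists PST-SERVER as DC/DNS/RRAS(L2TP)/NPS/Enterprise-Root-CA, but the recommended architecture only carries AD DS, DNS, GC and a DFS target to PST-SERVER2; promoting an additional DC does not move or duplicate the CA, RRAS VPN or NPS roles. The design doc should state explicitly which of those remain single-site on PST-SERVER and therefore stay unavailable at North West during an S2S outage, so "active failover if the S2S VPN drops" is scoped to local auth, DNS and file access rather than read as site-wide. It would also help to note, against Key Decision 4 (DFS-R last-writer-wins conflict copies), that the conflict-handling expectation is confirmed with Mike before the runbook is written, since the data inventory from recon `421a4904` is still pending.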