claudetools/clients/cascades-tucson/reports/2026-04-22-cs-server-preflight-verification.md
Howard Enos af4ad0aea3 cascades: CS-SERVER preflight verified + Synology discovery complete
CS-SERVER post-reboot verification: time sync, TLS 1.2 enforcement, and
Windows Server Backup feature all persisted cleanly. dcdiag clean. Ready
for Entra Connect install.

Synology cascadesDS permission inventory captured via DSM API (SSH
disabled by default on Synology). 35 users, 4 groups, 10 shares.
Analysis identifies 7 shared-account role logins (HIPAA violation),
8 departed-employee accounts to clean up, and 4 shares needing
Meredith-side confirmation before migration (pacs most sensitive).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 18:59:38 -07:00


CS-SERVER Pre-flight Verification — POST-REBOOT (2026-04-22)

Reboot completed: 2026-04-22 18:29 MST (per Last Boot time in readiness check)
Verification run: 2026-04-22 18:54 MST (via GuruRMM agent, exit code 0)
Result file: reports/2026-04-22-cs-server-entra-readiness-post-reboot.md

Verdict: Ready for Entra Connect install

All three pre-install items applied successfully and survived the reboot.

1. Time sync — FIXED

| Before | After |
|---|---|
| Source: Free-running System Clock | Source: time.nist.gov,0x8 |
| ReferenceId: 0x4C4F434C (LOCL) | ReferenceId: 0x84A36103 (source IP: 132.163.97.3) |
| Stratum: 1 (local clock) | Stratum: 2 (secondary reference, NTP-synced) |
| Last sync: 21 hours ago | Last sync: 0 minutes ago |
| 0 peers active | 3 peers active (pool.ntp.org, time.windows.com, time.nist.gov) |

2. TLS 1.2 enforcement — FIXED

| Setting | Before | After |
|---|---|---|
| .NET SchUseStrongCrypto (64-bit) | 1 | 1 |
| .NET SchUseStrongCrypto (32-bit) | (unset) | 1 |
| .NET SystemDefaultTlsVersions (64) | (unset) | 1 |
| .NET SystemDefaultTlsVersions (32) | (unset) | 1 |
| SCHANNEL TLS 1.0 Client | (OS default) | Enabled=0, DisabledByDefault=1 |
| SCHANNEL TLS 1.1 Client | (OS default) | Enabled=0, DisabledByDefault=1 |
| SCHANNEL TLS 1.2 Client | (OS default) | Enabled=1, DisabledByDefault=0 |
| SCHANNEL TLS 1.0 Server | (OS default) | Enabled=0, DisabledByDefault=1 |
| SCHANNEL TLS 1.1 Server | (OS default) | Enabled=0, DisabledByDefault=1 |
| SCHANNEL TLS 1.2 Server | (OS default) | Enabled=1, DisabledByDefault=0 |
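
An added PowerShell check, not part of the original report, that re-reads the registry values behind the table above and compares them with the "After" column. The key paths are the standard SCHANNEL and .NET Framework locations; the use of the v4.0.30319 framework key is an assumption, since the report does not name the key.

```powershell
# Added example: re-check the TLS 1.2 settings listed in the table above.
# Assumption: the .NET values live under the v4.0.30319 framework key.
$net64 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$net32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected "After" state: registry path, value name, expected DWORD.
$expected = @(
    foreach ($key in $net64, $net32) {
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            [pscustomobject]@{ Path = $key; Name = $name; Want = 1 }
        }
    }
    foreach ($ver in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        # Only TLS 1.2 should be enabled; 1.0 and 1.1 are disabled outright.
        $on = [int]($ver -eq 'TLS 1.2')
        foreach ($role in 'Client', 'Server') {
            [pscustomobject]@{ Path = "$proto\$ver\$role"; Name = 'Enabled'; Want = $on }
            [pscustomobject]@{ Path = "$proto\$ver\$role"; Name = 'DisabledByDefault'; Want = 1 - $on }
        }
    }
)

$results = foreach ($e in $expected) {
    # A missing key or value means the OS default applies; report it as (unset).
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $have = if ($null -ne $item) { $item.($e.Name) } else { '(unset)' }
    [pscustomobject]@{
        Key   = $e.Path -replace '^HKLM:\\', ''
        Value = $e.Name
        Want  = $e.Want
        Have  = $have
        Ok    = ($have -is [int]) -and ($have -eq $e.Want)
    }
}

$results | Format-Table -AutoSize

# Fail the run if any value is unset or differs, so an RMM job surfaces drift.
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) TLS settings differ from the expected state"
    exit 1
}
```

A value reported as (unset) counts as a failure here because the OS default, not an explicit setting, would then decide which protocol versions are offered.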

3. Windows Server Backup — INSTALLED

| Before | After |
|---|---|
| Windows-Server-Backup: Available (not installed) | Windows-Server-Backup: Installed |

Other observations

  • Uptime: 0 days (fresh reboot at 18:29 MST)
  • PowerShell: 5.1.17763.8641 (minor patch bump from 5.1.17763.8510 — Windows Updates applied during reboot)
  • RAM usage: 7.9 GB / 47.9 GB (16%) — down from 12.8 GB before reboot, caches clean
  • CPU: 22% at moment of check — elevated vs pre-reboot but within normal boot settling range
  • DC health dcdiag: Connectivity / Advertising / Services / FsmoCheck all PASS
  • Microsoft sync endpoints: all 7 still reachable on HTTPS 443
  • QuickBooksDB34 service: now Running (was Stopped pre-reboot — QB auto-started)

Event log noise (not blockers)

Post-reboot noise is expected and benign. 19 System errors / 15 Application errors in last 24h, top sources:

| Source | Count | Nature |
|---|---|---|
| Hyper-V-VmSwitch | 6 | VM startup ordering |
| VSS | 6 | QuickBooks VSS writer reconnecting |
| Service Control Manager | 4 | Service start dependency ordering |
| Schannel | 4 | TLS reconnect post-reboot (consistent with the TLS changes) |
| Security-SPP | 4 | Windows activation checks |
| DistributedCOM | 3 | Normal service-start race |
| .NET Runtime | 2 | App process restart errors |
| TPM-WMI | 2 | Benign on non-TPM hardware |
| Perflib | 2 | Counter registration |
| Firefox agent | 1 | Noise |

None critical, no AD-related errors, no sync-impacting items.

Next step

Entra Connect install can proceed at your next maintenance window. The build-up state is:

  • Wave 0 HIPAA items — most still pending (M365 BAA sign, ALIS BAA, risk analysis, etc.) — see docs/security/hipaa-review-2026-04-22.md
  • Wave 0.5 CS-SERVER readiness — DONE
  • Install Microsoft Entra Connect on CS-SERVER (staging-mode first)
  • Apply Wave 0.5 AD cleanup (renames, UPN suffix add, former-employee deletes) per rollout plan §7
  • Convert M365 role-based accounts to shared mailboxes (frees 11 licenses, clean identity targets)
  • Exit staging + enable sync

The TLS 1.2 enforcement that took effect with this reboot also fulfils an independent HIPAA hygiene fix for the whole tenant (per docs/security/hipaa.md gap tracking), a net benefit beyond Entra Connect prep.