Cascades Network Migration — Revised Operational Plan
Context
Cascades senior living facility (236 rooms, 6 floors). New MSP taking over from a previous provider that left the environment non-compliant. Core mission: HIPAA remediation and compliance. The Synology NAS stores PHI, nurses/medtechs access clinical records via ALIS (cloud), and email may contain resident data. See security/hipaa.md for the full gap analysis.
Single 16-year-old server (CS-SERVER, 192.168.2.254) on LAN (192.168.0.0/22) running all roles. Staff PCs currently on WiFi (INTERNAL VLAN 20, 10.0.20.0/24). Printers on LAN. No backups, no GPOs, wide-open firewall, 4 PCs not domain-joined.
Revised approach: Network first. Move all devices to INTERNAL VLAN 20, then lock down. Server and printers move to INTERNAL last — no disruption during transition.
Transitional state: Machines on INTERNAL (10.0.20.0/24) → pfSense firewall bridges → CS-SERVER + printers on LAN (192.168.0.0/22). Everything works cross-subnet until we move the server.
HIPAA drives every phase: Backup (Phase 0) → network isolation (Phase 1) → access control + encryption (Phase 2) → centralized management (Phase 3) → PHI migration with audit trails (Phase 4) → shared account elimination (Phase 5).
Schedule
| Session | Steps | Est. Time | Impact |
|---|---|---|---|
| Session 1 (evening) | 1 + 2 | ~3-4 hours | Backup + firewall changes during low usage |
| Session 2 (coordinated) | 3 | ~2-3 hours | Brief disruption per machine during port change |
| Session 3 (business hours) | 4 | ~4-6 hours | No user impact — server-side only |
| Session 4 (coordinated) | 5 | ~4-6 hours | Brief disruption per machine during domain join |
| Session 5 (business hours) | 6 + 8 | ~4-5 hours | Synology cutover + hardening |
| Session 6 (TBD) | 7 | ~3-4 hours | Server/printer IP changes — schedule when stable |
Total: ~20-28 hours across 6 sessions
Steps
| Step | Description | Runbook | Scripts |
|---|---|---|---|
| 1 | Emergency Backup | phase0-safety-net.md | phase0-export-configs.ps1, phase0-remote-checks.ps1 |
| 2 | Firewall & VLAN Setup | phase1-network.md | Manual (pfSense/UniFi web UI) |
| 3 | Identify & Move Switch Ports | step3-switch-ports.md | Manual (UniFi web UI + on-site) |
| 4 | Server Preparation — AD & Shares | phase2-server-prep.md | phase2-dns-cleanup.ps1, phase2-ad-setup.ps1, phase2-sync-synology.ps1, phase2-file-shares.ps1, phase2-print-server.ps1 |
| 5 | Domain Join | phase3-domain-join.md | phase3-pre-join-verify.ps1, phase3-join-domain.ps1, phase3-post-join-verify.ps1 |
| 6 | Synology Transition | phase4-synology.md | phase4-archive-synology.ps1 |
| 7 | Move Server & Printers to INTERNAL | step7-server-move.md | Manual |
| 8 | Hardening & Cleanup | phase5-hardening.md | Manual + documentation updates |
Session Log
| Session | Date | Focus | Status |
|---|---|---|---|
| 1 | 2026-03-06 | Initial audit, data gathering, documentation buildout | Done |
| 2 | 2026-03-06 | Guest WiFi isolation, DNS fixes, firewall aliases | Done |
| 3 | 2026-03-07 | Backup setup, config exports, quick fixes | session3-2026-03-07.md |
| 4 | TBD | Firewall aliases, INTERNAL rules, floating rule #4 | Planned |
| 5 | TBD (onsite) | Test isolation, gather device info, Pro upgrade | Planned |
On-Site Tasks (separate trip)
| Task | Why |
|---|---|
| Fix 9 offline APs | Physical access to check PoE, cables, re-adopt |
| Wire 206 printer (ethernet) | Cable run |
| Locate Bizhub C368 | Physical walkthrough |
| Get printer MAC addresses | If not in pfSense ARP/DHCP table |
| Verify switch port assignments | Physical trace if UniFi doesn't show clearly |
Information Still Needed
- Switch port mappings — Which switch port is each hardwired workstation plugged into? Check UniFi → Clients or trace physically. Only CHEF-PC (USW Lite 8 Port 7) is known.
- DESKTOP-1ISF081 IP and location — What IP does it have and where is it physically?
- MDIRECTOR-PC — Confirm it should move to INTERNAL or stay on LAN (MemCare Director's machine, currently at 192.168.3.20)
- Printer MAC addresses — Need for DHCP reservations if not already in pfSense ARP table
- Step 7 decision — Move CS-SERVER to INTERNAL, dual-home it, or leave on LAN permanently?
Rollback Procedures
Each step has a rollback section. Key rollbacks:
- Step 2: Re-enable floating rule #4, revert Guest SSID, restore pfSense XML backup
- Step 3 (per machine): Revert switch port to native VLAN
- Step 4: Unlink GPOs from GPMC. DNS records exported in Step 1.
- Step 5 (per machine): Log in with the MSPAdmin local account, then run Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart
- Step 6: Rename archive folder back to SynologyDrive
- Step 7: Revert printer/server IPs, restore firewall rules
Verification
After each step, confirm:
- Step 2: INTERNAL machines can reach server + printers through firewall
- Step 3: Hardwired machines on INTERNAL get correct IPs, reach server + printers
- Step 4: All shares/groups/GPOs created correctly on CS-SERVER
- Step 5: Domain-joined machines get GPOs, drive mappings, printers automatically
- Step 6: Users can access all files via mapped drives (no more Synology Drive Client)
- Step 7: Server/printers accessible on new IPs from all machines
- Step 8: Endpoint security deployed, old accounts/shares cleaned up
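The Step 5 checks above (domain join, GPOs, drive mappings, printers, server reachability across the transitional INTERNAL → LAN path) can be scripted per workstation. The following is an added illustration written for this plan; it is not the plan's own phase3-post-join-verify.ps1. The CS-SERVER address is taken from the Context section; the domain FQDN and printer IPs are assumed placeholders to be replaced with the facility's real values. Run it in the signed-in user's session so user-scope GPO results (drive maps, deployed printers) are visible.

```powershell
<#
  Added example (not the project's script): post-domain-join verification for one workstation.
  Exits 0 when every check passes, 1 otherwise, so it can be run remotely and tallied.
#>
param(
    # ASSUMED placeholder: replace with the actual AD domain FQDN
    [string]$DomainFqdn = "cascades.example.local",
    # CS-SERVER LAN address from the plan (changes when Step 7 moves the server)
    [string]$ServerIp = "192.168.2.254",
    # CONSTRUCTED placeholders: fill from the printer DHCP reservations
    [string[]]$PrinterIps = @("192.168.2.10", "192.168.2.11")
)

$results = [ordered]@{}

# 1. Domain membership and a healthy secure channel to the DC
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined']  = [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $DomainFqdn))
$results['SecureChannel'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 2. DNS: the DC locator SRV record must resolve, otherwise GPO processing and logon fail
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue
$results['DcSrvRecord'] = [bool]$srv

# 3. SMB to CS-SERVER through the pfSense INTERNAL -> LAN rules (shares, SYSVOL, print server)
$results['ServerSmb'] = (Test-NetConnection -ComputerName $ServerIp -Port 445 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. Computer-scope GPOs applied (gpresult lists them under "Applied Group Policy Objects")
$gp = (gpresult /r /scope:computer 2>$null) -join "`n"
$results['ComputerGpoApplied'] = $gp -match 'Applied Group Policy Objects'

# 5. User-scope results: at least one mapped network drive and one GPO-deployed printer connection
$results['DriveMapped'] = ((Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePath -like '\\*' }) | Measure-Object).Count -gt 0
$results['PrinterConnection'] = ((Get-Printer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'Connection' }) | Measure-Object).Count -gt 0

# 6. Printers reachable on their raw-print port from the new subnet
$reach = foreach ($ip in $PrinterIps) {
    (Test-NetConnection -ComputerName $ip -Port 9100 -WarningAction SilentlyContinue).TcpTestSucceeded
}
$results['PrintersReachable'] = ($reach -notcontains $false)

# Report and set exit code
$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

A failing DcSrvRecord check with a passing ServerSmb check usually means the workstation is still pointing at the wrong DNS server (the stale records Step 4 cleans up), not a firewall problem; check that first before touching pfSense rules.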
Issues Resolved
| Issue | Resolution |
|---|---|
| Floating rule #4 passes all IPv4 | Replaced with scoped rules |
| Guest WiFi on server LAN | Isolated to VLAN 50 |
| No GPOs configured | Security baseline, drives, printers, updates, folder redirection |
| 4 PCs not domain-joined | All joined |
| No backup | Synology ABB + offsite |
| Shared/generic AD accounts | Replaced with individual accounts |
| Stale DNS records | Cleaned up, scavenging enabled |
| Room 218 DHCP (single IP) | Range end fixed |
| Timezone mismatch | Both set to America/Phoenix |
| Room 130 dead firewall rule | Deleted |
| VLAN 10 mismatch | Deleted from UniFi |
| 5 stale disabled AD accounts | Deleted |
| Synology Sync VM | Deleted from Hyper-V |