claudetools/clients/cascades-tucson/docs/servers/cs-server.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


Server: CS-SERVER

General Info

  • Hostname: CS-SERVER
  • IP Address: 192.168.2.254
  • Subnet Mask: 255.255.252.0 (/22)
  • Default Gateway: 192.168.0.1 (pfSense)
  • DNS Servers: 127.0.0.1 (itself), 192.168.0.1 (pfSense) — FIXED 2026-03-06
  • OS: Microsoft Windows Server 2019 Standard
  • OS Version: 10.0.17763 Build 17763
  • OS Configuration: Primary Domain Controller
  • Domain: cascades.local
  • Physical / Virtual: Physical (Hyper-V host)
  • Location: Server room (1st Floor)
  • Original Install Date: 8/4/2024
  • Last Boot: 3/14/2026 (uptime 5.9 days as of audit)
  • Timezone: (UTC-07:00) Arizona — FIXED 2026-03-07 (was Pacific Time)

Hardware

  • Make/Model: Dell PowerEdge R610 (CRITICAL: ~2009 era hardware, 16+ years old)
  • BIOS: Dell Inc. 6.6.0, 5/22/2018
  • CPU: 2x Intel Xeon (Nehalem, Model 26) @ 2261 MHz
  • RAM: 48 GB (36.9 GB available)
  • System Type: x64-based PC

Storage

RAID Controller

  • Controller: Dell SAS 6/iR Integrated (Embedded)
  • Type: Hardware RAID (basic, no battery-backed cache)

Physical Disks (5 total)

| Disk ID | Model | Bus | Size | Mfg Year | Serial | Role | Status |
|---|---|---|---|---|---|---|---|
| 0:0:0 | Seagate ST1200MM0088 | SAS | 1.12 TB | 2016 wk52 | Z400WHK8 | RAID (D: Shares) | OK |
| 0:0:1 | Seagate ST1200MM0088 | SAS | 1.12 TB | 2015 wk43 | S400RL2N | RAID (D: Shares) | OK |
| 0:0:2 | Hitachi HTS545032B9A300 | SATA | 297.5 GB | Unknown | 100602PB... | RAID (C: OS) | OK |
| 0:0:3 | WD WD3200BEVT-75ZCT2 | SATA | 297.5 GB | Unknown | WD-WXEX... | RAID (C: OS) | OK |
| 1:0:4 | Seagate ST1200MM0088 | SAS | 1.12 TB | 2016 wk52 | Z400WHML | Global Hot Spare | Ready |

Failure Predicted on any disk: No (all currently healthy)

Disk Concerns

  • Disks 0:0:2 and 0:0:3 are consumer-grade SATA laptop drives (Hitachi 2.5" and WD Scorpio Blue) running the OS RAID. These are NOT enterprise drives. They have no manufacture date — likely very old.
  • Disks 0:0:0 and 0:0:1 are enterprise SAS drives from 2015-2016 — now 9-10 years old.
  • Disk 1:0:4 is a global hot spare (SAS, 1.12TB) — good, this will auto-rebuild if a SAS drive fails in the D: array. However, there is NO hot spare for the C: SATA array.
  • The SAS 6/iR controller is very basic — does NOT have a battery-backed write cache.

Logical Volumes

| Drive | Label | Filesystem | Size | Free | Used | Backed By |
|---|---|---|---|---|---|---|
| C: | (OS) | NTFS | 296.9 GB | 152.1 GB | 49% | 2x SATA laptop drives (RAID 1 likely) |
| D: | Shares | NTFS | 1.09 TB | 584.6 GB | 48% | 2x SAS enterprise drives (RAID 1 likely) + hot spare |
| - | Recovery | NTFS | 499 MB | 482.8 MB | | |

Network Interfaces

| NIC | Description | MAC | Status | IP |
|---|---|---|---|---|
| Ethernet | QLogic BCM5709C #37 | 00:22:19:60:50:E1 | Disconnected | - |
| Ethernet 2 | QLogic BCM5709C #35 | 00:22:19:60:50:DD | Disconnected | - |
| Ethernet 3 | QLogic BCM5709C (used by Hyper-V vSwitch) | 00:22:19:60:50:DB | Active (underlying) | - |
| Ethernet 4 | QLogic BCM5709C #36 | 00:22:19:60:50:DF | Disconnected | - |
| vEthernet | Hyper-V Virtual Adapter | 00:22:19:60:50:DB | Active | 192.168.2.254 |

Only 1 of 4 physical NICs is in use (via Hyper-V virtual switch). 3 NICs disconnected.

Roles and Services (Installed)

  • Active Directory Domain Services (Primary DC)
  • DHCP Server
  • DNS Server
  • File Server (D:\Shares)
  • Hyper-V (Hypervisor)
  • Remote Desktop Services (Connection Broker, Session Host, Web Access) — NOT USED, can be removed
  • IIS Web Server (ASP.NET 4.7, Windows Auth)
  • Network Policy and Access Services (NPS/RADIUS): NOT USED, no RADIUS clients configured, can be removed
  • Group Policy Management
  • RSAT Tools

Hyper-V Virtual Machines

| VM Name | State | RAM Assigned | Uptime | Status | Notes |
|---|---|---|---|---|---|
| CS-QB | Running | 2.35 GB | 7d 10h | Normal | VoIP server — seen on network at 192.168.2.228 |
| Synology Sync machine | Off | 0 | - | Normal | NOT USED — safe to delete, was set up "just in case" |
| VM-TEMPLATE | Off | 0 | - | Normal | Template VM for cloning |

  • The host's single active NIC is shared via a Hyper-V virtual switch
  • CS-QB is the VoIP-related VM (explains the "CS-QB" device on 1st Floor USW Port 48)
  • Synology Sync machine can be removed to free disk space
  • RAID health: Windows reports virtual disks as healthy, but actual physical drive health is behind the Dell PERC controller. Need Dell OpenManage or omreport / perccli64 to check real disk SMART status

SMB File Shares (audit 2026-03-20)

| Share Name | Path | SMB Perms | NTFS | Notes |
|---|---|---|---|---|
| Shares | D:\Shares | Everyone=Read, Admins=Full, Domain Computers=Read | Everyone=FullControl | too permissive |
| Culinary | D:\Shares\Culinary | Admins=Full, Everyone=Full | Everyone=FullControl | needs restriction |
| directoryshare | D:\Shares\directoryshare | Everyone=Full | Everyone=FullControl | needs restriction |
| IT | D:\Shares\IT | Admins=Full, Everyone=Full | Everyone=ReadAndExecute only | OK |
| Receptionist | D:\Shares\Receptionist | Admins=Full, Everyone=Full | Receptionist=Full, admins only | |
| SaleShare | D:\Shares\SaleShare | Everyone=Read, saleshare=Full | saleshare=Full | |
| Roaming | D:\Roaming | Admins=Full, Everyone=Full | Domain Users=FullControl | too broad |
| RDVirtualDesktopTemplate | C:\RDVirtualDesktopTemplate | Network Service/Admins/RDS=Full | | Standard |
| MemCare Director Printer | (printer share) | Everyone=Full | | Printer share |
| MemCare MedTech Printer | (printer share) | Everyone=Full | | Printer share |
| NETLOGON | C:\Windows\SYSVOL...\SCRIPTS | Everyone=Read | | Standard |
| SYSVOL | C:\Windows\SYSVOL\sysvol | Everyone=Read, Admins=Full | | Standard |
| ADMIN$, C$, D$ | (system) | Admin only | | Default admin shares |
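The share audit above was recorded by hand. The following is an added example (not part of this document or the client's tooling) that re-runs the same check on the file server: it walks every non-administrative share, flags share-level and NTFS grants of Full/Change/Modify to Everyone, Authenticated Users, Users or Domain Users, and includes a helper that swaps a share's Everyone=Full grant for a named group. It assumes the built-in SmbShare module on Windows Server 2019 and local admin rights; the group name passed to the helper is a placeholder.

```powershell
# Added example: audit SMB shares for broad Full/Change access at both the
# share (SMB) and NTFS layers. Run elevated on the file server (here CS-SERVER).
# Matches Everyone, Authenticated Users, BUILTIN\Users and <DOMAIN>\Domain Users
# without hard-coding the domain NetBIOS name.
$BroadPattern = '^(Everyone|.*\\(Domain Users|Authenticated Users|Users))$'

function Test-BroadSmbShare {
    param([Parameter(Mandatory)][string]$ShareName)

    $share    = Get-SmbShare -Name $ShareName
    $findings = @()

    # Share-level ACL: Full or Change granted to a broad principal
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($ace.AccountName -match $BroadPattern -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Full', 'Change')) {
            $findings += [pscustomobject]@{
                Share = $ShareName; Layer = 'SMB'
                Principal = $ace.AccountName; Right = $ace.AccessRight
            }
        }
    }

    # NTFS ACL on the backing folder; printer and system shares have no usable path
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $rights = $ace.FileSystemRights.ToString()
            if ($ace.IdentityReference.Value -match $BroadPattern -and
                $ace.AccessControlType -eq 'Allow' -and
                $rights -match 'FullControl|Modify|Write') {
                $findings += [pscustomobject]@{
                    Share = $ShareName; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Right = $rights
                }
            }
        }
    }
    return $findings
}

function Restrict-ShareToGroup {
    # Share-level remediation only: grant one group, drop Everyone.
    # The NTFS ACL should be changed in a separate, reviewed step.
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$Group,   # placeholder, e.g. 'CASCADES\Culinary'
        [ValidateSet('Read', 'Change', 'Full')][string]$Right = 'Change'
    )
    Grant-SmbShareAccess  -Name $ShareName -AccountName $Group -AccessRight $Right -Force | Out-Null
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    Get-SmbShareAccess -Name $ShareName
}

# Audit everything except the hidden admin shares and the AD system shares
$results = Get-SmbShare |
    Where-Object { $_.Name -notmatch '\$$' -and $_.Name -notin @('NETLOGON', 'SYSVOL') } |
    ForEach-Object { Test-BroadSmbShare -ShareName $_.Name }

$results | Sort-Object Share, Layer | Format-Table -AutoSize

# Example remediation for one of the "needs restriction" shares (group name is a placeholder):
# Restrict-ShareToGroup -ShareName 'Culinary' -Group 'CASCADES\Culinary' -Right Change
```

Run the audit before and after each share change so the table above can be updated from output rather than from memory. The remediation call is left commented out because share-level changes on a DC that doubles as the file server should be applied one share at a time.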

Synology Sync

  • Synology Drive Client installed on CS-SERVER (2026-03-07)
  • Syncing all Synology shares to D:\Shares\Main
  • Live continuous sync (Synology → CS-SERVER)
  • Previous install was removed and reinstalled due to incomplete sync config

Installed Software (audit 2026-03-20)

| Software | Version | Notes |
|---|---|---|
| QuickBooks Pro 2024 | 34.0.4008.3401 | Should NOT be on a DC |
| Synology Drive Client | 7.5.0.16085 | Live sync from Synology NAS to D:\Shares\Main |
| Datto EDR Agent | 3.17.1.4720 | Remove when migrating to new AV |
| Datto RMM | 4.4.10748 | Previous RMM — remove |
| Dell EMC OpenManage | 9.3.0 | Server management — keep |
| Google Chrome | 146.0.7680.154 | |
| Mozilla Firefox | 148.0.2 | |
| PuTTY | 0.83 | SSH client |
| Everything | 1.4.1.1026 | File search tool |
| KPAX Agent | 3.1.2409 | Print management |
| ScreenConnect Client | 26.1.18.9566 | Remote access |
| Splashtop Streamer | 3.8.0.4 | Previous MSP — remove |
| Syncro | 1.0.199.18369 | Current RMM |
| WinRAR | 7.20 | |
| .NET 6.0.x runtimes | Various | Required by apps |
| VC++ 2013 & 2022 Redist | Various | Runtime dependencies |

Security Findings (audit 2026-03-20)

Certificates

  • EXPIRED: CN=CS-SERVER.cascades.local self-signed cert expired 2025-04-02 — causes Schannel errors

Password Policy

  • Min length: 7 (should be 12+)
  • Complexity: enabled
  • Max age: 42 days | Min age: 1 day | History: 24
  • Lockout: 5 attempts / 30 min

Critical Security Issues

| Finding | Status |
|---|---|
| No LAPS deployed (legacy or Windows LAPS) | Not configured |
| MachineAccountQuota = 10 | Any user can join 10 machines |
| AD Recycle Bin NOT enabled | Deleted objects not recoverable |
| 10 accounts with PasswordNeverExpires | Administrator, localadmin, Lois.Lane, sysadmin, QBDataServiceUser34, Culinary, Receptionist, howard, directoryshare, strozzi |
| 23 accounts never set a password | PasswordLastSet = null |
| Protected Users group EMPTY | No accounts protected against credential theft |
| RestrictAnonymous = 0 | Null sessions allowed (should be 1+) |
| LDAP Channel Binding not configured | Should be enabled |
| krbtgt password age: 569 days | Last set 2024-08-28, should rotate every 180 days |
| No screen lock policy | No inactivity timeout configured |
| Object Access auditing DISABLED | No file/registry auditing (HIPAA requirement) |
| TLS 1.0/1.1 and SSL not explicitly disabled | All at OS default |
| Credential Guard NOT running | VBS running but CG not enabled |
| AutomationManagerAgent service | Stopped — file not found (orphan) |
| Windows Server Backup not installed | Feature not present |
| NPS PowerShell module missing | Role installed but cmdlets unavailable |
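Most rows in the table above are queryable, so remediation can be verified the same way it was found. The script below is an added example (not the client's audit script and not part of this document) that re-checks the domain-level items on the DC: MachineAccountQuota, AD Recycle Bin, PasswordNeverExpires and PasswordLastSet=null accounts, Protected Users membership, krbtgt age, RestrictAnonymous, LDAP channel binding, and File System object-access auditing. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the 180-day krbtgt threshold is the one stated in this document.

```powershell
# Added example: re-check the domain hardening findings recorded above.
# Run elevated on the DC (CS-SERVER). Each check yields Check / Value / Pass.
Import-Module ActiveDirectory

function Get-DomainHardeningFindings {
    param([int]$KrbtgtMaxAgeDays = 180)   # rotation interval this document calls for

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, $Value, [bool]$Pass) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
    }

    $domainDN = (Get-ADDomain).DistinguishedName

    # ms-DS-MachineAccountQuota: how many machines any authenticated user may join (default 10)
    $maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Add-Finding 'MachineAccountQuota' $maq ($maq -eq 0)

    # AD Recycle Bin is an optional feature; EnabledScopes is empty when it is off
    $rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    Add-Finding 'AD Recycle Bin enabled' ([bool]$rb.EnabledScopes) ([bool]$rb.EnabledScopes)

    # Enabled users whose password never expires
    $pne = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
             Select-Object -ExpandProperty SamAccountName)
    Add-Finding 'PasswordNeverExpires accounts' ($pne -join ', ') ($pne.Count -eq 0)

    # Enabled users that have never had a password set
    $nopw = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
              Where-Object { -not $_.PasswordLastSet })
    Add-Finding 'Accounts with PasswordLastSet = null' $nopw.Count ($nopw.Count -eq 0)

    # Protected Users: privileged accounts should be members
    $pu = @(Get-ADGroupMember -Identity 'Protected Users' -ErrorAction SilentlyContinue)
    Add-Finding 'Protected Users members' $pu.Count ($pu.Count -gt 0)

    # krbtgt password age in days
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    Add-Finding 'krbtgt password age (days)' $age ($age -le $KrbtgtMaxAgeDays)

    # Local registry settings on this DC
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Add-Finding 'RestrictAnonymous' $lsa.RestrictAnonymous ($lsa.RestrictAnonymous -ge 1)

    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $cb   = $ntds.LdapEnforceChannelBinding     # $null when never configured
    Add-Finding 'LdapEnforceChannelBinding' $cb ($null -ne $cb -and $cb -ge 1)

    # Object Access auditing: auditpol prints one line per subcategory
    $fs = (auditpol /get /category:"Object Access" | Select-String 'File System').Line
    Add-Finding 'Object Access: File System auditing' (($fs -replace '\s+', ' ').Trim()) ($fs -notmatch 'No Auditing')

    return $findings
}

Get-DomainHardeningFindings | Format-Table -AutoSize
```

Keep the output with the audit notes: a row that flips from Pass=False to Pass=True is the evidence that a finding was closed, and the script is cheap enough to run after every change.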

Firewall

  • All 3 profiles (Domain, Private, Public) enabled
  • Default inbound/outbound: NotConfigured
  • 341 rules total (206 inbound, 135 outbound) — ALL Allow, no Block rules
  • No logging enabled
  • Notable inbound: RDP (3389), HTTP/HTTPS (80/443), AD/DNS, QuickBooks (8019, 64214), Dell OpenManage (1311), Syncro/Splashtop/Datto (any port)

Domain Admins — Never Logged In

  • Meredith.Kuhn: Domain Admin, never logged in, never set a password
  • John.Trozzi: Domain Admin, never logged in, never set a password

Listening Ports (Key Services)

| Port | Protocol | Service | Notes |
|---|---|---|---|
| 53 | TCP | DNS | On 192.168.2.254 + localhost |
| 80/443 | TCP | IIS (HTTP/HTTPS) | Bound to 0.0.0.0 — exposed to all interfaces |
| 88 | TCP | Kerberos | AD authentication |
| 135 | TCP | RPC Endpoint Mapper | Standard Windows |
| 389/636 | TCP | LDAP/LDAPS | AD directory services |
| 445 | TCP | SMB | File shares |
| 464 | TCP | Kerberos kpasswd | Password changes |
| 1311 | TCP | Dell OpenManage | Web Management console |
| 2179 | TCP | Hyper-V VMMS | VM management |
| 3268/3269 | TCP | Global Catalog / GC SSL | AD Global Catalog |
| 3387 | TCP | RDP (alternate) | Second RDP listener (RDS?) |
| 3389 | TCP | RDP | Remote Desktop |
| 5357 | TCP | WSDAPI | Web Services Discovery |
| 5504 | TCP | Unknown | Needs identification |
| 5985 | TCP | WinRM | PowerShell remoting |
| 6600 | TCP | QuickBooks DB Server | On 192.168.2.254 + link-local IPv6 |
| 6783 | TCP | Unknown | Needs identification |
| 8019 | TCP | Unknown | Needs identification |
| 9389 | TCP | AD Web Services | AD management |
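Three ports in the table are still marked "Needs identification". The script below is an added example (not from this document) that maps each TCP listener to its owning process, the Windows services hosted in that process, and the binary path, which is usually enough to attribute a port; it also lists every listener bound to all interfaces, the condition noted for IIS on 80/443. It assumes Windows Server 2019 and local admin rights (needed for OwningProcess and the CIM queries).

```powershell
# Added example: attribute listening TCP ports to processes and services.
# Run elevated on the server being audited.
function Get-ListenerInventory {
    param([int[]]$Port)   # optional filter; omit for every listener

    $listeners = Get-NetTCPConnection -State Listen
    if ($Port) { $listeners = $listeners | Where-Object { $_.LocalPort -in $Port } }

    # Build PID-keyed lookups once; a single svchost PID can host several services
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object ProcessId -AsHashTable -AsString
    $procs = Get-CimInstance Win32_Process | Group-Object ProcessId -AsHashTable -AsString

    $listeners |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $procId = [string]$_.OwningProcess
            $proc   = $procs[$procId] | Select-Object -First 1
            $svc    = $services[$procId]
            [pscustomobject]@{
                Port     = $_.LocalPort
                Bind     = $_.LocalAddress          # 0.0.0.0 or :: means every interface
                PID      = $_.OwningProcess
                Process  = $proc.Name
                Services = ($svc | ForEach-Object { $_.Name }) -join ', '
                Path     = $proc.ExecutablePath
            }
        }
}

# The three unidentified ports from the table above
Get-ListenerInventory -Port 5504, 6783, 8019 | Format-Table -AutoSize

# Everything reachable on every NIC (the IIS 80/443 condition noted above)
Get-ListenerInventory |
    Where-Object { $_.Bind -in @('0.0.0.0', '::') } |
    Format-Table -AutoSize
```

Once a port is attributed, record the service name in the Notes column and decide whether a Block rule or a narrower bind address is warranted; the firewall section above notes that the rule set currently contains no Block rules at all.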

Hotfixes Installed (16)

KB5066137, KB4486153, KB4539571, KB4577586, KB4589208, KB5005112, KB5075904, KB5040563, KB5050110, KB5058525, KB5062800, KB5065765, KB5066585, KB5070248, KB5074222, KB5075903

  • MAC 00:22:19:60:50:E1 seen on 1st Floor USW Port 44 (PoE OFF)
  • MAC 00:22:19:60:50:DB seen on 1st Floor USW Port 48 as "CS-QB" (192.168.2.228) — this is the Hyper-V vSwitch NIC

Backup

  • NONE — NO BACKUP EXISTS FOR THIS SERVER
  • HIPAA VIOLATION: §164.308(a)(7) requires backup of all PHI. CS-SERVER stores PHI (synced from Synology + file shares).
  • This server is the ONLY domain controller
  • If this server dies, Active Directory, DNS, DHCP, file shares, and RDS are ALL lost

Known Admin Issues

Folder Redirection CSE silently declines to commit — ROOT CAUSE UNKNOWN

Investigated 2026-04-14. Not fully resolved — currently using manual registry fix as workaround.

Symptoms:

  • GPO CSC - Folder Redirection (LE) is correctly configured (verified via SYSVOL inspection and RSAT on a Win11 PC — both wrote identical, valid fdeploy1.ini with FullPath=\\CS-SERVER\homes\%USERNAME%\Documents and Flags=1231)
  • GPO is correctly linked to OU=Life Enrichment, old CSC - Folder Redirection GPO has been unlinked
  • gpresult /r /scope:user on a Life Enrichment user (Sharon.Edwards) confirms the new GPO is in "Applied Group Policy Objects"
  • At logon, FR client-side extension fires, reads config, and logs event 1006 "Folder Documents has to be redirected" with correct target path
  • Extension then logs event 1001 "finished" — no error events, no event 1013 (success)
  • HKCU\...\User Shell Folders\Personal is never updated, Documents stays at C:\Users\<user>\Documents
  • Multiple logon cycles, gpupdate /force, clearing GP cache do not resolve

What we verified is NOT the cause:

  • GPMC on CS-SERVER writing "broken" files — false. Both CS-SERVER GPMC and Win11 RSAT write identical, valid modern format (User\Documents & Settings\fdeploy1.ini with FullPath= IS the correct modern location; earlier claim this was "legacy XP format" was wrong)
  • SYSVOL ACL problems — SYSVOL writable, dcdiag /test:sysvolcheck passes
  • NTFS permission issues — user has FullControl on their \\CS-SERVER\homes\<user> folder, write test succeeds
  • Extension registration — gPCUserExtensionNames correctly lists {25537BA6-77A8-11D2-9B6C-0000F8080861}
  • Target path unreachable — manual New-Item and Test-Path succeed
  • User OU placement — user is in OU=Life Enrichment, GPO applies per gpresult

Suspected causes (to investigate later):

  • Stale entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{25537BA6-77A8-11D2-9B6C-0000F8080861} referencing the old unlinked GPO. Key is SYSTEM-protected — can't delete from user context, need elevated sysadmin access via HKU\
  • Profile corruption from prior failed redirection attempts / GP Preferences registry hack
  • Competing shell folder state (e.g., Desktop is already at UNC via the original registry hack, Personal is local — mixed state may confuse FR)

Current workaround (works reliably): Set the User Shell Folders registry values directly — same pattern as the original GP Preferences Registry hack:

```powershell
# Run in the affected user's own session; <username> is that user's account name
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" `
  -Name "Personal" `
  -Value "\\CS-SERVER\homes\<username>\Documents" -Type ExpandString
```

Then robocopy /MOVE local content to server, sign out, sign in. This works; FR does not.

Admin console note: RSAT GPMC on a Win11 Pro domain-joined workstation is now installed on ASSISTNURSE-PC (and Sharon Edwards' PC during testing). All future GPO edits should happen from RSAT — best practice regardless of this issue.

Next debug steps (not tonight — fresh eyes needed):

  1. Test FR on a brand new user (no profile history) in OU=Life Enrichment to rule out profile-level corruption
  2. If new user works → profile issue, proceed with per-user manual fix + eventual profile reset
  3. If new user also fails → policy or CSE issue, dig into FR debug logging (fdeploy.log verbose mode, enable via registry)
  4. Clear Group Policy\History\{25537BA6...} key from elevated sysadmin via HKU\<SID> path to rule out stale history
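Steps 1 through 4 above each need the same three pieces of evidence from the affected workstation: where Personal currently points, what the FR extension's History key records, and which 1006/1001/1013 events the extension logged for that user. The script below is an added example (not from this document) that collects all three read-only from an elevated session through the user's HKU hive, so the stale-History hypothesis can be confirmed before anything is deleted. It assumes the user is logged on (their hive is loaded), that the machine is domain-joined so the SID resolves, and the FR CSE GUID stated above; the value names under the History key (DisplayName, GPOName, FileSysPath) are the standard ones written by the Group Policy engine.

```powershell
# Added example: collect Folder Redirection state for one logged-on user.
# Run elevated on the workstation. Reports only; it does not modify the registry.
$FrCseGuid = '{25537BA6-77A8-11D2-9B6C-0000F8080861}'   # Folder Redirection CSE, from this document

function Get-FolderRedirectionState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Resolve the user's SID without needing the AD module
    $sid = ([System.Security.Principal.NTAccount]$SamAccountName).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $userRoot = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion"
    if (-not (Test-Path $userRoot)) {
        throw "Hive for $SamAccountName ($sid) is not loaded; the user must be logged on"
    }

    # 1. Current shell folder targets (unredirected Personal = C:\Users\<user>\Documents)
    $shell = Get-ItemProperty "$userRoot\Explorer\User Shell Folders"

    # 2. GPOs recorded under the FR extension's History key (suspected stale entry)
    $historyKey = "$userRoot\Group Policy\History\$FrCseGuid"
    $history = @()
    if (Test-Path $historyKey) {
        $history = Get-ChildItem $historyKey | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Order = $_.PSChildName; DisplayName = $p.DisplayName
                GPOName = $p.GPOName;   FileSysPath = $p.FileSysPath
            }
        }
    }

    # 3. Recent FR extension events for this user
    #    1006 = folder will be redirected, 1013 = redirect succeeded, 1001 = extension finished
    $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'Microsoft-Windows-Folder Redirection'; Id = 1001, 1006, 1013
        } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.UserId -and $_.UserId.Value -eq $sid } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        User           = $SamAccountName
        SID            = $sid
        PersonalFolder = $shell.Personal
        DesktopFolder  = $shell.Desktop
        HistoryGPOs    = $history
        RecentEvents   = $events
    }
}

$state = Get-FolderRedirectionState -SamAccountName 'Sharon.Edwards'
$state | Select-Object User, SID, PersonalFolder, DesktopFolder | Format-List
$state.HistoryGPOs  | Format-Table -AutoSize
$state.RecentEvents | Format-Table -AutoSize
```

If HistoryGPOs lists the old, unlinked CSC - Folder Redirection GPO alongside the (LE) one, step 4 is worth doing; a 1006 followed by 1001 with no 1013, matching the Symptoms list, is the same pattern this report already shows. Run it against the new test user from step 1 as well, where HistoryGPOs should contain only the current GPO.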

CRITICAL ISSUES (all impact HIPAA compliance)

1. Hardware Age — EXTREME FAILURE RISK

The Dell PowerEdge R610 was released in 2009. This server is 16+ years old. PERC RAID controllers, power supplies, and disks from this era have very high failure rates. This is the single most critical risk at Cascades.

2. Single Domain Controller — No Redundancy

CS-SERVER is the ONLY DC for cascades.local. If it fails:

  • No Active Directory authentication
  • No DNS resolution (for domain-joined devices)
  • No DHCP (if clients use this DHCP)
  • No file shares
  • No RDS sessions
  • Complete business disruption

3. No Backup

There is no backup solution. The Synology NAS at 192.168.0.120 is available as a target but is not configured to back up this server.

4. DHCP — RESOLVED (No Conflict)

Windows DHCP role is installed but has NO scopes configured. pfSense handles all DHCP. No conflict exists. The DHCP role could be uninstalled to reduce confusion, but it's not causing harm.

5. DNS Client Misconfiguration — FIXED (2026-03-06)

CS-SERVER pointed to pfSense (192.168.0.1) + 8.8.8.8 as its DNS servers. Fixed: now uses 127.0.0.1 (itself) as primary, 192.168.0.1 (pfSense) as secondary. Verified working — both AD and external resolution resolve correctly through localhost.

6. Too Many Roles on One Box

This single server runs: DC, DNS, DHCP, File Server, Hyper-V, RDS, IIS, NPS. Any one role failure or resource contention affects everything.

7. CS-QB VM — VoIP Server on Ancient Hardware

The CS-QB VM (2.35 GB RAM, running) is the VoIP server at 192.168.2.228. VoIP was noted as not MSP-managed, but the VM runs on CS-SERVER. If CS-SERVER hardware fails, phones go down too.

8. Synology Sync Machine VM is OFF

A VM called "Synology Sync machine" exists but is powered off. Unclear if this is intentional or if it should be running to sync data to the Synology NAS. Needs investigation.

TODO (Priority Order)

  • IMMEDIATE: Set up backup — Synology Active Backup for Business → back up C: and D: nightly
  • IMMEDIATE: Document VMs — Run Get-VM to see what's running in Hyper-V
  • URGENT: Plan DC migration — This hardware WILL fail. Plan migration to new hardware or cloud
  • URGENT: Add second DC — Deploy a second DC (VM or cloud) for AD redundancy
  • Check RAID controller type and health: Get-StorageSubSystem, or Dell OpenManage
  • Verify DHCP scope split between pfSense and CS-SERVER
  • Document DNS forwarding chain (pfSense <-> Windows DNS)
  • Check RDS licensing status
  • List Hyper-V VMs and their purposes