claudetools/clients/cascades-tucson/docs/migration
Howard Enos af4ad0aea3 cascades: CS-SERVER preflight verified + Synology discovery complete
CS-SERVER post-reboot verification: time sync, TLS 1.2 enforcement, and
Windows Server Backup feature all persisted cleanly. dcdiag clean. Ready
for Entra Connect install.

Synology cascadesDS permission inventory captured via DSM API (SSH
disabled by default on Synology). 35 users, 4 groups, 10 shares.
Analysis identifies 7 shared-account role logins (HIPAA violation),
8 departed-employee accounts to clean up, and 4 shares needing
Meredith-side confirmation before migration (pacs most sensitive).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 18:59:38 -07:00

Cascades Network Migration — Revised Operational Plan

Context

Cascades senior living facility (236 rooms, 6 floors). New MSP takeover from previous company that left environment non-compliant. Core mission: HIPAA remediation and compliance. Synology NAS stores PHI, nurses/medtechs access clinical records via ALIS (cloud), and email may contain resident data. See security/hipaa.md for full gap analysis.

Single 16-year-old server (CS-SERVER, 192.168.2.254) on LAN (192.168.0.0/22) running all roles. Staff PCs currently on WiFi (INTERNAL VLAN 20, 10.0.20.0/24). Printers on LAN. No backups, no GPOs, wide-open firewall, 4 PCs not domain-joined.

Revised approach: Network first. Move all devices to INTERNAL VLAN 20, then lock down. Server and printers move to INTERNAL last — no disruption during transition.

Transitional state: Machines on INTERNAL (10.0.20.0/24) → pfSense routes between the two subnets → CS-SERVER + printers on LAN (192.168.0.0/22). Everything keeps working cross-subnet, provided the pfSense INTERNAL rules permit traffic to the server and printers, until we move the server.

HIPAA drives every phase: Backup (Phase 0) → network isolation (Phase 1) → access control + encryption (Phase 2) → centralized management (Phase 3) → PHI migration with audit trails (Phase 4) → shared account elimination (Phase 5).


Schedule

| Session | Steps | Est. Time | Impact |
|---|---|---|---|
| Session 1 (evening) | 1 + 2 | ~3-4 hours | Backup + firewall changes during low usage |
| Session 2 (coordinated) | 3 | ~2-3 hours | Brief disruption per machine during port change |
| Session 3 (business hours) | 4 | ~4-6 hours | No user impact — server-side only |
| Session 4 (coordinated) | 5 | ~4-6 hours | Brief disruption per machine during domain join |
| Session 5 (business hours) | 6 + 8 | ~4-5 hours | Synology cutover + hardening |
| Session 6 (TBD) | 7 | ~3-4 hours | Server/printer IP changes — schedule when stable |

Total: ~20-28 hours across 6 sessions


Steps

| Step | Description | Runbook | Scripts |
|---|---|---|---|
| 1 | Emergency Backup | phase0-safety-net.md | phase0-export-configs.ps1, phase0-remote-checks.ps1 |
| 2 | Firewall & VLAN Setup | phase1-network.md | Manual (pfSense/UniFi web UI) |
| 3 | Identify & Move Switch Ports | step3-switch-ports.md | Manual (UniFi web UI + on-site) |
| 4 | Server Preparation — AD & Shares | phase2-server-prep.md | phase2-dns-cleanup.ps1, phase2-ad-setup.ps1, phase2-sync-synology.ps1, phase2-file-shares.ps1, phase2-print-server.ps1 |
| 5 | Domain Join | phase3-domain-join.md | phase3-pre-join-verify.ps1, phase3-join-domain.ps1, phase3-post-join-verify.ps1 |
| 6 | Synology Transition | phase4-synology.md | phase4-archive-synology.ps1 |
| 7 | Move Server & Printers to INTERNAL | step7-server-move.md | Manual |
| 8 | Hardening & Cleanup | phase5-hardening.md | Manual + documentation updates |
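Step 4 includes a DNS cleanup (the Issues Resolved table below records stale records removed and scavenging enabled). The audit below is an added example, not the repository's phase2-dns-cleanup.ps1: it lists dynamic A records older than a cutoff, never touches static records, protects a keep-list of addresses (CS-SERVER, printers you still need for DHCP reservations), and deletes or enables scavenging only when asked, honouring -WhatIf. The zone name is an assumption, since the plan page does not state the AD domain; the 7-day aging intervals are the Windows defaults.

```powershell
#Requires -Version 5.1
#Requires -Modules DnsServer
<#
  Stale A-record audit for the AD forward zone, run on CS-SERVER before the Step 4 cleanup.
  ADDED EXAMPLE: not the repo's phase2-dns-cleanup.ps1. -ZoneName is an ASSUMPTION (the plan
  does not name the AD domain). Read-only unless -Delete or -EnableScavenging is given.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$ZoneName,         # ASSUMPTION: the AD domain's forward lookup zone
    [int]$StaleDays = 30,                            # records not refreshed in this many days are "stale"
    [string[]]$KeepAddresses = @('192.168.2.254'),   # CS-SERVER (from the plan); add printer IPs here
    [switch]$Delete,
    [switch]$EnableScavenging
)

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A

$stale = foreach ($r in $records) {
    # Static records carry no timestamp (null, or the 1601 epoch) and are never scavenged; skip them.
    if (-not $r.Timestamp -or $r.Timestamp.Year -lt 1970) { continue }
    if ($r.Timestamp -ge $cutoff) { continue }
    $ip = $r.RecordData.IPv4Address.IPAddressToString
    [pscustomobject]@{
        HostName  = $r.HostName
        IPv4      = $ip
        Timestamp = $r.Timestamp
        Protected = ($KeepAddresses -contains $ip)   # keep-list: report but never delete
    }
}

$stale | Sort-Object Timestamp | Format-Table HostName, IPv4, Timestamp, Protected -AutoSize
Write-Host ("{0} stale dynamic A record(s); {1} protected by the keep-list" -f `
    @($stale).Count, @($stale | Where-Object Protected).Count)

if ($Delete) {
    foreach ($s in ($stale | Where-Object { -not $_.Protected })) {
        if ($PSCmdlet.ShouldProcess("$($s.HostName) -> $($s.IPv4)", "Remove stale A record from $ZoneName")) {
            Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $s.HostName `
                -RecordData $s.IPv4 -Force
        }
    }
}

if ($EnableScavenging) {
    # Aging must be on for the zone AND scavenging on for the server, or nothing is ever removed.
    if ($PSCmdlet.ShouldProcess($ZoneName, 'Enable zone aging and server scavenging (7-day intervals)')) {
        Set-DnsServerZoneAging -Name $ZoneName -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
        Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
    }
}
```

Run it read-only first (`.\Audit-StaleDns.ps1 -ZoneName <zone>`), then with `-Delete -WhatIf` to see exactly which records would go. Put every printer address from the pfSense DHCP/ARP table into -KeepAddresses before deleting: a printer that has been offline (nine APs are down, so ports may be too) will look stale to the timestamp test but is still wanted for the Step 4 print-server setup.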

Session Log

| Session | Date | Focus | Status |
|---|---|---|---|
| 1 | 2026-03-06 | Initial audit, data gathering, documentation buildout | Done |
| 2 | 2026-03-06 | Guest WiFi isolation, DNS fixes, firewall aliases | Done |
| 3 | 2026-03-07 | Backup setup, config exports, quick fixes | session3-2026-03-07.md |
| 4 | TBD | Firewall aliases, INTERNAL rules, floating rule #4 | Planned |
| 5 | TBD (onsite) | Test isolation, gather device info, Pro upgrade | Planned |

On-Site Tasks (separate trip)

| Task | Why |
|---|---|
| Fix 9 offline APs | Physical access to check PoE, cables, re-adopt |
| Wire 206 printer (ethernet) | Cable run |
| Locate Bizhub C368 | Physical walkthrough |
| Get printer MAC addresses | If not in pfSense ARP/DHCP table |
| Verify switch port assignments | Physical trace if UniFi doesn't show clearly |

Information Still Needed

  1. Switch port mappings — Which switch port is each hardwired workstation plugged into? Check UniFi → Clients or trace physically. Only CHEF-PC (USW Lite 8 Port 7) is known.
  2. DESKTOP-1ISF081 IP and location — What IP does it have and where is it physically?
  3. MDIRECTOR-PC — Confirm it should move to INTERNAL or stay on LAN (MemCare Director's machine, currently at 192.168.3.20)
  4. Printer MAC addresses — Need for DHCP reservations if not already in pfSense ARP table
  5. Step 7 decision — Move CS-SERVER to INTERNAL, dual-home it, or leave on LAN permanently?

Rollback Procedures

Each step has a rollback section. Key rollbacks:

  • Step 2: Re-enable floating rule #4, revert Guest SSID, restore pfSense XML backup
  • Step 3 (per machine): Revert switch port to native VLAN
  • Step 4: Unlink GPOs from GPMC. DNS records exported in Step 1.
  • Step 5 (per machine): Log in with MSPAdmin local account, Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart
  • Step 6: Rename archive folder back to SynologyDrive
  • Step 7: Revert printer/server IPs, restore firewall rules

Verification

After each step, confirm:

  • Step 2: INTERNAL machines can reach server + printers through firewall
  • Step 3: Hardwired machines on INTERNAL get correct IPs, reach server + printers
  • Step 4: All shares/groups/GPOs created correctly on CS-SERVER
  • Step 5: Domain-joined machines get GPOs, drive mappings, printers automatically
  • Step 6: Users can access all files via mapped drives (no more Synology Drive Client)
  • Step 7: Server/printers accessible on new IPs from all machines
  • Step 8: Endpoint security deployed, old accounts/shares cleaned up
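The Step 2, 3, 5 and 7 checks above (and the cross-subnet transitional state described in the Context section) can be run from one script on the workstation being moved or joined. The script below is an added example, not one of the repository's phase*/step* scripts: it confirms the PC holds an address in 10.0.20.0/24, that CS-SERVER resolves to 192.168.2.254 with no stray A records, that the AD/DNS/SMB ports and raw-print port are reachable through pfSense, that clock skew against the server is inside the Kerberos tolerance, and that the MSPAdmin local account the Step 5 rollback relies on exists and is enabled. Printer addresses are an assumption to be filled in from the pfSense DHCP/ARP table; after Step 7 pass the server's new INTERNAL address instead.

```powershell
#Requires -Version 5.1
<#
  Workstation preflight for the Cascades migration. ADDED EXAMPLE: not one of the repo's
  phase*/step* scripts. Run after a switch-port move (Step 3), before a domain join (Step 5),
  and again after the server/printer re-IP (Step 7). Values marked ASSUMPTION are not on the plan.
#>
param(
    [string]$ServerName      = 'CS-SERVER',        # from the plan
    [string]$ServerIP        = '192.168.2.254',    # from the plan (LAN address until Step 7)
    [string]$InternalCidr    = '10.0.20.0/24',     # INTERNAL VLAN 20, from the plan
    [string[]]$PrinterIPs    = @(),                # ASSUMPTION: fill in from the pfSense DHCP/ARP table
    [string]$RollbackAccount = 'MSPAdmin',         # local account the Step 5 rollback depends on
    [int]$MaxSkewSeconds     = 300                 # Kerberos default clock tolerance (5 minutes)
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}
function ConvertTo-Int64Address([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [array]::Reverse($b)
    [int64][BitConverter]::ToUInt32($b, 0)
}

# 1. Did the port move actually land this PC on INTERNAL? (Step 3 / Step 7)
$net, $bits = $InternalCidr -split '/'
$mask = ([int64]1 -shl 32) - ([int64]1 -shl (32 - [int]$bits))
$ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' })
$onInternal = @($ipv4 | Where-Object {
    ((ConvertTo-Int64Address $_.IPAddress) -band $mask) -eq ((ConvertTo-Int64Address $net) -band $mask) })
Add-Result "IPv4 address in $InternalCidr" ($onInternal.Count -gt 0) ($ipv4.IPAddress -join ', ')

# 2. Name resolution: the server must resolve to its expected address and nothing else
#    (a stale or duplicate A record here breaks domain join and drive mappings later).
try {
    $a = @(Resolve-DnsName -Name $ServerName -Type A -DnsOnly -ErrorAction Stop | Where-Object IPAddress)
    Add-Result "DNS: $ServerName -> $ServerIP only" (@($a.IPAddress) -eq @($ServerIP)) ($a.IPAddress -join ', ')
} catch { Add-Result "DNS: $ServerName resolves" $false $_.Exception.Message }

# 3. Cross-subnet reachability through pfSense: AD/DNS/SMB on the server, raw print on printers.
$serverPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($p in ($serverPorts.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $ServerIP -Port $p -WarningAction SilentlyContinue
    Add-Result "TCP $p ($($serverPorts[$p])) to $ServerIP" ([bool]$t.TcpTestSucceeded) ''
}
foreach ($ip in $PrinterIPs) {
    $t = Test-NetConnection -ComputerName $ip -Port 9100 -WarningAction SilentlyContinue
    Add-Result "TCP 9100 (raw print) to $ip" ([bool]$t.TcpTestSucceeded) ''
}

# 4. Clock skew against the server: Kerberos rejects tickets outside the tolerance, so check
#    before the join. w32tm prints one line like "18:59:38, +00.0012345s" (or "error: 0x..." on failure).
$line = (w32tm /stripchart /computer:$ServerIP /samples:1 /dataonly 2>&1) |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($line) {
    $skew = [math]::Abs([double]$line.Matches[0].Groups[1].Value)
    Add-Result "Clock skew vs $ServerIP under ${MaxSkewSeconds}s" ($skew -lt $MaxSkewSeconds) ("{0:N3}s" -f $skew)
} else {
    Add-Result 'Clock skew measured' $false 'w32tm returned no sample (UDP 123 to the server blocked?)'
}

# 5. Rollback safety: the local admin used to unjoin (Step 5 rollback) must exist and be enabled,
#    otherwise a failed join leaves no way back in without a domain account.
$local = Get-LocalUser -Name $RollbackAccount -ErrorAction SilentlyContinue
Add-Result "Local rollback account '$RollbackAccount' present and enabled" ([bool]($local -and $local.Enabled)) ''

# 6. Current membership, so the report shows which phase this machine is in.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Result 'Domain membership (informational)' $true ("PartOfDomain={0} Domain={1}" -f $cs.PartOfDomain, $cs.Domain)

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host ("{0} check(s) failed" -f $failed)
if ($failed) { exit 1 } else { exit 0 }
```

Run it elevated (Get-LocalUser needs it on some builds) and keep the output with the per-machine notes for that session. A failed port test with a passing subnet check points at the pfSense INTERNAL rules rather than the switch port; a skew failure with ports passing means fix time sync (CS-SERVER's own time source was verified in the last commit) before attempting the join. The w32tm parse assumes a dot decimal separator, which is what en-US Windows prints.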

Issues Resolved

| Issue | Resolution |
|---|---|
| Floating rule #4 passes all IPv4 | Replaced with scoped rules |
| Guest WiFi on server LAN | Isolated to VLAN 50 |
| No GPOs configured | Security baseline, drives, printers, updates, folder redirection |
| 4 PCs not domain-joined | All joined |
| No backup | Synology ABB + offsite |
| Shared/generic AD accounts | Replaced with individual accounts |
| Stale DNS records | Cleaned up, scavenging enabled |
| Room 218 DHCP (single IP) | Range end fixed |
| Timezone mismatch | Both set to America/Phoenix |
| Room 130 dead firewall rule | Deleted |
| VLAN 10 mismatch | Deleted from UniFi |
| 5 stale disabled AD accounts | Deleted |
| Synology Sync VM | Deleted from Hyper-V |