| type | name | display_name | last_compiled | compiled_by | sources | backlinks | aliases |
|---|---|---|---|---|---|---|---|
| client | birth-biologic | BirthBiologic | 2026-06-26 | GURU-5070/claude-main | | | |
BirthBiologic
Profile
- Company type: Biological/healthcare services (cord blood / donor services implied by site structure: Donor Services, Quality Department, Birth Biologic Activity Reports); Stilwell, KS
- Contract type: Prepaid hour block
- Key contacts:
  - Annise — primary client contact for migration work; no last name or email documented
  - Kristin Steen — ksteen@birthbiologic.com (known Syncro contact; workstation KSTEENBB2025)
  - sysadmin@birthbiologic.com — M365/Google shared admin account (ACG-managed); M365 Business Premium license assigned 2026-04-21; SharePoint admin role confirmed
- Billing rate: (verify — check Syncro invoices)
- Hours remaining (prepaid): 10.0 hrs as of 2026-06-26
- Syncro customer ID: 17983014
- Managed assets (Syncro): 13
- Open tickets: 0 as of 2026-06-26
- Historical ticket: #109277420 — Datto Workplace to SharePoint Migration; assigned Mike Swanson; contact Annise; closed/historical
Infrastructure
Servers & Services
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| BB-SERVER | (verify) | On-premise Windows server | Windows Server 2016 | GuruRMM agent 6c02baa7-0f1c-4990-b466-c9ab9eaefd3b installed 2026-04-21; Datto Workplace Server installed; custom Datto→SP migration script artifacts at C:\GuruMigration; state file shows 160 Supply Mgmt + 49 ITSvcs uploaded April 2026 |
| ACG-DWP-X-BB | 172.16.3.45 | ACG-owned Datto/SPMT migration VM (Jupiter libvirt) | Windows Server 2019 build 17763 (libvirt domain label "Windows Server 2016") | Static IP /22, GW 172.16.0.1, DNS 172.16.0.1+1.1.1.1; virtio NIC 52:54:00:d4:8e:59 on br0 (vnet14); Datto Workplace Server (svc datto_workplace_server.default) + SPMT (under Administrator profile); source tree C:\Users\Public\Desktop\Datto Workplace Server Projects; GuruRMM agent a4524e85-8a07-45d0-91b1-51ce7e2ca74a enrolled 2026-06-26 |
Email & Identity
- M365 tenant: birthbiologic.com / tenant ID `19a568e8-9e88-413b-9341-cbc224b39145`
- Target delivery domain (migration): `birthbiologic.onmicrosoft.com`
- Accepted domains: birthbiologic.com (default), birthbiologic.onmicrosoft.com
- MX (as of 2026-06-26): Google Workspace (`aspmx.l.google.com` + alts) — live mail still on Google; M365 cutover NOT yet done
- DNS host: SiteGround (`ns1/ns2.us92.siteground.us`); Registrar: Name.com; `www` → GCP 35.215.115.203 (not in scope)
- M365 licensing (all consumed as of 2026-06-26):
  - Business Premium (skuId `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`): 14/14
  - Exchange Online Plan 1 — EXCHANGESTANDARD (skuId `4b9405b0-7788-4568-add1-99614e613b69`): 7/7
  - Active-12 staff + sysadmin@ + operations@ on Business Premium; Dr. Chris Gillis (`medicaldirector@`) + Michael Merritt (`mmerritt@`) created 2026-06-26 with Exchange-only (passwords vaulted); 5 former employees (`sabron`, `aboutte`, `araso`, `khoffman`, `pnelson`) Exchange-only with sign-in disabled (future shared-mailbox targets, license reclaimable post-conversion)
  - Mindi address mismatch: `mindim@` (Google) vs `mmaher@` (M365) — mapped via CSV `Username` column + `smtp:mindim@birthbiologic.com` proxy added to her mailbox via `Set-Mailbox`
- MFA status: (verify)
- ACG remediation tool consent status (as of 2026-06-26 — FULLY ONBOARDED):
  - Security Investigator: consented (SP `bf684a4b-…`)
  - Tenant Admin: consented (app client_id `709e6eed-0711-4875-9c44-2d3518c47063`; SP object `7a199b11-97fb-4e65-917d-f8d29a53ba49`; consent redirect URI must be `https://azcomputerguru.com`, NOT `https://rmm.azcomputerguru.com`)
  - Exchange Operator: consented 2026-06-26 (SP `bab4699b-32a3-4434-9cad-7a4a08cc4d9e`; Exchange Administrator role)
  - User Manager: consented 2026-06-26 (SP `3347ebcc-…`)
  - Defender Add-on: consented 2026-06-26 (SP `161b8f61-…`)
- Note: sysadmin@birthbiologic.com did not have a SharePoint/M365 license prior to 2026-04-21. For SharePoint app-only access, use Tenant Admin app with `Sites.ReadWrite.All` (no user license required for app-only).
Google Workspace (source tenant — migration in progress)
- Super-admin: sysadmin@birthbiologic.com; password vaulted at `clients/birth-biologic/google-workspace.sops.yaml` (`credentials.password`)
- Domain-wide delegation: acg-msp-access SA (`acg-msp-access@acg-msp-access.iam.gserviceaccount.com`); OAuth2 client ID `102231607889615995452`; GCP project `acg-msp-access` (number 806899474449)
- Required DWD scopes (5, exact, comma-separated, no spaces): `https://mail.google.com/,https://www.googleapis.com/auth/calendar,https://www.google.com/m8/feeds/,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/contacts`
- GCP APIs enabled on acg-msp-access: Gmail, Calendar (calendar-json), People
- Google roster (DWD pull, 2026-06-26): 20 accounts — 15 active, 5 suspended
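A preflight for the required scope string, as an added example that is not part of the original page or the runbook: it compares a pasted domain-wide delegation grant with the five required scopes and reports missing, extra and malformed entries before a migration token is requested. The function name, the result keys and the reconstructed sample grant are assumptions of this example, and treating extra scopes as a failure is its own least-privilege choice.

```python
# Added example: check a pasted DWD scope string against the required set.
REQUIRED_DWD_SCOPES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/calendar",
    "https://www.google.com/m8/feeds/",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://www.googleapis.com/auth/contacts",
)

# Constructed sample: the 3-of-5 grant described on this page
# (m8/feeds and gmail.settings.sharing were the two missing scopes).
ORIGINAL_GRANT = (
    "https://mail.google.com/,"
    "https://www.googleapis.com/auth/calendar,"
    "https://www.googleapis.com/auth/contacts"
)


def check_dwd_scopes(granted):
    """Return missing/extra scopes and formatting problems for a grant string."""
    items = [s.strip() for s in granted.split(",") if s.strip()]
    format_problems = []
    if any(ch.isspace() for ch in granted):
        # The page requires the string comma-separated with no spaces.
        format_problems.append("whitespace in scope string")
    if len(items) != len(set(items)):
        format_problems.append("duplicate scope")

    missing = [s for s in REQUIRED_DWD_SCOPES if s not in items]
    extra = [s for s in items if s not in REQUIRED_DWD_SCOPES]

    # A scope that differs from a required one only by its trailing slash
    # is a typo, not a different permission: name the exact fix.
    for got in extra:
        for want in missing:
            if got.rstrip("/") == want.rstrip("/"):
                format_problems.append(f"{got!r} should be {want!r}")

    return {
        # The token is refused if any scope is missing; extras are flagged
        # here as over-grant (a policy choice of this example).
        "ok": not (missing or extra or format_problems),
        "missing": missing,
        "extra": extra,
        "format_problems": format_problems,
    }


if __name__ == "__main__":
    report = check_dwd_scopes(ORIGINAL_GRANT)
    print("ok:", report["ok"])
    for scope in report["missing"]:
        print("missing:", scope)
```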
Gmail Migration Status (as of 2026-06-26)
- Method: Native MS "Migration from Google Workspace" via Exchange Operator REST InvokeCommand
- Endpoint: `BB-Gmail` (type: Gmail; impersonation admin: sysadmin@birthbiologic.com)
- Batch 1 (BB-Batch1): 14 live mailboxes, mail + calendar + contacts, TargetDeliveryDomain `birthbiologic.onmicrosoft.com`, AutoStart, NotificationEmails sysadmin@; Status: Syncing (created 2026-06-26)
- Batch 2: Not started — 5 former employees; pending un-suspend in Google + free Workspace seats
File Storage
- Pre-migration source: Datto Workplace (server on ACG-DWP-X-BB; original custom-script artifacts on BB-SERVER at `C:\GuruMigration`)
- Post-migration target: Microsoft SharePoint (M365)
- Migration tools: Custom PowerShell script (`clients/birth-biologic/scripts/migrate-datto-to-sharepoint.ps1`) + SPMT (on ACG-DWP-X-BB under Administrator profile)
SharePoint Site Map
| Datto Folder | SharePoint Site | Size / Files | Status |
|---|---|---|---|
| Admin | birthbiologic.sharepoint.com/sites/Admin | 5.8 GB / 6,279 files | SPMT last ran 2026-04-29; completion UNCONFIRMED |
| Birth Biologic Activity Reports | birthbiologic.sharepoint.com/sites/Admin (subfolder) | 1 file | SPMT; SPMT preserves source folder name as subfolder; UNCONFIRMED |
| Donor Services | birthbiologic.sharepoint.com/sites/DonorServices | 109 GB / 56,826 files | SPMT last ran 2026-04-29; completion UNCONFIRMED |
| Quality Department | birthbiologic.sharepoint.com/sites/QualityDepartment | 28 GB / 3,714 files | SPMT last ran 2026-04-29; completion UNCONFIRMED |
| Supply Management | birthbiologic.sharepoint.com/sites/SupplyManagement | 33 MB / 160 files | 160/160 migrated via custom PS script 2026-04-21 — COMPLETE |
| ITSvcs | EXCLUDED | 52 files | ACG-owned folder; never client data |
Site IDs hardcoded in $SITE_MAP hashtable in the migration script.
Network
- ACG Jupiter (Datto VM host): LAN 172.16.0.0/22, GW pfSense 172.16.0.1; Jupiter at 172.16.3.20 (Unraid, virsh); guest-exec helper `/root/gx.sh`
- ACG-DWP-X-BB: 172.16.3.45/22 static (was APIPA after ~2 months parked; pfSense DHCP not leasing that MAC; fixed 2026-06-26)
- ISP / WAN (BirthBio site): (verify)
- Firewall (BirthBio site): (verify)
- VPN: (verify)
GuruRMM
- Client name: BirthBiologic
- Client ID: `da526b38-e832-4159-ab13-a3d94e9897a2`
- Site name: Main Office
- Site code: `BRIGHT-PEAK-5980`
- Site ID: `3b20ef97-c764-4ef8-9154-79c3d5b486f8`
- Agent enrollment key: `clients/birthbiologic/gururmm-site-main.sops.yaml` (vault)
- Install landing page: `https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980`
- MSI download: `https://rmm.azcomputerguru.com/sites/3b20ef97-c764-4ef8-9154-79c3d5b486f8/installer`
- RMM one-liner (Windows): `irm https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980/windows | iex`
Enrolled Agents
| Agent | Host | OS | Agent ID | IP | Notes |
|---|---|---|---|---|---|
| BB-SERVER | BB-SERVER | Windows Server 2016 | 6c02baa7-0f1c-4990-b466-c9ab9eaefd3b | (verify) | Installed 2026-04-21; original Datto→SP command channel; Datto Workplace Server; custom migration script artifacts |
| KSTEENBB2025 | KSTEENBB2025 | Windows 11 | ee3c6aea-e9cc-4d2f-9e79-a38dd0eb129e | — | Kristin Steen's workstation |
| EVO-X1 | EVO-X1 | Windows 11 | 9595f002-5cfe-4db6-b7aa-1df4a20e9f9b | — | Vicki Fountain's workstation; SmartBadge fleet reference machine |
| BB-Office2 | BB-Office2 | Windows 11 | 48763401-4859-49f9-b64a-7a50d0148b23 | — | Shared/office workstation |
| ACG-DWP-X-BB | ACG-DWP-X-BB | Windows Server 2019 | a4524e85-8a07-45d0-91b1-51ce7e2ca74a | 172.16.3.45 | ACG-owned; Jupiter libvirt VM; Datto Workplace Server + SPMT migration host; enrolled 2026-06-26 under BirthBiologic/Main Office |
Access
- GuruRMM: Dashboard → BirthBiologic → Main Office
- M365 admin: sysadmin@birthbiologic.com
- Google Workspace admin: sysadmin@birthbiologic.com (same account; password vaulted)
- Vault paths:
  - `clients/birthbiologic/gururmm-site-main.sops.yaml` — GuruRMM site enrollment key
  - `msp-tools/computerguru-tenant-admin.sops.yaml` → `credentials.credential` — Tenant Admin app secret
  - `msp-tools/computerguru-exchange-operator.sops.yaml` → `credentials.client_secret` — Exchange Operator app secret
  - `msp-tools/acg-msp-access-google-workspace.sops.yaml` → `credentials.credential` — Google SA JSON key (full)
  - `clients/birth-biologic/google-workspace.sops.yaml` → `credentials.password` — Google Workspace super-admin password
  - `clients/birth-biologic/m365-medicaldirector.sops.yaml` — Dr. Chris Gillis M365 initial password (`forceChangePasswordNextSignIn=true`)
  - `clients/birth-biologic/m365-mmerritt.sops.yaml` — Michael Merritt M365 initial password (`forceChangePasswordNextSignIn=true`)
- Tenant Admin app: client_id `709e6eed-0711-4875-9c44-2d3518c47063`; consent redirect URI must be `https://azcomputerguru.com` (NOT `https://rmm.azcomputerguru.com`)
- Exchange Operator SP: `bab4699b-32a3-4434-9cad-7a4a08cc4d9e`; Exchange Administrator role; drive via REST InvokeCommand (see Patterns)
- Migration script: `clients/birth-biologic/scripts/migrate-datto-to-sharepoint.ps1`
- Migration runbook: `projects/msp-tools/runbooks/google-workspace-to-m365-migration.md` (updated 2026-06-26 — exact 5-scope string, all-or-nothing gotcha, Contacts API retired/People API, GCP-owner requirement)
Patterns & Known Issues
- Datto Workplace fleet standard = "Datto Workplace" v10.53.4 (installs to `C:\Program Files\Datto\Workplace2\`). EVO-X1 and BB-Office2 run this version only. Never run the older "Datto Workplace Desktop" v8.50.13 (folder `…\Workplace Desktop\`) alongside it — having both installed breaks the Excel SmartBadge add-in (see below). Note the confusing naming: despite "Desktop" sounding newer, v8 Desktop is the older product; plain "Datto Workplace" v10 is current.
- SmartBadge Excel add-in failure from dual Datto Workplace installs: When both Workplace2 (v10) and Workplace Desktop (v8) are present, the `_CC` COM class `{3C639243-95A2-400D-B4B4-4384DA7F61D3}` gets a 64-bit InprocServer32 pointing at the wrong DLL (or only a 32-bit WOW64 entry), so 64-bit Excel can't load the shim and silently drops the SmartBadge ribbon tab. Excel then auto-disables the add-in (per-user `LoadBehavior=2`). Fix = align to fleet: remove Workplace Desktop v8 (Revo for a full leftover sweep), install Workplace v10.53.4, ensure only the `_CC` add-in (HKLM+WOW64, `LoadBehavior=3`) with the `_CC` CLSID → `…\Workplace2\SmartBadge\DattoSmartBadgeShim_x64/x86.dll`, and reset the user's `LoadBehavior` to 3 + clear Excel Resiliency. Reference machine: EVO-X1. Scripts: `.claude/scripts/ksteen-smartbadge-verify.ps1`, `.claude/scripts/ksteen-smartbadge-fix.ps1`.
- Windows Server 2016 TLS: BB-SERVER defaults to TLS 1.0. PowerShell scripts must include `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` at the top or Graph API calls will fail.
- GuruRMM command timeout on long-running processes: The RMM command channel times out on operations running longer than ~300 seconds. An 8 MB PDF upload at ~77 KB/s exceeded this limit during the migration. Workaround: base64-encode file on server, capture stdout, decode and upload locally.
- SharePoint 409 Conflict on retry: If a chunked upload session is interrupted, a partial item remains in SharePoint. Subsequent upload sessions against the same path return 409 Conflict. Fix: DELETE the item before creating a new upload session.
- SPMT requires sysadmin to be SharePoint admin: SPMT destination access requires the running account to have SharePoint admin rights. Confirm before scheduling future SPMT runs.
- Syncro comment rendering: Use `<br>` for line breaks in Syncro comments. `<ul>`/`<li>` collapses into a single line in the Syncro renderer.
- Syncro duplicate comments on #109277420: Two duplicate comments were noted in the session log. GUI deletion only (no API delete for comments). Verify status next time in ticket view.
- ITSvcs folder exclusion: The `ITSvcs` folder on the Datto share is ACG-owned, not client data. Always exclude from any migration or client-facing file audit.
- GuruRMM command body requirements: `command_type` field is required (use `"powershell"` for PS scripts). Missing field returns 422. JWT must include `sub`, `role`, `orgs`, `exp`, `iat` claims — any missing claim returns 401.
- GuruRMM `.stdout` null handling in watch scripts: `jq -r '.stdout'` emits the literal 4-char string `"null"` when the API returns JSON `null` for stdout. Always use `.stdout // empty` (or `.stdout // ""`) so that a null field becomes an empty string, not the word "null". Affects any script that greps command output for a sentinel line.
- PS5.1 quirks on BB-SERVER: No Unicode box-drawing characters (parse error in PS5.1); no `@{} + @{}` hashtable merge (use foreach loop); use `${encodedPath}` not `$encodedPath:` in URL strings (colon interpreted as drive reference).
- Google→M365 migration requires exactly Microsoft's 5-scope DWD set: Google rejects the migration token all-or-nothing if any scope is missing (`unauthorized_client: … not authorized for any of the scopes requested`). The original DWD grant had only 3 of 5; missing were `m8/feeds` and `gmail.settings.sharing`. The `m8/feeds` scope is a still-valid alias for contacts auth, served by the People API; the standalone Contacts API was retired 2022 (not enableable in GCP, not needed). See exact 5-scope string in the Google Workspace section above.
- Enabling GCP APIs in acg-msp-access requires ACG project owner identity: Running `gcloud services enable` as a client super-admin (sysadmin@birthbiologic.com) fails — that account has no rights to ACG's `acg-msp-access` GCP project. Must be authenticated as the ACG GCP project owner.
- Exchange driven via REST InvokeCommand — EXO PS module not available: Exchange Operator app token (`scope=https://outlook.office365.com/.default`), endpoint `POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand`, body `{"CmdletInput":{"CmdletName":"…","Parameters":{…}}}`. EXO PowerShell module not installed; the app has no vaulted cert, so `Connect-ExchangeOnline` app-only auth is not available. Byte-array parameters (`ServiceAccountKeyFileData`, `CSVData`) must be passed as base64 strings.
- `vault.sh get-field` requires dotted field path for nested secrets: `credentials.client_secret` and `credentials.credential` work; bare leaf names (`client_secret`) return a literal 4-char `null`. Always specify the full dotted path.
- Tenant's real Business Premium skuId is `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`: The scope doc had a stale GUID (`cbdc14ab-d96c-4132-b7f4-1f3a3a819bb4`). License assign 400'd until corrected. Pull skuId live from Graph `/subscribedSkus` before any license assignment.
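The `.stdout` null item above, worked through in Python as an added example (not the project's `check-ksteen-smartbadge.sh`): a naive classifier that stringifies a JSON `null` the way `jq -r` does, beside one that reports missing output as INFRA-ERROR instead of DRIFT and keeps `exit_code` and `stderr` for diagnostics. The response field names, the `RESULT: FAIL` sentinel, the function names and the sample responses are assumptions; only `RESULT: PASS` appears on this page.

```python
# Added example: separate "the check reported drift" from "the check never ran".
import json

PASS_SENTINEL = "RESULT: PASS"   # sentinel quoted in this page's history
DRIFT_SENTINEL = "RESULT: FAIL"  # assumed name; the page does not give it


def naive_classify(raw):
    """Pre-fix behaviour: stringify stdout the way `jq -r '.stdout'` does."""
    value = json.loads(raw).get("stdout")
    # A JSON null becomes the 4-character text "null", which has no sentinel.
    text = value if isinstance(value, str) else json.dumps(value)
    return "PASS" if PASS_SENTINEL in text else "DRIFT"


def classify(raw):
    """Return (verdict, detail); a result with no usable output is INFRA-ERROR."""
    try:
        result = json.loads(raw)
    except json.JSONDecodeError as exc:
        return "INFRA-ERROR", "response is not JSON: " + exc.msg
    if not isinstance(result, dict):
        return "INFRA-ERROR", "response is not a JSON object"

    stdout = result.get("stdout")
    if not isinstance(stdout, str):
        stdout = ""  # same effect as jq's `.stdout // empty`

    lines = [line.strip() for line in stdout.splitlines()]
    if PASS_SENTINEL in lines:
        return "PASS", ""
    if DRIFT_SENTINEL in lines:
        return "DRIFT", stdout.strip()

    # No sentinel at all: the check never reported, so this is not drift.
    detail = "no sentinel; exit_code={!r} stderr={!r}".format(
        result.get("exit_code"), result.get("stderr"))
    return "INFRA-ERROR", detail


# Constructed sample responses (field names stdout/stderr/exit_code assumed).
NULL_STDOUT = '{"stdout": null, "stderr": "agent offline", "exit_code": null}'
CLEAN = '{"stdout": "checking add-in\\nRESULT: PASS\\n", "stderr": "", "exit_code": 0}'
DRIFTED = '{"stdout": "LoadBehavior=2\\nRESULT: FAIL\\n", "stderr": "", "exit_code": 1}'

if __name__ == "__main__":
    for name, raw in (("null", NULL_STDOUT), ("clean", CLEAN), ("drift", DRIFTED)):
        print(name, "naive:", naive_classify(raw), "fixed:", classify(raw))
```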
Active Work
- Google → M365 mail migration (IN PROGRESS): BB-Batch1 auto-started 2026-06-26, Status: Syncing, 14 live mailboxes (mail + calendar + contacts). Pending:
  - Monitor BB-Batch1: Provisioning → Syncing → Synced
  - When Synced: flip MX in SiteGround DNS → M365; update SPF (`include:spf.protection.outlook.com`); enable/publish DKIM (2 CNAMEs); autodiscover CNAME → `autodiscover.outlook.com`; review DMARC; run final delta; complete batch
  - Batch 2 — 5 former employees → shared mailboxes: un-suspend each in Google (free Workspace seats by suspending migrated live users first), run Gmail migration batch (`aboutte`, `araso`, `khoffman`, `pnelson`, `sabron` — already EXO-licensed, sign-in disabled), convert to shared mailboxes (<=50 GB = free), reclaim 5 EXO licenses
  - Confirm Valerie VanEaton's status (active or departed since mid-May; if departed → former/shared track)
  - Confirm Michael Merritt's long-term licensing tier
  - Confirm `operations@` fate post-cutover (retain BP or convert to shared)
- Datto → SharePoint migration reconciliation (BLOCKED — awaiting ACG-DWP-X-BB Datto re-sync):
  - Supply Management complete (160/160 files, 2026-04-21)
  - 4 large SPMT folders (Admin 5.8 GB, Donor Services 109 GB, Quality 28 GB, Activity Reports) last SPMT run 2026-04-29; completion UNCONFIRMED — reconciliation pending Datto re-sync on ACG-DWP-X-BB
  - After re-sync: compare source vs each SharePoint site, determine what April SPMT run left incomplete, schedule completion run(s)
  - Notify Annise to test SharePoint access once confirmed complete; run delta sync (`-DeltaOnly`) post-confirmation
- pfSense: add DHCP reservation for 172.16.3.45 (MAC `52:54:00:d4:8e:59`) or confirm it is outside the DHCP pool
History Highlights
| Date | Event |
|---|---|
| 2026-06-26 | Mike (GURU-5070): Google→M365 mail migration initiated; BB-Batch1 live (14 mailboxes, Status: Syncing). Identified Datto/SPMT migration VM as Jupiter libvirt domain ACG-DWP-X-BB (actual WS2019 build 17763); had APIPA after ~2 months parked (pfSense not leasing MAC); fixed with static IP 172.16.3.45/22; GuruRMM agent enrolled (a4524e85-…); Datto Workplace Server reconnected + re-syncing. Confirmed April SPMT run (4 large folders) completion unconfirmed. Fully onboarded BirthBio M365 to ACG suite (Exchange Operator + User Manager + Defender Add-on consented via onboard365.sh provision). Provisioned Exchange-only mailboxes for Dr. Chris Gillis (medicaldirector@) and Michael Merritt (mmerritt@); license redistribution: Mei Mei + Valerie +BP, Savanna BP→EXO, 4 disabled formers +EXO. Created Gmail migration endpoint BB-Gmail; created + auto-started BB-Batch1 (14 mailboxes, TargetDeliveryDomain birthbiologic.onmicrosoft.com). Vaulted Google super-admin creds + new M365 user passwords. |
| 2026-06-02 | Mike (BEAST/discord-bot): SMARTBADGE-WATCH fired a false-positive DRIFT alert. Root cause: jq -r '.stdout' emitting literal "null" when RMM API returned JSON null stdout. Live re-verify via RMM confirmed KSTEENBB2025 clean (RESULT: PASS). Fixed check-ksteen-smartbadge.sh (commit 551aaf2): .stdout // empty coercion, INFRA-ERROR vs DRIFT distinction, stderr/exit_code in diagnostics, poll window 80s→120s. |
| 2026-05-29 | Mike: Corrected the SmartBadge fix — Kristin's machine had been left on the older Workplace Desktop v8 (diverged from fleet). Revo-removed v8, installed Workplace v10.53.4 (Workplace2), aligned SmartBadge _CC add-in/CLSID to EVO-X1, cleared her stuck per-user LoadBehavior=2. Verified working. Public tech notes + 1hr warranty on Syncro #32339. Stood up a 7-day daily verification (scheduled task on GURU-5070 + coord todo 4a5b09b3, expires 2026-06-05). |
| 2026-05-28 | Mike: Initial Kristin Steen SmartBadge remediation (Syncro #32339) — diagnosed dual Workplace2/Workplace Desktop install; uninstalled the wrong one (Workplace2 v10), leaving v8 Desktop (corrected 2026-05-29). |
| 2026-04-21 | Mike: New client onboarded to GuruRMM (client + site created, vault entry saved). Tenant Admin app consented. sysadmin@birthbiologic.com assigned M365 Business Premium. GuruRMM agent installed on BB-SERVER. Custom Datto→SharePoint migration script built. Supply Management (160 files) migrated via script. SPMT launched for 4 remaining folders. Syncro ticket #109277420 opened. |
Backlinks
- projects/gururmm — BB-SERVER + ACG-DWP-X-BB enrolled (site: Main Office)