Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DNS Configuration
Internal DNS Server (Unbound Resolver)
- Server: pfSense (pfsense.cascades.local)
- Server IP: 192.168.0.1
- DNSSEC: Enabled
- Prefetch: Enabled
- Active Interface: All
- Outgoing Interface: WAN
DNS Forwarders (System DNS)
- Forwarder 1: 8.8.8.8 (Google)
- Forwarder 2: 1.1.1.1 (Cloudflare)
Cache Settings
- Message Cache Size: 512
- Max TTL: 86400 (24 hours)
- Min TTL: 0
- Infra Host TTL: 900
- Infra Cache Hosts: 10000
DHCP Integration
- Register DHCP leases in DNS: Yes
- Register DHCP static mappings: Yes
Host Overrides
| Hostname | Domain | IP Address | Aliases |
|---|---|---|---|
| cascadesds | cascades.local | 192.168.0.120 | synology.cascades.local |
Windows DNS Server (AD-Integrated)
- Server: CS-SERVER (192.168.2.254)
- Required for: Active Directory domain resolution, SRV records, Kerberos, LDAP
DNS Zones
| Zone | Type | AD-Integrated | Auto-Created | Notes |
|---|---|---|---|---|
| cascades.local | Primary | Yes | No | Main AD zone |
| _msdcs.cascades.local | Primary | Yes | No | AD metadata zone |
| 0.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 127.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 255.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| TrustAnchors | Primary | Yes | No | DNSSEC trust anchors |
NOTE: No real reverse lookup zones exist for any production subnet (192.168.0.0/22, 10.0.20.0/24, room VLANs). Only auto-created placeholder zones.
Key DNS Records (cascades.local zone)
| Hostname | Type | IP / Data | Timestamp | Notes |
|---|---|---|---|---|
| @ (cascades.local) | A | 192.168.0.5 | 3/25/2025 | STALE — not current DC IP |
| @ (cascades.local) | A | 192.168.2.59 | 9/22/2024 | STALE — not current DC IP |
| cs-server | A | 192.168.2.254 | Static | Correct DC record |
| ACCT2-PC | A | 10.0.20.209 | 3/2/2026 | Current |
| CRYSTAL-PC | A | 192.168.5.115 | 3/27/2025 | STALE — should be 10.0.20.205 |
| CS-QB | A | 192.168.5.29 | 3/27/2025 | STALE — should be 192.168.2.228 |
| DESKTOP-1ISF081 | A | 192.168.5.30 | 3/27/2025 | 192.168.5.x not a documented subnet |
| DESKTOP-H6QHRR7 | A | 10.0.20.235 | 3/2/2026 | Current |
| Cascades-Probe | A | 192.168.3.155 | 4/23/2025 | Monitoring probe? |
| Probe | A | 192.168.5.160 | 3/14/2025 | Monitoring probe? |
| DomainDnsZones | A | 192.168.0.5 | 3/25/2025 | STALE |
| DomainDnsZones | A | 192.168.2.59 | 9/22/2024 | STALE |
| ForestDnsZones | A | 192.168.0.5 | 3/25/2025 | STALE |
| ForestDnsZones | A | 192.168.2.59 | 9/22/2024 | STALE |
AD SRV Records (all point to cs-server.cascades.local)
- _gc._tcp (Global Catalog, port 3268)
- _kerberos._tcp (Kerberos, port 88)
- _kpasswd._tcp (Kerberos password, port 464)
- _ldap._tcp (LDAP, port 389)
- All registered 8/28/2024 — normal for single-DC environment
DNS Issues — Status
| Issue | Status |
|---|---|
| Stale @ records | FIXED 2026-03-06. Removed old 192.168.0.5 and 192.168.2.59. Added correct 192.168.2.254. |
| Stale computer records | FIXED 2026-03-06. Removed CRYSTAL-PC (192.168.5.115), CS-QB (192.168.5.29), DESKTOP-1ISF081 (192.168.5.30). |
| No reverse lookup zones | FIXED 2026-03-06. Created 5 reverse zones covering LAN /22 and INTERNAL. |
| DomainDnsZones/ForestDnsZones stale | FIXED 2026-03-06. Removed old IPs, added 192.168.2.254. |
DNS Architecture (pfSense + Windows DNS)
- pfSense Unbound (192.168.0.1): Primary DNS resolver for all clients. Forwards external queries to 8.8.8.8 / 1.1.1.1. Registers DHCP leases.
- Windows DNS (192.168.2.254): Authoritative for cascades.local zone. Required for AD SRV records, Kerberos, LDAP lookups.
- Forwarding relationship: Needs verification — pfSense should forward cascades.local queries to 192.168.2.254, and Windows DNS should forward external queries to pfSense or directly to internet resolvers.
- Domain-joined PCs likely use 192.168.2.254 as DNS (per server's own config) or 192.168.0.1 (per DHCP).
Migration Plan — DNS Changes (Phase 1.4 + 2.1)
See migration/phase2-server-prep.md and migration/scripts/phase2-dns-cleanup.ps1.
pfSense Domain Overrides (Phase 1.4) — DONE 2026-03-06
| Domain | Forward to | Purpose | Status |
|---|---|---|---|
| cascades.local | 192.168.2.254 | AD domain resolution | ✅ Added |
| _msdcs.cascades.local | 192.168.2.254 | AD metadata zone | ✅ Added |
CS-SERVER DNS Client Fix (Phase 1.4) — DONE 2026-03-06
CS-SERVER used pfSense (192.168.0.1) + 8.8.8.8 as DNS. Fixed: now uses 127.0.0.1, 192.168.0.1. Verified — both cs-server.cascades.local and google.com resolve correctly through localhost.
CS-SERVER Forwarder Fix (Phase 1.4)
Set Windows DNS forwarder to 192.168.0.1 (pfSense) for external resolution. TODO: Verify this is set.
Stale Record Cleanup (Phase 2.1) — DONE 2026-03-06
All stale records removed and correct records added:
| Record | Action |
|---|---|
| cascades.local @ → 192.168.0.5, 192.168.2.59 | Removed. Added correct: @ → 192.168.2.254 |
| CRYSTAL-PC → 192.168.5.115 | Removed (will re-register correct IP via DHCP) |
| CS-QB → 192.168.5.29 | Removed (will re-register correct IP via DHCP) |
| DESKTOP-1ISF081 → 192.168.5.30 | Removed |
| DomainDnsZones → 192.168.0.5, 192.168.2.59 | Removed. Added correct: → 192.168.2.254 |
| ForestDnsZones → 192.168.0.5, 192.168.2.59 | Removed. Added correct: → 192.168.2.254 |
Enable Scavenging (Phase 2.1) — DONE 2026-03-06
- Server-level scavenging: enabled, 7-day interval ✅
- Zone aging on cascades.local: enabled ✅
- First scavenge available: 3/13/2026 (14-day aging window from enable date)
Create Reverse Lookup Zones (Phase 2.1) — DONE 2026-03-06
All 5 reverse zones created (AD-integrated, Domain replication scope):
- 0.168.192.in-addr.arpa ✅
- 1.168.192.in-addr.arpa ✅
- 2.168.192.in-addr.arpa ✅
- 3.168.192.in-addr.arpa ✅
- 20.0.10.in-addr.arpa ✅
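The following verification script is an added example, not part of the client repo or the migration scripts referenced above. It checks the open forwarder TODO (Phase 1.4) together with the Phase 1.4 client fix and the Phase 2.1 cleanup, scavenging and reverse-zone items against the values recorded in this document; it assumes it is run on CS-SERVER with the DnsServer PowerShell module available, and the expected sets are derived from this page and must be updated if the architecture changes.

```powershell
# Added verification script (not the client's own code). Run on CS-SERVER
# (192.168.2.254) in an elevated PowerShell with the DnsServer module.
# Expected values are assumptions taken from this document.
$ErrorActionPreference = 'Stop'
Import-Module DnsServer

$Expected = @{
    DcIp         = '192.168.2.254'
    PfSense      = '192.168.0.1'
    ClientDns    = @('127.0.0.1', '192.168.0.1')
    Zone         = 'cascades.local'
    ReverseZones = @('0.168.192.in-addr.arpa', '1.168.192.in-addr.arpa',
                     '2.168.192.in-addr.arpa', '3.168.192.in-addr.arpa',
                     '20.0.10.in-addr.arpa')
    StaleIps     = @('192.168.0.5', '192.168.2.59')
}

function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $mark = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}: {2}" -f $mark, $Name, $Detail)
}

# Phase 1.4: CS-SERVER should use itself first, then pfSense, as DNS client.
$client = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
Check 'DNS client order' (($client -join ',') -eq ($Expected.ClientDns -join ',')) ($client -join ', ')

# Phase 1.4 TODO: external resolution should forward to pfSense only.
$fwd = @((Get-DnsServerForwarder).IPAddress.IPAddressToString)
Check 'Forwarder = pfSense' (($fwd -join ',') -eq $Expected.PfSense) ($fwd -join ', ')

# Phase 2.1: no stale @ / DomainDnsZones / ForestDnsZones A records remain.
$aRecs = @(Get-DnsServerResourceRecord -ZoneName $Expected.Zone -RRType A |
    Where-Object { $_.HostName -in '@', 'DomainDnsZones', 'ForestDnsZones' })
$bad = @($aRecs | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -in $Expected.StaleIps })
Check 'No stale zone-apex records' ($bad.Count -eq 0) ("{0} stale of {1}" -f $bad.Count, $aRecs.Count)

# Phase 2.1: scavenging on at server level and aging on the AD zone.
$scav  = Get-DnsServerScavenging
$aging = Get-DnsServerZoneAging -Name $Expected.Zone
Check 'Scavenging enabled' ($scav.ScavengingState -and $aging.AgingEnabled) ("interval {0}" -f $scav.ScavengingInterval)

# Phase 2.1: all five reverse zones exist.
$have = @((Get-DnsServerZone | Where-Object IsReverseLookupZone).ZoneName)
$missing = @($Expected.ReverseZones | Where-Object { $_ -notin $have })
Check 'Reverse zones present' ($missing.Count -eq 0) ("missing: {0}" -f ($missing -join ', '))

# Forwarding relationship: pfSense must answer cascades.local with the DC's data.
$viaPf = Resolve-DnsName -Name "cs-server.$($Expected.Zone)" -Type A -Server $Expected.PfSense
Check 'pfSense resolves AD name' ($viaPf.IPAddress -contains $Expected.DcIp) ($viaPf.IPAddress -join ', ')
```

A FAIL on the forwarder or pfSense checks means the forwarding relationship described under DNS Architecture is still unverified and should be corrected before Phase 2 continues.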
External DNS
- Not documented yet (registrar, hosted DNS, etc.)
Notes
- pfSense Unbound serves as the DNS resolver for all VLANs
- Room VLANs use their gateway (pfSense interface IP) as DNS server
- INTERNAL VLAN uses 192.168.0.1 explicitly as DNS
- 999GuruTestNet uses 10.0.99.1 as DNS