claudetools/wiki/clients/kittle.md
Mike Swanson f4fb131529 wiki: seed remaining clients and projects (batch 3)
Adds 11 client articles and 5 project articles:

Clients: kittle, khalsa, anaise, azcomputerguru.com, bg-builders,
evs, furrier, horseshoe-management, kittle-design, scileppi-law,
western-tire

Projects: discord-bot, radio-show, msp-pricing, wrightstown-smarthome,
wrightstown-solar

Updates wiki/index.md with all new entries, cross-references, and
removes seeded client:birthbiologic from compilation queue.

Critical findings surfaced:
- Kittle: WS2025 EVAL license, no backups, 3 plaintext creds in Syncro
- Western Tire: SSL cert *.westerntire.com expires 2026-05-30
- Kittle Design: active compromise (Ken inbox rule unresolved)
- Horseshoe Mgmt: plaintext creds for 5+ users in Syncro notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:59:40 -07:00


type: client
name: kittle
display_name: Kittle (client)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:

  • clients/kittle/docs/overview.md
  • clients/kittle/docs/servers/server.md
  • clients/kittle/docs/network/topology.md
  • clients/kittle/docs/network/firewall.md
  • clients/kittle/docs/network/dns.md
  • clients/kittle/docs/network/dhcp.md
  • clients/kittle/docs/network/vlans.md
  • clients/kittle/docs/cloud/m365.md
  • clients/kittle/docs/cloud/azure.md
  • clients/kittle/docs/rmm/rmm.md
  • clients/kittle/docs/security/antivirus.md
  • clients/kittle/docs/security/backup.md
  • clients/kittle/docs/issues/log.md
  • clients/kittle/docs/email/dkim-dmarc-setup.md
  • clients/kittle/PROJECT_STATE.md
  • clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md

Kittle Design & Construction LLC

Overview

  • Business type: General contractor (construction)
  • Address: 2539 N Balboa Ave #125, Tucson, AZ 85705
  • Phone: 520.299.0404 | Fax: 520.299.0477
  • Website: kittlearizona.com
  • Syncro customer ID: 32460233
  • Status: Active — onboarding in progress (as of 2026-05-08)
  • Billing model: [unverified] — no contract or rate documented in source files
  • Hours remaining: [unverified] — not documented

Contacts

| Name | Title | Email | Notes |
| --- | --- | --- | --- |
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | |
| Kimberly Ross | Admin | admin@kittlearizona.com | Primary M365 contact per session log |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account: accountant on AD |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Took over Wrex's workstation |
| Howard Enos | MSP Tech (ACG) | | AD account: sysadmin (Domain Admin) |

Known M365 users (licensed):

  • Office 365 E3 (no Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
  • Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner

Infrastructure

Servers

| Hostname | IP | OS | Role | Hardware | Notes |
| --- | --- | --- | --- | --- | --- |
| SERVER | 10.0.0.5 | Windows Server 2025 Standard EVALUATION | Primary DC, DNS, DHCP (unused), File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Syncro asset: SERVER2021 (id 10584015) |

SERVER storage:

| Drive | Label | Size | Notes |
| --- | --- | --- | --- |
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |

[WARNING] Unknown service listening on TCP port 8019 on SERVER. Not a standard Windows/AD port. Likely QuickBooks or ScreenConnect — needs identification (netstat -ano | findstr 8019).

Workstations

| AD Name | OS | Last Logon | Notes |
| --- | --- | --- | --- |
| FRONTDESK | Windows 11 Pro | 2026-03-09 | Front Desk user; Syncro asset id 11122225 |
| ACCOUNTING | Windows 11 Pro for Workstations | 2026-03-09 | accountant role account |
| CHRISTINE-WIN10 | Windows 11 Pro | 2026-03-09 | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | 2026-03-06 | Wrex — now used by Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | 2026-03-11 | User unknown; needs rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |

Known machine-to-user mapping: FRONTDESK = Front Desk, ACCOUNTING = accountant (Darline?), CHRISTINE-WIN10 = Christine, DESKTOP-2560Q7R = Wrex/Joshua. Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) unidentified — require onsite correlation.

Active Directory

  • Domain: kittle.lan (NetBIOS: KITTLE)
  • Domain Admins: Administrator, sysadmin (Computer Guru)
  • Total domain users: 12 (8 regular + sysadmin + QBDataServiceUser34 + joshua.sutherland added 2026-05-08 + Administrator)
  • Total workstations: 7

AD Users:

| SamAccountName | Display Name | Enabled | Notes |
| --- | --- | --- | --- |
| Administrator | Administrator | Yes | Domain Admin |
| alexis | Alexis | Yes | |
| Marco | Marco | Yes | |
| accountant | accountant | Yes | [WARNING] Role-based — should be individual account |
| ken | Ken | Yes | Owner |
| frontdesk | Front Desk | Yes | [WARNING] Role-based — should be individual account |
| lori | Lori | Yes | |
| wrex | Wrex | Yes | [WARNING] Wrex's PC now used by Joshua |
| sysadmin | Computer Guru | Yes | MSP Domain Admin |
| QBDataServiceUser34 | QuickBooks service | Yes | Service account |
| joshua.sutherland | Joshua Sutherland | Yes | Created 2026-05-08; UPN joshua.sutherland@kittle.lan, email joshua@kittlearizona.com |

File Shares

| Share | Path | Notes |
| --- | --- | --- |
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON | (default) | AD logon scripts |
| SYSVOL | (default) | Group Policy |

Installed Software (SERVER)

| Software | Notes |
| --- | --- |
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to workstation |
| ScreenConnect | Remote access agent |

Backup

[WARNING] NO BACKUP EXISTS. No Windows Server Backup, no third-party agent, no cloud backup. If SERVER fails, AD, DNS, file shares, and QuickBooks data are permanently lost. SERVER is the only domain controller.

Antivirus / EDR

(not documented) — no AV/EDR product deployed or documented.


Network

Topology

  • Subnet: Single flat 10.0.0.0/24 — no VLANs, no segmentation
  • Gateway: 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
  • Switch: UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
  • ~31 devices observed on network via ARP — most unidentified (phones, printers, APs, workstations)

Key device IPs:

| Device | IP | Notes |
| --- | --- | --- |
| ISP Router | 10.0.0.1 | Gateway, DHCP, only perimeter device |
| SERVER (DC) | 10.0.0.5 | Static |
| UniFi Switch | 10.0.0.122 | Should have DHCP reservation |

Firewall

[WARNING] NO dedicated firewall. ISP router at 10.0.0.1 (MAC: 42:0f:c1:f0:e6:43 — randomized/consumer MAC) is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. The firewall.md template is empty — no firewall config has been documented because none exists.

Recommendation: Deploy pfSense (free) or commercial UTM (FortiGate, SonicWall) between ISP router and LAN switch.

VLANs

No VLANs configured. All devices on the same broadcast domain. The vlans.md template exists but is empty — no VLAN segmentation is deployed.

DNS

Internal DNS: Windows DNS on SERVER (10.0.0.5), AD-integrated.

  • Zones: kittle.lan, _msdcs.kittle.lan
  • Forwarder: 10.0.0.1 (ISP router) — single forwarder, no redundancy
  • No reverse lookup zone for 10.0.0.0/24 (PTR lookups fail)

External DNS (kittlearizona.com): Hybrid NSOne + Squarespace nameservers

Nameservers
dns1.p02.nsone.net, dns2.p02.nsone.net, dns3.p02.nsone.net, dns4.p02.nsone.net
ns01.squarespacedns.com, ns02.squarespacedns.com, ns03.squarespacedns.com, ns04.squarespacedns.com

Email DNS records (as of 2026-04-23):

| Record | Status | Value |
| --- | --- | --- |
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |

DKIM/DMARC setup guide: clients/kittle/docs/email/dkim-dmarc-setup.md

DNS registrar: Unknown — needs identification.

DHCP

[WARNING] DHCP runs on the ISP router (10.0.0.1), not on SERVER. The Windows DHCP role is installed on SERVER but has zero scopes configured. Unknown what DNS server is handed out via DHCP — if DHCP hands out ISP DNS instead of 10.0.0.5, AD name resolution may break for domain clients. DHCP range, lease time, and reservations not documented (need ISP router admin access to check).
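
The DNS concern above can be checked from `ipconfig /all` output, which runs in ScreenConnect's default cmd context without the `#!ps` prefix. This is an added example, not part of the client documentation: the sample output is constructed, and the function names are illustrative.

```python
DC_DNS = {"10.0.0.5"}  # SERVER, the only AD DNS server on the page


def dns_servers_by_adapter(ipconfig_text):
    """Map adapter name -> DNS servers listed in `ipconfig /all` output."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]      # e.g. "Ethernet adapter Ethernet"
            adapters[current] = []
            in_dns = False
        elif current and "DNS Servers" in line:
            adapters[current].append(line.split(":", 1)[1].strip())
            in_dns = True
        elif in_dns and line.strip() and ". :" not in line:
            adapters[current].append(line.strip())   # extra server, no label
        else:
            in_dns = False
    return adapters


def misconfigured(ipconfig_text, allowed=DC_DNS):
    """Adapters that give a domain client any resolver other than the DC."""
    return {name: servers
            for name, servers in dns_servers_by_adapter(ipconfig_text).items()
            if servers and not set(servers) <= allowed}


# Constructed `ipconfig /all` excerpts; neither was captured from this site.
GOOD = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
BAD = GOOD.replace("10.0.0.5\n", "10.0.0.1\n" + " " * 39 + "8.8.8.8\n")
```

A mixed list (10.0.0.5 plus a public resolver) is flagged as well, because a client that falls through to the second server cannot resolve kittle.lan.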


Cloud / M365

Tenant

| Field | Value |
| --- | --- |
| Tenant name | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Admin portal | https://admin.microsoft.com |

Licensing (as of 2026-04-28)

| License | Qty | Assigned | Available |
| --- | --- | --- | --- |
| Microsoft 365 Business Standard (SKU: O365_BUSINESS_PREMIUM, skuId: f245ecc8-75af-4f8e-b61f-27d8114de5f3) | 12 | 12 | 0 |
| Office 365 E3 No Teams (skuId: 46c3a859-c90d-40b3-9551-6178a48d5c18) | 4 | 4 | 0 |

ACG sysadmin account is unlicensed.

Exchange Online / Email

  • Mail provider: Microsoft 365 (kittlearizona.com)
  • MX: kittlearizona-com.mail.protection.outlook.com
  • Shared mailboxes, distribution groups, mail flow rules: (not documented)
  • Known Outlook accounts in Syncro notes (plaintext — flagged for vault migration): kittletucson@outlook.com, kittletucson2@outlook.com

Azure

(not documented) — Azure subscription template is empty; no Azure VMs or cloud resources documented.

Entra ID / Hybrid Join

  • Hybrid joined: [unverified] — not documented
  • No Azure AD Connect server documented
  • MFA enforcement status: [unverified]

SharePoint / OneDrive / Teams

(not documented)


GuruRMM

| Field | Value |
| --- | --- |
| Client name | Kittle Design & Construction LLC |
| Client ID | d8b08837-78e0-441e-b824-e0abbf0254ed |
| Client code | KITTLE |
| Site name | Main Office |
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
| Site code | SILVER-HAWK-7639 |
| Site address | 2539 N Balboa Ave #125, Tucson AZ 85705 |
| API key (enrollment) | Vault: clients/kittle/gururmm-site-main.sops.yaml (vault commit 6eb3414) |
| Dashboard | https://rmm.azcomputerguru.com |
| API | https://rmm-api.azcomputerguru.com |

GuruRMM client and site created 2026-05-08 by Howard during Joshua onboarding onsite. Agent deployment was in progress at time of log:

  • SERVER (SERVER2021) — agent install pending/in-progress during onsite
  • Wrex's workstation (DESKTOP-2560Q7R) — agent install pending/in-progress during onsite
  • Enrolled agent IDs and hostnames: (not yet documented — confirm after onsite)

Agent deployment command (ScreenConnect, requires #!ps prefix):

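```powershell
#!ps
# Download the GuruRMM agent installer to a temp path.
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
# Install and enroll the agent; take the enrollment API key from the vault entry listed above.
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key '<key-from-vault>'
```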

Active Projects / Open Items

CRITICAL — Must Resolve

  • Activate Windows Server 2025 full license on SERVER — evaluation expires after 180 days; server shuts down hourly after expiry. Check remaining time: slmgr /dlv
  • Implement backup for SERVER — No backup exists. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi)
  • Migrate credentials from Syncro plaintext to SOPS vault:
    • SERVER admin (administrator / AXman2Z) → clients/kittle/server2021.sops.yaml
    • Outlook accounts (kittletucson@outlook.com, kittletucson2@outlook.com) → vault
    • Strip plaintext from Syncro customer notes after vaulting

HIGH Priority

  • Configure DKIM for kittlearizona.com — Add CNAME selectors in NSOne/Squarespace; enable signing in M365 Defender Portal. Guide: clients/kittle/docs/email/dkim-dmarc-setup.md
  • Add DMARC policy for kittlearizona.com — Start with p=none (monitor), escalate to p=quarantine after 1 week clean
  • Migrate QuickBooks off the domain controller — QB should run on ACCOUNTING workstation; data stays on \\SERVER\QBooks
  • Deploy dedicated firewall — ISP router only; no stateful inspection or content filtering
  • Confirm Joshua Sutherland's onsite setup complete — local admin on Wrex's PC, password changed, GuruRMM agent installed
  • GuruRMM agent enrollment — Confirm agents running on SERVER and Wrex's PC; roll out to FRONTDESK and other endpoints
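
A check for the DKIM and DMARC items above, run against the record values in the Email DNS records table. This is an added example, not part of the client documentation: selector1 and selector2 are the DKIM selector names Microsoft 365 uses, and the CNAME targets and report mailbox are placeholders.

```python
DMARC_STAGES = ("none", "quarantine", "reject")  # rollout order, weakest first


def parse_tags(value):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def audit(domain, records, selectors=("selector1", "selector2")):
    """records maps DNS name -> list of record values; returns findings."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif spf[0].lower().split()[-1] != "-all":
        findings.append("SPF: does not end in -all (hard fail)")
    for sel in selectors:
        if not records.get(f"{sel}._domainkey.{domain}"):
            findings.append(f"DKIM: {sel}._domainkey record missing")
    dmarc = [r for r in records.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
        return findings
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in DMARC_STAGES:
        findings.append(f"DMARC: missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        if "rua" not in tags:
            findings.append("DMARC: p=none without rua= produces no reports")
        findings.append("DMARC: p=none only monitors; next stage is p=quarantine")
    return findings


# Constructed inputs: state the page reports, then DMARC stage 1; <...> are placeholders.
DOMAIN = "kittlearizona.com"
AS_AUDITED = {DOMAIN: ["v=spf1 include:spf.protection.outlook.com -all"]}
STAGE_1 = {
    **AS_AUDITED,
    f"selector1._domainkey.{DOMAIN}": ["<cname-target-1>"],
    f"selector2._domainkey.{DOMAIN}": ["<cname-target-2>"],
    f"_dmarc.{DOMAIN}": ["v=DMARC1; p=none; rua=mailto:<report-mailbox>"],
}
```

`audit(DOMAIN, AS_AUDITED)` returns the two missing DKIM selectors and the missing DMARC record; `audit(DOMAIN, STAGE_1)` returns only the reminder that p=none is a monitoring stage.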

MEDIUM Priority

  • Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5
  • Replace role-based AD accounts (accountant, frontdesk) with individual named accounts
  • Rename 4 workstations with generic DESKTOP-xxx / WINDOWS-xxx names
  • Investigate and identify port 8019 on SERVER
  • Identify unknown DNS registrar for kittlearizona.com
  • Verify what DNS server ISP router hands out via DHCP (critical for AD)
  • Investigate email issue: emails moved to folders reappearing in inbox (suspected Outlook cached mode / OST corruption)
  • Identify M365 mailbox need for Joshua Sutherland (AD creation is separate from M365 licensing)

LOW Priority

  • Create reverse DNS zone for 10.0.0.0/24 (0.0.10.in-addr.arpa)
  • Identify purpose of secondary SERVER volume "Server2 2022_03_31" (~2 TB)
  • Identify 3 unknown workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) — requires onsite correlation
  • Add secondary DNS forwarder on SERVER (8.8.8.8 or 1.1.1.1) for ISP router failure redundancy
  • Enable DNS scavenging to prevent stale records
  • Identify remaining ~20 unknown ARP entries on the network
  • Identify DHCP reservations on ISP router; create proper reservations for SERVER, switch, printers

Key Events / History

| Date | Event |
| --- | --- |
| 2026-04-16 | Standard client directory structure applied by Howard; onboarding started |
| 2026-04-23 | Email DNS audit: SPF confirmed OK, DKIM/DMARC confirmed missing |
| 2026-04-28 | M365 licensing documented: 16 total seats (12 Business Standard + 4 E3), all assigned |
| 2026-03-12 | Server audit: discovered evaluation license, no backup, QB on DC, no firewall, role-based accounts, DHCP on ISP router |
| 2026-03-12 | Fixed HomeFolder GPO drive map action from Replace → Update to stop File Explorer closing on GP refresh |
| 2026-03-20 | Deployed "Intranet Zone - File Server" GPO — adds \\SERVER and \\10.0.0.5 to Local Intranet zone; fixes PDF preview on shares (Oct 2025 security update regression) |
| 2026-03-25 | FRONTDESK: folder view sort order fix — cleared Bags/BagMRU registry, disabled auto folder-type detection, forced Details view via AllFolders shell key |
| 2026-05-08 | Howard onsite: AD user joshua.sutherland created; GuruRMM client + Main Office site created; GuruRMM enrollment key vaulted; agents being deployed to SERVER and Wrex's PC |

Anti-Patterns / Warnings

  • [WARNING] ScreenConnect command runner defaults to cmd context — PowerShell scripts MUST be prefixed with #!ps or they will fail silently. Invoke-WebRequest, ConvertTo-SecureString, etc. all require PowerShell.
  • [WARNING] Do NOT run Add-LocalGroupMember on the DC to add a user to local Administrators — DCs have no local SAM; the command will fail with "Group Administrators was not found." Run this on the target workstation instead.
  • [WARNING] SERVER is the sole domain controller — Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No backup. No failover.
  • [WARNING] QuickBooks Pro 2024 is on the DC — Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at C:\Shares\Home\QBooks.
  • [WARNING] DHCP DNS server unknown — ISP router may be handing out ISP DNS instead of 10.0.0.5. Do not assume domain resolution works correctly for all clients. Test before deploying domain-joined systems.
  • [WARNING] Two Outlook account credentials (kittletucson@outlook.com / kittletucson2@outlook.com) and the SERVER admin password (administrator / AXman2Z) are in Syncro customer notes as plaintext. Migrate to vault and strip from Syncro before any additional access sharing.
  • [WARNING] Wrex's AD account (wrex) is still active but his workstation is now used by Joshua Sutherland. Wrex's account should be reviewed — disable or confirm Wrex is still an employee.
  • [WARNING] Password set during Joshua onboarding (Kota2020!) was set with force-change-at-logon. Confirm Joshua completed the password change; if not, the temp password is known to Howard.
  • [WARNING] DKIM and DMARC are not configured. Domain kittlearizona.com can be trivially spoofed. Emails to strict recipients (Gmail, Google Workspace) may land in spam.
  • [WARNING] GPO drive map action (HomeFolder GPO) — Must stay as Update, not Replace. Changing back to Replace will cause File Explorer to close during GP refresh for users browsing mapped drives.
  • [WARNING] Always use Update (not Replace) for GPO drive maps — Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.