🚧 In migration 2026-05-04: vm-dc-01 is currently moving from the RZ ESXi host to HM Proxmox. Status: DOWN. The Proxmox import is blocked on an ESXi snapshot reference (a -000001.vmdk parent path). User action required in the ESXi web UI: power off, Delete All Snapshots, then re-import (deleting the snapshots consolidates the delta disks into the base .vmdk, so the importer no longer sees a parent reference). The per-VLAN DNS server matrix and the pfSense VM_DC_01 aliases were already switched to 10.100.100.10 during the 2026-05-03 night recovery.
| Property | Value |
|---|---|
| Site | Migrating: RZ → Home (2026-05-03 night) |
| Hypervisor host | ESXi-RZ (current, pre-migration) → VE-IO-01 (target) |
| Role | Sole AD Domain Controller for the xio.bio forest (single-domain forest, mode Windows2016Forest/Windows2016Domain). Holds all five FSMO roles (Schema Master, Domain Naming Master, PDC Emulator, RID Master, Infrastructure Master). Acts as primary DNS for the entire homelab (forwarders 1.1.1.1 / 8.8.8.8 / 8.8.4.4) and reverse-zone authority for 10.10.100.x, 10.50.100.x, 10.100.100.x. Also runs WSUS (catalog/sync server for all Windows clients) and has the ADFS, ADRMS, IIS and Print-Services roles installed but not actively used. Hypervisor: VMware ESXi at the Hetzner RZ. |
| OS | Microsoft Windows Server 2019 Essentials (build 17763) |
| Primary IP | In flight: 10.100.0.10 (RZ, current) → 10.100.100.10 (HM, target per policies/ip-allocation-hm) |
| SSH alias | vm-dc-01 |
| vCPU | 4 (Intel Core i7-8700 passthrough) |
| Memory | 12.0 GiB |
| Storage | 219.5 GB NTFS on C: (130.4 GB free, ~89 GB used) |
| Backup | PBS image-level via the ESXi-side Veeam/PBS pipeline (TBD which one; see P-10). Critical: the AD database (C:\Windows\NTDS\ntds.dit, currently 18 MB) is the keys to the kingdom, and restoring it needs a consistent point-in-time snapshot. Recommend adding a periodic ntdsutil snapshot for granular AD object restore on top of the image-level backup (P-09). |
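The periodic ntdsutil snapshot recommended under P-09, as an added example that is not part of the original runbook: the script takes a VSS-backed snapshot of the volume holding ntds.dit, keeps a bounded number of sets, and registers itself as a daily scheduled task. The task name, schedule and retention count are assumptions; the regexes assume the usual ntdsutil output format.

```powershell
# Added example (not from the original runbook). Creates an AD DS snapshot with
# ntdsutil, prunes old sets and registers a daily task. Snapshots live on the
# DC's own volume and contain every hash in the DIT: protect them like the
# DIT itself, and keep the off-host image-level backup as the real DR copy.
#Requires -RunAsAdministrator
param([switch]$Run)

# ntdsutil is driven through its nested menus; each argument is one menu command.
# "activate instance ntds" selects the live DIT, "create" takes the VSS snapshot,
# the two "quit" return through both menus.
function New-AdDsSnapshot {
    $out = & ntdsutil.exe snapshot "activate instance ntds" create quit quit 2>&1
    $hit = @($out | Where-Object { "$_" -match 'generated successfully' })
    if ($hit.Count -ne 1 -or "$($hit[0])" -notmatch '\{([0-9a-fA-F-]+)\}') {
        throw "ntdsutil did not report a new snapshot set:`n$($out -join "`n")"
    }
    [guid]$Matches[1]
}

# "list all" prints two lines per set: "N: yyyy/MM/dd:HH:mm {guid}" and then a
# volume line; only the first form is parsed (format assumed from typical output).
function Get-AdDsSnapshot {
    & ntdsutil.exe snapshot "list all" quit quit 2>&1 | ForEach-Object {
        if ("$_" -match '^\s*(\d+):\s+(\d{4}/\d{2}/\d{2}:\d{2}:\d{2})\s+\{([0-9a-fA-F-]+)\}') {
            [pscustomobject]@{
                Index = [int]$Matches[1]
                Taken = [datetime]::ParseExact($Matches[2], 'yyyy/MM/dd:HH:mm', $null)
                Set   = [guid]$Matches[3]
            }
        }
    }
}

# Keep the newest $Keep sets. "delete" must follow "list all" in the same ntdsutil
# session; deleting by GUID (brace form, assumed) avoids index shifting between runs.
function Remove-OldAdDsSnapshot {
    param([int]$Keep = 14)
    $old = Get-AdDsSnapshot | Sort-Object Taken -Descending | Select-Object -Skip $Keep
    foreach ($s in $old) {
        & ntdsutil.exe snapshot "list all" "delete $($s.Set.ToString('B'))" quit quit | Out-Null
    }
}

# Daily task running as SYSTEM, which is what ntdsutil needs to talk to the NTDS instance.
function Register-AdDsSnapshotTask {
    param([Parameter(Mandatory)][string]$ScriptPath, [string]$At = '01:30')
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Run"
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD-DS-Snapshot' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

if ($Run) {
    $set = New-AdDsSnapshot
    Remove-OldAdDsSnapshot -Keep 14
    Write-Host "Snapshot set $set created; $(@(Get-AdDsSnapshot).Count) sets retained."
} else {
    # First invocation (elevated, interactive): register the task pointing at this file.
    Register-AdDsSnapshotTask -ScriptPath $PSCommandPath
    Write-Host "Registered task AD-DS-Snapshot; it will run '$PSCommandPath -Run' daily at 01:30."
}
```

Run the script once elevated to register the task; the task then calls it with -Run. To restore an object from a set, mount it (ntdsutil snapshot "list all" "mount N" quit quit), expose the mounted ntds.dit read-only with dsamain on a spare LDAP port, and query it with LDP or Get-ADObject -Server localhost:<port>; unmount afterwards.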
Ethernet0 (VMware vmxnet3): static 10.100.0.10/24, gateway 10.100.0.1

| Property | Value |
|---|---|
| SSH user | Administrator (XIO domain admin; member of Domänen-Admins) |
| SSH key (local) | E:/Workspace/Repositories/Clean Up/.secrets/ssh/blackreset_admin_ed25519 |
| Listening ports (notable) | 53 (DNS), 88 (Kerberos), 135 (RPC), 389 (LDAP), 445 (SMB), 464 (KPasswd), 636 (LDAPS), 3268/3269 (GC), 3389 (RDP), 5985 (WinRM), 22 (SSH, added 2026-04-29), 8530/8531 (WSUS, currently broken) |
| Notes | OpenSSH Server installed by user 2026-04-29. Pubkey in C:\ProgramData\ssh\administrators_authorized_keys (works because xio\Administrator is in Domänen-Admins, which is in local Administrators). Default shell PowerShell. Inventory + cleanup are read-only; destructive ops (FSMO transfer, AD database tampering) explicitly OUT of scope. |
Get-WsusServer fails with a WCF connection error. Likely the IIS app pool or the WSUS database. Repair or decommission depending on whether WSUS is still wanted (alternative: switch all clients to direct Microsoft Update). This was the root cause of VM-SW-03 being unable to install OpenSSH from the FoD catalog (P-04).

xio.bio is NonsecureAndSecure; it should be Secure only (Kerberos-authenticated dynamic update). The current setting allows any LAN host to register or overwrite records (P-07).

blackreset.com resolves only via the public forwarders (1.1.1.1 / 8.8.8.8); internal blackreset.com records would need conditional-forwarder/delegation configuration if the homelab ever adds internal *.blackreset.com records. Also: xio.bio is the AD root but blackreset.com is the public-facing brand; the relationship between the two should be documented.

Dokumente LOKAL, Interne Security, Notepad, Thunderbird, Dokumente Korff, Windows Admin Center, Biometric Login, Video Korff, VLC, 7 Zip, Biometrie, Office 365, WSUS, Musik Korff, Deaktivate Searchbar. Plus 2 GPOs linked but disabled (Logon Script Netzlaufwerk Offline, Ad Removal). Recommend export-then-delete to reduce SYSVOL noise.

Drive Family vs Dokumente Korff), per-user-named GPOs (A.Korff Explizit, Musik Korff, Video Korff, Dokumente Korff) that should be Item-Level-Targeting on group membership, typo (Deaktivate Searchbar → Deactivate), and the StandardUser OU has 15 linked GPOs (high cognitive load when debugging GPO precedence).

VM-SL-40 pointing at 10.100.100.102 while the actual SL-40 is 10.100.100.240; vm-vc-02, VM-VC-01 and vcenter all at 10.100.100.100 are duplicates). Run a Get-DnsServerResourceRecord audit and prune.

0.de.pool.ntp.org) configured via w32tm /config /manualpeerlist:... /syncfromflags:manual /reliable:yes. Otherwise the whole forest can drift.
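A report-only audit for the DNS findings above (P-07 dynamic-update mode, duplicate and wrong A records) and for the PDC emulator time source, as an added example that is not part of the original runbook. It runs on vm-dc-01 in an elevated PowerShell as a domain admin; -Fix applies the corrections. The expected-address map comes from the finding above, the second NTP peer is an assumption.

```powershell
# Added example (not from the original runbook). Report-only by default; -Fix
# sets zones to Secure dynamic update, repairs the listed A records and points
# the PDC emulator at external NTP.
#Requires -Modules DnsServer, ActiveDirectory
[CmdletBinding()]
param([switch]$Fix)

# P-07: every AD-integrated primary zone should accept Kerberos-authenticated (Secure)
# dynamic updates only. NonsecureAndSecure lets any LAN host overwrite records.
function Get-InsecureDynamicUpdateZones {
    Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure'
    }
}

# Group A records by address so several names on one IP (vm-vc-02 / VM-VC-01 / vcenter) surface.
function Get-DuplicateARecords {
    param([Parameter(Mandatory)][string]$ZoneName)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -notin '@', 'DomainDnsZones', 'ForestDnsZones' } |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ IP = $_.Name; Hosts = ($_.Group.HostName | Sort-Object) -join ', ' }
        }
}

# Compare a name -> expected IPv4 map against the zone (VM-SL-40 -> 10.100.100.240 above).
function Compare-ExpectedARecords {
    param([Parameter(Mandatory)][string]$ZoneName, [Parameter(Mandatory)][hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $rr     = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
        $actual = @($rr | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
        $state  = if ($actual.Count -eq 0) { 'missing' }
                  elseif ($actual.Count -eq 1 -and $actual[0] -eq $Expected[$name]) { 'ok' }
                  else { 'mismatch' }
        [pscustomobject]@{ Name = $name; Expected = $Expected[$name]; Actual = ($actual -join ','); State = $state }
    }
}

# Remove every wrong address for the name, then add the expected one if it is absent.
function Repair-ARecord {
    param([string]$ZoneName, [string]$Name, [string]$ExpectedIP)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $ExpectedIP } |
        ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $ZoneName -InputObject $_ -Force }
    if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $Name -IPv4Address $ExpectedIP
    }
}

# The PDC emulator is the forest's root time source; if it sits on the local CMOS clock
# (typical after a hypervisor move) every other member drifts with it.
function Test-PdcTimeSource {
    $pdc   = (Get-ADDomain).PDCEmulator
    $isPdc = $pdc -ieq ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $src   = ((& w32tm.exe /query /source) -join '').Trim()
    [pscustomobject]@{
        IsPdc  = $isPdc
        Source = $src
        Ok     = (-not $isPdc) -or ($src -notmatch 'Local CMOS Clock|Free-running System Clock')
    }
}

$expected = @{ 'VM-SL-40' = '10.100.100.240' }   # from the finding above

Write-Host '== Zones not restricted to Secure dynamic update =='
Get-InsecureDynamicUpdateZones | Format-Table ZoneName, DynamicUpdate -AutoSize
Write-Host '== Duplicate A records in xio.bio =='
Get-DuplicateARecords -ZoneName 'xio.bio' | Format-Table -AutoSize
Write-Host '== Expected vs actual A records =='
Compare-ExpectedARecords -ZoneName 'xio.bio' -Expected $expected | Format-Table -AutoSize
Write-Host '== PDC time source =='
Test-PdcTimeSource | Format-List

if ($Fix) {
    Get-InsecureDynamicUpdateZones | ForEach-Object { Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure }
    foreach ($e in Compare-ExpectedARecords -ZoneName 'xio.bio' -Expected $expected | Where-Object State -eq 'mismatch') {
        Repair-ARecord -ZoneName 'xio.bio' -Name $e.Name -ExpectedIP $e.Expected
    }
    $t = Test-PdcTimeSource
    if ($t.IsPdc -and -not $t.Ok) {
        # 0.de.pool.ntp.org is the peer named on this page; 1.de.pool.ntp.org is an assumption.
        # 0x8 = client mode; /reliable:yes advertises this DC as a reliable time source to the domain.
        & w32tm.exe /config /manualpeerlist:"0.de.pool.ntp.org,0x8 1.de.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
        & w32tm.exe /resync
    }
}
```

The duplicate-address report is intentionally not auto-pruned: several names on one IP can be legitimate aliases, so it stays a review list, while the expected map only repairs names whose correct address is known. Run without -Fix first and compare against the per-VLAN DNS matrix before applying.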