The environment is functional but fragile. While core services are currently operational, several critical gaps in backup immutability, identity synchronization, and lifecycle management represent significant risks to business continuity.
Critical Risks
Drift Status: MODERATE
Recovery Readiness: LOW
VMs / Workloads: 48
Hypervisor: 3 ESXi 6.7/7.0 hosts
Cloud: 1 Azure subscription (East US 2)
Backup: Veeam Backup & Replication v12
Identity: Active Directory (2 DCs, single forest)
Storage: Dell PowerStore 500T (iSCSI)
Tier assignments are based on business-impact analysis conducted during intake. A dependency diagram is included in the full client report.
| Area | Tier | Finding | Risk | Recommendation | Evidence |
|---|---|---|---|---|---|
| Backup & Recovery | Tier-1 | Backup immutability is not enforced on primary repository. | Critical | Enable S3 Object Lock or hardened Linux repository for immutable storage. | Veeam B&R Console → Backup Infrastructure → Repositories (screenshot 2025-01-12) |
| Identity | Tier-1 | Domain Controller time drift exceeding 5 minutes (NTP skew). | Critical | Re-sync PDC Emulator to reliable external stratum-1 source. | w32tm /monitor output on DC01 (log capture 2025-01-11) |
| Virtualization | Tier-1 | vSphere 6.7 hosts remaining in production (End of General Support). | High | Accelerate hardware refresh or migrate to vSphere 8.0. | vCenter Inventory → Hosts & Clusters view (screenshot 2025-01-10) |
| Azure Foundation | Tier-2 | Missing Resource Locks on 'Production-Core' networking resources. | Medium | Apply 'CanNotDelete' locks to critical VNets and Gateways. | Azure Portal → Resource Group → Locks blade (screenshot 2025-01-12) |
| Storage | Tier-2 | SAN firmware is 3 versions behind manufacturer baseline. | Medium | Schedule rolling controller updates during next maintenance window. | Dell PowerStore Manager → System → Software (screenshot 2025-01-09) |
| Documentation | Tier-3 | Site Recovery Plan (SRP) has not been tested in >12 months. | Medium | Execute a non-disruptive DR drill for Tier-1 applications. | SRP document revision history — last update 2023-11-14 (PDF metadata) |
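A defender-side check for the Tier-1 NTP finding above, written for this page as an added example (it is not part of the client report, Veeam, or any Microsoft tool): it parses the text of `w32tm /monitor` as captured on a DC and flags any controller whose offset from its reference exceeds the 300-second Kerberos tolerance, or that did not answer at all. The sample output, host names and addresses are constructed placeholders.

```python
import re

# Kerberos rejects tickets once clocks differ by more than 5 minutes (default tolerance).
MAX_SKEW_SECONDS = 300.0

# Constructed sample of `w32tm /monitor` output; hosts and addresses are placeholders,
# not the log capture referenced in the report.
SAMPLE_MONITOR_OUTPUT = """\
dc01.corp.example *** PDC ***[10.0.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.corp.example
        RefID: time.windows.com [13.86.101.172]
        Stratum: 3
dc02.corp.example[10.0.0.11:123]:
    ICMP: 1ms delay
    NTP: +327.5123456s offset from dc01.corp.example
        RefID: dc01.corp.example [10.0.0.10]
        Stratum: 4
dc03.corp.example[10.0.0.12:123]:
    ICMP: error ERROR_TIMEOUT - no response from server in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
"""

HOST_RE = re.compile(r"^(\S+?)(?:\s*\*\*\* PDC \*\*\*)?\[[^\]]+\]:\s*$")
OFFSET_RE = re.compile(r"^\s+NTP:\s+([+-]\d+\.\d+)s offset from (\S+)")
ERROR_RE = re.compile(r"^\s+NTP:\s+error\s+(\S+)")

def parse_monitor(text):
    """Return {host: offset_seconds} from w32tm /monitor text; None marks an unreachable DC."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                      # header line starts a new DC block
            host = m.group(1)
            continue
        if host is None:           # ignore anything before the first DC block
            continue
        m = OFFSET_RE.match(line)
        if m:
            results[host] = float(m.group(1))
            continue
        if ERROR_RE.match(line):
            results[host] = None
    return results

def assess_skew(offsets, max_skew=MAX_SKEW_SECONDS):
    """Classify each DC as 'unreachable', 'skewed' (beyond Kerberos tolerance) or 'ok'."""
    return {host: "unreachable" if off is None else "skewed" if abs(off) > max_skew else "ok"
            for host, off in offsets.items()}
```

Feed it the real `w32tm /monitor` text from the PDC Emulator; any DC reported as "skewed" reproduces the finding, and the same run after the re-sync is the verification evidence the roadmap item asks for.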
| System | Tier | Last Restore Test | Result | Runbook Current | Notes |
|---|---|---|---|---|---|
| AD Domain Controllers | Tier-1 | 2024-09-15 | Bare-metal restore to isolated VLAN verified. | ||
| SQL Production Cluster | Tier-1 | 2024-06-22 | Database integrity check passed. Runbook references deprecated SAN. | ||
| File Server (DFS) | Tier-2 | Never | — | No documented restore procedure exists. | |
| Azure App Services | Tier-2 | 2025-01-05 | Deployment slot swap verified; geo-failover untested. | ||
| Legacy ERP (VM) | Tier-1 | 2023-11-02 | Restore boot failed — missing SCSI driver in backup image. | | |
Recovery evidence is verified against actual restore job logs and operator confirmation. Systems marked “untested” have no documented restore attempt on record.
| Timeframe | Action | Reversibility |
|---|---|---|
| Immediate | Fix NTP skew and verify identity synchronization. | Non-destructive; previous NTP source can be restored. |
| Q1 | Implement immutable backup tier for ransomware protection. | Additive change; existing repositories remain untouched. |
| Q1 | Decommission or upgrade vSphere 6.7 legacy hosts. | Requires maintenance window. VMs can be migrated back if needed. |
| Q2 | Execute full DR test and update recovery runbooks. | Non-disruptive drill in isolated network; production unaffected. |
Stop guessing about drift and recovery. Get a fixed-scope Health Check that provides evidence, not just opinions.
Primary Operator
[Redacted] — sole administrator for vSphere and Veeam. On-call rotation is informal.
Escalation Path
No documented escalation matrix. Hardware issues go directly to Dell ProSupport; Azure issues default to Microsoft Premier.
Tribal Knowledge Risk
Firewall rules on the Fortigate were last modified by a former contractor. No change log exists. Current operator inherited the configuration.
Credential Management
Service accounts use shared credentials stored in a local KeePass file on the admin workstation. No PAM or vault solution in place.
Full handoff documentation includes credential inventory, vendor contact list, and infrastructure decision log. Provided to client in the finalized report package.