Work

Engagement areas, featured case studies, and the small utilities that support the day-to-day. A snapshot of what SD Tech Solutions ships and how.

Portfolio

Engagements that ran the full stack — from running cable and provisioning firewalls to standing up clustered VMs, custom apps, and on-prem private LLMs. A snapshot of the kinds of problems SD Tech Solutions actually solves.

M365 & SharePoint Migrations

On-prem file shares migrated cleanly to SharePoint Online with verified integrity, rebuilt permissions, and a real information architecture.

  • SharePoint Online architectures: hub sites, site collections, libraries, and permissions that map to how teams actually work.
  • SPMT-driven migrations of file servers (300 GB+ shares) with PowerShell-based source-vs-destination verification until 100% match.
  • Rebuilt least-privilege permission models — Payroll-style sensitive groups separated cleanly from the broader Accounting access.
  • Power Automate flows for approvals, document routing, retention, and notifications across departments.
  • Hybrid bridges (Azure VMs, file gateways, AD Connect) so legacy workloads keep running while content migrates.
  • Documentation and runbooks the in-house team can keep using long after the engagement ends.
M365 & Cloud

Acquisition Relocation & P2P Backhaul

Brought an acquired site online on short notice with no usable documentation and no internet — a wireless P2P bridge first, then everything else.

  • Established a TP-Link CPE710 wireless point-to-point bridge between the main office and the new site to bootstrap connectivity.
  • Replaced the legacy firewall with pfSense, restored secure perimeter rules, and stood up VPN access for admins on day one.
  • Brought file servers, the primary Windows server, and the foundational backup paths online before close of business.
  • Reverse-engineered the inherited environment: network topology, domain trusts, security dependencies, and parts of the email flow.
  • Used local AI in the terminal workflow as a force multiplier — privacy-safe, offline, and integrated into the troubleshooting loop.
  • Delivered a documented, supportable environment instead of a surviving-by-luck one.
Field Ops & Networking

Zero-Trust VPN & Hardening

WireGuard hub-and-spoke, locked-down firewalls, mandatory MFA, and monitoring designed for admins who actually want to sleep at night.

  • WireGuard hub-and-spoke VPNs for remote staff, branch offices, and admin access — public services off the open internet.
  • SSH and SMB tunneled over VPN instead of left exposed; dedicated bastion-style access for admin work.
  • Hardware firewall designs (WatchGuard, SonicWall, pfSense) with packet filtering, ACLs, geo / category blocks, and IDS/IPS where appropriate.
  • Mandatory MFA — Microsoft Authenticator, Duo, hardware tokens — across VPN, RDP, admin tools, and cloud sign-ins.
  • Centralized identity through AD DS / Entra ID with conditional access and Tier-0 separation for admin accounts.
  • Logging from firewall, AD, VPN, and SaaS into a single dashboard so anomalies surface fast.
Network & Security

Self-Hosted Service Desk & KB

A lightweight osTicket portal on a LAMP stack and repurposed hardware — a strong knowledge base, AD-backed sign-in, and zero SaaS bills.

  • Deployed on a repurposed workstation running Ubuntu Server with Apache, MySQL/MariaDB, and PHP.
  • osTicket as the core ticketing platform — tuned for a small office under 40 users, not bloated with enterprise features.
  • OAuth / SSO for the org's AD DS identities (osTicket's OAuth2 plugin against Entra ID or ADFS, or its LDAP plugin straight to AD DS, since AD DS itself only speaks LDAP/Kerberos) so users sign in with existing credentials and admins manage one identity surface.
  • Email piping, auto-responses, priorities, and SLAs aligned to internal workflows and KPIs.
  • A prominent self-help knowledge base with curated categories, canned responses, and "how-to" content to deflect repeat tickets.
  • Backups to the existing backup server, plus customization room as the team grows — fully CAPEX, no SaaS lock-in.
ITSM & CAPEX-First

Private On-Prem LLM

A single GPU server running a private LLM for the whole company — replacing dozens of $200/seat AI subscriptions with full data sovereignty.

  • Spec'd and built a dedicated GPU server (consumer or workstation-class) sized to the model and concurrency the team actually needed.
  • Ran open-weight models via Ollama / llama.cpp / vLLM behind a hardened reverse proxy with auth tied into the existing identity provider.
  • Retrieval-augmented assistants pointed at SharePoint libraries, file shares, ticket history, and internal docs — answers grounded in real company data.
  • Cost flip: a one-time CAPEX server beat ongoing per-seat SaaS AI spend within months for a 30+ user org — and kept all prompts on-prem.
  • Agentic workflows — Claude Code, MCP servers, custom orchestrators — wired into ops, code, and back-office tasks. Note that Claude Code itself calls Anthropic's hosted API, so it sits outside the on-prem data boundary and is scoped separately from the private model.
  • Audit logging, rate limits, and policy controls so AI use is observable and aligned with the rest of the security stack.
AI & Data Sovereignty

Custom SaaS & ERP / CRM Integration

Bespoke web apps and SaaS-style products that talk to the ERP and CRM you already run — turning siloed data into useful workflows.

  • Custom web apps and internal tools built on PHP / LAMP, Python, and Node — chosen for fit, sized for actual user counts.
  • SaaS-style products with auth, per-tenant data isolation, billing hooks, and admin surfaces, hosted on-prem or in cloud.
  • ERP and CRM integration: Dynamics, Salesforce, SharePoint, Power Platform, plus self-hosted suites — wired together via APIs and queues.
  • Database design and operations across MySQL/MariaDB, PostgreSQL, and MSSQL with backups, point-in-time recovery, and migration discipline.
  • Custom dashboards, internal tools, and approval workflows that replace spreadsheet-based processes for finance, ops, and HR teams.
  • Reverse-proxy designs (nginx, Cloudflare) plus hardened TLS, CSP, and audit logging by default.
Apps & Integrations

Projects

Real engagements where infrastructure, security, and a bit of automation came together to deliver something practical.

SharePoint Online migration

Migrated on-prem Windows file shares to SharePoint Online with SPMT — plus the planning, scripting, auditing, and permission modeling that an SPMT run alone doesn’t cover.

“SPMT is the duct tape — useful, but not the whole dam.”

I recently migrated on-premises Windows Server file shares to SharePoint Online using the SharePoint Migration Tool (SPMT). Great tool, but it’s not the whole job.

What it really took

  • Backups first. Redundant copies (server, cloud, offline) so rollback was always an option.
  • Trust, then verify. Large shares (300 GB+) sometimes reported “Success” while skipping files. I wrote PowerShell checks to compare source vs. destination, re-upload misses, and re-check until 100% matched.
  • Least-privilege by design. Department groups, granular permissions, and GPO alignment. Example: Payroll staff can reach everything in Accounting, but Accounting staff get no access to Payroll (Payroll → all Accounting; Accounting ≠ Payroll).
  • Real information architecture. Decide what the hub is for (company portal, internal tools, or both). Sites vs. pages: create a separate site wherever ownership or the security boundary changes, and use pages for content within it. Findability: clear navigation, consistent naming, and streamlined libraries.
  • Automation that sticks. Power Automate for approvals, notifications, and lifecycle tasks; scripts for repeatable checks and post-migration cleanups.
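The source-vs-destination check described above, as an added example rather than the script used on the engagement: it indexes the on-prem share and the SharePoint library by relative path, re-uploads anything missing, and loops until the two match or a pass limit is hit. It assumes the PnP.PowerShell module and an Entra app registration for Connect-PnPOnline (-ClientId is required in PnP.PowerShell 2.x); the share, site, library and client ID values are placeholders.

```powershell
# Added example (not the page's own script): post-SPMT source-vs-destination
# verification loop. Assumes PnP.PowerShell and an Entra app registration for
# Connect-PnPOnline; the share, site, library and ClientId below are placeholders.
param(
    [string]$Source   = '\\fileserver\Finance',                       # on-prem share (placeholder)
    [string]$SiteUrl  = 'https://contoso.sharepoint.com/sites/Finance', # placeholder
    [string]$Library  = 'Documents',                                  # library display name
    [string]$ClientId = '00000000-0000-0000-0000-000000000000',       # your app registration
    [int]$MaxPasses   = 5
)

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# Server-relative root of the library (e.g. /sites/Finance/Shared Documents) and its
# site-relative form, which Resolve-PnPFolder and Add-PnPFile expect.
$root       = (Get-PnPList -Identity $Library -Includes RootFolder).RootFolder.ServerRelativeUrl
$webRel     = (Get-PnPWeb).ServerRelativeUrl
$libSiteRel = $root.Substring($webRel.Length).TrimStart('/')

function Get-SourceIndex {
    # relative path with forward slashes -> size in bytes (@{} keys are case-insensitive)
    $idx = @{}
    Get-ChildItem -LiteralPath $Source -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($Source.Length).TrimStart('\').Replace('\', '/')
        $idx[$rel] = [long]$_.Length
    }
    $idx
}

function Get-DestinationIndex {
    # Same shape as the source index, built from the library's file items
    $idx = @{}
    $items = Get-PnPListItem -List $Library -PageSize 2000 -Fields 'FileRef', 'File_x0020_Size', 'FSObjType'
    foreach ($item in $items) {
        if ([int]$item['FSObjType'] -ne 0) { continue }     # FSObjType 1 = folder
        $ref = [string]$item['FileRef']
        if (-not $ref.StartsWith("$root/", [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        $idx[$ref.Substring($root.Length + 1)] = [long]$item['File_x0020_Size']
    }
    $idx
}

$source = Get-SourceIndex
for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    $dest     = Get-DestinationIndex
    $missing  = @($source.Keys | Where-Object { -not $dest.ContainsKey($_) })
    $sizeDiff = @($source.Keys | Where-Object { $dest.ContainsKey($_) -and $dest[$_] -ne $source[$_] })
    "Pass ${pass}: source=$($source.Count) destination=$($dest.Count) missing=$($missing.Count) sizeMismatch=$($sizeDiff.Count)"
    if ($missing.Count -eq 0) { break }

    # Re-upload only the misses. Add-PnPFile overwrites an existing file of the same name.
    foreach ($rel in $missing) {
        $local  = Join-Path $Source ($rel.Replace('/', '\'))
        $slash  = $rel.LastIndexOf('/')
        $folder = if ($slash -ge 0) { "$libSiteRel/$($rel.Substring(0, $slash))" } else { $libSiteRel }
        try {
            Resolve-PnPFolder -SiteRelativePath $folder | Out-Null   # creates the folder chain if absent
            Add-PnPFile -Path $local -Folder $folder | Out-Null
        } catch { Write-Warning "Upload failed for ${rel}: $($_.Exception.Message)" }
    }
}

# Anything still missing is usually a name SPMT rewrote (illegal characters, path length)
# or a locked file; that needs a rename map, not another blind pass.
$missing  | Sort-Object | Set-Content .\still-missing.txt
# Size differences on Office files are often document property promotion rather than
# data loss, but review them before signing off.
$sizeDiff | Sort-Object | Set-Content .\size-mismatch.txt
if ($missing.Count -eq 0 -and $sizeDiff.Count -eq 0) { 'Verified: 100% match' }
```

Run it with the account that performed the SPMT migration so re-uploads land with the same ownership, and keep the two report files with the migration record: the "missing" list is the evidence for any file you had to rename or hand-copy, and the size report is what you show the data owner before declaring the share retired.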

Takeaway: Migration isn’t “run a tool.” It’s planning, scripting, auditing, and permission modeling — so content ends up complete, secure, and usable.
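The Payroll/Accounting permission model from the list above, as an added example rather than the engagement's own script: it breaks inheritance on both libraries, grants Accounting to both departments and Payroll to Payroll only, then reads the resulting ACL back and fails if Accounting shows up on Payroll. It assumes PnP.PowerShell with an open Connect-PnPOnline session; the library, group and account names are placeholders.

```powershell
# Added example (not the page's own script): enforce "Payroll sees all of
# Accounting; Accounting cannot see Payroll" on two document libraries.
# Assumes an existing PnP.PowerShell session; names below are placeholders.
$AccountingLib = 'Accounting'
$PayrollLib    = 'Payroll'
$AccountingGrp = 'Accounting Members'
$PayrollGrp    = 'Payroll Members'
$Owners        = (Get-PnPGroup -AssociatedOwnerGroup).Title   # site owners keep Full Control

# Department SharePoint groups; members come from the AD-synced accounts (placeholders here)
foreach ($g in $AccountingGrp, $PayrollGrp) {
    if (-not (Get-PnPGroup -Identity $g -ErrorAction SilentlyContinue)) { New-PnPGroup -Title $g | Out-Null }
}
Add-PnPGroupMember -Identity $AccountingGrp -LoginName 'ap.clerk@contoso.com'     # placeholder
Add-PnPGroupMember -Identity $PayrollGrp    -LoginName 'payroll.lead@contoso.com' # placeholder

# Stop inheriting the site's permissions on both libraries and start from an empty ACL.
# -ClearSubscopes also wipes any folder-level exceptions that crept in during migration.
foreach ($lib in $AccountingLib, $PayrollLib) {
    Set-PnPList -Identity $lib -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes
    Set-PnPListPermission -Identity $lib -Group $Owners -AddRole 'Full Control'
}
# Accounting library: both departments. Payroll library: Payroll only.
Set-PnPListPermission -Identity $AccountingLib -Group $AccountingGrp -AddRole 'Contribute'
Set-PnPListPermission -Identity $AccountingLib -Group $PayrollGrp    -AddRole 'Contribute'
Set-PnPListPermission -Identity $PayrollLib    -Group $PayrollGrp    -AddRole 'Contribute'

function Get-LibraryAcl([string]$ListTitle) {
    # Effective role assignments on the library, one row per principal
    $list = Get-PnPList -Identity $ListTitle -Includes RoleAssignments
    foreach ($ra in $list.RoleAssignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        [pscustomobject]@{
            Library   = $ListTitle
            Principal = $member.Title
            Roles     = ($roles | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

$acl = @(Get-LibraryAcl $AccountingLib) + @(Get-LibraryAcl $PayrollLib)
$acl | Format-Table -AutoSize
# Hard check: Accounting must not appear anywhere on the Payroll library.
if ($acl | Where-Object { $_.Library -eq $PayrollLib -and $_.Principal -eq $AccountingGrp }) {
    throw "Accounting group still has access to $PayrollLib"
}
```

Two things the ACL table will not show: site collection administrators always have access regardless of library permissions, and sharing links are a separate path into a library, so turn off member sharing on the Payroll library (or restrict it to owners) as part of the same change.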

SharePoint • PowerShell • Power Automate

Self-hosted IT ticketing & KB

A lightweight, self-hosted IT ticketing portal with a strong knowledge base, built on repurposed hardware for a small office that didn’t need an enterprise SaaS suite.

The goal was a simple, reliable, cost-effective ticketing system for a small organization — track tickets, store everything cleanly, and push users toward self-help via a dedicated knowledge base.

Why self-hosted

  • CAPEX over OPEX. One-time capital expense, no ongoing SaaS subscription. Full ownership of the infrastructure.
  • Simplicity. Fewer than 40 office users — Jira Service Management would have been overkill. They needed something fast, intuitive, and not bloated.

The setup

  • Repurposed workstation running Ubuntu Server.
  • LAMP stack (Apache, MySQL/MariaDB, PHP).
  • osTicket as the core open-source ticketing platform.
  • OAuth authentication tied into the org’s AD DS environment (OAuth terminates at the identity provider in front of AD DS, such as Entra ID or ADFS; AD DS itself exposes LDAP/Kerberos).
  • Automated email notifications and ticket priorities aligned to internal workflows.
  • Regular backups to the existing backup server.
  • UI customization that makes the knowledge base prominent and the interface friendlier for non-technical staff.

Result

  • Fully self-hosted and extremely cost-efficient.
  • Straightforward for employees to use.
  • Reliable for tracking and storing ticket history.
  • Structured around a strong self-help knowledge base.
  • Flexible enough to grow or be customized over time.
  • Free from SaaS lock-in or recurring charges.

Reliable, predictable, easy to maintain — exactly what a small environment actually needs.

LAMP • osTicket • AD DS / OAuth

Acquisition relocation & local AI

Short-notice relocation of an acquired business’s core infrastructure with no documentation and no internet at the destination — using a wireless bridge, pfSense, and locally hosted AI as a force multiplier.

Following a recent acquisition, I was given short notice to relocate and bring online the core infrastructure of the acquired business. There was little usable documentation of the existing environment, and the destination site had no internet connectivity.

Day one

  • Established a point-to-point wireless bridge using two TP-Link CPE710 units to extend connectivity from the main office to the new site — giving me the network path I needed before anything else.
  • Brought the file server online.
  • Made the primary Windows server operational.
  • Replaced the legacy firewall with pfSense.
  • Laid the foundation for backup, VPN, and remote access.
  • In parallel, reverse-engineered the inherited environment — network structure, security dependencies, and parts of the email flow.

Local AI as a force multiplier

One of the most effective tools on this project was local AI running entirely on internal machines. In a time-sensitive and privacy-sensitive environment, locally hosted models integrated into my terminal workflow helped me validate configurations, reason through dependencies, refine command execution, and reduce context switching during troubleshooting. They didn’t replace engineering judgement; they accelerated it.

Why it mattered

Projects like this are a reminder that systems administration is not just about maintaining stable environments — it’s also about solving problems under pressure, working through incomplete information, and delivering reliable outcomes quickly. Local AI is becoming a practical addition to the infrastructure toolkit, especially where privacy, speed, and operational control matter.

pfSense • Wireless bridge • Local AI

Tools

Small utilities to support hands-on infrastructure, networking, and Linux skills.

Practice Terminal (sandboxed)

Safe lab terminal for basic Linux commands. All output is simulated in the browser; nothing is executed on the server.

Open practice terminal →

More tools coming soon

Room for future helpers: port checkers, DNS lookups, log parsers, and other small “ops-sidekick” utilities.

Book a free audit →