docs: add Variables tables and Troubleshooting sections to Part 3 On-Prem Readiness

- Phase 01 (AD): Added Variables from variables.yml tables to all 5 tasks
- Phase 01 task-01: Added Troubleshooting section (4 common issues)
- Phase 02: Added Variables tables to tasks 01-03
- Phase 02 task-01: Added Troubleshooting section (4 hardware issues)
- Phase 03: Added Variables tables to all 4 tasks
- Phase 03 task-02: Added Troubleshooting section (5 switch config issues)
- Phase 03 task-03: Added Troubleshooting section (4 firewall issues)

Part of implementation standardization - aligning all task pages to canonical format.

Author: Kristopher Turner

docs/implementation/03-onprem-readiness/phase-01-active-directory/task-01-ou-creation-pre-creation-artifacts.mdx

@@ -54,6 +54,21 @@ AD structure should be defined during the [planning phase](../../../planning/).
 
 ---
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|--------------|------|-------------|
+| `identity.active_directory.ad_clusters_ou_path` | string | OU path for Azure Local cluster computer objects |
+| `identity.active_directory.ad_domain_fqdn` | string | Active Directory domain FQDN |
+| `identity.accounts.account_lcm_username` | string | Lifecycle Manager deployment account username |
+| `identity.accounts.account_lcm_password` | string | LCM account password (keyvault:// URI) |
+| `platform.kv_platform_name` | string | Key Vault name for secret retrieval |
+| `azure_vms.dc01.resource_group` | string | Resource group of the domain controller VM |
+| `azure_vms.dc01.name` | string | Domain controller VM name (for AzVM execution) |
+| `azure_vms.dc01.hostname` | string | Domain controller hostname (for Arc execution) |
+
+---
+
 ## Execution
 
 <Tabs groupId="deployment-method">
@@ -649,6 +664,17 @@ if (-not $SkipCleanup) {
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| `New-ADOrganizationalUnit` fails with access denied | Insufficient permissions to create OUs | Run as Domain Admin or delegate OU creation rights on the parent container |
+| KDS Root Key not effective immediately | Key needs 10-hour replication delay | Use `-EffectiveImmediately` in lab or wait 10 hours in production |
+| AsHciADArtifactsPreCreationTool module not found | Module not installed or wrong PS version | Install via `Install-Module AsHciADArtifactsPreCreationTool` on PowerShell 5.1+ |
+| LCM user creation fails with duplicate | Account already exists from prior attempt | Verify existing account properties match requirements or remove and recreate |
+
+---
+
 ## Next Steps
 
 Proceed to [Task 2 - Security Groups](./task-02-security-groups.mdx) to create optional security groups.

docs/implementation/03-onprem-readiness/phase-01-active-directory/task-02-security-groups.mdx

@@ -54,6 +54,18 @@ The active directory information in these documents should have been decided in
 - Domain admin access for group creation
 - Understanding of group scope and security requirements
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|--------------|------|-------------|
+| `identity.active_directory.ad_security_groups_ou_path` | string | OU path for security group creation |
+| `identity.active_directory.security_groups.org_prefix` | string | Organization prefix for group naming |
+| `identity.active_directory.security_groups.cluster_id` | string | Cluster identifier for group naming |
+| `identity.active_directory.security_groups.<key>.name` | string | Full security group name per role |
+| `identity.active_directory.security_groups.<key>.description` | string | Security group description |
+
+---
+
 ## Security Group Model
 
 Group names follow the convention `SG-{org_prefix}-{cluster_id}-AZL-{role}`, built dynamically from two fields in `active_directory.security_groups` in `variables.yml`. The `cluster_id` suffix makes groups unique per cluster in the same domain.

docs/implementation/03-onprem-readiness/phase-01-active-directory/task-03-dns-node-a-records.mdx

@@ -54,6 +54,16 @@ The active directory information in these documents should have been decided in
 - Node hostnames and management IP addresses
 - Authoritative DNS server permissions
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|--------------|------|-------------|
+| `identity.active_directory.domain.fqdn` | string | DNS zone name (AD domain FQDN) |
+| `cluster_arm_deployment.arc_node_resource_ids` | list | Node resource IDs (hostnames extracted) |
+| `cluster_arm_deployment.starting_ip` | string | Starting management IP for node A records |
+
+---
+
 ## DNS Record Creation
 
 Pre-create forward lookup A records for each Azure Local node hostname. Do NOT create cluster name (CNO) or virtual client access name (VCO) records now—those are generated later by the failover cluster process.

docs/implementation/03-onprem-readiness/phase-01-active-directory/task-04-service-admin-accounts.mdx

@@ -56,6 +56,17 @@ The active directory information in these documents should have been decided in
 - Domain admin access for account creation
 - Secure password storage solution (vault)
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|--------------|------|-------------|
+| `identity.active_directory.ad_service_accounts_ou_path` | string | OU path for service account creation |
+| `identity.active_directory.ad_security_groups_ou_path` | string | OU path for gMSA readers group |
+| `identity.accounts.account_lcm_username` | string | LCM account name (cluster ID extracted) |
+| `platform.kv_platform_name` | string | Key Vault name for break-glass password storage |
+
+---
+
 ## Account Creation
 
 Lifecycle Manager (LCM) user created in Step 1. Add break‑glass admin and optional gMSA scaffold.

docs/implementation/03-onprem-readiness/phase-01-active-directory/task-05-group-assignments.mdx

@@ -52,6 +52,17 @@ The active directory information in these documents should have been decided in
 - Service and admin accounts created (Step 4)
 - Domain admin access for group management
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|--------------|------|-------------|
+| `identity.accounts.account_lcm_username` | string | LCM account name (cluster ID extracted for group lookup) |
+| `identity.active_directory.security_groups` | object | Full security groups configuration object |
+| `identity.active_directory.security_groups.<key>.name` | string | Security group name per role |
+| `identity.active_directory.security_groups.<key>.members` | string | Members to assign to each group |
+
+---
+
 ## Procedures
 
 <Tabs groupId="deployment-method">

docs/implementation/03-onprem-readiness/phase-02-enterprise-readiness/task-01-hardware-inspection.mdx

@@ -40,6 +40,19 @@ Perform visual inspection of all physical infrastructure to verify installation
 
 ---
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|---|---|---|
+| `compute.nodes[]` | Array | Node hostnames, management IPs, iDRAC IPs, MAC addresses |
+| `compute.nodes[].hostname` | String | Server hostname for label verification |
+| `compute.nodes[].idrac_ip` | String | iDRAC IP address for remote management |
+| `networking.network_devices.opengear` | Object | OpenGear console server hostname, IP, model, port mappings |
+| `networking.network_devices.switch_primary` | Object | Primary ToR switch hostname, IP, model |
+| `networking.network_devices.switch_secondary` | Object | Secondary ToR switch hostname, IP, model |
+
+---
+
 ## Execution Options
 
 
@@ -250,6 +263,17 @@ Document any discrepancies found during inspection:
 
 ---
 
+## Troubleshooting
+
+| Issue | Possible Cause | Resolution |
+|---|---|---|
+| Server not powering on | PDU circuit breaker tripped or power cable loose | Verify PDU status lights, reseat power cables, check circuit allocation |
+| iDRAC not accessible | Incorrect IP assignment or VLAN tagging | Verify iDRAC IP matches LLD, confirm OOB VLAN is trunked to management switch |
+| Missing serial port labels | Cable labels not applied during rack installation | Cross-reference OpenGear port mapping document and re-label |
+| Network link LED not lit | SFP+ module not seated or wrong cable type | Reseat SFP+, verify DAC cable type matches switch port requirements |
+
+---
+
 ## Validation
 
 **All checks passed?**

docs/implementation/03-onprem-readiness/phase-02-enterprise-readiness/task-02-network-service-verification.mdx

@@ -56,6 +56,18 @@ Azure and Dell endpoint connectivity testing occurs in **Phase 03 Step 4** after
 
 ---
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|---|---|---|
+| `cluster_arm_deployment.dns_servers` | Array | DNS server IP addresses for resolution tests |
+| `cluster_arm_deployment.domain_fqdn` | String | Active Directory domain FQDN |
+| `compute.nodes[]` | Array | Node details for connectivity testing |
+| `networking.network_devices.opengear` | Object | OpenGear console server IP for OOB verification |
+| `networking.onprem.vlans.management.gateway` | String | Management VLAN gateway IP for routing tests |
+
+---
+
 ## DNS Resolution Tests
 
 <Tabs groupId="deployment-method">

docs/implementation/03-onprem-readiness/phase-02-enterprise-readiness/task-03-opengear-verification.mdx

@@ -52,6 +52,18 @@ This verification requires access to the Lighthouse portal. Ensure you have the
 
 ---
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|---|---|---|
+| `networking.network_devices.opengear` | Object | OpenGear hostname, IP, model, Lighthouse enrollment token |
+| `networking.network_devices.opengear.ports[]` | Array | Serial port-to-node mappings (port number, connected device, baud rate) |
+| `compute.nodes[]` | Array | Node hostnames for console port label verification |
+| `networking.onprem.vlans.oob` | Object | OOB VLAN ID, CIDR, gateway for network connectivity tests |
+| `virtual_machines.lighthouse` | Object | Lighthouse portal VM details |
+
+---
+
 ## Lighthouse Portal Verification
 
 <Tabs groupId="deployment-method">

docs/implementation/03-onprem-readiness/phase-03-network-infrastructure/task-01-opengear-console-server.mdx

@@ -61,6 +61,17 @@ When iDRAC interfaces are connected to the out-of-band management network, they
 
 ---
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|---|---|---|
+| `networking.network_devices.opengear` | Object | OpenGear hostname, IP, model, Lighthouse enrollment token |
+| `networking.network_devices.opengear.ports[]` | Array | Serial port-to-node mappings (port number, connected device) |
+| `networking.onprem.vlans.oob` | Object | OOB VLAN ID, CIDR, gateway for management network |
+| `compute.nodes[].hostname` | String | Node hostnames for serial port labelling |
+
+---
+
 ## Required Firewall Ports for Lighthouse Connectivity
 
 **CRITICAL**: These ports must be allowed outbound from OpenGear NET1 interface to the Internet:

docs/implementation/03-onprem-readiness/phase-03-network-infrastructure/task-02-dell-powerswitch-configuration.mdx

@@ -49,6 +49,18 @@ Configure Dell PowerSwitch TOR switches with Data Center Bridging (DCB) for RDMA
 
 ---
 
+## Variables from variables.yml
+
+| Variable Path | Type | Description |
+|---|---|---|
+| `networking.network_devices.switch_primary` | Object | Primary ToR switch hostname, management IP, model |
+| `networking.network_devices.switch_secondary` | Object | Secondary ToR switch hostname, management IP, model |
+| `networking.onprem.vlans.management` | Object | Management VLAN ID, CIDR, gateway |
+| `networking.onprem.storage.vlans` | Object | Storage VLAN IDs (711-714) for trunk port configuration |
+| `compute.nodes[].hostname` | String | Node hostnames for port description labels |
+
+---
+
 ## Configuration Areas Overview
 
 | Configuration Area | Purpose | Key Settings |
@@ -451,6 +463,18 @@ show interface status
 
 ---
 
+## Troubleshooting
+
+| Issue | Possible Cause | Resolution |
+|---|---|---|
+| VLT peer link down | Incorrect port-channel member assignment or cable fault | Verify VLT configuration, check cables between switches, confirm port-channel membership |
+| PFC not negotiating | DCBX mode mismatch between switch and NIC | Set DCBX to IEEE on both ends, verify NIC firmware supports RoCEv2 |
+| Storage VLAN unreachable | VLAN not added to trunk port or VLAN not created | Verify VLAN exists (`show vlan`), confirm trunk port has VLAN tagged |
+| Jumbo frames not working | MTU mismatch along path | Confirm MTU 9216 on all switch ports, VLANs, and host NICs in the storage path |
+| SSH access denied | SSH service not enabled or management ACL blocking | Run `show ip ssh`, verify SSH enabled, check management ACL entries |
+
+---
+
 ## Next Steps
 
 Proceed to [Task 3 - Verify Firewall Endpoints](./task-03-firewall-endpoint-verification.mdx) to verify firewall rules for required Azure and Dell endpoints.