System Center 2012 Orchestrator


2
Cargill is an international producer and
marketer of food, agricultural, financial
and industrial products and services.
Founded in 1865, our privately held
company employs 142,000 people in 65
countries.
1000+ locations globally
Orchestrator 2012 was brought into Cargill as part of
our migration from Altiris to System Center.
4
Operations Manager
Configuration Manager
Altiris
Active Directory
BMC Remedy
SQL
Oracle
SharePoint
Exchange
Central Team
• COE
• Best Practices
• Manage Environment
Distributed development environments
• Key success factors
• Individuals dedicated 25%+
• PowerShell
5
Production
Promotion to Q&A
Change Control
Runbook best practice review
Export / Import Runbook
Promotion to Production
Q&A
Export / Import Runbook
Source Control (TFS)
Development
6
• Runbook Validation
• Change Control
• Email Notification
7
Network Load Balancer
Management Server
Web Service
Runbook Server
Web Service
Runbook Server
Runbook Requests
8
Virtual Servers
8GB RAM/Quad Core
Separate physical hosts
Orchestrator DB
Database where configuration information,
runbooks, and logs are stored.
Shared DB
Database for multiple purposes to store
information consumed by Runbooks.
9
Runbook Designer – dcomcnfg.exe
• Remote Launch permission on My Computer
• Launch and Access permission on omanagement
Runbooks and Global Settings folders are all secured by AD group membership.
There is no granular security for Global Configurations and log purge settings, which
results in multiple development environments.
10
Metrics!!
12
• Promote secondary server within Runbook Designer
• Disable IIS page to trigger F5 failover
• Use Orchestrator Health Checker to stop and restart monitor jobs to get
them running on the new primary server
• Wait for existing running jobs to complete and/or terminate jobs as needed
• Perform maintenance on server (install patches, update IPs, etc.)
13
Folder Structure
15
Parent Runbooks – 1-4 word description
Monitor Runbooks – Start with the word ‘Monitor’
Child Runbooks
Rename default activity names to make them descriptive
16
Link names should only be modified from the default of “Link” if
the link is used in a logic selection or a parallel execution.
Black = Standard / Success – includes parallel processing
Red = Failure
Turquoise = Selection
Orange = Expected to fire multiple times
17
30 activities or less
Always start with Initialize Data and end with Return Data
18
Design runbooks so that they are generic, modular and reusable.
Consider that child runbooks may be launched by a different runbook server.
Avoid assigning runbooks to execution on specific runbook servers
Use built in actions rather than scripting if possible
Avoid long running runbooks
19
Counters
• Fear them!!
• Shared between all runbooks
• Not thread safe
Variables
• Use them!!
• Runbook Sanitizer
Schedules
• Use Global Settings
• Avoid embedded schedules
Computer Groups
• Rarely used
20
Max 20 per runbook
Warning: Accessing text and spreadsheet files
21
Append Line – Not thread safe
Delete File/Folder – Fails if the item is read-only
Disconnect Network Path – Do not use with runbooks using job
concurrency greater than 1
Invoke Runbook – Launches a new instance of policymodule.exe (3-5
second penalty). Avoid using invoke by path.
Query XML - XPath
22
Invoke Web Service - Use [email protected] for the
username within the Security tab when cross domain
authentication is needed. Disabled = anonymous authentication.
23
Junction - If the object specified within the “Return data from” is executed
multiple times then the Junction action will fire multiple times.
<None> = no data from previous activities will be available on the databus.
Map Network Path - Fails if the path is already connected
by another user.
Connect directly to IPC$ rather than C$ to allow for multiple
connections.
24
Query Database – Protect against SQL injections by using
DECLARE and SET commands in your queries.
DECLARE @ComputerName nvarchar(MAX)
SET @ComputerName = '{Computer Name from "Initialize Data"}'
Select Top 1 i.guid, i2.name
Where i.name = @ComputerName
Replace delimiter values
SELECT REPLACE([Test],';','_')
FROM [OrchestratorCGLAdmin_prod].[dbo].[Test_Table]
25
Run .Net Script
• Use PowerShell
• Exit = No published data
• “Error initializing extension” - Field data manipulation function
with invalid variable reference.
• Unstructured text
$Variable = @'
I wish this line didn't contain any "double" quotes.
'@
• PowerShell Injection ';stop-computer -computerName "server1"'
• "Cannot invoke this function because the current host does not
implement it." - A PowerShell function is trying to interact with
the user. The classic example is the CLS command.
• Orchestrator has its own internal PowerShell 2.0 x86 engine.
• PowerShell 3.0 – Use “PowerShell { <script goes here> }”
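The substitution risk behind the PowerShell Injection bullet above, and the reason to validate values before they reach Run .Net Script or Query Database, shown as an added example that is not part of the original deck. `Expand-Template`, `Get-CommandName`, `Test-ComputerName` and the `{Computer Name}` token are hypothetical names, and the text replace is a constructed stand-in for Orchestrator's published-data substitution.

```powershell
# Constructed stand-in for Orchestrator's published-data substitution: a plain text
# replace that happens before PowerShell parses the script. Token name is hypothetical.
function Expand-Template([string]$Template, [string]$Value) {
    return $Template.Replace('{Computer Name}', $Value)
}

# List the command names PowerShell would see in a script, without running it.
function Get-CommandName([string]$ScriptText) {
    $errors = $null
    $tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptText, [ref]$errors)
    return @($tokens | Where-Object { $_.Type -eq 'Command' } | ForEach-Object { $_.Content })
}

# Allow-list check (assumption: NetBIOS-style names, 1-15 letters, digits or hyphens).
function Test-ComputerName([string]$Name) {
    return $Name -match '^[A-Za-z0-9-]{1,15}$'
}

# Two ways a runbook author might receive the value inside Run .Net Script.
$templates = @{
    'quoted literal' = "`$name = '{Computer Name}'`nTest-Connection `$name -Count 1"
    'here-string'    = "`$name = @'`n{Computer Name}`n'@`nTest-Connection `$name -Count 1"
}

# Constructed inputs: a normal name and the injection string from the slide.
$samples = @('server1', "';stop-computer -computerName `"server1`"'")

foreach ($value in $samples) {
    foreach ($kind in $templates.Keys) {
        $script   = Expand-Template $templates[$kind] $value
        $commands = Get-CommandName $script
        # Any command other than the one the author wrote means the value
        # changed the structure of the script.
        $extra = @($commands | Where-Object { $_ -ne 'Test-Connection' })
        New-Object PSObject -Property @{
            Template  = $kind
            ValidName = Test-ComputerName $value
            Injected  = ($extra.Count -gt 0)
            Commands  = ($commands -join ', ')
        }
    }
}
```

A here-string keeps the slide's sample value inert, but a value containing a line that begins with `'@` would still close it, so the allow-list check is what the runbook should rely on.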
26
• Enable looping for automatic retries.
• Do Not Exit > Exit conditions = infinite loops
27
Orchestrator needs a user friendly front-end web site!
• System Center Service Manager
• SharePoint
• 3rd party (e.g. http://eupsco.com/)
• Internally developed web site
28
Must-have tools for runbook development
• PowerGUI
Used to create and debug PowerShell scripts
• Expresso
Used to create and debug regular expressions to search text
for patterns
• Remote Server Administration Tools (Active Directory)
Used to query active directory
• SQL Management Studio
Used to query and update SQL server databases
• Oracle SQL Developer
Used to query and update Oracle databases
29
Use the Orchestrator Visio and Word Generator utility to
automatically document your runbooks.
30
Community IPs
SCOJobRunner.exe – command line runbook execution
Powershell examples - manage runbooks remotely.
Orchestrator Health Checker – runbook management
31
Orchestrator Forums
Twin Cities Orchestrator User Group
Email: [email protected]
Best Practices Document
32
© Copyright Cargill, Incorporated 2012. All rights reserved.
System Center Orchestrator - Training
It is responsible for maintaining the orchestration database, communicating with the Runbook Designers, and communicating with the Deployment Manager.
It enables the Orchestrator Deployment Manager to deploy Runbook Designer, Runbook Server, or integration packs.
It is responsible for running a program or command defined in a runbook.
It is responsible for monitoring the health of runbook servers.
It is responsible for running runbooks and for communicating with the orchestration database.
References
Management Server
Runbook Server
Run Program
• Leverages the Orchestrator Remoting Services service on the
Runbook Server
• Calls opexecsvc.exe = modified psexec.exe to remotely
execute the command.
• Interactive mode not supported on Win 7/2008+
• The Security Credentials tab is used to define the credentials
used by opexecsvc.exe to connect to the remote computer's
\admin$ share.
• The Run As credentials within the Advanced tab are used to
configure the user account that the opexecsvc.exe should run
the specified command as.
38
1. Avoid them
2. Use Encrypted Variables
3. Create an Integration Package using the CommandLine Activity Wizard
3
Restart System
• Minimum 30 second delay
• Runbook does not wait
• Message displayed to logged on users who can close the
window but it does not stop the reboot.
4
Provide a place for runbook developers to share
sample code, runbooks, etc.
_Templates folder
4
Integration Toolkit
Command Line Activity Wizard
Full Integration Pack
• The Robocopy.exe /MT switch allows multi-threaded
file copies, which greatly improves performance.
However, each file that is copied is loaded into
memory, so be aware of how many instances of
robocopy.exe will be allowed to run and the size of
the files that will be copied.
• The recommendation is to use /MT:8 by default.
• Behavior – Unable to RDP into server, new runbook
executions stop, robocopy log files not updated.
4
Runbook Designer
Operator Console
11
Runbook Server
GUI
(Design, manage, report)
4
Data Store
(Store process logic)
(Run processes)
Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\RunbookService.exe\Logs\
File Name: RunbookService.exe.*.log
Description: Exceptions generated by the Runbook Server service (connection errors, etc) are logged here

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\PolicyModule.exe\Logs\
File Name: PolicyModule.*.log

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\ManagementService.exe\Logs\
File Name: ManagementService.exe.*.log
Description: Contains exceptions generated by the Runbook Server. This log is useful for finding environmental problems (e.g. database connect failures)

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\RunbookServerMonitorService.exe\Logs\
File Name: RunbookServerMonitorService.exe.*.log
4
• Integrate – don’t duplicate
• Avoid creating runbooks that duplicate existing tools.
• Example: System Center Operations Manager,
Configuration Manager, etc.
4
Use the runbook sanitizer to clean runbooks that are
moved between environments.
The export file shrank from 676KB to 25KB, so there was
about 650 KB worth of useless configuration information in the file
(and that was an export from a very clean environment).
4