System Center Orchestrator:System Center Orchestrator: Difference between revisions

Revision as of 01:19, 19 July 2024

History

System Center Orchestrator is a tool from Microsoft that helps automate and manage different IT tasks and workflows. Think of it like a conductor in an orchestra, making sure all the instruments (or in this case, different IT systems and software) work together smoothly in an automated manner.

This platform was setup to facilitate creating automated tickets in System Center Service Manager:System Center Service Manager and automate certain parts of the environment. Please see the main category for a comprehensive list of runbooks and other procedures.

Deployment

Begin with a clean install of Windows Server 2022 Desktop Edition. You can find specific VM requirements for this server at Servers:SAD-SCOR01.
1. A total of five virtual disks are needed for a proper installation:
  1. 128GB OS Disk - For Windows Server 2022.
  2. 256GB Program Data Disk - For Database: Microsoft SQL Server 2022 and System Center Orchestrator:System Center Orchestrator program files.
  3. 256GB Database Disk - To store database files.
  4. 256GB Logs Disk - To store SQL log files.
  5. 64GB TempDB Disk - To store SQL TempDB files.
Install Microsoft SQL Server 2022.
1. Mount the Microsoft SQL 2022 ISO and run setup.exe.
2. Click "Installation" on the sidebar then click "New SQL Server standalone installation or add features to an existing installation".
3. On the Edition screen, enter your product license key.
4. On the License Terms screen, Accept the license terms.
5. No action needed for section Global Rules.
6. Choose whether or not to use Windows Update on the Microsoft Update tab. I chose not to.
7. Click Next on the Install Rules tab.
  1. Note: I received a warning about Windows Firewall, there's no need to worry about this.
8. Perform the following actions on the Feature Selection screen:
  1. Check "Database Engine Services" and "Full-Text and Semantic Extractions for Search"
  2. Change the "Instance root directory", "Shared feature directory", and "Shared feature directory (x86)" drive letter to your Program Files disk. In my case, this is drive D. Leave the rest of the path untouched.
9. On the Instance Configuration screen, the defaults are fine. Click Next.
10. Perform the following steps on the Server Configuration page:
  1. Open Active Directory Users and Groups and create a service account for SQL to run under. I am using Users and Groups:svc_scorsql.
  2. Change the Account name for both services and input the password. Make sure this account is documented. SQL Server Browser cannot be modified.
  3. Set the Startup Type to Automatic.
  4. On the Collation Page, the default of SQL_Latin1_General_CP1_CL_AS is fine.
  5. Click Next.
11. On the Database Engine Configuration section, perform the following tasks:
  1. On the Server Configuration Tab: The default of "Windows Authentication Mode is fine. Add Domain Admins and your SQL Service account Users and Groups:svc_scorsql to the SQL Server Administrators box.
  2. On the Data Directories tab: set "Data Root Directory" to your database drive. In my case that would be E:\Database. The other data directories should change to reflect this new path. Do not change those paths! Change the "User database log directory" to your Logs drive. In my case it would be F:\Logs\SQL. The Backup Directory is fine. Mine defaulted to E:\Database\MSSQL16.MSSQLSERVER\MSSQL\Backup.
  3. On the TempDB Tab: Remove the default data directory and specify your TempDB drive. In my case, it is G:\TempDB. Change the Log Directory to your logs drive. I chose to use path F:\Logs\TempDB.
  4. On the Memory tab: Click "Recommended" then accept the recommended configuration.
  5. All other tabs can be left at default values. Click Next.
12. On the Ready to Install Screen, Click Install.
Configure SQL Post-install by launching "SQL Server Configuration Manager" from the Start Menu.
1. Expand "SQL Server Network Configuration" then click "Protocols for MSSQLSERVER" Enable "Shared Memory", "Named Pipes" and "TCP/IP".
Install Microsoft System Center Orchestrator
1. Mount the ISO and run setup.exe. Click Install.
2. On the product registration screen, enter your company name and product key, then click Next.
3. Accept the license terms, then click Next.
4. On the Diagnostic and Usage Data screen, click Next.
5. On the Select Features to Install screen, I chose to deploy all components to this server. I manage a medium sized environment professionally, so this should be fine for most people. Click Next.
6. On the Prerequisites screen, we will need to install some additional dependencies. PLEASE REBOOT AFTER INSTALLING THIS SOFTWARE! Install the following:
  1. Use this powershell command and the links below to install IIS and all necessary components:
```
Install-WindowsFeature -Name NET-Framework-Features,Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-App-Dev,Web-Asp-Net,Web-Net-Ext45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Basic-Auth,Web-Windows-Auth,Web-Client-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,MSMQ,BITS,RSAT,WAS,Windows-Identity-Foundation,NET-Framework-45-Core,Web-Url-Auth -IncludeManagementTools -IncludeAllSubFeature
```
  2. ASP.NET Core Runtime 6.x - Windows Hosting Bundle
  3. ASP.NET Core Runtime 8.x - Windows Hosting Bundle
  4. IIS CORS Module
  5. IIS URL Rewrite Module
On the Configure The Service Account screen,enter in the username and password of the service account you will be using to login to remote systems and run runbooks. I will be using Users and Groups:svc_runbook. Please note this account will need logon as a service rights. Please see the Post-Install Configuration section of this guide. Click Next once the credential is accepted.
On the Configure The Database Server screen, click the Browse button and type in the name of your SCOR server. Test the database connection, then click Next.
On the second Configure The Database screen, we will be setting up a new environment, so creating a new database is fine. The defaults are acceptable. Click Next.
On the Configure Orchestrator Users Group Configuration page, Users and Groups:sg_orchestrator_sysadmins is used to define SCOR sysadmins. It is added as a member of Users and Groups:dp_it_systemsadministrators. Ensure the "Grant remote access to the Runbook Designer" box is checked, then click Next.
Click Next on the Configure the ports for the web API screen - there are two of them, the defaults are fine.
On the Installation Location screen, Change the installation location to the Program Data drive (D:\), leaving the rest of the path default. Click Next.
I chose not to automatically check for updates on the Microsoft Update screen. Click Next.
On the Summary screen, review your settings, then click Next.

Post-Installation Configuration

Service Account Configuration

Open Group Policy Management Editor.
In the GPMC, right-click the organizational unit (OU) where your servers are located (or the domain root if you want to apply the policy domain-wide). Select "Create a GPO in this domain, and Link it here...". Name the GPO (e.g., "Orchestrator Runbook Permissions") and click OK.
Right-click the newly created GPO and select Edit. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find and double-click "Log on as a service". In the dialog box, click Add User or Group....Enter the name of the Orchestrator Runbook account ( Users and Groups:svc_runbook ) and click OK. Click Apply and OK to save the changes.
In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups. Right-click Restricted Groups and select Add Group....In the dialog box, click Browse..., type Administrators, and click Check Names. Then, click OK. In the Properties dialog, click Add... under Members of this group. Enter the name of the Orchestrator Runbook account and click OK. Click Apply and OK to save the changes.

Firewall Configuration

If you would like to utilize the console or web portal on a different computer, you must open some ports in Windows Firewall to allow this. Run the following script:

# Define the ports and rules
$ports = @(
    @{ Name="RPC Endpoint Mapper"; Port=135; Protocol="TCP" },
    @{ Name="RPC Dynamic Ports"; Port="1024-65535"; Protocol="TCP" },
    @{ Name="SQL Server Default Instance"; Port=1433; Protocol="TCP" },
    @{ Name="SQL Server Named Instances"; Port=1434; Protocol="TCP" },
    @{ Name="Orchestrator Web Service HTTP"; Port=81; Protocol="TCP" },
    @{ Name="Orchestrator Web Service HTTPS"; Port=443; Protocol="TCP" }
)

# Function to add firewall rules
function Add-FirewallRule {
    param (
        [string]$Name,
        [string]$Port,
        [string]$Protocol
    )
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol $Protocol -LocalPort $Port -Action Allow
}

# Loop through the ports and add firewall rules
foreach ($port in $ports) {
    Add-FirewallRule -Name $port.Name -Port $port.Port -Protocol $port.Protocol
}

Write-Host "Firewall rules for System Center Orchestrator have been added successfully."

Updates

Update to U2

The update to Orchestrator U2 was performed immediately after the installation. Operation before this patch was applied is unknown. Unless you have a good reason not to, I recommend doing the same.

The update procedure is fairly straight forward. I recommend glancing over Microsoft's System Center - Orchestrator build versions documentation. You can find change logs, version history, and direct download links to U2 and other previous updates.

Here is the procedure I used:

Navigate to the provided Orchestrater documentation link above.
Select the update you would like to install and read over the article you are redirected to. There should be a direct link to Microsoft Update Catalog. You will need to download ALL of the updates because they update different Orchestrator components.
Open the CAB file and extract it. Run the EXE for each update. I do not believe there is a best practice or mandatory order you must follow to install the updates.
1. NOTE: I ran into an issue with one update that refused to install because a file was deadlocked. I attempted to stop the Orchestrator services to try again, but had to force close them with the powershell command Stop-Process -Id <PID#> -Force. After all services were stopped, the update went off without a hitch.
Reboot the server and check the version in the Runbook Designer console. it should read "10.22.9.2"

Status

This setup guide has successfully been deployed to sysadminafterdark production.

Revision as of 01:18, 19 July 2024 (view source) Sysadminafterdark (talk \| contribs) No edit summary ← Older edit		Revision as of 01:19, 19 July 2024 (view source) Sysadminafterdark (talk \| contribs) No edit summary Newer edit →
Line 132:		Line 132:
	==Status==		==Status==

	This setup guide has successfully been ~~deploy~~ to sysadminafterdark production.		This setup guide has successfully been deployed to sysadminafterdark production.