Cargill is an international producer and marketer of food, agricultural, financial and industrial products and services. Founded in 1865, our privately held company employs.
2 Cargill is an international producer and marketer of food, agricultural, financial and industrial products and services. Founded in 1865, our privately held company employs 142,000 people in 65 countries.
1000+ locations globally
Orchestrator 2012 was brought into Cargill as part of our migration from Altiris to System Center.

3

4
• Operations Manager
• Configuration Manager
• Altiris
• Active Directory
• BMC Remedy
• SQL
• Oracle
• SharePoint
• Exchange

Central Team
• COE
• Best Practices
• Manage Environment
Distributed development environments
• Key success factors
• Individuals dedicated 25%+
• PowerShell

5 [Diagram labels: Production; Promotion to Q&A; Change Control; Runbook best practice review; Export / Import Runbook; Promotion to Production; Q&A; Export / Import Runbook; Source Control (TFS); Development]

6
• Runbook Validation
• Change Control
• Email Notification

7 [Diagram labels: Network Load Balancer; Management Server; Web Service; Runbook Server; Web Service; Runbook Server; Runbook Requests]

8 Virtual Servers
8GB RAM/Quad Core
Separate physical hosts
Orchestrator DB: Database where configuration information, runbooks, and logs are stored.
Shared DB: Database for multiple purposes to store information consumed by Runbooks.

9 Runbook Designer – dcomcnfg.exe
• Remote Launch permission on My Computer
• Launch and Access permission on omanagement
Runbooks and Global Settings folders are all secured by AD group membership. No granular security for Global Configurations and log purge settings. Results in multiple development environments.

10 Metrics!!

12
• Promote secondary server within Runbook Designer
• Disable IIS page to trigger F5 failover
• Use Orchestrator Health Checker to stop and restart monitor jobs to get them running on the new primary server
• Wait for existing running jobs to complete and/or terminate jobs as needed
• Perform maintenance on server (install patches, update IPs, etc.)

13 Folder Structure

15
Parent Runbooks – 1-4 word description
Monitor Runbooks – Start with the word ‘Monitor’
Child Runbooks
Rename default activity names to make them descriptive

16 Link names should only be modified from the default of “Link” if the link is used in a logic selection or a parallel execution.
Black = Standard / Success – includes parallel processing
Red = Failure
Turquoise = Selection
Orange = Expected to fire multiple times

17
30 activities or less
Always start with Initialize Data and end with Return Data

18
• Design runbooks so that they are generic, modular and reusable.
• Consider that child runbooks may be launched by a different runbook server.
• Avoid assigning runbooks to execution on specific runbook servers
• Use built-in actions rather than scripting if possible
• Avoid long-running runbooks

19
Counters
• Fear them!!
• Shared between all runbooks
• Not thread safe
Variables
• Use them!!
• Runbook Sanitizer
Schedules
• Use Global Settings
• Avoid embedded schedules
Computer Groups
• Rarely used

20
Max 20 per runbook
Warning: Accessing text and spreadsheet files

21
Append Line – Not thread safe
Delete File/Folder – Fails if the item is read-only
Disconnect Network Path – Do not use with runbooks using job concurrency greater than 1
Invoke Runbook – Launches a new instance of policymodule.exe (3-5 second penalty). Avoid using invoke by path.
Query XML - XPath

22 Invoke Web Service - Use [email protected] for the username within the Security tab when cross domain authentication is needed. Disabled = anonymous authentication.

23
Junction - If the object specified within the “Return data from” is executed multiple times, then the Junction action will fire multiple times. <None> = no data from previous activities will be available on the databus.
Map Network Path - Fails if the path is already connected by another user. Connect directly to IPC$ rather than C$ to allow for multiple connections.

24 Query Database – Protect against SQL injections by using DECLARE and SET commands in your queries.
DECLARE @ComputerName nvarchar(MAX)
SET @ComputerName = '{Computer Name from "Initialize Data"}'
Select Top 1 i.guid, i2.name
Where i.name = @ComputerName
Replace delimiter values
SELECT REPLACE([Test],';','_') FROM [OrchestratorCGLAdmin_prod].[dbo].[Test_Table]

25 Run .Net Script
• Use PowerShell
• Exit = No published data
• “Error initializing extension” - Field data manipulation function with invalid variable reference.
• Unstructured text
$Variable = @'
I wish this line didn't contain any "double" quotes.
'@
• PowerShell Injection
';stop-computer -computerName "server1"'
• “Cannot invoke this function because the current host does not implement it.” - The PowerShell function wants to interact with the user. The classic example is the CLS command.
• Orchestrator has its own internal PowerShell 2.0 x86 engine.
• PowerShell 3.0 – Use “PowerShell { <script goes here> }”

26
• Enable looping for automatic retries.
• Do Not Exit > Exit conditions = infinite loops

27 Orchestrator needs a user-friendly front-end web site!
• System Center Service Manager
• SharePoint
• 3rd party (e.g. http://eupsco.com/)
• Internally developed web site

28 Must-have tools for runbook development
• PowerGUI: Used to create and debug PowerShell scripts
• Expresso: Used to create and debug regular expressions to search text for patterns
• Remote Server Administration Tools (Active Directory): Used to query Active Directory
• SQL Management Studio: Used to query and update SQL Server databases
• Oracle SQL Developer: Used to query and update Oracle databases

29 Use the Orchestrator Visio and Word Generator utility to automatically document your runbooks.

30 Community IPs
SCOJobRunner.exe – command line runbook execution
PowerShell examples - manage runbooks remotely.
Orchestrator Health Checker – runbook management

31
Orchestrator Forums
Twin Cities Orchestrator User Group
Email: [email protected]
Best Practices Document

32 © Copyright Cargill, Incorporated 2012. All rights reserved. System Center Orchestrator - Training

• It is responsible for maintaining the orchestration database, communicating with the Runbook Designers, and communicating with the Deployment Manager.
• It enables the Orchestrator Deployment Manager to deploy Runbook Designer, Runbook Server, or integration packs.
• It is responsible for running a program or command defined in a runbook.
• It is responsible for monitoring the health of runbook servers.
• It is responsible for running runbooks and for communicating with the orchestration database.

References
Management Server
Runbook Server

Run Program
• Leverages the Orchestrator Remoting Services service on the Runbook Server
• Calls opexecsvc.exe = modified psexec.exe to remotely execute the command.
• Interactive mode not supported on Win 7/2008+
• The Security Credentials tab is used to define the credentials used by opexecsvc.exe to connect to the remote computer's \admin$ share.
• The Run As credentials within the Advanced tab are used to configure the user account that opexecsvc.exe should run the specified command as.

38
1. Avoid them
2. Use Encrypted Variables
2. Create an Integration Package using the CommandLine Activity Wizard

3 Restart System
• Minimum 30 second delay
• Runbook does not wait
• Message displayed to logged on users who can close the window but it does not stop the reboot.

4 Provide a place for runbook developers to share sample code, runbooks, etc.
_Templates folder

4 Integration Toolkit
Command Line Activity Wizard
Full Integration Pack
• The Robocopy.exe /MT switch allows multi-threaded file copies, which greatly improves performance; however, each file that is copied is loaded into memory, so be aware of how many instances of robocopy.exe will be allowed to run and the size of the files that will be copied.
• The recommendation is to use /MT:8 by default.
• Behavior – Unable to RDP into server, new runbook executions stop, robocopy log files not updated.

4 [Diagram labels: Runbook Designer; Operator Console; Runbook Server; GUI (Design, manage, report); Data Store (Store process logic); (Run processes)]

4 Log file locations

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\RunbookService.exe\Logs\
File Name: RunbookService.exe.*.log
Description: Exceptions generated by the Runbook Server service (connection errors, etc.) are logged here

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\PolicyModule.exe\Logs\
File Name: PolicyModule.*.log

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\ManagementService.exe\Logs\
File Name: ManagementService.exe.*.log
Description: Contains exceptions generated by the Runbook Server. This log is useful for finding environmental problems (e.g. database connect failures)

Folder Path: \ProgramData\Microsoft System Center 2012\Orchestrator\RunbookServerMonitorService.exe\Logs\
File Name: RunbookServerMonitorService.exe.*.log

4
• Integrate – don’t duplicate
• Avoid creating runbooks that duplicate existing tools.
• Example: System Center Operations Manager, Configuration Manager, etc.

4 Use the runbook sanitizer to clean runbooks that are moved between environments. The export file shrank from 676KB to 25KB, so there was about 650 KB worth of useless configuration information in the file (and that was an export from a very clean environment).
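
The Query Database and PowerShell Injection points on slides 24 and 25 both come down to published data being pasted into code as text. The following added example (not part of the original deck) takes the slide's SET statement and shows what a value containing a single quote does to the literal, and how quote doubling and an allowlist check handle it. It assumes plain text substitution of published data; the function names and sample values are constructed for illustration.

```powershell
# Added example; function names and sample values are constructed.
# Assumption: published data is pasted into the query text as-is
# before the query is sent to SQL Server.

# SET statement from the slide; {ComputerName} stands in for the
# published-data token.
$SetTemplate = "SET @ComputerName = '{ComputerName}'"

function Test-ComputerName {
    param([string]$Value)
    # Allowlist: letters, digits and hyphens, 1-63 characters,
    # anchored with \A and \z so a trailing newline cannot slip through.
    return ($Value -match '\A[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z')
}

function ConvertTo-SqlLiteralText {
    param([string]$Value)
    # Inside a T-SQL string literal a single quote is written as two
    # single quotes, so doubling keeps the whole value inside the literal.
    return $Value.Replace("'", "''")
}

function Expand-SetStatement {
    param([string]$Value)
    return $SetTemplate.Replace('{ComputerName}', $Value)
}

# Constructed inputs: a normal name, a name with an apostrophe, and a
# value that tries to close the literal early.
$samples = @('SERVER01', "O'Brien-PC", "x'; SELECT 1 --")

foreach ($s in $samples) {
    $allowed = Test-ComputerName $s
    "input:   $s (passes allowlist: $allowed)"
    "raw:     " + (Expand-SetStatement $s)
    "escaped: " + (Expand-SetStatement (ConvertTo-SqlLiteralText $s))
    ""
}
```

In the raw output for the second and third inputs the literal ends at the first quote, so DECLARE and SET on their own do not contain the value; the escaped form keeps it inside one literal, and the allowlist rejects both inputs before they reach the query.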