Cargill is an international producer and marketer of food, agricultural, financial and industrial products and services. Founded in 1865, our privately held company employs 142,000 people in 65 countries.

1000+ locations globally

Orchestrator 2012 was brought into Cargill as part of our migration from Altiris to System Center.

• Operations Manager
• Configuration Manager
• Altiris
• Active Directory
• BMC Remedy
• SQL
• Oracle
• SharePoint
• Exchange

Central Team
• COE
• Best Practices
• Manage Environment

Distributed development environments
• Key success factors
• Individuals dedicated 25%+
• PowerShell

[Diagram labels: COE, Dev, Dev]

[Diagram: runbook promotion across Development, Q&A and Production. Labels: Source Control (TFS); Export / Import Runbook; Promotion to Q&A; Runbook best practice review; Promotion to Production; Change Control]

• Runbook Validation
• Change Control
• Email Notification

[Diagram labels: Network Load Balancer, Management Server, Web Service, Runbook Server, Runbook Requests]

Virtual Servers
8 GB RAM/Quad Core
Separate physical hosts

Orchestrator DB: Database where configuration information, runbooks, and logs are stored.

Shared DB: Database for multiple purposes to store information consumed by Runbooks.

Runbook Designer – dcomcnfg.exe
• Remote Launch permission on My Computer
• Launch and Access permission on omanagement

Runbooks and Global Settings folders are all secured by AD group membership.

No granular security for Global Configurations and log purge settings. Results in multiple development environments.

Metrics!!

• Promote secondary server within Runbook Designer
• Disable IIS page to trigger F5 failover
• Use Orchestrator Health Checker to stop and restart monitor jobs to get them running on the new primary server
• Wait for existing running jobs to complete and/or terminate jobs as needed
• Perform maintenance on server (install patches, updated IPs, etc.)

Folder Structure

Parent Runbooks – 1-4 word description
Monitor Runbooks – Start with the word ‘Monitor’
Child Runbooks
Rename default activity names to make them descriptive

Link names should only be modified from the default of “Link” if the link is used in a logic selection or a parallel execution.

Black = Standard / Success – includes parallel processing
Red = Failure
Turquoise = Selection
Orange = Expected to fire multiple times

30 activities or less
Always start with Initialize Data and end with Return Data

• Design runbooks so that they are generic, modular and reusable.
• Consider that child runbooks may be launched by a different runbook server.
• Avoid assigning runbooks to execution on specific runbook servers
• Use built-in actions rather than scripting if possible
• Avoid long running runbooks

Counters
• Fear them!!
• Shared between all runbooks
• Not thread safe

Variables
• Use them!!
• Runbook Sanitizer

Schedules
• Use Global Settings
• Avoid embedded schedules

Computer Groups
• Rarely used

Max 20 per runbook
Warning: Accessing text and spreadsheet files

Append Line – Not thread safe
Delete File/Folder – Fails if the item is read-only
Disconnect Network Path – Do not use with runbooks using job concurrency greater than 1
Invoke Runbook – Launches a new instance of policymodule.exe. 3-5 second penalty. Avoid using invoke by path.
Query XML - XPath

Invoke Web Service - Use username@domain.com for the username within the Security tab when cross domain authentication is needed. Disabled = anonymous authentication.

Junction - If the object specified within the “Return data from” is executed multiple times then the Junction action will fire multiple times. <None> = no data from previous activities will be available on the databus.

Map Network Path - Fails if the path is already connected by another user. Connect directly to IPC$ rather than C$ to allow for multiple connections.

Query Database – Protect against SQL injections by using DECLARE and SET commands in your queries.

DECLARE @ComputerName nvarchar(MAX)
SET @ComputerName = '{Computer Name from "Initialize Data"}'
Select Top 1 i.guid, i2.name
Where i.name = @ComputerName

Replace delimiter values

SELECT REPLACE([Test], '; ', '_') FROM [OrchestratorCGLAdmin_prod].[dbo].[Test_Table]
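The DECLARE/SET pattern above, as an added example that is not from the slides: it models the Query Database activity as plain text substitution of published data into the query (an assumption) and checks whether the substituted value stays inside the single string literal of the SET statement. The helper names and sample values are constructed for illustration.

```python
# Added illustration, not Cargill's or Microsoft's code.
# Assumption: published data is pasted into the query text before it is sent to SQL Server.
TOKEN = '{Computer Name from "Initialize Data"}'
TEMPLATE = (
    "DECLARE @ComputerName nvarchar(MAX)\n"
    "SET @ComputerName = '" + TOKEN + "'"
)
SET_PREFIX = "SET @ComputerName = "


def render(value, double_quotes):
    """Substitute published data into the query text, optionally doubling single quotes first."""
    if double_quotes:
        value = value.replace("'", "''")
    return TEMPLATE.replace(TOKEN, value)


def read_set_literal(statement):
    """Return the decoded literal if the statement is exactly
    SET @ComputerName = '<literal>', otherwise None."""
    if not statement.startswith(SET_PREFIX + "'"):
        return None
    rest = statement[len(SET_PREFIX) + 1:]
    out, i = [], 0
    while i < len(rest):
        if rest[i] != "'":
            out.append(rest[i])
            i += 1
        elif rest[i + 1:i + 2] == "'":   # '' is an escaped quote inside a T-SQL literal
            out.append("'")
            i += 2
        else:                            # closing quote: nothing may follow it
            return "".join(out) if not rest[i + 1:].strip() else None
    return None                          # literal never closed


def stays_data(value, double_quotes):
    """True when the whole value ends up as the content of the one SET literal."""
    set_statement = render(value, double_quotes).split("\n", 1)[1]
    return read_set_literal(set_statement) == value


SAMPLES = ["SERVER01", "O'Brien-PC", "srv01' OR '1'='1"]  # constructed inputs

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "raw:", stays_data(v, False), "doubled:", stays_data(v, True))
```

With the value confined to the SET literal, the rest of the query only ever references @ComputerName; under the text-substitution assumption, that holds for values containing a single quote only when the quote is doubled before substitution.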

Run .Net Script
• Use PowerShell
• Exit = No published data
• “Error initializing extension” - Field data manipulation function with invalid variable reference.
• Unstructured text

$Variable = @'
I wish this line didn't contain any "double" quotes.
'@

• PowerShell Injection

'; stop-computer. Name "server1"'

• "Cannot invoke this function because the current host does not implement it." - The PowerShell function wants to interact with the user. The classic example is the CLS command.
• Orchestrator has its own internal PowerShell 2.0 x86 engine.
• PowerShell 3.0 – Use “PowerShell { <script goes here> }”

• Enable looping for automatic retries.
• Do Not Exit > Exit conditions = infinite loops

Orchestrator needs a user friendly front-end web site!
• System Center Service Manager
• SharePoint
• 3rd party (e.g. http://eupsco.com/)
• Internally developed web site

Must have tools for runbook development
• PowerGUI: Used to create and debug PowerShell scripts
• Expresso: Used to create and debug regular expressions to search text for patterns
• Remote Server Administration Tools (Active Directory): Used to query Active Directory
• SQL Management Studio: Used to query and update SQL Server databases
• Oracle SQL Developer: Used to query and update Oracle databases

Use the Orchestrator Visio and Word Generator utility to automatically document your runbooks.

Community IPs
SCOJobRunner.exe – command line runbook execution
PowerShell examples - manage runbooks remotely.
Orchestrator Health Checker – runbook management

Orchestrator Forums
Twin Cities Orchestrator User Group
Email: vaughn_nerdahl@cargill.com
Best Practices Document

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

© Copyright Cargill, Incorporated 2012. All rights reserved.

System Center Orchestrator - Training


• It is responsible for maintaining the orchestration database, communicating with the Runbook Designers, and communicating with the Deployment Manager.
• It enables the Orchestrator Deployment Manager to deploy Runbook Designer, Runbook Server, or integration packs.
• It is responsible for running a program or command defined in a runbook.
• It is responsible for monitoring the health of runbook servers.
• It is responsible for running runbooks and for communicating with the orchestration database.

[Diagram labels: References, Management Server, Runbook Server]

Run Program
• Leverages the Orchestrator Remoting Services service on the Runbook Server
• Calls opexecsvc.exe = modified psexec.exe to remotely execute the command.
• Interactive mode not supported on Win 7/2008+
• The Security Credentials tab is used to define the credentials used by opexecsvc.exe to connect to the remote computer's admin$ share.
• The Run As credentials within the Advanced tab are used to configure the user account that opexecsvc.exe should run the specified command as.

1. Avoid them
2. Use Encrypted Variables
3. Create an Integration Package using the Command Line Activity Wizard

Restart System
• Minimum 30 second delay
• Runbook does not wait
• Message displayed to logged on users who can close the window but it does not stop the reboot.

Provide a place for runbook developers to share sample code, runbooks, etc.
_Templates folder

Integration Toolkit
Command Line Activity Wizard
Full Integration Pack

• The Robocopy.exe /MT switch allows multi-threaded file copies, which greatly improves performance. However, each file that is copied is loaded into memory, so be aware of how many instances of robocopy.exe will be allowed to run and the size of the files that will be copied.
• The recommendation is to use /MT:8 by default.
• Behavior – Unable to RDP into server, new runbook executions stop, robocopy log files not updated.

[Diagram labels: Runbook Designer and Operator Console: GUI (Design, manage, report); Data Store (Store process logic); Runbook Server (Run processes)]

Folder Path | File Name
ProgramData\Microsoft System Center 2012\Orchestrator\RunbookService.exe\Logs | RunbookService.exe.*.log
ProgramData\Microsoft System Center 2012\Orchestrator\PolicyModule.exe\Logs | PolicyModule.*.log
ProgramData\Microsoft System Center 2012\Orchestrator\ManagementService.exe\Logs | ManagementService.exe.*.log
ProgramData\Microsoft System Center 2012\Orchestrator\RunbookServerMonitorService.exe\Logs | RunbookServerMonitorService.exe.*.log

Description
Exceptions generated by the Runbook Server service (connection errors, etc.) are logged here.
Contains exceptions generated by the Runbook Server. This log is useful for finding environmental problems (e.g. database connect failures).

• Integrate – don’t duplicate
• Avoid creating runbooks that duplicate existing tools.
• Example: System Center Operations Manager, Configuration Manager, etc.

Use the runbook sanitizer to clean runbooks that are moved between environments. The export file shrank from 676 KB to 25 KB, so there was about 650 KB worth of useless configuration information in the file (and that was an export from a very clean environment).