Archive for the ‘Orchestrator 2012’ Category

Installing and configuring System Center Service Provider Foundation

January 31, 2014

Management of cloud resources involves the deployment, configuration, monitoring, and ongoing maintenance of hardware and software components. These components compose the infrastructure management platform, virtual machine hosts and instances, and their associated storage, network and facility components that support the cloud infrastructure. The tools required to manage these components are provided by hardware manufacturers and the cloud computing platform providers.

The Microsoft Private Cloud platform is composed of Microsoft Windows Server 2012 and Microsoft System Center 2012. These products provide the tools necessary to build, monitor and maintain a cloud fabric management infrastructure and the cloud resources that compose services running on the infrastructure. While these tools are ideal for the management of a cloud infrastructure, service providers and large IT organizations require additional capabilities that allow them to integrate the management of their infrastructure with existing self-service portals, support multiple tenants and distribute workloads across management instances that may be deployed geographically in multiple datacenters.

System Center Service Provider Foundation ships with System Center 2012 – Orchestrator and enables organizations to gain this additional management capability and extend the services provided by their cloud platform.

This blog is a complete walkthrough on installing and configuring the Service Provider Foundation.

Enabling the Cloud OS

Introduction

The Service Provider Foundation enables service providers to offer Infrastructure as a Service (IaaS). The infrastructure of System Center VMM 2012 is exposed through the Service Provider Foundation as an extensible OData web service that supports REST-based requests. The web service handles these requests through Windows PowerShell scripts. By using this industry standard, Microsoft enables service providers to leverage their existing investments in custom management portals.

The Service Provider Foundation is placed on top of a System Center VMM 2012 environment. This blog will not cover the installation and configuration of System Center 2012 VMM. I can advise a great book called Microsoft Private Cloud Computing written by Aidan Finn, Hans Vredevoort, Patrick Lownds and Damian Flynn that I use as a reference frequently.

Prerequisites

The Service Provider Foundation uses SQL Server for its database. Depending on the size of your environment you can either use the same SQL Server as your System Center VMM 2012 SP1 environment or use a dedicated SQL Server for the Service Provider Foundation. The database is supported on SQL Server 2008 R2 and SQL Server 2012.

Before we install the Service Provider Foundation some prerequisites must be installed.


These prerequisites can be categorized in the following parts.

  • Operating System
    • Windows Server 2012
    • PowerShell 3.0
  • System Center VMM SP1
    • System Center VMM SP1 console
  • Web Server IIS Server Role
    • IIS Management > Scripts and Tools
    • IIS Security > Basic Security
    • IIS Security > Windows Authentication
    • IIS Application Development > ASP.NET 4.5
  • Windows Features
    • .NET Framework 4.5 Features > WCF Services > HTTP Activation
    • Management OData IIS Extension
  • Downloads
    • WCF Data Services 5.0 for OData V3
    • ASP.NET MVC 4

When you have configured Windows Server 2012 with an IP address, applied Windows Updates and introduced the server as member to the same domain that your System Center VMM environment is running in, you are ready to install the prerequisites. The first requirement is the installation of the System Center VMM console. You can install the console from the System Center 2012 VMM SP1 installation media.

01 Install VMM console

Now you can install the required features and roles by opening Add Roles and Features in Server Manager. Select Web Server (IIS) on the Server Roles screen. Under Features, select .NET Framework 4.5 Features > WCF Services > HTTP Activation and Management OData IIS Extension. On the Web Server (IIS) role services screen add the role services IIS Management > Scripts and Tools, IIS Security > Basic Security, IIS Security > Windows Authentication and IIS Application Development > ASP.NET 4.5 to the default settings.

05 Installation Check Part2

You can also install these roles and features by running the following PowerShell command.

Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Request-Monitor, Web-Http-Tracing, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Basic-Auth, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, ManagementOdata, WAS, WAS-Process-Model, WAS-Config-APIs

PowerShell Install-WindowsFeature

Two requirements, WCF Data Services 5.0 for OData V3 and ASP.NET MVC 4, are not included in the Windows Server 2012 operating system and must be downloaded separately. The installation of these requirements is straightforward.

The Service Provider Foundation install wizard will verify that all roles and features are installed correctly.
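As an added check that is not part of the original post, the following PowerShell script verifies the same role and feature list as the Install-WindowsFeature command above before you start the installer, and also checks for PowerShell 3.0 and the VMM console module. The module name virtualmachinemanager is assumed to be the one the VMM SP1 console registers; the two separate downloads (WCF Data Services and ASP.NET MVC 4) are left to the installer's own check.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell 3.0
# session on the server that will host the Service Provider Foundation.
Import-Module ServerManager

# Same feature names as the Install-WindowsFeature command in the post.
$requiredFeatures = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc',
    'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content', 'Web-Health',
    'Web-Http-Logging', 'Web-Request-Monitor', 'Web-Http-Tracing',
    'Web-Performance', 'Web-Stat-Compression', 'Web-Security', 'Web-Filtering',
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-App-Dev', 'Web-Net-Ext45',
    'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Tools',
    'Web-Mgmt-Console', 'Web-Scripting-Tools', 'NET-Framework-45-ASPNET',
    'NET-WCF-HTTP-Activation45', 'ManagementOdata', 'WAS', 'WAS-Process-Model',
    'WAS-Config-APIs'
)

function Test-SpfPrerequisites {
    param([string[]]$Features)

    # @() keeps $missing an array even when zero or one feature is missing.
    $missing = @(Get-WindowsFeature -Name $Features |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name)

    # The Service Provider Foundation requires PowerShell 3.0.
    if ($PSVersionTable.PSVersion.Major -lt 3) {
        $missing += 'PowerShell 3.0'
    }

    # The VMM console installs a PowerShell module; module name is assumed.
    if (-not (Get-Module -ListAvailable -Name 'virtualmachinemanager')) {
        $missing += 'System Center VMM SP1 console (virtualmachinemanager module)'
    }

    return $missing
}

$missing = Test-SpfPrerequisites -Features $requiredFeatures
if ($missing.Count -gt 0) {
    Write-Warning ("Missing prerequisites:`n  " + ($missing -join "`n  "))
} else {
    Write-Host 'All listed roles, features and tools are installed.'
}
```

Running this before launching setup saves a round trip through the wizard when a single role service was skipped in Server Manager.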

Required user accounts

We need to create a domain user account for the Service Provider Foundation application pools and three domain groups that will be used for the permissions on the individual virtual directories created by the installer.

In this example I have created a service account

  • domain\Svc_Spf

And the following domain groups

  • domain\Spf_Admins
  • domain\Spf_Provider
  • domain\Spf_VMM

Certificates

The Service Provider Foundation provides an extensible OData web service. Communications to this web service can and should be encrypted by SSL. SSL requires certificates. The Service Provider Foundation allows for self-signed certificates (for testing purposes) and certificates issued by a standalone Certificate Authority, an enterprise Certificate Authority or a public Certificate Authority. The Service Provider Foundation requires a default web server certificate.

If Windows Azure for Windows Server is located in the same domain as the Service Provider Foundation you are not required to request a public certificate. If you want to enable connectivity to the Service Provider Foundation from System Center App Controller in untrusted domains a public certificate might become a better alternative.

In the following blogs I will describe connecting Windows Azure for Windows Server to the Service Provider Foundation and connecting System Center App Controller to the Service Provider Foundation. In these blogs we will have a closer look at the possible web server certificates and the corresponding pros and cons.

For the installation in this blog we will use a self-signed certificate. In the following blogs this certificate will be replaced.

Open IIS Manager, select the server in the left console and select Server Certificates in main menu.

Create SelfSigned Cert P1

When you open the Server Certificates feature the right menu allows for certificate creation.

Create SelfSigned Cert P2

Select Create Self-Signed Certificate and specify the common name. The common name must match the URL that is used when connecting to the Service Provider Foundation.

Create SelfSigned Cert P3

Please keep in mind that the self-signed certificate will not be trusted by another operating system that initiates a request to the web service. For testing purposes you can add the self-signed certificate to the Trusted Root Certification Authorities store in the computer certificate store of the requesting operating system.
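The same certificate can be created from PowerShell instead of IIS Manager. The script below is an added example and not part of the original post: it creates the self-signed web server certificate in the machine store where IIS looks for it, checks that the subject matches the name clients will use in the URL, and exports the public part so a requesting machine can trust it for testing. The host name spf.contoso.local is a placeholder.

```powershell
# Added example, not from the original post. Requires the PKI module that
# ships with Windows Server 2012 (New-SelfSignedCertificate, Export-Certificate).
Import-Module PKI

# Placeholder: use the FQDN that clients will put in the SPF URL.
$spfFqdn = 'spf.contoso.local'

# Create the certificate in the machine's Personal store; the DNS name
# becomes the subject common name (CN).
$cert = New-SelfSignedCertificate -DnsName $spfFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Check: the CN must match the URL used to reach the web service, or clients
# will reject the certificate even after they have been told to trust it.
if ($cert.Subject -ne "CN=$spfFqdn") {
    throw "Certificate subject '$($cert.Subject)' does not match CN=$spfFqdn"
}

# Export only the public certificate (.cer, no private key) for distribution.
$cerPath = Join-Path $env:TEMP "$spfFqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Exported public certificate to: $cerPath"

# On the requesting machine, after copying the .cer file there, place it in
# the Trusted Root Certification Authorities store of the computer account.
# Testing only; replace with a CA-issued certificate as described in the post.
# Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
```

The thumbprint printed at the end is what you select in the installer's certificate step; keeping the private key on the SPF server and distributing only the .cer file is what makes the testing shortcut acceptable.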

Installation

The Service Provider Foundation setup is added to the System Center Orchestrator SP1 media. The System Center Orchestrator 2012 SP1 installer also allows you to install the Service Provider Foundation.

02 Setup screen orchestrator

The installer will first verify that all prerequisites are met. If you have followed the steps described in this blog you will see all green checks here.

07 Prerequisites check

In the next step you need to specify the SQL Server where the Service Provider Foundation database is created. Please verify that the firewall of the SQL Server allows traffic on port 1433. The installer will verify connectivity before you can continue to the next step.

Select the certificate you created for the web service. In this example we select the self-signed certificate that we created earlier.

09 Certificate

In the following three screens the virtual directories, corresponding permissions and App Pool identities are specified. Please note that these permissions and App Pool identities are essential for a properly functioning environment when you connect different solutions to the Service Provider Foundation. In these screens we will specify the domain service account and the domain groups we created earlier.

In the Configure the Admin Web Service screen, specify the domain\Spf_Admins group in the virtual directory permissions. Specify the domain\Svc_Spf service account in the Application pool credentials.

10 AppPool Admin

In the Configure the Provider Web Service screen, specify the domain\Spf_Provider group in the virtual directory permissions. Specify the domain\Svc_Spf service account in the Application pool credentials.

11 AppPool Provider

In the Configure the VMM Web Service screen, specify the domain\Spf_VMM group in the virtual directory permissions. Specify the domain\Svc_Spf service account in the Application pool credentials.

12 AppPool VMM

Post installation

In the following blog I will explain how to set up Windows Azure for Windows Server. For correct functionality, additional permissions must be configured for the service account (domain\Svc_Spf).

The SPF service account that is configured as Application Pool Identity of the Service Provider Foundation virtual directories needs to be added as a member of the following local groups on the server where the Service Provider Foundation is installed.

  • SPF_Admin
  • SPF_Provider
  • SPF_VMM

15 Set permissions for Spf Service Account on SPF server
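The local group membership can be scripted and verified rather than set by hand. The script below is an added example, not from the original post; it uses the account and group names from this post and relies on net.exe because Windows Server 2012 has no Add-LocalGroupMember cmdlet. It is safe to re-run, since it checks membership before adding.

```powershell
# Added example, not from the original post. Run elevated on the SPF server.
$serviceAccount = 'domain\Svc_Spf'                      # from this post
$localGroups    = 'SPF_Admin', 'SPF_Provider', 'SPF_VMM'  # created by the installer

function Add-SpfLocalGroupMember {
    param([string]$Group, [string]$Account)

    # "net localgroup <group>" lists current members one per line.
    $members = net localgroup $Group 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Local group '$Group' not found; was SPF installed on this server?"
    }
    # -contains is case-insensitive, so DOMAIN\svc_spf matches too.
    if ($members -contains $Account) {
        Write-Host "$Account is already a member of $Group"
        return
    }
    net localgroup $Group $Account /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to add $Account to $Group" }
    Write-Host "Added $Account to $Group"
}

foreach ($g in $localGroups) {
    Add-SpfLocalGroupMember -Group $g -Account $serviceAccount
}

# Verification pass: report any group that still lacks the service account.
$notMember = $localGroups | Where-Object {
    (net localgroup $_) -notcontains $serviceAccount
}
if ($notMember) {
    Write-Warning "Service account missing from: $($notMember -join ', ')"
} else {
    Write-Host 'Service account is a member of all three SPF local groups.'
}
```

The verification pass is worth keeping as a standalone check: it is a quick way to confirm the membership survived later changes on the server.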

The SPF service account (domain\Svc_Spf) also needs to be added to the Administrator user role in the System Center VMM 2012 SP1 environment in the same domain. Open the System Center VMM 2012 SP1 console, select Settings in the bottom left menu and select User Roles in the main window.

13 Set permissions for Spf Service Account in VMM P1

Open the Administrator User Role and add the service account (domain\Svc_Spf).

14 Set permissions for Spf Service Account in VMM P2

The service account also needs permissions on the SQL Server instance running the Service Provider Foundation database. Open SQL Server Management Studio, expand Security and select the domain service account.

17 Set permissions for Spf Service Account in SQL

The service account needs the sysadmin role in SQL Server. Open the properties of the service account (domain\Svc_Spf), select the Server Roles tab and enable the sysadmin role.

18 Set permissions for Spf Service Account in SQL

Update Rollup 1 changes App Pool Identity

When you install System Center Orchestrator 2012 SP1 Update Rollup 1 on the Service Provider Foundation server the VMM App Pool Identity is changed from the domain service account (domain\Svc_Spf) to Network Service.

05-IIS-after-update

You need to change the App Pool Identity back to the service account (domain\Svc_Spf). You can find a complete walkthrough in the post System Center 2012 SP1 Update Rollup 1 breaks Service Provider Foundation connectivity in Windows Azure for Windows Server.
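Because an update rollup can silently reset the identity, it is useful to have a script that reports every SPF application pool identity and puts the VMM pool back on the service account when it has drifted to Network Service. The script below is an added example and not from the original post or the product; the application pool name 'VMM' is an assumption, so confirm the actual pool name in IIS Manager before using it.

```powershell
# Added example, not from the original post. Run elevated on the SPF server
# after applying an update rollup. Pool name 'VMM' is assumed; check IIS Manager.
Import-Module WebAdministration

$serviceAccount = 'domain\Svc_Spf'   # from this post
$poolName       = 'VMM'              # assumed name of the VMM web service pool

function Get-AppPoolIdentity {
    param([string]$Name)
    $pool = Get-Item "IIS:\AppPools\$Name"
    # identityType reads back as a name such as NetworkService or SpecificUser.
    [pscustomobject]@{
        Name         = $Name
        IdentityType = $pool.processModel.identityType
        UserName     = $pool.processModel.userName
    }
}

# Report every pool, so unexpected changes to the Admin or Provider pools
# are visible in the same run.
Get-ChildItem IIS:\AppPools |
    ForEach-Object { Get-AppPoolIdentity -Name $_.Name } |
    Format-Table -AutoSize

$current = Get-AppPoolIdentity -Name $poolName
if ($current.IdentityType -eq 'SpecificUser' -and $current.UserName -eq $serviceAccount) {
    Write-Host "$poolName already runs as $serviceAccount"
} else {
    Write-Warning "$poolName runs as '$($current.IdentityType)' ($($current.UserName)); resetting"
    # Prompt for the password instead of storing it in the script.
    $cred = Get-Credential -UserName $serviceAccount -Message 'SPF service account password'
    # identityType 3 = SpecificUser in the IIS processModel configuration.
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
        identityType = 3
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $poolName
    Write-Host "Now runs as: $((Get-AppPoolIdentity -Name $poolName).UserName)"
}
```

Running only the reporting part after each update is enough to detect the problem; the reset branch is there so the fix is the same every time rather than a manual edit in IIS Manager.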

More information

Enabling Hosted IaaS Clouds for Service Providers Using Microsoft System Center 2012 SP1 with Windows Server 2012

Service Provider Foundation on TechNet

Cloud Resource Management with System Center 2012 Service Pack 1 (SP1) – Orchestrator and Service Provider Foundation


Service Manager & Orchestrator – Management Pack Transfer Tool

November 8, 2013

Have you ever tried to transfer some Request Offerings that contain runbooks from one environment to the other?
You will notice that it is not possible by default.

The problem is that the links to the runbooks no longer work, since all the runbooks have been re-imported and have been assigned new IDs.

importtool

By using this easy four-step procedure you can accomplish a successful transfer!

Download Here


Patching Orchestrator Runbook Servers while Maintaining High-Availability

May 14, 2013

Balancing server patching with maintaining the availability of the services that run on these servers can be a difficult task for an IT Pro, with lots of repetitive, time-consuming, and error-prone steps. Luckily, Orchestrator has emerged as an effective automation tool to help IT Pros manage the patching process. But what about when the Orchestrator service itself needs to be patched? How can an IT Pro ensure their enterprise automation continues to function despite the patching of the servers running Orchestrator components?

Joe Levy has published an interesting post that lays out all the steps to follow to maintain high availability when patching Runbook Servers. Read the original post here

System Center 2012 Orchestrator–RunBook Basics

May 10, 2013

System Center Orchestrator 2012, a new member of the System Center 2012 family and the next version of Opalis, takes its place at the center of private cloud scenarios. During automation of your dynamic datacenters, Orchestrator can move your operations one more step forward and can integrate with Microsoft and non-Microsoft solutions with just a few clicks.

Let me give you a few examples;

  • You can trigger Orchestrator workflows through an incident management system such as Service Manager 2012.
  • Periodic installation processes can be automated. For example, during installation you can take actions in Active Directory, stop load balancer pools, check service status, etc.
  • Active Directory operational tasks such as creating and deleting users, creating groups, changing memberships, etc. can be moved to Orchestrator RunBooks.
  • You can monitor SCOM alerts and trigger custom RunBooks. For example, when a virtual machine runs out of disk, SCOM generates an alert and Orchestrator can assign an additional disk through the triggered RunBook.

In this blog post series we'll cover how to design RunBooks from basic to complex. At the end of the series you will understand what Orchestrator 2012 can do and how you can integrate it into your current environment.

For the first part, "RunBook Basics", I'll cover the basic RunBook concept and the activities that reside within RunBooks.

A RunBook consists of automated tasks and process steps. Each automated step within a RunBook is called an activity.

Here is the very basic RunBook design;


That RunBook reads a static text file, maps each line to a server name, and then restarts a service on each remote server automatically.

Before going into the RunBook creation details, let’s look at the RunBook properties.


Right click a previously created RunBook and click Properties.

GENERAL:


On the General tab, you can customize the name and description fields. Name is an important field because if you decide to import your RunBooks into Service Manager as activities, you will recognize each RunBook by its name. (Yes, you can import your RunBooks into Service Manager!)

Also on the General tab, you can set a schedule so that the RunBook runs only on the dates and times you specify.

RUNBOOK SERVERS:


Each RunBook needs a RunBook Server to run. If high availability is required, you must add additional RunBook Servers. For each RunBook, primary and standby RunBook Servers can be set.

Failure of the primary RunBook Server will trigger the standby RunBook Server to act as primary.


To set the primary and standby RunBook Servers for a RunBook, click Add and specify your RunBook Servers.

LOGGING:

In this section you can choose additional logging options; the logged data is stored in the Orchestrator database and shown in the Orchestrator Console.

I'll cover this in more detail in future posts.


EVENT NOTIFICATION


On the Event Notification tab, an additional log file can be generated when a RunBook fails to run or runs for more than the specified number of seconds. The related log files can be viewed with the Designer Console or the Web Console.

JOB CONCURRENCY


One of the most critical options is Job Concurrency. Even though you configure this setting for one single RunBook, it in fact has an impact on all Orchestrator RunBook Servers. Its main purpose is specifying the number of concurrent jobs for this RunBook. A RunBook Server can have a maximum of 50 concurrent jobs, so if you need more than this limit you must deploy additional RunBook Servers.

RETURNED DATA


If you finalize your activities with the "Return Data" activity, this RunBook can pass the defined data on to other RunBooks.


In this blog post we covered the basic RunBook concept. In the next parts we'll dive into more detail about designing and deploying RunBooks over multiple RunBook Servers.