1

Orchestrator Use Cases

Appalachian StateIllinois

Andrew SandersErik Coleman

Information Technology Services2

AppState Environment

Single server:• SQL instance• Runbook server• Web console• Runbook Designer

Runbook Designer also on clients

Information Technology Services3

Current Uses

Four Runbooks:• SCCM application requests• Endpoint Protection Remediation• Endpoint Protection Remediation clean-up• Help-desk software process

Information Technology Services4

Endpoint Protection Remediation

Using Orchestrator at Illinois

Erik Coleman, Senior Manager, Enterprise Systemsecc@Illinois.edu

Current Environment

• Single Orchestrator Server: – SQL instance with custom DB– Runbook server – Web console – Runbook Designer – In process of moving SQL DB's to separate server

• Custom ASP.NET Web Front End

Current Uses

• Lync Account Provisioning– Person Accounts– Role-based (non-person) Accounts– Common Area Phones– Add/Delete/Change

Lync Account Provisioning Workflow

• Need for phone endpoint• Telecom Unit Coordinator (TUC) submits service

request• Phone Number Assigned• Submit Ticket to Lync Team• Manual Actions by Lync Team (LCP or

PowerShell)• Respond/Close Ticket

Use Orchestrator

LyncProcessingMain Runbook

LyncScripts Child Runbook

Anatomy of our Scripts

• “Run .NET Script” Activity:– Grab data from SQL table– Initialize Lync and Exchange Remote PS Sessions– Invoke Script as 64-bit– Call local Lync-PowerShell Scripts

Typical PowerShell “Wrapper” Code

# Function to initialize Lync and Exchange connectionsFunction ConnectSessions{$pass = ConvertTo-SecureString ”{LyncServiceCredential} -AsPlainText -Force$cred = New-Object System.Management.Automation.PSCredential ("{LyncServiceAccount}",$pass)Import-Module ActiveDirectory$LyncSession = New-PSSession -Name LyncSCORCH –ConnectionURI {LyncConnectionURI} -Credential $credImport-PSSession $LyncSession$ExchangeSession = New-PSSession -Name ExchangeSCORCH –ConfigurationName Microsoft.Exchange -ConnectionUri {ExchangeConnectionURI} -Authentication Kerberos -Credential $credImport-PSSession $ExchangeSession}

Typical PowerShell “Wrapper” Code

# Initialize Remote PowerShell SessionsInvoke-Command –ScriptBlock ${function:ConnectSessions}

# Actual script execution: Grab appropriate script from variables and pass args.$scriptPath = {LyncScriptPath}{LyncAddPersonScript}$argumentList = @()$argumentList += ("-Username",$netid)

$output = Invoke-Expression "& `"$scriptPath`" $argumentList 2>&1" -ErrorAction Continue

Remove-PSSession -Name LyncSCORCHRemove-PSSession -Name ExchangeSCORCH

Is Orchestrator Worth the Time?

• Activating a Lync Account• O = 3180 minutes (53 man-hours)• T = 8 minutes• Nt = 200/month

• T x Nt = 1980 minutes/month saved• Using Orchestrator was “worth it” after 2

months in production

Tips and Tricks

• Avoid Counters• Some Activities not thread-safe, like Append

Line• Junctions are not what they seem• Logging is not centralized (DB, text, and

EventLogs)• Edit PowerShell in PowerGUI (or equiv.)• Native PowerShell 2.0 engine is 32-bit only

Future Orchestrator Uses

• Some things already done with PowerShell• Identity Changes• VM Provisioning

Questions?