Orchestrator 2012: Runbook server in an untrusted AD Domain

Dear All,

In this post, I’ll explain you how to install an Orchestrator 2012 runbook server in an untrusted Active Directory domain.
Installing a runbook server in an untrusted AD domain is required when your integration pack or workflow activities are not able to manage several Active Directory domain/credentials and are using only the Orchestrator Service Account to run.

With this new runbook server installed, you will be able to start runbooks from your Runbook management server located in your primary domain and execute it directly on the runbook server hosted in the untrusted domain. You just need to ensure that the service account which is used by the runbook server in the untrusted domain has the necessary rights to execute the required actions in that untrusted active directory domain.

Let’s go for this implement J

Prerequisites:

Definition

I will define two “key words” that I’ll use for the rest of this post:

  • Primary domain: Active Directory domain where you have your Orchestrator 2012 infrastructure installed.
  • Untrusted domain: Active Directory domain that doesn’t have any AD trust with your Primary domain.

Infrastructure

  • An Orchestrator 2012 infrastructure installed in your primary domain.
  • A fresh new installed server in the untrusted domain on which we will install the runbook server role.

Service Accounts

  • In your primary domain, on your SQL server, Orchestrator 2012 SQL Instance, you have to create a SQL User Account that is DB_Owner of the Orchestrator database.
  • Ensure the SQL is in mixed mode and allows connection from AD and SQL accounts.
  • In the untrusted domain, you have to create a service account that is identical (Same SamAccoutName and Password) to the Orchestrator service account that is currently used by the Orchestrator 2012 infrastructure in you primary domain. If the service account used in your primary domain is SA_Orchestrator with the password: P@$$w0rd you have to create the service account SA_Orchestrator with the same password in the untrusted domain. This account must be local admin of the server on which you will install the Orchestrator Runbook server role.

     

Installation:

Logon the fresh new installed server in the untrusted domain and start the Orchestrator installer.

In the Standalone installation part, click on Runbook server.

Accept the licence terms and click on Next >.

Prerequisites check in progress

Specify the service account that you previously created in the non-trusted domain which is identical to the account used in the primary domain.

Click on Test.

Click on Next >.

Specify the SQL Instance (by using the IP address or the FQN if you have a DNS resolution between your AD domain) of the Orchestrator DB which is located in the primary domain.

Specify the SQL user account that you created in the prerequisite part.

Click on Test Database Connection.

Click on Next >.

Select the existing Orchestrator Database and click on Next >.

Specify the installation folder and click on Next >.

Select No, I am not willing to participate and click on Next >.

Review the information and click on Install.

Installation in process.

Installation completed

Click on Close.

You could confirmation that the installation succeeded by starting the System Center 2012 Orchestrator Deployment Manager in your primary domain.

In the Runbook Servers part, you will see the runbook server that you just installed in the untrusted domain.

   

Integration pack installation

 
   

Integration pack installation on a runbook server which is in an untrusted domain must be done domain manually.

For that, go to your Orchestrator Manager Server which is installed in your primary domain, copy the IPs that you want to install on your new runbook server in the untrusted domain.

The integration packs are location in the following folder:

C:Program Files (x86)Common FilesMicrosoft System Center 2012OrchestratorManagement ServerComponentsObjects

One the IPs copied on the new runbook server, just double click on the file to install.

Ip Installation in progress.

Check in the Add/Remove programs if the IP is well installed.

 

You have new an Ochestrator Runbook server that is installed in another active directory domain that your Orchestrator Management server.
I hope that this post is helpful for your and fell free to post your comments 😉

 

Christopher

 

Tweet about this on TwitterShare on FacebookShare on LinkedInShare on Google+Email this to someoneShare on TumblrPin on PinterestDigg thisShare on RedditFlattr the authorBuffer this pageShare on StumbleUpon

About Christopher Keyaert

Christopher Keyaert is a Consultant, focused on helping partners to leverage the System Center and Microsoft Azure cloud platform. He is also a Microsoft Most Valuable Professional (MVP) for Cloud and Data Center Management and a Microsoft Certified Trainer (MCT).
This entry was posted in Orchestrator. Bookmark the permalink.

4 Responses to Orchestrator 2012: Runbook server in an untrusted AD Domain

  1. Raghul says:

    Dear Christopher,

    Do we need to open ports between the servers in trusted and untrusted domain? If so what ports need to be opened ?

    Regards
    Raghul

  2. Pingback: Links zu Hyper-V & System Center 2012 SP1/R2 › Daniel's Tech Blog

Leave a Reply

Your email address will not be published. Required fields are marked *