This post is the 2nd in a series focused on making common administrative tasks in System Center and Azure available via the Service Manager Self-Service Portal. This solution allows for the provisioning of Azure VMs using the Service Manager Self-Service Portal. This post was authored by Brad Watts, a Premier Field Engineer out of Washington, DC.

Series

Using the Service Manager Self-Service Portal for Common Tasks in Configuration Manager, Operations Manager, and Azure

Overview

The scenario in mind when building this solution was an environment where we have system administrators that do not have access to our Azure Management Interface. We need to provide them an easy way to request new Azure Virtual machines but still allow our Infrastructure Administrators who control Azure the ability to approve or disapprove which VMs get build.

In the following example we are using Azure, System Center Service Manager, SharePoint, and System Center Orchestrator to provide a self-service portal for administrators to request a new Azure Virtual Machine. The overall process works as follows:

  1. Administrator goes to the System Center Service Manager Self-Service Portal that is hosted on SharePoint and fills out a Provision Azure VM request with the following information
    1. NetBIOS Computer Name of new Azure VM
    2. Operating System for new Azure VM
    3. Size of the Azure Image
    4. Local Admin User Name
    5. Domain Account that will be granted admin right on the new Azure VM
    6. Organization Unit the computer object will be moved to
    7. Justification for new Azure VM
  2. This will create a new Service Request in Service Manager with two steps:
    1. Approval by Infrastructure Administrator
    2. Initiation of Runbook to provision new VM

Overview of Workflow

Below we will step through the process as it would be seen by both the administrator and the infrastructure administrator.

  • Administrator uses the Self-Service Portal in SharePoint to fill out the Provision Azure VM form.

clip_image001

Here are the fields in the Provision Azure VM form

clip_image002

clip_image003

  • Once the form is submitted a new Service Manager Service Request is generated. You can see in this overall form the information that was entered in the form.

clip_image004

You can also see that there are two activities associated with the request. The first is the approval by the Infrastructure Administrator. The second is the initiation of Orchestrator Runbook to provision the new virtual machine.

clip_image005

  • Opening the Review Activity allows the Infrastructure Administrator to either approve or reject the new virtual machine. In this example we have designated the LAB.Administrator as the approver.

clip_image006

  • If the Review Activity is approved then we will initiate the “Provision New VM with VNet” runbook. We are passing in the Runbook ID from Service Manager to the Orchestrator Runbook.

clip_image007

Prerequisites

There are several things that have been configured before I created this scenario that I will not cover. If you wish to recreate this you will need to have the following in place:

  1. An Azure Lab that you can test provisioning the new virtual machine
  2. You will need to install and configure Windows Azure PowerShell on your Orchestrator Runbook Server. Here is a good document on configuring this.
  3. You will need to install Windows Active Directory PowerShell on your Orchestrator Runbook Server.
  4. You will need to install the Active Directory Integration Pack on your Orchestrator Runbook Server.

You will need an Azure Image to utilize that does not have the Windows Firewall on by default. If the firewall is on by default then you are unable to connect to the server in order to join it to the domain. You can find documentation on doing this online but here is the overall steps of what I did:

  • Create a new Azure Virtual Machine
  • Log into the virtual machine and turn off the firewall. If there are any additional default setting you would like complete them here.
  • Run SysPrep on the server and make sure it gets shutdown on completion.
  • Use the Azure Management Interface to create a new image. I named my images DemoWIndowsServer2008R2, DemoWindowsServer2012, and DemoWindowsServer2012R2. You can name them whatever you wish but make sure you use the correct names below when creating your runbook.

Also, the below scenario was built in a controlled environment for demonstration purposes. There is no error handling built into this runbook. For instance, I can enter a NetBIOS Name in the request form that already exist and there will be no warning. If the request is approved then the runbook will initiate and fail on creating the virtual machine because that Windows Azure Service already exist. Anytime you use automation in a production environment error handling and recovery from a failure should be considered.

Configuring this Scenario

We are now going to walk through the steps to build this scenario. There is no exact order to do the different steps so I did the steps in the order in which I actually did the work. We will walk through each of the following steps:

  • Create Service Request Class
  • Configuring the Runbooks in System Center Orchestrator
  • Creating the Service Offering in Service Manager

Step 1: Create Service Request Class

In the first step we will create a custom “Service Request” class in Service Manager. This is an optional step. You can use the standard “Service Request” and map the inputs from the form to already existing properties. In this example we are going to create new properties so when the user fills in the “Organizational Unit” we will be able to map it to a property that matches that name.

  1. Open the Service Manager Authoring Tool
  2. Go to File | New
  3. Give your Management Pack a name that will easily define what is in it. Below I named it Custom.Azure.Service.Request

clip_image008

  • Right click on “Classes” and choose to “Create other class”

clip_image009

  • Choose “Service Request” as your base class

clip_image010

  • Give the new class an internal name that will be both descriptive and also unique in your environment. Below I chose to name it “Custom.Azure.Service.Request.AzureVMProvision”

clip_image011

  • I typically change the “Name” property to be something more user friendly. This is the string that will show up in the console when you select the new class.

clip_image012

  • Under “Class properties and relationships” choose to “Create property”

clip_image013

  • Give it the internal name of “VMSize”

clip_image014

  1. Repeat this process for the following properties
    1. VMImage
    2. DomainUser
    3. NetBiosName
    4. LocalAdmin
    5. OrganizationalUnit
  2. Click on “File | Save All”
  3. Import the newly created Management Pack into Service Manager.

We now have a new class in Service Manager with the properties we are going to use for our Request Offering. All other configuration for this Service Request will be done within the Service Manager Console and after we have created the System Center Orchestrator Runbooks.

Step 2: Configuring the Runbooks in System Center Orchestrator

Now that we have the new class in Service Manager we are able to create and configure the runbooks that will provision our new Azure Virtual Machine. The following runbooks will be used in this scenario:

  1. Provision New VM with VNet: This is the parent runbooks. From this runbook we get all of the information that is filled out in our service request. Using this information we call our Sub-Runbooks that do the following:
    1. Provision a new Azure VM in a specific virtual network
    2. Join the newly created VM to our Domain
    3. Add the domain account from the form to the local admin group
    4. Move the VM to the specified OU
  2. Provision VM with VNET: This used a PowerShell Script with the Azure Modules imported to provision the new virtual machine. In this scenario I couldn’t use the Azure Integration Pack to create the virtual machine because this doesn’t allow you to create it in a specific virtual network.
  3. Add Computer to Domain: Uses a PowerShell script with the Active Directory Module to add the new virtual machine to the domain.
  4. Add User to Local Admin: Uses a PowerShell script to add the domain account specified in the service request to the local admin group.
  5. Move Computer to OU: Uses the Active Directory Integration pack to move the new virtual machine to the specified OU

We will walk through each of the Sub-Runbooks before we go through the parent Runbook.

Move Computer to OU

The following activities are in this runbook

  1. Initialize Data
    1. Activity Type: Runbook Control | Initialize Data
    2. Action: This requires the NetBIOS Name and the Organization Unit to move the server to
  2. Get Computer
    1. Activity Type: Active Directory | Get Computer
    2. Action: Uses the NetBIOS Name to get the Active Directory Object
  3. Move Computer
    1. Activity Type: Active Directory | Move Computer
    2. Action: Uses the Distinguished Name from the Get Computer Activity and the Organization Unit from the Initialize Data activity to move the computer

clip_image015

Initialize Data Activity

clip_image016

Get Computer Activity

clip_image017

Move Computer Activity

clip_image018

Add User to Local Admin

The following activities are in this runbook

  1. Initialize Data
    1. Activity Type: Runbook Control | Initialize Data
    2. Action: This requires the following
      1. ServerName
      2. UserName
  2. Add Domain Account to Local Admin
    1. Activity Type: System | Run .Net Script
    2. Action: Runs a PowerShell script that will add the specified AD User to the local admin group

clip_image019

Initialize Data Activity

clip_image020

Add Domain Account to Local Admin

clip_image021

PowerShell Script

$computerName = '<NetBios Name>' $userName = '<UserName>' [string]$domainName = ([ADSI]'').name ([ADSI]"WinNT://$computerName/Administrators,group").Add("WinNT://$domainName/$userName")

Add Computer to Domain

In order to add the computer to the domain we will need a local username/pwd that has admin rights currently on the non-joined server and also a domain username/pwd that has rights to join the server to the domain. We will also use the IP Address to connect to the server being it doesn’t currently have a record in DNS.

The following activities are in this runbook

  1. Initialize Data
    1. Activity Type: Runbook Control | Initialize Data
    2. Action: This requires the following
      1. Domain Pwd
      2. LocalUserPass
      3. DomainUserName
      4. IPAddress
      5. LocalUser
  2. Add Computer to Domain
    1. Activity Type: System | Run .Net Script
    2. Action: Runs a PowerShell script that utilizes the Active Directory Module to add the server to the domain

clip_image022

Initialize Data Activity

clip_image023

Add Computer to Domain

clip_image024

PowerShell Script

$pshell = powershell{ $localcred = New-Object System.Management.Automation.PScredential("<LocalUser>",("<LocalPass>" | ConvertTo-SecureString -AsPlainText -Force)) $domaincred = New-Object System.Management.Automation.PScredential("<DomainUser>",("<DomainPass>" | ConvertTo-SecureString -AsPlainText -Force)) $computerName="<IPAddress>" import-module activedirectory $results = Add-Computer -computerName $computerName -LocalCredential $localcred -DomainName "Litware.com" -Credential $domaincred -Restart -Force }

Provision VM with VNET

The following activities are in this runbook

  1. Initialize Data
    1. Activity Type: Runbook Control | Initialize Data
    2. Actions: This requires the following
      1. Image
      2. Size
      3. Servername
      4. Admin (local admin account to be created)
      5. Pwd (Password for the local admin account)
  2. Provision New Azure VM
    1. Activity Type: System | Run .Net Script
    2. Action: Runs a PowerShell script that utilizes the Windows Azure Module to provision a new Azure Virtual Machine to a specific virtual network

clip_image025

Initialize Data

clip_image026

Provision New Azure VM

clip_image027

PowerShell Script

$pshell = powershell{ [string]$serviceName="<NetBios Name>" [string]$vmSize="<VMSize>" [string]$adminUserName="<AdminUserName>" [string]$adminPassword="<AdminPwd>" [string]$imageName="<ImageName>" import-module azure Import-AzurePublishSettingsFile -PublishSettingsFile C:\Azure\azurepfe-bwatts-1-24-2014-credentials.publishsettings get-azuresubscription | set-azuresubscription -currentstorageaccountname ras $newvm = New-AzureQuickVM -Windows -ServiceName $serviceName -Name $serviceName - ImageName $imageName -AdminUserName $adminusername -Password $adminPassword -instancesize $vmsize -vnetname 'Litware.com' -AffinityGroup Litware –WaitForBoot start-sleep -Seconds 120 }

Provision New VM with VNet

This is the core runbook for our automation. While the sub-runbooks do most of the work this runbook does all of the orchestration for the Provisioning of a new VM.

The following activities are included in this runbook:

  1. Get Runbook GUID
    • Activity Type: Runbook Control | Initialize Data
    • Action: This runbook is initialized from Service Manager. To initialize the runbook the Runbook ID from Service Manager is passed in.
  2. Get Runbook Object
    • Activity Type: SC 2012 Service Manager | Get Object
    • Action: This uses the Runbook ID to pull the “Runbook Automated” activity class
  3. Get SR GUID
    • Activity Type: SC 2012 Service Manager | Get Relationship
    • Action: Because the “Runbook Automation” class is related to the “Azure VM Provision” class we created earlier we are able to map them together here using the “SC Object GUID” from the “Get Runbook Object” activity
  4. Get Service Request
    • Activity Type: SC 2012 Service Manager | Get Object
    • Action: Using the “Azure VM Provision” class we got from the “Get SR GUID” activity we are able to now pull the Service Request using “SC Object GUID” equals “Related Object GUID” from the “Get SR GUID Activity”. The Service Request has all of the information that was filled out using the Self-Service Portal.
  5. Map Publish Data
    • Activity Type: Utilities | Map Publish Data
    • Action: Not all of the data entered from the form is in the exact format we need to provision our virtual machine. We use this activity to map the following variables:
      • Map VMSize from the service request to a new Size variable
        • Extra Small (Shared core, 768 MB Memory) = extrasmall
        • Small (1 core, 1.75 GB memory) = small
        • Medium (2 core, 3.5 GB memory) = medium
        • Large (4 core, 7 GB memory) = large
        • Extra Large (8 core, 14 GB memory) = extralarge
      • Map VMImage from service request to a new image variable
        • Windows Server 2008 R2 = DemoWindowsServer2008R2
        • Windows Server 2012 = DemoWindowsServer2012
        • Windows Server 2012 R2 = DemoWindowsServer2012R2
      • OrganizationUnit from service request to a new newOU variable
        • Region 1 = OU=Region1,DC=litware,DC=com
        • Region 2 = OU=Region2,DC=litware,DC=com
  6. Generate Local Password
    • Activity Type: Utilities | Generate Random Text
    • Action: The user is providing a Domain Account that will be granted local admin rights. Because of this he doesn’t need to know the local admin password so we just generate a random password for the local admin.
  7. Send Event Log Message
    • Activity Type: Notification | Sent Event Log Message
    • Action: I put this in to help me troubleshoot issues when I was running the runbook from Service Manager. This logs the following variables into the event log on the Orchestrator Runbook Server
      • NetBIOS Name
      • Image Name
      • Size
      • Local Admin Username
      • Local Admin Password
      • newOU
  8. Provision New Azure VM
    • Activity Type: Runbook Control | Invoke Runbook
    • Action: Runs the “Provision VM with VNET” runbook. Note that after the VM is provisioned I placed a 2 minute wait at the end of the script. This is to ensure the VM is up on the network before we proceed.
  9. Wait for VM and get IP
    • Activity Type: System | Run .Net Script
    • Actions: In order to join the virtual machine to the domain we need to get the servers IP address. This runs a PowerShell script that gets the IP address of the server. Note that I also put a 5 minute wait at the end of this script. The wait is just to ensure we are able to connect to the server and join it to the domain.
  10. Add to Domain
    • Activity Type: Runbook Controls | Invoke Runbook
    • Action: Runs the “Add Computer to Domain” runbook. Note that this will reboot the computer. To account for this I put a delay on the link between this activity and the next of 3 minutes
  11. Add Domain User to Local Admin
    • Activity Type: Runbook Controls | Invoke Runbook
    • Action: Runs the “Add User to Local Admin” runbook

clip_image028

Get Runbook GUID

clip_image029

Get Runbook Object

clip_image030

Get SR GUID

clip_image031

Get Service Request

clip_image032

Map Published Data

clip_image033

Generate Local PWD

clip_image034

Provision New Azure VM

clip_image035

Wait for VM and Get IP

clip_image036

PowerShell Script

$vmipaddress=Powershell{ import-module azure Import-AzurePublishSettingsFile -PublishSettingsFile C:\Azure\azurepfe-bwatts-1-24-2014-credentials.publishsettings get-azuresubscription | set-azuresubscription -currentstorageaccountname ras $vmipaddress = (get-azurevm '<NetBiosName>').ipaddress while ($vmipaddress -eq $null) { start-sleep -Seconds 30 $vmipaddress = (get-azurevm '<NetBiosName>').ipaddress } start-sleep -Seconds 500 return $vmipaddress }

Add to Domain

clip_image037

Add User to Local Admin

clip_image038

Move OU

clip_image039

Step 3: Creating the Service Offering in Service Manager

To create a Service Offering in Service Manager you have to create several different items. The first item is the Service Template. This will decide how gets assigned the service request, any fields that are auto completed, and what activities are a part of this Service Offering.

In this case our Service Template contains two activities. One is a review activity and the other is a runbook automation. So in this case we will create the following three items:

  1. Runbook Automation Task
  2. Review Activity Task
  3. Provision VM Template

Once you have the Service Template created you need to create the form that will be hosted on the Self Service Portal. This will be a new Request Offering called “Provision new VM”. If you want this to fall under a category such as “Azure Management” you need to either create a new Service Offering or add it to an existing one. In the following section we will walk through this process.

Creating the Service Template

When creating the Service Template you want to create the activities that will be a part of this template first and then create the Service Template.

Step 1: Create the Runbook Automation Task

  • In the Service Manager Console go to Library | Templates
  • Right click and select “Create Template”

clip_image040

  • Enter the following:
    • Name: Azure VM Provisioning Runbook
    • Class: Runbook Automation Activity
    • Management Pack: <MP Created in Service Manager Authoring Tool>

clip_image041

  • Click OK
  • In the General Tab fill in the following
    • Title: Provision Azure VM Runbook
    • Check “Is Ready for Automation”
    • Area: Operations
    • Stage: Approve

clip_image042

  • In the Runbook Tab fill in the following
    • Name: Choose the “Provision New VM with VNet” (If this doesn’t show up you need to sync your runbooks with Service Manager)
    • RunbookID: click Edit Mapping and choose “Object | Id”

clip_image043

  • Click OK to save the Template

Step 2: Create the Review Activity

  • In the Service Manager Console go to Library | Templates
  • Right click and select “Create Template”

clip_image040[1]

  • Enter the following:
    • Name: Azure VM Approval
    • Class: Review Activity
    • Management Pack: <MP Created in Service Manager Authoring Tool>

clip_image044

  • Click Ok
  • In the General Tab fill in the following
    • Title: Approve Azure VM
    • Stage: Initiate
    • Area: Operations
    • Reviewers: <Individuals who need to review activity>

clip_image045

  • Click Ok to save the activity

Step 3: Create the Provisioning Azure VM Template

  • In the Service Manager Console go to Library | Templates
  • Right click and select “Create Template”

clip_image040[2]

  • Enter the following:
    • Name: Azure VM Approval
    • Class: <Class Created in Service Manager Authoring Tool>
    • Management Pack: <MP Created in Service Manager Authoring Tool>

clip_image046

  • Click Ok
  • In the General Tab fill in the following
    • Title: Provision Azure VM Service Request
    • Urgency: Medium
    • Priority: Medium
    • Source: Portal
    • Area: Operations

clip_image047

  • In the Activity Tab click the green + to add an activity
  • Choose Azure VM Approval and click ok when that template opens up
  • In the Activities Tab click the green + to add an activity
  • Choose Azure VM Provisioning Runbook and click ok when that template opens up

clip_image048

Configuring the Self-Service Portal Request

Now that we have the Service Request Template configured we need to configure the Self-Service Portal. This will involve creating a request form through a Request Offering and also creating a container to hold this form using a Service Offering.

Step 1: Creating the Request Offering

  • In Service Manager go to Library | Service Catalog | Request Offering
  • Right click and choose “Create Request Offering”

clip_image049

  • Under the General Tab fill in the following:
    • Title: Provision Azure VM
    • Template Name: Provision Azure VM Template
    • Management Pack: <MP Created in Service Manager Authoring Tool>

clip_image050

  • Under User Prompts fill in the following (these are the prompts the end user will get):
    • NetBios Name: Text
    • Operating System: Simple List
    • Size: Simple List
    • Local Admin Username: Text
    • Domain Account to be granted local admin (enter username w/o domain): Text
    • Organizational Unit: Simple List
    • Justification: Text

clip_image051

  • Under the Configure Prompt do the following
    • Click on Operating System and add the following to the list
      • Windows Server 2008 R2
      • Windows Server 2012
      • Windows Server 2012 R2
    • Click on Size and add the following to the list
      • Extra Small (Shared core, 768 MB Memory)
      • Small (1 core, 1.75 GB memory)
      • Medium (2 core, 3.5 GB memory)
      • Large (4 core, 7 GB memory)
      • Extra Large (8 core, 14 GB memory)
    • Click on Organization Unit and add whichever OUs you wish them to be able to select. For instance:
      • Region 1
      • Region 2

clip_image052

  • Under Map Prompts do the following
    • Click Provision Azure VM
      • VMSize –> Size
      • VMImage –> Operating System
      • DomainUser –> Domain Account to be granted local admin (enter username w/o domain)
      • NetBiosName –> NetBios Name
      • LocalAdmin –> Local Admin Username
      • OrganizationalUnit –> Organizational Unit
      • Description –> Justification

clip_image053

  • Under the Publish tab change the “Offering Status” to “Published”

clip_image054

  • Click Next and Complete

Step 2: Creating Container for Request Offering

  • In Service Manager go to Library | Service Catalog | Service Offerings
  • Right click and choose “Create Service Offering”

clip_image055

  • In the General Tab enter the following
    • Title: Azure Management
    • Management Pack: <MP Created in Service Manager Authoring Tool>

clip_image056

  • In the Request Offering Tab add the Provision Azure VM Request offering you just created

clip_image057

  • In the Publish Tab change the “Offering Status” to published

clip_image058

  • Click Next and Complete

Review

In this scenario we’ve used System Center Service Manager, System Center Orchestrator, and SharePoint to create a solution that is very simple to use but provides all of the functionality that was required. The long term goal would be to have a centralized place for your administrators to go to make all of their request. This would be whether they want a new virtual machine, a particular agent pushed out to their server, or a server needs to be decommissioned. At this point you should have a working solution to provision a new Azure VM. All that is left to do is to test the solution by filling out the form on your Self-Service Portal and approving the Service Request in Service Manager.

 

Continue to the 3rd post in this series: Sync Configuration Manager Collections in Service Manager