sabell2012
Mega Sage

NOTE: MY POSTINGS REFLECT MY OWN VIEWS AND DO NOT NECESSARILY REPRESENT THE VIEWS OF MY EMPLOYER, ACCENTURE.

 

THE FOLLOWING ARTICLE IS A SUGGESTED METHOD FOR DEVELOPING AND TESTING ORCHESTRATION CODE AND NOT AN ENDORSEMENT OF ANY PARTICULAR PRODUCT MENTIONED.

 

WARNING:   THIS IS AN ADVANCED ARTICLE as it assumes knowledge of, or familiarity with, several different areas in ServiceNow and Windows.

____________________________________________________________________________

 

 

In this second article of a several-part series I will be showing how to install a basic Active Directory (AD) server on the Windows 2008 VirtualBox server we created in my previous article.   I will also be demonstrating basic access to, and manipulation of, AD from an Orchestration Workflow you will create on your developer instance of ServiceNow.

 

Some time ago this was one of the "big goals" on my bucket-list of "tools-I-wish-I-had": something to develop and learn on my own time, with my own personal instance, to help grow my skills in ServiceNow.   So I am happy to share!

 

Pre-requisites

 

1. Work through my first set of labs for installing a Windows 2008 Server, and VirtualBox:

 

Mini-Lab: Orchestration - Creating your own Windows 2008 Server with VirtualBox

 

2. Some familiarity with Active Directory.

3. Some familiarity with Windows installations and configurations.

4. Familiarity with the ServiceNow Workflow Editor, and creating workflows.

 

This article will not teach (you will have to dig these out on your own):

 

· Active Directory (or best practices)

· Active Directory Maintenance

· Microsoft Windows Configuration

 

 

Lab 1.1 - Install Active Directory Services on the Windows 2008 Server

 

a. Follow the steps on this site for a successful installation of Active Directory Services:

 

https://technet.microsoft.com/en-us/library/cc755059(v=ws.10).aspx

 

            Stepping through the wizard:

 

i. Install a New Forest by Using the Graphical User Interface (GUI)

 

ii. I chose the following for my Forest FQDN (Fully Qualified Domain Name; you can name it whatever you wish):   myForest.local

 

iii. For the Forest functional level: Windows Server 2008

 

iv. Additional Domain Controller Options:   DNS Server

 

v. Static IP assignment: choose "Yes, the computer will use a dynamically assigned IP address".   Note:   You will actually be using the static IP you set up in my previous article, but this choice seems to have no effect and gets us to our desired goal.

 

vi. Another popup asking about delegation will appear.   Click the Yes button to continue.

 

vii. Location for Database.   Take the defaults and click the Next button.

 

viii. Administrator password.   Fill it in and click the Next button.

 

ix. Review your selections.   Click the Next button.   At this point the DNS Server will be installed, then the Group Policy Management Console, then AD with your new forest.   It all goes pretty quick.

 

x. When it is done click the Finish button.   Then click the Restart Now button.   Windows 2008 will reboot and apply the settings, after which you will be logging in as <Forest FQDN>\Administrator with the new password you gave.

             

NOTE:   With AD Domain Services, and the DNS Server you now have all the components for Active Directory manipulation.

 

b. After the reboot, log back into your Windows 2008 server and navigate to Start -> Administrative Tools -> Server Manager.

 

 

i. Your Active Directory environment should now look something like this.

 

 

c. Now let's add a new Organizational Unit (OU) that we will add users to via Orchestration. From your 2008 Server go to Active Directory Users and Computers.

 

 

i. Open up your domain tree (myForest.local for me)

 

ii. Right click on the name of your domain and choose New -> Organizational Unit.   This will bring up a simple form for creating a new OU.   This will be the AD folder where we will be putting our new user during the Orchestration test.

 

 

iii. Name: ForestAdmins.   Click the OK button to save your work.

 

 

That should be it on the Active Directory side.   We now need to configure our ServiceNow instance, and create an Orchestration workflow to test our server connectivity with.

 

 

Lab 1.2 — Installing RSAT on Your MID Server

 

Now you need to install Remote Server Administration Tools (RSAT) on your MID Server device.   This is necessary as the commands run against the AD Server are all remote PowerShell executed by the MID Server itself.

 

a. Download and install RSAT.   For me this was my Windows 10 64-bit laptop.

 

https://www.microsoft.com/en-us/download/details.aspx?id=45520

 

i. Download and install the RSAT.

 

ii. You will need to restart your MID Server device.

 

 

 

Lab 1.3 — Create Domain Admin Credential, and Test Orchestration Workflow

 

a. Create a new AD Admin Credential in your ServiceNow personal instance.   For this lab you will be using your domain admin account.

 

NOTE: This is not usually a good practice, but for the purposes of this lab we will go with it.   If you are interested in this topic you can google Active Directory security (https://technet.microsoft.com/en-us/library/cc700835.aspx).

 

i. New Windows Credential

ii. Name: AD Server — myForest

iii. User name: MYFOREST.local\Administrator

iv. Password: ********

 

 

b. Navigate and open the Workflow Editor and create a new workflow

 

i. Name: AD Server Tester

ii. Table: Global

 

c. From the Workflow Editor navigate to Custom -> Custom Activities -> Active Directory

 

 

i. Drag out a Query AD activity and place it between Begin and End

ii. Name: Check Local AD Server

iii. Domain Controller: <host IP address> (I used mine: 10.10.10.6)

iv. Properties: leave blank

v. Search filter: (OU=ForestAdmins)

vi. Click the Submit button to save your work.

 

 

d. Your workflow should now look like this:

 

 

e. Click the run button to test your workflow.   Then click start to run the workflow.

 

 

f. The workflow context will appear, and you should get a clean run.   Close the context window when you are done.

 

 

g. Now from your ServiceNow instance navigate to ECC -> Queue, and search for topic: Powershell.   Order by Created descending.   You should see something like the following.   Click on the input record.

 

 

h. You should see all sorts of nice data coming back from your new AD Server concerning the OU you created earlier.

 

 

So that demonstrated a simple test. Now let's do some radical surgery to our original Orchestration workflow to create a new user and insert them into our ForestAdmins OU!

 

 

Lab 1.4 — Expanded Orchestration AD Workflow

 

We need to check whether the group exists.   If it does, then we will add the user to it.   We are using the Custom controls so that the Data Elements from the controls are available down-stream.   I found that in some cases the Pack Activities don't do this (the AD Query activity, for example, may not; I had it happen while I was putting this article together).

 

a. In the Workflow Editor navigate to Core -> Core Activities -> Utilities and drag out a Run Script activity and place it between the Begin and Query AD activities.

 

i. Name: Initialize

ii. Script:

 

 

workflow.scratchpad.host = '10.10.10.6';   // This is my server's IP; you will need to use your own here
workflow.scratchpad.ou = 'ForestAdmins';

workflow.scratchpad.firstname = 'George';
workflow.scratchpad.lastname = 'Jetson';
workflow.scratchpad.username = workflow.scratchpad.firstname.toLowerCase() + '.' + workflow.scratchpad.lastname.toLowerCase();
workflow.scratchpad.title = 'Manager';
workflow.scratchpad.email = workflow.scratchpad.username + '@myforest.local';

var displayName = workflow.scratchpad.firstname + ' ' + workflow.scratchpad.lastname;

// Object data for the Create AD Object activity. Encoding an object with the
// instance's JSON class keeps the result valid JSON even when a value contains
// a quote or backslash, which a hand-concatenated string would not survive.
var userData = {
  givenName: workflow.scratchpad.firstname,
  SN: workflow.scratchpad.lastname,
  title: workflow.scratchpad.title,
  displayName: displayName,
  mail: workflow.scratchpad.email,
  userPrincipalName: workflow.scratchpad.email
};
workflow.scratchpad.query = new JSON().encode(userData);

 

b. Navigate to Data -> Data Elements -> Activity Outputs

 

i. Note the number in parentheses next to the Check For Forest OU.   Write it down here: ____

 

This is the number we will use to retrieve the data returned from the Query AD activity.

 

 

c. Navigate to Core -> Core Activities -> Conditions and drag out an If activity.   Place it between the Query AD Success condition and the End activity.

 

i. Name: Does Group Exist

ii. Advanced: Checked

iii. Script:

 

 

var queryResults = new JSON().decode(data.get(9).output);   // number is from Data Elements -> Activity Outputs
// The Query AD activity returns a JSON array; the OU exists if the array is non-empty.
// The null guard keeps the condition from throwing when the activity returned no output at all.
answer = (queryResults && queryResults.length > 0 ? 'yes' : 'no');
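The two scripts above, the Initialize Run Script and the Does Group Exist condition, are easier to get right if the logic is first written as plain functions and checked outside the instance. The following is an added example, not code from the article; it assumes JSON.stringify/JSON.parse are available (true in Node and in ServiceNow's global-scope JavaScript) and that the Query AD output is a JSON array. It also validates the generated username against the characters and length Active Directory accepts for a sAMAccountName, which the article's scratchpad script does not do.

```javascript
// Added example (not the article's code): the scratchpad logic from the
// Initialize and Does Group Exist scripts as testable functions.
// Assumption: JSON.stringify/JSON.parse exist (Node, ServiceNow global scope).

// Characters Active Directory rejects in a sAMAccountName (logon name).
var INVALID_SAM = /["\/\\\[\]:;|=,+*?<>]/;

// Build the logon name the way the article does (first.last, lower-case),
// then validate it instead of assuming any first/last name pair is safe.
// sAMAccountName is limited to 20 characters.
function makeUsername(firstname, lastname) {
  var username = (firstname + '.' + lastname).toLowerCase();
  if (username.length > 20 || INVALID_SAM.test(username)) {
    throw new Error('username not valid as a sAMAccountName: ' + username);
  }
  return username;
}

// Produce the Object data string for the Create AD Object activity.
// Encoding an object (rather than concatenating quotes by hand) keeps the
// result valid JSON even when a value contains a quote or backslash.
function buildObjectData(firstname, lastname, title, mailDomain) {
  var username = makeUsername(firstname, lastname);
  var email = username + '@' + mailDomain;
  return JSON.stringify({
    givenName: firstname,
    SN: lastname,
    title: title,
    displayName: firstname + ' ' + lastname,
    mail: email,
    userPrincipalName: email
  });
}

// Body of the "Does Group Exist" condition: 'yes' only when the Query AD
// output is a non-empty JSON array. Empty, missing or non-JSON output
// yields 'no' instead of throwing inside the If activity.
function ouExists(rawOutput) {
  if (!rawOutput) { return 'no'; }
  var results;
  try {
    results = JSON.parse(rawOutput);
  } catch (e) {
    return 'no';
  }
  return Array.isArray(results) && results.length > 0 ? 'yes' : 'no';
}
```

In a Run Script activity the same functions would read their inputs from workflow.scratchpad and the condition would set answer = ouExists(data.get(9).output).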

 

 

d. In the Workflow Editor navigate to Custom -> Custom Activities -> Active Directory and drag out a Create AD Object activity onto the editor.

 

i. Name: Create User and Add to OU

ii. Domain Controller: ${workflow.scratchpad.host}

iii. Type: User

iv. Ou: ou=${workflow.scratchpad.ou}

v. Object name: ${workflow.scratchpad.username}

vi. Object data: ${workflow.scratchpad.query}

 

 

e. Wire it all up to look like this:

 

 

f. Run the workflow.

 

g. The workflow context, when finished should look like this:

 

 

h. Jump back over to your Windows 2008 server, and open up Active Directory Users and Computers again.   Click on the ForestAdmins OU.   You will see that george.jetson has been added.

 

 

i. Double-click on George to open the record.   This will open the properties window for George.   Note that several of the fields are filled in.   Make sure these match the values you put into the Run Script activity in your workflow.

 

 

That's it!   You now have your own Active Directory Server to try out the various Orchestration commands with.

 

Obviously, with the example you built here, you would want to expand the workflow to check to see if the user already exists, and to handle things accordingly.   I had to leave you something to do, right?

 

In my next article I will show how to set up an LDAP listener to update the ServiceNow User table with the new users you are adding to AD.

 

Steven Bell



 

For a list of all of my articles:   Community Code Snippets: Articles List to Date

 

Please Share, Like, Bookmark, Mark Helpful, or Comment this blog if you've found it helpful or insightful.

 

Also, if you are not already, I would like to encourage you to become a member of our blog!

 



