Orchestrator Service Accounts
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator
Service accounts are required for the services listed in the following table. You must create these accounts before installing the features that use them. Details for about each account are provided below.
|Orchestrator Management Service
Orchestrator Runbook Server Monitor service
|Orchestrator Runbook Service
Orchestrator Management Service account
The Orchestrator Management Service is installed on the management server. Its service account is specified during the installation of Orchestrator. If you installed the management server and the runbook server on the same computer at the same time, this is the same account used by the Management Server Service and Runbook Server Service on each computer to access system resources. If you installed the runbook server after you already installed the management server, or if you installed the runbook server on a different computer, you can use different accounts.
The Orchestrator Management Service is responsible for maintaining the orchestration database, communicating with the Runbook Designers, and communicating with the Deployment Manager.
The account used for the Orchestrator Management Service can be a local account on the management server if the database is installed locally or if you are using SQL Server authentication to communicate with the database (although this is not recommended). However, this configuration might not allow access to other network resources. If the database is located on another server, either the account must be joined to the Active Directory domain so it can access the database server, or you must use SQL Server authentication. Use the latter option if your database server is in a different domain than the management server.
This service account does not have to be an Administrator or a domain Administrator account. Note, however, that the Deployment Manager requires administrator privileges.
The service account for the Management Server Service must have the following permissions:
Permission to log on to the management server as a service. This permission is automatically granted during the installation process.
Member of the Microsoft.SystemCenter.Orchestrator.Admins role in the orchestration database. The account is automatically added to this role during the installation process.
Orchestrator Runbook Server Monitor service account
The Runbook Server Monitor is installed on the management server and is responsible for monitoring the health of runbook servers. It uses the same account as the Orchestrator Management Service and requires the same permissions.
Orchestrator Runbook Service account
The Runbook Server Service is installed on each runbook server. If you installed the management server and the runbook server on the same computer at the same time, this is the same account used by the Management Server Service and Runbook Server Service on each computer to access system resources. If you installed the runbook server after you already installed the management server, or if you installed the runbook server on a different computer, you can use different accounts. The service is responsible for running runbooks and for communicating with the orchestration database.
By default, all activities in a runbook run under the service account of the runbook server on which they are running. Some activities can specify different credentials to be used for individual actions as required. Because runbook activities often access resources on other computers, it is recommended that the account used for the Orchestrator Runbook Service be an Active Directory domain account so that it can be granted access to these external resources.
The account for the Orchestrator Runbook Service must have the following permissions:
Permission to log on to the runbook server as a service.
Depending on the resources that the activities in your runbooks access, the service account might require additional credentials on remote computers. Specific activities can also be configured with alternate credentials if the service account does not have access to particular resources.