Remediating SCOM Alerts Using Orchestrator


One of the most effective Orchestrator runbooks is the ability to remediate SCOM alerts, If you receive a certain SCOM alert and you used to solve it following manual tasks everytime, you can create a runbook which can automate it all..

It is assumed that there is a SCOM server up and running monitoring an IIS8 website and integrated with SCO.

without further ado let’s jump in :-

This is the final runbook we are going to create and I will walk you through some activities :-


As you see we are going to create a runbook that will investigate the stoppage and the unavailability of an IIS 8 website, without Orchestrator you used to ping the related server, check IIS services and make sure they are all up and running, we can make all that in one runbook to ping the related server and to check for any stopped services and then start them.

First of all we are going to monitor the alert we wish to handle , from the activity area, from the Operations Manager integration pack drag the “Monitor Alert” activity, inside the activity we will specify our SCOM server as our connection (configured when registering the SCOM integration pack), we then will filter the alert by saying that we just want the alerts that contain “IIS8 website is unavailable” in their title.


From the “Monitoring” activities area, drag the “Get computer/IP status”, rename it to Ping Loop, we will ping the server alerts generated from which was specified in the “Monitor Alert” activity.

02-a 02-b 02-c

Once again we will right click on the “Ping loop” activity and specify our parameters, we want the ping to be successful for 36 times for the activity to exit and continue to the next one and we will specify the time between each attempt.
If the ping is not successful the activity will not exit and we should see ping failure through the runbook logs.
in this case we will assume that ping was successful.

02-d 02-e 02-f 02-g

We will drag the same activity of “Get computer/IP status” to hold the NetBIOSName of the server again and will link it and the “Ping Loop” activity to the “Junction” activity, The “Junction” activity is dragged from the “runbook control” area and plays a role of a multiplexer .. The Junction activity allows you to wait for multiple branches in a runbook to complete before continuing past the junction.


04 10


From the “Monitoring” area we will drag the “Monitor Service” and from “System” area we will drag the “Start/Stop Service” activity .. please check the below snapshots to see the configuration in each activity, the idea will be the same in the below activities , the first activity “Monitor Service” will get the name of one of the services IIS depends on (rename the activities as you like as you see below), the second activity “Start/Stop Service” will start the service .. notice that we can stop the service, restart it and pause it as well ..

11 12 13 14

we will use the same concept with the other activities, I did not test this runbook but If you want to do so you can install IIS 8 on one of the servers, deploy SCOM agent to it, deploy IIS MP in SCOM, attempt to stop one of the IIS services and see If this will trigger our runbook, consider it your homework ..

Thanks for reading ..

Reference  : PACKT Microsoft  System Center Orchestrator Cookbook


One thought on “Remediating SCOM Alerts Using Orchestrator

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s