Archive for March, 2007

Normally, when I write a blog post, I’m trying to help other people out. I forget that it can work both ways. So, today’s post is a plea for help: if you know a lot about PowerShell, I could use an answer to the following three questions. If you’ve got any insights, please drop me an email using the Contact link.


Question the First:

I’ve got a script that manipulates a user’s delivcontlength property in Exchange 2003. This helps me manage the situation where I’ve got a few users who need to be able to receive 20MB messages while most everyone else only needs 10MB. My script grabs all of the user objects in the directory, iterates through the collection, checks to see if the user is one of the special users, and if not it sets the per-user limit to be 10MB.

$ds=New-Object DirectoryServices.DirectorySearcher
$ds.Filter="(&(objectcategory=person)(objectclass=user))"
$AllUsers=$ds.FindAll()
Foreach ($User in $AllUsers) {
  $oUser=$User.GetDirectoryEntry()
  if ($oUser.sAMAccountName -ne "deving") {
    $oUser.Put("delivcontlength", "10240")
    $oUser.SetInfo()
    $oUser.psbase.RefreshCache()
  }
  $oUser | select displayname,delivcontlength
}

This script does what I want to do, but what I don’t know how to do is reset the delivcontlength attribute. If there’s no per-user limit set, this attribute doesn’t exist on the user object — so how do I remove an attribute through PowerShell? Setting it to 0 doesn’t work.

Edit: The correct answer is to use the PutEx method, which allows you to handle a collection of attributes, as well as delete existing attributes. I’ll post an updated snippet of code next week that shows how to use PutEx in live code. Thanks to Andy Webb for the answer.


Question the Second:

Continuing with the delivcontlength attribute, when I go to check its value on a single user:

$oUser.Get("delivcontlength")

This throws an exception if the attribute isn’t set. How do I trap that exception inside of a script so I know that the property doesn’t exist, and can do something else based on that information?

Edit: The answer, again from Andy Webb, is to use the GetEx method and specify the delivcontlength as one of the attributes in the collection. Then, check to see if a value is returned in the array.


Question the Third:

Given a variable with a DN, what is the easiest way to open the corresponding object using ADSI? I’ve tried the following with no success:

$DN = "LDAP://red-dc01:389/CN=Devin Ganger,OU=Users,OU=3Sharp Accounts,DC=redmond,DC=3sharp,DC=com"
$oUser = [ADSI]$DN

The point, of course, is to be able to retrieve the DNs from some other list such as a CSV and perform some operation on the listed objects by iterating through with a loop.

Edit: I’m told that this should in fact work. When I go paste it into a clean instance, it does, in fact, work. Weird!
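One way to tie the three answers together, as an added example (this is not the follow-up snippet the post promises, and not the author's code): bind to each DN with [ADSI], test whether the attribute is set without triggering the Get exception, and remove it with PutEx using the ADS_PROPERTY_CLEAR control code. The function names, the DN column name and the example.com DNs are assumptions made for illustration; it needs PowerShell 2.0 or later and a reachable domain controller.

```powershell
# Added example: needs PowerShell 2.0+ and a reachable domain controller.
function Test-AdsiAttribute {
    param($Entry, [string]$Name)
    # Contains() answers $false for an unset attribute, where
    # $Entry.Get($Name) would throw. A failed bind still throws.
    return $Entry.psbase.Properties.Contains($Name)
}

function Clear-AdsiAttribute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$DistinguishedName,
        [string]$Attribute = 'delivContLength',
        [string]$Server   # optional "host:port" of a specific DC
    )
    $ADS_PROPERTY_CLEAR = 1   # IADs::PutEx control code: remove the attribute
    foreach ($dn in $DistinguishedName) {
        if ($Server) { $path = "LDAP://$Server/$dn" } else { $path = "LDAP://$dn" }
        try {
            $entry = [ADSI]$path
            if (-not (Test-AdsiAttribute $entry $Attribute)) {
                $state = 'NotSet'          # nothing to remove
            } elseif ($PSCmdlet.ShouldProcess($dn, "Clear $Attribute")) {
                $entry.PutEx($ADS_PROPERTY_CLEAR, $Attribute, 0)  # value is ignored on clear
                $entry.SetInfo()           # commit the change to the directory
                $state = 'Cleared'
            } else {
                $state = 'WouldClear'      # -WhatIf or a declined -Confirm prompt
            }
        } catch {
            # Bind failures, access denied and similar land here, per DN
            $state = "Error: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ DistinguishedName = $dn; State = $state }
    }
}

# Constructed sample input; in practice use Import-Csv on a file with a DN column.
$rows = @'
DN
"CN=Example User One,OU=Users,DC=example,DC=com"
"CN=Example User Two,OU=Users,DC=example,DC=com"
'@ | ConvertFrom-Csv

$dns = $rows | ForEach-Object { $_.DN }

# Dry run first: -WhatIf reports what would be cleared without writing anything.
Clear-AdsiAttribute -DistinguishedName $dns -WhatIf |
    Format-Table DistinguishedName, State -AutoSize
```

Drop -WhatIf to apply the change; users who should keep their own limit are simply left out of the DN list.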


Comments 1 Comment »

Today commemorates the burning at the stake of Thomas Cranmer, archbishop of Canterbury under Henry VIII and Edward VI, at the hands of the court of Mary I. Cranmer was influential in guiding the reformation of the churches in England as they broke (over several issues, not just divorce) with Rome and became the Church of England. He was opposed to the practice of clerical celibacy and penned the first two revisions of the Book of Common Prayer, the key liturgies of the CoE.


Cranmer was convicted of treason for his support of the Lady Jane Grey, and spent two years in prison until Mary completed negotiations with the Roman Catholic Church and was able to appoint a new archbishop in Canterbury. During this time, Cranmer had signed several recantations that, according to laws Mary had enacted, should have spared his life. Instead, she charged him with heresy in February of 1556 and burned him at the stake on March 21 of the same year.


No matter how you look at him, Cranmer was a man of rare talent, and he faithfully executed what he saw as his duties to the Church (even when they brought him in conflict with his patrons). He is still remembered and honored for the strong imprint he placed on the CoE and, by extension, the churches of the Anglican Communion.


Thanks to TNH for the reminder.


Comments No Comments »

While Steph and I were getting our Battlestar Galactica[1] fix last night, I did something I haven’t done since mid-December 1992: have a shoe-shine party. I’ve got four pairs of nice black shoes that were in various states of repair, but before we figured out which ones were worth keeping and which ones need a new home, they all needed polishing. I used to be pretty good at shining shoes. I still am, once I got back into it. The only problem is that my right shoulder and arm have been aching all day today because of the non-typical exercise. That wouldn’t be so bad, but work recently got a foosball table and the shoulder screwed up my game today. Not like my game needs the help; I pretty much suck.


The key to putting a good shine on a shoe? Don’t stint on the polish, use your fingers to apply it (wrap a cloth around them first, of course), and don’t use plain water when you go to buff the excess polish off. We always used Listerine. You can use other things, but the point is to use something that evaporates fairly quickly (which is what leaves a good shine) without evaporating so quickly that the polish develops cracks. Listerine is a good balance. I’ve still got the glass bottle I bought after getting out of boot camp; apparently, they don’t sell Listerine in glass bottles anymore.


The combined smell of shoe polish and Listerine really did a head trip on me. My dreams last night were far more nostalgic than I’m used to. I remembered a lot of stuff I thought I’d forgotten, or at least had forgotten to think about. As crummy as my life was back in those days, it wasn’t all bad; there were some good times, too. It’s nice to remember that every now and then. Life was not all bad before I got married.


[1] Insert obligatory “BSG is the best show on television!” plug here. I keep lending out my DVD boxed sets.


Comments No Comments »

This isn’t aimed at anyone in particular whose blog I read, or who I know reads this blog, but more of a general comment prompted by the reaction of a friend who just received a huge Battlestar Galactica season 3 (the current season) spoiler on Digg:


If you’re talking about the current season of a TV show, or a recent book or movie, do NOT reveal plot points without providing adequate warning. Doing so can result in innocent readers having their enjoyment of said plot point diminished thanks to your moment of thoughtlessness.


I myself can be very easygoing about receiving spoilers — for most shows, movies, and books I just don’t care. (Harry Potter, for example, although I’m definitely in the minority on that one.) BSG, however, I care about. If I were my friend, I’d be livid right now.


If God is just, there is a special eternity of torment reserved for habitual spoilers.


 


Comments No Comments »

If you install Exchange 2007 into a legacy Exchange organization (by legacy, I mean Exchange 2000/2003), the first time you install the Hub Transport (HT) role into the organization you are asked to designate one of the legacy Exchange servers as a LegacyRoutingServer. You may already know that Exchange uses this server, along with your new HT role, as the bridgeheads for a new bi-directional Routing Group Connector (RGC). This RGC connects the Exchange 2007 routing group with the routing group your LegacyRoutingServer is in, thus giving your legacy Exchange server a valid route to the new Exchange 2007 servers.

However, once you go poking around inside the new Exchange Management Console, you’ll quickly find that this RGC doesn’t show up. It does show up if you fire up the legacy Exchange System Manager — actually, you see the expected pair of connector objects, one in each routing group — but if you go to look at their properties, ESM will politely tell you that the RGC objects were created in a newer version of Exchange, so keep your mitts off already. For small organizations, having a single legacy Exchange server connecting the legacy portion of the org to Exchange 2007 probably isn’t that horrible, but in a larger org you may need to specify additional bridgehead servers. The answer is found, of course, in the Exchange Management Shell.

As an example, let’s say we have an Exchange 2003 organization with a single routing group. We set up our first Exchange 2007 HT role on machine EX27-HT01 and specified EX23-BH01 as the LegacyRoutingServer. Now, we need to rehome the legacy interoperability RGC to our permanent Exchange 2007 HT, EX27-HT02. I can use the Set-RoutingGroupConnector cmdlet to modify the existing RGC (which, BTW, is named “Interop RGC”). Here’s how I’d do it:

Set-RoutingGroupConnector `
  -Identity "Exchange Routing Group (DWBGZMFD01QNBJR)\Interop RGC" `
  -SourceTransportServers "EX27-HT02"
Set-RoutingGroupConnector `
  -Identity "First Routing Group\Interop RGC" `
  -TargetTransportServers "EX27-HT02"

Conversely, if we’re retiring EX23-BH01 and moving the RGC to a second Exchange 2003 server, EX23-BH02, we’d do it like this:

Set-RoutingGroupConnector `
  -Identity "Exchange Routing Group (DWBGZMFD01QNBJR)\Interop RGC" `
  -TargetTransportServers "EX23-BH02"
Set-RoutingGroupConnector `
  -Identity "First Routing Group\Interop RGC" `
  -SourceTransportServers "EX23-BH02"

Note that I’ve enclosed the server names in quotes. You don’t have to do this, but I’ve gotten into the habit of quoting server names for a reason: it allows me to specify multiple servers easily if I need to, without any chance of confusing PowerShell. Here’s what it would look like if I wanted to designate all four of our servers in this example as bridgeheads:

Set-RoutingGroupConnector `
  -Identity "Exchange Routing Group (DWBGZMFD01QNBJR)\Interop RGC" `
  -SourceTransportServers "EX27-HT01","EX27-HT02" `
  -TargetTransportServers "EX23-BH01","EX23-BH02"
Set-RoutingGroupConnector `
  -Identity "First Routing Group\Interop RGC" `
  -SourceTransportServers "EX23-BH01","EX23-BH02" `
  -TargetTransportServers "EX27-HT01","EX27-HT02"

For those of you running bigger organizations, you may need to have multiple legacy RGCs. There are several things to consider before you do this, and as usual, the Exchange team blog tells you all you need to know. Before you go run off and read that link, though, here’s a summary of the highlights:

  • All Exchange 2007 servers in the forest are members of the same routing group, regardless of which AD domain and site they’re in. As a result, Exchange 2007 message routing only takes routing groups into consideration when routing into legacy servers.
  • Exchange 2007 will always route messages through Exchange 2007 servers as long as possible, even if the legacy routing topology would be shorter. It will never try to use a shortcut through legacy RGCs to transfer a message from one Exchange 2007 server to another. Likewise, legacy Exchange servers try to route through their legacy topology as long as possible, even if the AD site topology is shorter.
  • Having multiple RGCs from the Exchange 2007 routing group to the legacy routing groups requires you to change the way linkstate updates work in Exchange 2000/2003. This prevents the possibility of message loops that would otherwise be caused by a mix of linkstate-aware routing combined with Exchange 2007’s complete lack of linkstate. However, this also has implications on your legacy mailflow and is intended as a transition state only.
  • It’s easier to create additional legacy interop RGCs using the New-RoutingGroupConnector cmdlet in EMS. While you can use the legacy ESM to create additional legacy interop RGCs, you’ll have to make sure to do three things:
    1. Home the new RGC in the legacy routing group.
    2. Create both directions of the RGC at the same time.
    3. Add the legacy bridgehead servers to the “ExchangeLegacyInterop” group so they have the proper permissions to authenticate to the Exchange 2007 HT servers.
  • As long as you have servers in legacy routing groups, you should always have a legacy routing path for all routing groups and RGCs to talk to each other. If you force them to communicate solely through the Exchange 2007 routing group, you will break the flow of linkstate information, and your legacy routing groups will become islands.

9/6/2007: Edited to fix the typo in LegacyRoutingServer. Thanks to fellow Exchange MVP William Lefkovics for the catch.


Comments 1 Comment »

Steph and I finally watched the last of Alias – The Complete Fifth Season this week, thanks to Netflix. We really enjoyed the first two seasons, but season three felt like it started to go a bit downhill, and season four was a definite disappointment. After watching the season finale/cliffhanger for season four, I was loudly inclined to not bother watching any more. I only relented when I found out season five was the last season.


No spoilers, but I’ll say that season five turned out to be a redemption of the previous seasons. They brought in some neat new characters, as well as old home week for a bunch of cool characters that we hadn’t seen for a while. Without giving any spoilers away, the finale was pretty good. People tended to get what they deserved, in the end, and the people who met their downfall did so largely as a consequence of their own philosophies and actions. The fights were good, the tech was crazy, and they struck the right balance with the Rambaldi material (unlike earlier seasons when they’re practically chasing a new Rambaldi McGuffin every week, making it really hard to keep up.)


Character development was satisfying. Several key players finally come to terms with their flaws and nature, accepting the mistakes they’ve made and dropping pretenses of being anything different. The new agents Rachel (Rachel Nichols) and Tom (Balthazar Getty) inject a note of freshness, even while bringing the storyline full circle as Sydney moves into a less active role and more of a mentorship.


All in all, a very good show; it was worth the wait. 


Comments 1 Comment »

I refer you all now to the truth about switching, a nice little blog post that is refreshingly clear of hype and hyperbole. Now that we’re all on the same page, on to my additional commentary.



  1.  Too true. It’s a lot more friendly, though, than it used to be. I credit the steady barrage of laptops with the ubiquitous Apple logo on TV and silver screen for the last few years. If Sydney Bristow and James Bond are cool enough to use Macs — and I can hack into alien motherships and save the whole Earth with one — then maybe they’re good enough for us “normal” people to use.

  2. Oddly enough, I get this the most when I’m in the parking lot. Apple products come with a couple of discreet all-white Apple stickers, and I put one on my car. It never fails to get a conversation going, especially in combination with the Utilikilts sticker and the “Practice safe government; use kingdoms” sticker.

  3. I haven’t seen this nearly as much, or rather, most computer users tend to be helpful. It’s just that many Windows users’ idea of helpful is “Install Norton” and “WebShots rules!”, whereas Mac users actually have a lot of the useful stuff built in, so the help they give enables you to make more use of what you’ve already got. And when they do tell you to buy a program, it’s usually pretty darn worth it.

  4. I don’t see this one, but then again, I am pretty careful in my online hygiene habits.

  5. Again, I don’t tend to see viruses even on my Windows machines. However, my Mac-using friends certainly don’t get as frothed about the latest virus/worm threat. Even my UNIX/Linux friends tend to spend a little bit more time worrying, just because those systems pack in so MUCH software that it sometimes seems like there’s always a new vulnerability in core libraries — and the patches cause their own share of problems, usually in forcing some library to get upgraded and breaking a host of other applications that they hadn’t wanted to upgrade yet.

  6. Here, I disagree. I wouldn’t even claim 99%. There are definite issues even in some of the basic functionality between Windows and Mac versions of the Office suite. However, I tend to use each system for different types of things, so I minimize the pain that way.

  7. I still see a lot of sites that don’t work well with Safari. Part of this is the HTML out there; part of it is Safari. I see it a LOT more on my 10.3 Mac mini than I do on my 10.4 MacBook Pro. And Firefox for the Mac just seems to be a bit slower and a bit less stable than it is on Windows.

  8. Yes, yes, oh God yes. I get compliments on the MacBook Pro, and I love just how comfortable the laptop and keyboard are to type on. The touchpad won me over. The trayless media drive is just sexy. The magnetic power cable is invaluable in a house with four klutzes. Sometimes, I just want to roll naked in bed with this laptop, it’s that genius.

  9. Figuring out how to deal with expired shared credentials for Windows file shares about drove me nuts, until I discovered how to manage keychains. I still don’t like the split between “Applications” and “Utilities,” especially for system programs — it seems to be very arbitrary.

  10. I shared my “ah-ha!” moment already (see the last link about the touchpad), but there are other things. The whole way I can mount disk images easily and quickly, grab files out of them, then unmount them. Boom. I wish Windows did that — it’s just so nice.

  11. This is probably my biggest gripe, but it’s been less of one since I’ve been spending more time on the MacBook Pro and have an actual Apple keyboard. I’ve adjusted fairly well to switching between Ctrl and Command keys.

  12. No buyer’s remorse for me. I’m a lot less likely to spend money up-front these days, so I don’t suffer buyer’s remorse. (That, and I didn’t buy my Macs — but in both cases, I’d been wanting to.)

  13. Another huge agreement from me. I spend a lot of time getting my profile adjusted to my preferred working style on each Windows box I spend more than 10 minutes on. I have a lot less fiddling to do on the Mac. I just go do the fun/hard/cool stuff.

  14. Not only do I have to plan my reboots, I plan when I shut down apps. Firefox has been nagging me about an update for three days now. I don’t shut down my apps all that often even on Windows, but I’ll usually clear stuff out at the end of the day when I shut the laptop down. On my MacBook Pro, I just shut the lid and let it all sleep.

  15. I’m not really into buying aftermarket add-ons and such; I’m saving my pennies for bigger purchases, like A/V converters. That and Parallels, for when I need to run Office without compatibility issues. (And then I can run Solaris 10 in a VM. Yum!)

  16. Sadly true. I really need to dish out the money for a Tiger upgrade for my mini, but I’ve got sticker shock still (and I’m still grumpy about Apple’s “two weeks” policy for reduced-price upgrades, because I missed it on the mini by only a few days). I know what Windows retails for, but you can usually find a reseller who is letting go for a nice discount, and you don’t have to buy an upgrade every year. Windows Service Packs usually add enough new functionality to give you the “new OS” experience.

  17. I hope so. Then again, I’ve got plenty of life left in the mini.

  18. I’ve had this happen a couple of times — usually at Microsoft-themed conventions. The last couple of months have been fun — the big bad Microsoft Exchange MVP, busily working away on a MacBook Pro. It’ll be better when I have Parallels installed.

  19. I don’t know if I am more productive, but I certainly FEEL more productive. I’m less inclined to download timewaster software to my MacBook. It’s so sleek and sexy! I don’t want to crap it up.

  20. I haven’t run into this yet, but I’m not looking forward to it when I do.

  21. Market share, shmarket share. Apple’s producing decent laptops (that can run Windows if they have to) at a good price point. They look nice, they work as well as other mid-to-high-end Wintel machines, and everyone is starting to get used to seeing the Apple brand around thanks to the iPod.

  22. Yup, especially on 10.4. Connect, get what I need, disconnect. Share stuff out, stop sharing. It just works.

I guess you could sum all these points down thusly: Switching isn’t nearly the big deal that both Apple and the Wintel world want you to believe. Macs are great computers, but they’re just computers. At the end of the day, they’re tools; they won’t get you laid more quickly, help you write that Great American Novel with more flair, or save you money on your tax returns. Pick the tools you like and use them well.

 


Comments No Comments »

In my last post I briefly mentioned MD5 hash checksums. If you don’t know what this is, the short version is that people who offer files for download also post the MD5 hash checksums of those files. This way, people who download the files can compute the checksums separately and see if they match. If so, the downloaders can be pretty positive the files weren’t tampered with (or that if they were tampered with, the person who did not only took the time to recalculate the checksums, but posted the tampered results).

It’s a great idea — and while it may not keep your files safe if you keep your checksums in the same place you keep your files (so the attacker can easily post both the bogus checksums and the bogus files), it at least lets your downloaders know they’ve correctly downloaded the entire file. This is really nice when you’re downloading large ISO images — you can verify the file, at least, is good before you start making coasters.

Unfortunately, Windows doesn’t offer built-in support for calculating or verifying checksums. However, there are a variety of little third-party apps that do. The one I’ve been using is Colony West Software’s DigestIT 2004. This little puppy is very useful, because it installs as a Windows Explorer shell extension. Simply right-click on a file and you get checksum calculation and verification options at your fingertips. Best of all, it supports not only MD5 hashes but SHA-1, and it can work with multiple files at once. Very cool!
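The same check can be scripted with the .NET hash classes that PowerShell exposes. The following is an added example, not part of the original post and unrelated to DigestIT: it verifies downloaded files against a posted checksum list in the common "digest, whitespace, file name" layout and picks MD5, SHA-1 or SHA-256 from the digest length. The function names and the .iso file names are assumptions; the demo files are constructed from the standard "abc" test input so the digests are known in advance.

```powershell
function Get-FileDigest {
    param([string]$Path, [int]$HexLength)
    # Pick the algorithm from the length of the posted hex digest
    switch ($HexLength) {
        32 { $hasher = [System.Security.Cryptography.MD5]::Create() }
        40 { $hasher = [System.Security.Cryptography.SHA1]::Create() }
        64 { $hasher = [System.Security.Cryptography.SHA256]::Create() }
        default { throw "Unsupported digest length: $HexLength" }
    }
    # $Path must be a full path: .NET resolves relative paths against the
    # process directory, not the current PowerShell location.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        # ComputeHash(Stream) reads in chunks, so large ISO images are fine
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return [System.BitConverter]::ToString($bytes).Replace('-', '').ToLower()
}

function Test-ChecksumList {
    param([string[]]$Lines, [string]$Directory)
    foreach ($line in $Lines) {
        # "<hex digest><whitespace>[*]<file name>"; anything else is skipped
        if ($line -match '^\s*([0-9a-fA-F]+)\s+\*?(.+?)\s*$') {
            $expected = $Matches[1]
            $name = $Matches[2]
            $file = Join-Path $Directory $name
            if (-not (Test-Path -LiteralPath $file)) {
                $status = 'MISSING'
            } elseif ((Get-FileDigest $file $expected.Length) -eq $expected) {
                $status = 'OK'          # -eq on strings ignores hex case
            } else {
                $status = 'MISMATCH'    # truncated, corrupted or altered file
            }
            New-Object PSObject -Property @{ File = $name; Status = $status }
        }
    }
}

# Constructed demo: two small files in a temporary directory.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$ascii = [System.Text.Encoding]::ASCII
[System.IO.File]::WriteAllBytes((Join-Path $dir 'good.iso'), $ascii.GetBytes('abc'))
[System.IO.File]::WriteAllBytes((Join-Path $dir 'damaged.iso'), $ascii.GetBytes('abd'))

$posted = @(
    '900150983cd24fb0d6963f7d28e17f72  good.iso',                # MD5 of "abc"
    'a9993e364706816aba3e25717850c26c9cd0d89d  damaged.iso',     # SHA-1 of "abc"; the file holds "abd"
    '900150983cd24fb0d6963f7d28e17f72  never-downloaded.iso'     # listed but not present
)

Test-ChecksumList -Lines $posted -Directory $dir | Format-Table File, Status -AutoSize
Remove-Item -Recurse -Force $dir
```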


Comments No Comments »

For a recent project, I needed to obtain copies of the current release of Red Hat Enterprise Linux. For the most part I had a very easy time with this, but there were a couple of aspects of the experience that proved to be extremely frustrating that I wanted to share.

Getting RHEL4 was simple: head over to Red Hat’s website, add the proper package to my cart, and check out. Once the purchase had been verified, I headed over to the download section of Red Hat Network to grab the ISO images. So far, so good; the Red Hat website could use a slight navigation refresh to make it a touch easier to use, and I suffered a delay in getting my purchase to go through thanks to a self-inflicted credit card handling incident, but all-in-all, it was straightforward and exactly what you’d expect to see in a modern e-commerce site.

My problems started when I created my RHN account and logged in to get my downloads. Like many online vendors, Red Hat gives you access to most (if not all) of their commercial offerings for download; when you make a purchase and get a subscription to a product, you get a subscription activation that entitles you to register that system and get updates for it. Here’s where I ran into problems, and my suggestions to Red Hat for fixing them:

  • Highlight the products I’ve purchased. After I’ve purchased a product, the system should know what product entitlements I have. While giving me a list of all products is nice (see Figure 1), having some way to highlight the ones I’ve purchased (and would therefore be most likely to want to download) would be really useful. This is a minor gripe, granted, but given the multiple products and bundles Red Hat offers, it would make selecting the right downloads easier.

    Figure 1: RHEL4 product channels
  • Generate links that don’t die immediately. When you click on one of the products in Figure 1, you’re taken to a page that generates custom download links for you, along with the MD5 hash verification checksums (see Figure 2). On this page, Red Hat helpfully suggests that you use a download manager or use the command-line tools wget or curl (available from Linux, but versions are also available from Windows). Again, this is really useful advice — ISO images take time even when you’re sitting on top of a T-1. However — and this part proved to be a huge pain — the links you’re given are only good for a short amount of time before they expire and must be regenerated by relogging in to Red Hat Network and following the navigation links back to your product. I didn’t test it extensively, but it felt like they were good for around four hours. While four hours is adequate to download a single image, it’s not adequate to download the five installation images, the four source images, and the documentation DVD image, even if you’re on one of the better-than-a-T-1 cablemodem/DSL connections available today. So even if you follow their advice and use the automated tools, you’re still not going to get everything in one go. Worse, I found that they removed a file while it was being actively downloaded. Happily, I was using wget so I was able to resume the download (once I got the new URL). 4 hours? C’mon, give us at least 24. Better yet, don’t be stingy and give us 72 or 96 hours to complete our downloads — at least for files that haven’t been accessed yet.
    Figure 2: RHEL4 download links
  • I’m not even going to gripe about hiding the downloads in a registration-required section; I can perfectly understand why a company might want to do that, especially when their free product is available for anyone to anonymously download. But if you’re going to make it inconvenient to download files directly, at least make it so I can follow your directions and get my files downloaded without having to keep going through the inconvenient process to begin with.

Comments No Comments »