Users getting kicked off 2008 x64 TS server - event ID 4005 - source: Winlogon
- Hi Everyone,
I have a new Win 2008 x64 TS server install with all win updates installed on it. Periodically individual users are getting disconnected, but it seems not all users. When a user gets knocked off, in the application event log (on the server) I get an Error event ID 4005 advising 'The Windows logon process has unexpectedly terminated'. (Nothing shows in the PC event logs.)
The user can reconnect and all the programs are still open and running. It is happening approximately 2-4 times a day for about 1/2 of my users. It does not seem to matter if they are working in their sessions or it is locked or it is idle.
Here is what I have tried:
1) Switched ports in the switch for both client and server
2) Installed 6.0 of MSRDP client on all stations
3) Installed SP3 on all systems (all are XP Pro)
4) Ran all updates on TS server
5) Updated Broadcom quad NIC card drivers to latest version on Dell site
6) Ensured Broadcom firmware is up to date for the NIC cards
7) Set up triple team (load balancing) of NIC cards onto same switch all running gigabit - issue was happening before teaming
All clients are running 1x 100btx and server is running 3x 1000bt. I have a couple of systems that have never been booted out but the majority have. The systems that have never been booted out had SP3 and MSRDP 6.0 client so that is why I updated all the other systems but problem persists.
I am replacing a win 2k3 R2 TS server and this issue did not exist on their old server.
I searched all the forums and Google for this error but all seem to pertain to Vista BSOD issues - not what I am having.
Your thoughts and suggestions would be appreciated,
thanks,
TheSonic1
All Replies
- Hi,
I wish most of the posters here would describe the problem as professionally as you do.
First of all I would suggest you upgrade to the 6.1 Client. However, your issue, I'm sure, lies in the networking.
And to be more specific, I would suggest it is either your switch or the same(?) NIC driver you have on your clients.
Try to downgrade the NIC driver on one of the troubled clients and see if it helps. If it doesn't, then it's the switch.
Citrix Technology Professional, PubForum.net Founder, LinkedIn, TS Training in Europe! Love Microsoft & its people to bits!
Proposed As Answer by Alex a.k.a Dr.Conti [MVP], Moderator, Sunday, August 30, 2009 5:42 PM
- Hi,
If the winlogon.exe running inside of a user's session crashes, their session will be disconnected. For this reason I believe that it is likely the real cause is winlogon crashing whereas the disconnects are a secondary symptom.
1. Have you read and considered the points raised in this document:
Event ID 4005 — Windows Logon Availability
http://technet.microsoft.com/en-us/library/cc734097(WS.10).aspx
2. What software do you have running on this server that is *not* a Role and/or Feature of Windows Server 2008?
More specifically do you have any of the following:
- Security/malware/antivirus/antispyware/third-party firewall/etc.
- Software that hooks into winlogon like Smart Card, custom authentication, etc.
- Backup agent software, replication, sector-based imaging/mirroring
- User monitoring software
- Third-party printer drivers
3. Have you tried renaming one of the problem user's profiles and allowing it to be recreated?
4. Have you downloaded and run the latest Dell System Update Utility for your server? It will automatically scan your system and install the latest drivers, BIOS, hard drive firmware, RAID controller firmware, SCSI firmware, tape drive firmware, etc.
5. Have you run a Consistency Check on your Virtual Disk(s) using Dell OpenManage Server Administrator?
6. Have you run RootkitRevealer as well as antivirus scan on your server?
7. Have you configured your server to create Application Crash Dumps? This will help you to troubleshoot why winlogon is crashing, and will help MS Support if you choose to involve them later.
Thanks.
-TP
- I, too, am having this issue. My Server 2008 x64 TS Server is a virtual machine. Users get kicked off within minutes. Winlogon always quits. I do have SEP 11 installed, and CA ArcServe backup agent installed. Several other applications too. I will try some of the things suggested here and let you know what I find.
- OK, just created a new fresh Server 2008 R2 VM. Same RDC issues. Nothing is on it. I am not getting the winlogon.exe failure like I do on the TS server. I am getting this though, on both VMs:
"The Terminal Server security layer detected an error in the protocol stream and disconnected the client. Client IP: <ip address>"
Event id 56. Source TermDD.
Perhaps this is the reason for the disconnects I am getting on both servers. Ideas?
- Karl,
Please start a new question with a full description of your environment, problem, symptoms, error message(s), things you have tried, etc. Your environment is somewhat different than TheSonic1's, and now the error you are receiving is different as well.
Have you tried disabling the advanced features on your real NICs as well as your Hyper-V NIC? For example, Large Send Offload?
Thanks.
-TP
- I apologize, I didn't mean to be unclear. I am getting the winlogon error on one of my VMs, but not the other.
I did disable 'Large Send Offload2' on my HV NICs, but I did not disable Large Send Offload on my real NICs. Should I? What else should I disable?
As far as my environment, what exactly do you need to know?
- OK, I hope I am not jumping the gun, but it appears that disabling Large Send Offload on ALL NICs, except for my management NIC, has resolved the issue of speed and disconnects.
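
An added example, not code posted by anyone in this thread: a PowerShell script for step 7 of TP's checklist (collecting dumps when winlogon.exe crashes) that also tallies the two events reported above, 4005 from Winlogon and 56 from TermDD, per hour so the two symptoms can be compared. It assumes the Windows Error Reporting LocalDumps registry settings as the dump mechanism (the thread does not name one, and whether WER captures a winlogon.exe failure on a given server should be verified), a hypothetical dump folder `D:\CrashDumps`, a 7-day window, and PowerShell 2.0 in an elevated session on the TS server.

```powershell
# Added example; run elevated on the TS server (PowerShell 2.0 or later).
# Assumptions: D:\CrashDumps is a hypothetical folder, 7 days is an arbitrary window.
$dumpFolder = 'D:\CrashDumps'
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\winlogon.exe'

# 1) Per-process WER LocalDumps settings, applied only to winlogon.exe
if (-not (Test-Path $dumpFolder)) { New-Item -Path $dumpFolder -ItemType Directory | Out-Null }
if (-not (Test-Path $key))        { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name DumpFolder -Value $dumpFolder -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path $key -Name DumpType   -Value 2 -PropertyType DWord -Force | Out-Null  # 2 = full dump
New-ItemProperty -Path $key -Name DumpCount  -Value 5 -PropertyType DWord -Force | Out-Null  # keep the newest 5

# 2) Collect both event types from the last 7 days
$ms    = 7 * 24 * 60 * 60 * 1000
$since = "TimeCreated[timediff(@SystemTime) <= ${ms}]"
$crashes = @(Get-WinEvent -LogName Application -FilterXPath "*[System[(EventID=4005) and ${since}]]" -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Winlogon*' })   # other sources can reuse ID 4005
$drops = @(Get-WinEvent -LogName System -FilterXPath "*[System[Provider[@Name='TermDD'] and (EventID=56) and ${since}]]" -ErrorAction SilentlyContinue)

# 3) Count each event type per hour, oldest hour first
($crashes + $drops) |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name,
        @{ n = 'Winlogon4005'; e = { @($_.Group | Where-Object { $_.Id -eq 4005 }).Count } },
        @{ n = 'TermDD56';     e = { @($_.Group | Where-Object { $_.Id -eq 56 }).Count } } |
    Format-Table -AutoSize
```

The dump settings only affect crashes that happen after they are written, so the table covers history while the dump folder fills from the next failure onward.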

