Event ID 4005 from Winlogon every 30 seconds on load balanced server

Problem

Event 4005 from source Winlogon is logged in the System log every 30 seconds on the second:

SNAGHTML48f6ab89

Event details:

SNAGHTML48f508e5

Other than this, no error is logged and no complaints from users, everything seems to be working as expected.

 

Environment

  • Barracuda Load Balancer 440 HA cluster (Active/passive)
  • Windows 2008R2 Server running Exchange 2010 Multi-Role
  • HP Proliant BL460c G7 server (2*6 core 2.9GHz, 96GiB RAM)
  • HP Flex10 Virtual Connect chassis switch

Analysis

After a cold boot and Windows update didn’t resolve the problem, I suddenly remembered that 30 seconds is the default service uptime check on the Barracuda Hardware Load Balancer in front of the server experiencing the problem. The HLB is deployed in two-armed route-path mode. I had already checked other servers behind the HLB, none of which had the same error, but I decided to check the configuration on the HLB anyway. An inspection of the service configurations revealed that one of the services pointing to the real server with the problem was set up for RDP Service monitoring. The service in question is used for remote administration of this specific server, thus the service only has one real server. I have one of these services for each real server behind the HLB, but the other services used the default TCP Port Check monitor.

image

I tried changing back to the default monitor, and after a couple of minutes the server had not logged any new errors. I confirmed it by turning it back on and running manual tests from the HLB, thus triggering errors every time I clicked the Test button. It seems that Windows interprets the monitor tests performed by the HLB as an error. I haven’t done a netmon trace to confirm, but I suppose the HLB opens a connection and then disconnects as soon as the server responds without closing the session properly.

Workaround

Use another Server Monitor on the Barracuda HLB, for instance the default TCP Port check. This only tests if the port is open though, but for my application this is sufficient as this service is only used for remote control of the real server.

image

Last edit: Saturday, June 4, 2011

Author: DizzyBadger

SQL Server DBA, Cluster expert, Principal Analyst

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.