[스크랩] 56번 관련 링크들

 

http://deusexmachina.org.uk/evdoco/event.php?event=454

 

 

TermDD - 56

• Source » TermDD
• Event ID » 56
• Type » Error
• Category » None
• User » N/A
• Computer » LOCALCOMPUTERNAME
• Log » System
• Opcode »
• Keywords »
• InstanceID » 0

Description »

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.

Data formatted as » WORDS

0000: 00040000 00000001 00000000 C00A0038 
0008: 00000000 C00A0038 00000000 00000000 
0010: 00000000 00000000 D00A0032

---

On Windows 2008 R2, this event is helpful enough to tell you what the IP of the client was, eg:

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 192.168.11.152.

This event tells you that somebody's remote desktop session got disconnected. The last ntstatus value in the data will give you more information about why this happened. The ntstatus value in the data (formatted as words) will actually appear with a D instead of a C at the beginning. This is, according to the Performance Team blog, the result of converting an HRESULT to an ntstatus value. In the example above, the ntstatus value is C00A0032, which is "STATUS_RDP_PROTOCOL_ERROR" - which is rather uninformative. Really? An error in the protocol because of an error in the protocol? You don't say!

You may find that other ntstatus values are of more use, such as C00A0006 - STATUS_CTX_CLOSE_PENDING or C00000B5 - STATUS_IO_TIMEOUT.

You might find these events if there's an interruption to your network connection, such a teamed interface failing over, or a NIC renogtiating its speed/duplex settings.

Check your NICs are not set to auto/auto, but are hard-set to whatever your network infrastructure can provide. If you are using NICs with a Broadcom chipset, disable "Scalabale Networking" (eg TCP Chimney, Receive-Side Scaling).

Also, check out the article The Curious Case of Event ID: 56 with Source TermDD at the Performance Team blog, which details more ntstatus/hresults which may appear in the data section, and suggests using WMI event tracing to troubleshoot event ID 56.

You may also find values which do not originate from the ntstatus.h header file. For example, the last DWORD may be 80090304, which is an HRESULT, defined in winerror.h and means SEC_E_INTERNAL_ERROR - or "The Local Security Authority cannot be contacted".

 

 

----------------------------------------------------------------------------------------------------------

 

http://serverfault.com/questions/622252/remote-desktop-hangs-disconnects

 

My remote desktop session to one of our domain controllers drops and freezes while trying to interact with the server. The symptoms of this issue do not closely match the other related questions here on serverfault. The server is on the same LAN subnet as my PC (it is one room over from me) I can transfer a 100 MB file from my PC to the server in ~10 sec My ping latency is <1ms, TTL = 128 The server is not resource constrained ~9gb of unused RAM at all times The CPU has 4 cores and none have spiked above 30% demand The hard disk demand appears to be low The server functions only as a domain controller The session typically hangs when trying to interact with the system (pulling up task manager, opening event logs etc). Strangely, performance monitor will display gaps in the line chart when the system hangs. Microsoft's KB on performance monitor troubleshooting suggests that this only happens when a system is overloaded. Could the remote desktop session be single handedly overloading the capabilities of this server? Would system logs indicate that the system was becoming overburdened? Could a setting or behavior in the NIC induce these symptoms? Server specs: Dell PowerEdge R310 Intel Xeon x3430 @ 2.4GHZ Broadcom BCM5716C NetXtremeII GigaBit Server 2008 R2 64 Bit The server behaves normally when I log into it from the KVM switch on the rack. Any suggestions about where to look or other common causes would be appreciated! windows-server-2008-r2 remote-desktop freezing dropped share|improve this question edited Aug 18 at 18:53 asked Aug 18 at 18:18 Shrout1 15311

3rd party software installed on the DC or pretty bare? I've had RDP sessions hang or prevent logging on even when I've had various 3rd party software running as a service. – TheCleaner Aug 18 at 18:21 We do have some third party tools - security software mostly. All the other servers in our domain have the same security suite and none have the issue. Also no indication in the logs that they are having problems. – Shrout1 Aug 18 at 18:48 Another possibility could be the nic flapping if you only experience it over RDP but you'd at least see the taskbar icon notifying you during a KVM session. I would try stopping any 3rd party software one at a time and testing. Or considering the possibility that the issue on your client and test with another PC. – TheCleaner Aug 18 at 18:58 Ok checked the NIC; switched to a different NIC on the server and no difference. No reliability issues going from my PC to a different server, so I don't think it's my PC. I will try to disable the security software as soon as I get back into the office tomorrow. – Shrout1 Aug 18 at 20:23 add a comment |

1 Answer 1

active oldest votes

up vote 0 down vote accepted

Ok! This was terrifyingly easy to solve once I was able to invoke an error. I just had to change the NIC from auto-negotiate to 1gb full duplex (we have a 1gb switch connected to the servers). The error message I received was TermDD Event ID 56: The terminal server security layer detected an error in the protocol stream and has disconnected the client The translated binary error code was C00A0006 which resolves to STATUS_CTX_CLOSE_PENDING (see this Technet blog about translating the binary error codes) I believe that when the NIC was trying to negotiate the speed of its connection it would momentarily lose the connection. This post on deusexmachina.org.uk helped me pinpoint the NIC as being the potential issue.

 

 

 

 

 

-----------------------------------------------------------------------------------------------------

https://social.technet.microsoft.com/Forums/en-US/9f57fe3c-497f-48e8-8b56-a7da52060a6a/event-id-56-termdd

 

 

Event ID: 56 TermDD

Windows Server

>

Windows Server 2012 General

Question

• 

  

  0

  Sign in to vote

  We have a thin client environment where users connect to our Windows Server 2003 SP2 Terminal Servers via RDP session which then connects to the Database Server wich is Windows 2008 R2. The last two weeks we've been getting a ton of calls regarding users "hanging" in our system or being disconnected outright. I look at the event log on our Database server and found this error

  Log Name: System
  Source: TermDD
  Date: 3/18/2013 11:39:33 AM
  Event ID: 56
  Task Category: None
  Level: Error
  Keywords: Classic
  User: N/A
  Computer: ComputerName

  Description:
  The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: X.X.X.X

  Event Xml:
  < Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="TermDD" />
  <EventID Qualifiers="49162">56</EventID>
  <Level>2</Level>
  <Task>0</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2013-03-18T15:39:33.498923600Z" />
  <EventRecordID>439179</EventRecordID>
  <Channel>System</Channel>
  <Computer>Computername</Computer>
  <Security />
  </System>
  <EventData>
  <Data>\Device\Termdd</Data>
  <Data>X.X.X.X</Data>
  <Binary>0000040002002C000000000038000AC00000000038000AC00000000000000000000000000000000032000AD0</Binary>
  </EventData>
  < /Event>

   

  How do I fix this?

  Monday, March 18, 2013 6:52 PM

  Reply

  |

  Quote

  

  wjreinhard

  25 Points Top 30.00

  wjreinhard
  	Joined Oct 2009
  3	wjreinhard's threads Show activity

  25 Points

Answers

• 

  

  0

  Sign in to vote

  Hi,

  A technet blog helps you troubleshooting Event 56 with source TermDD:
  http://blogs.technet.com/b/askperf/archive/2010/03/25/the-curious-case-of-event-id-56-with-source-termdd.aspx

  And please go through the below previous discussion, which encountered the similar error and presented possible solutions:

  Event ID 56 TermDD
  http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/981a30b8-0e46-49f9-a13f-095b124328fd

  Hope it helps.

  Regards,
  Cicely

  • Marked as answer byCicely FengMicrosoft community contributor, ModeratorTuesday, March 26, 2013 1:07 AM