1. Port 40403 must be open between the Configuration Diagnostic Server and the Member Diagnostic Server. Run a telnet test to validate this from the Configuration Server to the Member Server and vice versa.
- telnet <Diagnostic Server Host> 40403
2. A secure channel must be established between the computer and the domain controller, or else the computer will no longer be able to authenticate to the domain. The Test-ComputerSecureChannel cmdlet validates whether the channel between the local computer and its domain is working correctly by checking the status of its trust relationships. It returns $True if the channel is working correctly and $False if it is not. Open a PowerShell prompt and run "Test-ComputerSecureChannel".
3. Make sure the service accounts (or account, if both Diagnostic Servers use the same one) associated with the Diagnostic Servers are members of the Local Admin Group and of at least one of the Spotlight Groups, i.e. the Spotlight Diagnostic Administrators, Spotlight Diagnostic Users, or Spotlight Diagnostic Read-Only Users group.
4. In a proxy environment, make sure that exceptions for the federated servers are added in the Internet Explorer proxy settings. Log in to the Diagnostic Server host with the Diagnostic Server owner account and perform the following steps:
- Open Internet Options, Connections, LAN settings
- Click Advanced
- Add the Diagnostic Server host name in Exceptions
5. In the Internet Explorer browser on the Diagnostic Server host, enter the host name of the second Diagnostic Server and ensure the "Continue to this website" message is displayed.
6. If any changes are made, reboot the hosts of both Diagnostic Servers.
7. If the issue still persists, force an un-federation by copying FederationService.xml from {Diagnostic Server dir}\agent\conf\ServiceDefaults to {Diagnostic Server dir}\agent\conf\Service, then restart both Diagnostic Servers.
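
The read-only checks in steps 1 to 3 can be scripted and run on each Diagnostic Server host. The following is an added example, not vendor-supplied code. It assumes Windows PowerShell 5.1, an English-language built-in Administrators group, and that the Spotlight groups are local groups on the host; the peer host name and service account are placeholders.

```powershell
# Added example: read-only pre-checks for steps 1-3. Run on both Diagnostic Server hosts.
# The default values below are placeholders (assumptions); replace them with your own.
param(
    [string]$PeerHost       = 'ds-peer.example.local',  # hypothetical: the other Diagnostic Server
    [string]$ServiceAccount = 'EXAMPLE\svc-spotlight',  # hypothetical: Diagnostic Server service account
    [int]$Port              = 40403
)

$spotlightGroups = 'Spotlight Diagnostic Administrators',
                   'Spotlight Diagnostic Users',
                   'Spotlight Diagnostic Read-Only Users'

function Test-LocalGroupMember {
    param([string]$Group, [string]$Account)
    try {
        # Direct members only; membership through a nested domain group is not resolved.
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
        return [bool]($members | Where-Object { $_.Name -eq $Account })
    } catch {
        # Group missing on this host, or its membership could not be enumerated.
        Write-Warning "Could not read group '$Group': $($_.Exception.Message)"
        return $false
    }
}

# Step 1: TCP reachability of the federation port (running on both hosts covers both directions).
$portOpen = (Test-NetConnection -ComputerName $PeerHost -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded

# Step 2: trust relationship between this computer and its domain.
$channelOk = Test-ComputerSecureChannel

# Step 3: local Administrators plus at least one Spotlight group.
$isAdmin     = Test-LocalGroupMember -Group 'Administrators' -Account $ServiceAccount
$inSpotlight = @($spotlightGroups | Where-Object { Test-LocalGroupMember -Group $_ -Account $ServiceAccount })

$results = [ordered]@{
    "Port $Port reachable on $PeerHost"    = $portOpen
    'Domain secure channel healthy'        = $channelOk
    'Service account in Administrators'    = $isAdmin
    'Service account in a Spotlight group' = ($inSpotlight.Count -gt 0)
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
# Non-zero exit code when any check fails, so the script can gate a maintenance runbook.
if (@($results.Values) -contains $false) { exit 1 }
```

A FAIL on the Spotlight group check can also mean the account is a member only through a nested group, so confirm membership manually before changing anything.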