Explanation: Connecting to Machines Using IP Address vs Fully Qualified Domain Name (FQDN)

For networks that use either NTLM or a basic Kerberos configuration as the authentication protocol, specifying IP address as the connection method will typically work just fine. This means that the Security Controls console will connect to clients using the IP address of the machines. This is the default setting.

Some networks, however, operate in stricter environments. They may restrict NTLM, or they may employ additional Kerberos security measures that are implemented using Group Policy. In particular, if the client machines in your environment accept connections over the Server Message Block (SMB) protocol, a certain level of validation may be required on the client's Service Principal Name (SPN). If this is the case, you must choose Fully Qualified Domain Name (FQDN) as your connection method. Doing so will satisfy the additional validation requirements. Connecting using the IP address will not satisfy the SPN validation requirements, and the console will not be able to make a connection with your client machines.

There is one caveat. If you are operating in an NTLM- or SPN-restricted environment and you specify FQDN as your connection method, progress messages will not be displayed when deploying patches to offline hosted virtual machines.

Newer versions of Windows are the most likely to employ the stricter security measures. Older versions of Windows that do not use the restrictions will also work with the FQDN connection method. So if you have a mix of machines, choose Fully Qualified Domain Name (FQDN).

For more details, see this article from Microsoft.

When in doubt, choose IP address and then perform some test scans on your client machines to verify that connections are being made. If the scans fail due to connection errors, choose Fully Qualified Domain Name (FQDN) and see if that resolves the problem.
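The following PowerShell script is an added example, not part of the Security Controls documentation. It reads the two client-side settings this page refers to (the SMB "Server SPN target name validation level" and the "Restrict NTLM: Incoming NTLM traffic" policy, both of which Group Policy writes to the registry), checks that the client's FQDN resolves and answers on TCP 445, and reports which connection method is likely to work. It assumes PowerShell remoting is enabled on the clients and that you have administrative rights there; the function and output property names are the example's own.

```powershell
# Added example: decide between IP address and FQDN for each client by
# inspecting the settings that make IP-based (SPN-less / NTLM) connections fail.
# Assumes WinRM is enabled on the clients and the caller is a local admin there.
function Get-ConnectionMethodAdvice {
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    $probe = {
        $smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        # SmbServerNameHardeningLevel: 0 = off, 1 = accept if provided, 2 = required
        $spn  = (Get-ItemProperty -Path $smb -Name SmbServerNameHardeningLevel `
                    -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
        # RestrictReceivingNTLMTraffic: 0 = allow, 1 = deny domain accounts, 2 = deny all
        $ntlm = (Get-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
        [pscustomobject]@{
            Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
            SpnValidation = if ($null -eq $spn)  { 0 } else { [int]$spn }
            NtlmRestrict  = if ($null -eq $ntlm) { 0 } else { [int]$ntlm }
        }
    }

    foreach ($c in $ComputerName) {
        try {
            $r = Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop
        } catch {
            Write-Warning "$c : could not query settings ($($_.Exception.Message))"
            continue
        }
        # An IP-based connection carries no hostname SPN, so required SPN validation
        # or any incoming-NTLM restriction means Kerberos by FQDN is the safe choice.
        $method = if ($r.SpnValidation -ge 2 -or $r.NtlmRestrict -ge 1) { 'FQDN' } else { 'IP address' }
        # Confirm the FQDN resolves and SMB (TCP 445) is reachable by that name.
        $smbOk = (Test-NetConnection -ComputerName $r.Fqdn -Port 445 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            Computer           = $c
            Fqdn               = $r.Fqdn
            SpnValidation      = $r.SpnValidation
            NtlmRestrict       = $r.NtlmRestrict
            SmbReachableByFqdn = $smbOk
            RecommendedMethod  = $method
        }
    }
}

# Usage (constructed host names): Get-ConnectionMethodAdvice -ComputerName 'client01','client02'
```

If any client reports FQDN as the recommended method, select Fully Qualified Domain Name (FQDN) for the whole group, since the page notes that machines without the restrictions work with FQDN as well.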
