Where does the time go? If you've ever had to ask this question, NTP can give you the answer time and again.
Do you have problems keeping time synchronized on your network? Do your systems tend to drift? You can resolve the time drift problem by using the Network Time Protocol (NTP) to keep all your system’s time in sync with each other. What’s that? You’ve tried using NTP to find that some of your systems still set themselves apart from the pack. You can go one step further and create your own NTP server for your network.
If you’ve ever experienced catastrophic failures in applications, with network storage or with file timestamps, it can drive you crazy. And, for you typical overworked and under-appreciated system administrators, that’s a short drive.
Setting up your own NTP server is the answer. You learned from the first NTP-related article, “NTP: Timing is Everything,” how to setup your Linux systems to use NTP. This week, you learn how to setup a network NTP server.
Let’s face it gang, unless you have the privilege of working for Amazon.com or Google, chances are that you live and work in a mixed operating system environment. You have to deal with Windows, Linux, commercial Unix and possibly Mac systems. It isn’t pretty but it’s a fact. You have to deal with those Windows servers and keep their users happy too. Windows systems have a tendency to drift even when connected to a domain.
You might ask, “Why is Windows time so unreliable?” Part of the problem is the time algorithm that’s used for Windows time. Windows time clients attempt to synchronize time three times every 45 minutes. If those attempts successfully synchronize with a time server, updates then drop to every eight hours. And, the other part of the problem is that just about any other program running on a system can cause a clock delay. You can edit almost every time-related parameter by tweaking the Windows registry settings located at: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time.
The problem, however, is not unique to Windows operating systems. All operating systems experience drift (some more than others) and having a local NTP server brings everyone back into sync.
Why is a local NTP server better than setting all your systems to sync with an Internet time server? Having a local time server ensures that all systems on your LAN will sync to the same clock and give you time consistency within your network. Synchronized time is handy for comparing events and logs on your network.
If you followed the instructions written in NTP: Timing is Everything, you have everything you need to proceed with setting up an NTP server on your LAN.
The main differences in setting up your system as an NTP server versus setting it up as a client are in the configuration file, /etc/ntp.conf.
The first order of business is to select publicly available time servers with which to sync your LAN server. Yes, you can choose to use your own server as a local time server but it isn’t recommended. You should always sync your LAN’s time server with an external source. And, to ensure that your LAN’s time is always accurate, you should specify more than one source. For the purpose of this article, only stratum 2 servers are considered for use. If you want to know more about time strategy and rules of engagement, read the official document on the subject.
Edit your /etc/ntp.conf file and make the following changes. You’ll want to adjust some of these to fit your own needs.
# Referenced Time Servers
# Restricts reverse access. Disallow configuration modification and queries.
restrict ntp-1.cso.uiuc.edu mask 255.255.255.255 nomodify notrap noquery
restrict ntp1.kansas.net mask 255.255.255.255 nomodify notrap noquery
# Restricts modifications by local (LAN) computers but allow access
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Restrictions on the local system (None)
Save the file and restart the ntpd and you’re ready to serve time.
Before the excitement of providing time services to your LAN overwhelms you, take a moment to check your time server’s synchronization status.
$ ntpq -p
remote refid st t when poll reach delay offset jitter
ntp-1.gw.illino 184.108.40.206 2 u 28 64 17 123.092 -26.551 23.649
triangle.kansas 220.127.116.11 2 u 30 64 11 132.316 -31.254 31.254
If your reach, delay, offset or jitter values are 0.000 (or 4000), then you don’t have proper synchronization. Check that your firewalls allow port 123 (UDP), iptables can interfere if you’re running it on the same system and, under certain circumstances, you might have to remove the nomodify and notrap from your LAN access restrict entry. Should your synchronization still fail, use the IP addresses of the time servers instead of their DNS names.
To configure your Windows clients to use your new time server, you’ll have to change where the NTP looks for synchronization. Go to Control Panel, Date and Time, Internet Time and enter the name or IP address of your time server into the Server field. Click the Update button when finished. The system time should synchronize with your time server. Click OK when finished. Repeat for each Windows system (Workstation and Server) on your network.
Providing time services to your network computers is an essential service that may go unappreciated by your users. NTP is a lowly protocol that goes unnoticed until it breaks. Don’t be surprised if no one gives you a pat on the back for setting up this awesome service. Doing time is a lonely and often solitary pursuit but certainly worth the effort.