Linux Admin Reference – NTP Configuration and Troubleshooting – Red Hat Enterprise Linux :

NTP Quick Reference

NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference. NTP is an Internet standard protocol originally developed by Professor David L. Mills at the University of Delaware.

Time usually just advances. If you have communicating programs running on different computers, time should still advance even when you switch from one computer to another. Obviously, if one system is ahead of the others, the others are behind that particular one. From the perspective of an external observer, switching between these systems would cause time to jump forward and back, an undesirable effect.

As a consequence, isolated networks may run their own wrong time, but as soon as you connect to the Internet, the effects will be visible. Just imagine an e-mail message that arrived five minutes before it was sent, with a reply two minutes before the message was sent. Even on a single computer, some applications have trouble when the time jumps backwards. For example, database systems using transactions and crash recovery like to know the time of the last good state. Therefore, air traffic control was one of the first applications for NTP. (Ref: ntp.org)

In this article we discuss NTP-related operations in a Red Hat Enterprise Linux environment.

::: What Clock Sources are available by default on a Red Hat Linux Server?

 
All servers have two kinds of clocks:
 
 – The System Clock  – Owned by OS
 – The hardware clock – Owned by CMOS.
 
When the server is running, it usually provides its system clock as the clock resource. However, when the server is shut down, the system clock will sync to the hardware clock, and when it is rebooted the hardware clock will sync to the system clock. Note: If the server has been shut down for a long time and is rebooted, the time that the hardware clock syncs to the system may not be accurate.
 
 

::: How to Configure Basic NTP server:

 
Install the ntp package:
[root@host ~]# yum install ntp
Ensure the following entries are in /etc/ntp.conf:
The example below functions as an NTP server for the 192.168.0.0/255.255.0.0 network.
[root@ntp.server.com ~]# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server stratum2.ntp.com
server stratum2.ntp2.com
server stratum2.ntp3.com
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
Note: The public stratum 2 servers for your network’s NTP server can be found on ntp.org.
 
Start the ntpd service:
[root@ntp.server.com ~]# service ntpd start
 

 

::: How to Configure Basic NTP Client:

 
Ensure the following entries are in /etc/ntp.conf:
[root@ntp.client.com ~]# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp.server.com
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
Start the NTP service:
[root@ntp.client.com ~]# service ntpd start
 

::: How to Verify NTP status from Client

 
[root@ntp.client.com ~]# ntpq -p
   remote          refid    st  t  when  poll   reach  delay    offset    jitter
================================================================================
ntp.server.com    some.ip    3  u  20    128    377    0.003    0.4312    0.3482
 
[root@ntp.client.com ~]# ntpq -c as
ind   assID   status   conf   reach   auth   condition   last_event   cnt
================================================================================
1     31893   9614     yes     yes    none    sys.peer    reachable   1
 
 
 

::: Advanced NTP server Configuration

 
For the Requirement:
 
– Allow hosts within two example IP subnets (10.0.0.0/255.0.0.0 and 192.168.0.0/255.255.255.0) to use this server as an NTP server
– Queries from all other hosts except localhost (127.0.0.1) will not be accepted
– For Time Synchronization from External sources – Only Servers mentioned with server statements will be treated as Trusted Stable Time Sources.
 
 
Sample Configuration  Entries from /etc/ntp.conf:
 
Entry 1 -> restrict default nomodify notrap noquery
Entry 2 -> restrict 127.0.0.1
Entry 3 -> restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
Entry 4 -> restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
Entry 5 -> server 0.pool.ntp.org
Entry 6 -> server 1.pool.ntp.org
Entry 7 -> server 2.pool.ntp.org
Entry 8 -> driftfile /var/lib/ntp/drift
Entry 9 -> broadcastdelay  0.008
Entry 10-> keys            /etc/ntp/keys
 
Entry 1: default restrictions – these apply to anyone not matched by a more specific “restrict” statement. We will trust any host named as a server, but will not allow queries, traps, or modifications to our service parameters by default.
Entry 2: Permit all access over the loopback interface.
Entry 3, 4 (client networks): Permit systems on these networks to synchronize with this time service. Do not permit those systems to modify the configuration of this service.
Entry 5, 6, 7 (time servers): the servers we want to use as stable time sources. We “trust” them by default (see the ‘default’ statement above), so we shouldn’t need special ‘restrict’ statements for these servers to trust them as time sources.
Entry 8, 9 – Drift file and broadcast delay.
Entry 10 – Keys file.
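
An added example, not from the original article: a POSIX shell/awk check that reads an ntp.conf on standard input and reports restrict lines that fall short of the policy in the sample entries (default carries nomodify, notrap and noquery; client networks carry nomodify and notrap). The function names and the weak sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the restrict lines of an ntp.conf read from stdin.

sample_weak_conf() {     # constructed: two deliberate gaps versus the entries above
cat <<'EOF'
restrict default nomodify notrap   # noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
restrict 192.168.0.0 mask 255.255.255.0 notrap
server 0.pool.ntp.org
EOF
}

audit_ntp_restrict() {
    awk '
    function has(flag,    i) {              # is the flag a token on this line?
        for (i = 1; i <= NF; i++) if ($i == flag) return 1
        return 0
    }
    { sub(/#.*/, "") }                      # a commented-out flag does not count
    $1 != "restrict" { next }
    {
        a = ($2 == "-4" || $2 == "-6") ? 3 : 2      # optional family switch
        target = $a
        if (target == "127.0.0.1" || target == "::1") next   # loopback entries
        if (target == "default") seen = 1
        if (has("ignore")) next             # ignore already denies all packets
        need = (target == "default") ? "nomodify notrap noquery" : "nomodify notrap"
        n = split(need, want, " ")
        for (k = 1; k <= n; k++)
            if (!has(want[k])) {
                printf "FAIL line %d (%s): missing %s\n", NR, target, want[k]
                bad++
            }
    }
    END {
        if (!seen) { print "FAIL no restrict default line"; bad++ }
        print "findings=" (bad + 0)
    }'
}

sample_weak_conf | audit_ntp_restrict
```

To check a live host, run `audit_ntp_restrict < /etc/ntp.conf`.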
 
 

::: Important points about NTP Configuration:

 
  • NTP uses UDP port 123. For the server both to synchronize itself with its trusted time sources and to serve NTP clients, the server’s firewall configuration must allow UDP traffic to destination port 123.
  • The noquery restriction used in the default restrict statement will protect the server from functioning as an NTP server to hosts not defined with restrict statements, as in Entries 3 and 4 of the previous configuration example.
 

::: How to Restart NTPD service and enable it for Auto start during boot.

 

# service ntpd restart
Shutting down ntpd:                              [  OK  ]
ntpd: Synchronizing with time server:            [  OK  ]
Starting ntpd:                                   [  OK  ]
 
# chkconfig --level 345 ntpd on
 

::: How to stop the NTP client from using its Undisciplined Local Clock in the case of unavailable Network Time Sources

(For example, network connectivity issues between the local NTP server and the remote NTP source.)
 
The Undisciplined Local Clock is a fake driver that can simulate a reference clock when no external synchronization sources are available.
 
Commenting out the lines below in /etc/ntp.conf will prevent ntpd from using the BIOS real-time clock as a backup time source:
 
# server 127.127.1.0
# fudge 127.127.1.0 stratum 10
 

## How to Sync the System Clock to NTP server – immediately.

 
# /sbin/service ntpd status
ntpd (pid 2249) is running...
 
# /sbin/service ntpd stop
Shutting down ntpd:                                        [  OK  ]
 
 
The below command will step the System Clock to NTP server immediately:
# /usr/sbin/ntpdate time.nist.gov
20 May 16:27:51 ntpdate[1364]: adjust time server 192.43.244.18 offset 0.000041 sec
 
# /sbin/service ntpd start
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]
 
# /usr/sbin/ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 clock.util.phx2 .CDMA.           1 u    1   64    1  276.170    0.691   0.001
 file.pek.redhat .INIT.          16 u    -   64    0    0.000    0.000   0.000
 
After a complete sync with the NTP server (which may take 10-15 minutes), the output will appear as below:
 
# /usr/sbin/ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*clock.util.phx2 .CDMA.           1 u   23 64  377  275.905    0.646   0.323
 file.pek.redhat .INIT.          16 u    - 64    0    0.000    0.000   0.000
 

 

 ## What is the significance of “*”, “+” or an empty space in front of the NTP server in the “ntpq -p” output?

  • If there is a “*” before the NTP server name, ntpd has collected enough time data and trusts the time server. ntpd will continuously sync with that NTP server.
  • If there is no “*” on any NTP server, or the “*” is on a local fudge server after 10-15 minutes, ntpd has not trusted the NTP server, and further checks are required on the NTP server and the configuration.
  • The “+” indicates that this peer is a candidate.
  • An empty space indicates that the peer is unreachable and therefore rejected (stratum 16).
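
An added example, not part of the original article: a POSIX shell/awk filter that reads ntpq -p output and reports each peer's role from its tally code, how many of the last eight polls were answered (the reach column is an octal shift register), and an overall verdict. The sample lines are constructed from the output shown earlier; treating refid .LOCL. as the local fudge clock is an assumption about how that driver is displayed.

```shell
#!/bin/sh
# Added example: summarize ntpq -p output (stdin) by tally code and reach.

sample_ntpq_output() {   # constructed sample modelled on the output shown above
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*clock.util.phx2 .CDMA.           1 u   23   64  377  275.905    0.646   0.323
+ntp2.example    .GPS.            1 u   40   64   17   12.100    0.310   0.120
 file.pek.redhat .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

ntpq_peer_report() {
    awk '
    NR <= 2 { next }                        # header and ===== separator
    {
        tally = substr($0, 1, 1)            # column 1 holds the tally code
        n = split(substr($0, 2), f, " ")    # name refid st t when poll reach ...
        if (n < 10) next
        # reach is an octal 8-bit shift register, one bit per recent poll
        v = 0
        for (i = 1; i <= length(f[7]); i++) v = v * 8 + substr(f[7], i, 1)
        ok = 0
        while (v > 0) { ok += v % 2; v = int(v / 2) }
        if (tally == "*")      role = "sys.peer"
        else if (tally == "+") role = "candidate"
        else if (tally == " ") role = "rejected"
        else                   role = "other"
        printf "%s role=%s stratum=%s polls_ok=%d/8\n", f[1], role, f[3], ok
        if (tally == "*") { peer = f[1]; refid = f[2] }
    }
    END {
        if (peer == "")             print "verdict=no-sys-peer"
        else if (refid == ".LOCL.") print "verdict=local-clock-only"
        else                        print "verdict=synced:" peer
    }'
}

sample_ntpq_output | ntpq_peer_report
```

On a live host, pipe the real output through it: `/usr/sbin/ntpq -p | ntpq_peer_report`.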
 

## How to diagnose the NTP error “no server suitable for synchronization found”?

 
Running the ntpdate command (which sets the date and time from an NTP server) with the -d diagnostic switch, as below, helps to identify the cause of the error:
 
# ntpdate -d time.unixadminschool.com
20 Oct 00:20:51 ntpdate[26388]: ntpdate 4.2.2p1@1.1570-o Thu Nov 26 11:34:35 UTC 2009 (1)
Looking for host time.unixadminschool.com and service ntp
host found : time.unixadminschool.com
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
server 66.125.13.54, port 123
stratum 1, precision -16, leap 00, trust 000
refid [CDMA], delay 0.32297, dispersion 0.00040
transmitted 4, in filter 4
reference time:    d245a5fe.2fdfe09b  Mon, Oct 17 2011  0:20:38.187
originate timestamp: d245a60c.e2117d1e  Mon, Oct 17 2011  0:20:52.883
transmit timestamp:  d245a60c.b9c9b413  Mon, Oct 17 2011  0:20:52.725
filter delay:  0.32361  0.32382  0.32297  0.32619 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.003892 0.004005 0.003607 0.004972
         0.000000 0.000000 0.000000 0.000000
delay 0.32297, dispersion 0.00040
offset 0.003607
 
20 Oct 00:20:53 ntpdate[26388]: adjust time server 66.187.233.4 offset 0.003607 sec
 
 

## How to address NTP Error : “ntpd: Synchronizing with time server:[FAILED]”

 
Steps to diagnose the issue:
 
 

::: Check ntp.conf

$ grep -i server /etc/ntp.conf
 
server my.ntp.server
server my.ntp2.server
 
 

::: Ensure that all servers in ntp.conf are functional:

$ ntpdate -d my.ntp.server
$ ntpdate -d my.ntp2.server
 
 
::: Check the start-up script for ntpd, /etc/init.d/ntpd: if /etc/ntp/step-tickers exists at start-up, the script executes the ntpdate command against the servers written in the file.

ntpstep=/etc/ntp/step-tickers
        if [ -s "$ntpstep" -o -n "$dostep" ]; then
 
            # Synchronize with servers if step-tickers exists
            # or the -x option is used
            echo -n $"$prog: Synchronizing with time server: "
            /usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers
            RETVAL=$?
            [ $RETVAL -eq 0 ] && success || failure
            echo
            if [ $RETVAL -eq 0 ]; then
                [ "$SYNC_HWCLOCK" = "yes" ] && sync_hwclock
            else
                OPTIONS="$OPTIONS -g"
            fi
        else
            # (excerpt ends here; the init script continues)
 

::: Check /etc/ntp/step-tickers and find servers that are not functional.

# ntpdate -d bad.ntp.server
 
Finally, if you find that any of the servers listed in /etc/ntp/step-tickers are not functional, replace them with functional NTP servers.
 

 

### What is the purpose of the ntpdate and ntpd services, and which one starts first during reboot?

 
First ntpdate will sync the system clock with the NTP server, and then ntpd will keep it in sync.
The ntp daemon may not sync if the offset is beyond the permitted limit, i.e. 128 ms: the default behavior is to slew the clock, but to sync an offset beyond 128 ms we need to step the clock.
 
Ramdev


I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and sometime later I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. And the result is today's unixadminschool.com. You can connect with me at - https://www.linkedin.com/in/unixadminschool/

5 Responses

  1. Robert says:

    Hey Ramdev, here is a suggestion for you: Why not having your articles as down-loadable pdf?

  2. anil says:

    Hi Ramdev,
    can you please let me know the NTP4 server and client configuration in Solaris 10.

    Thanks

  3. satyam says:

    Hi, images are not loading
