NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference. NTP is an Internet standard protocol originally developed by Professor David L. Mills at the University of Delaware.
Time usually just advances. If you have communicating programs running on different computers, time still should even advance if you switch from one computer to another. Obviously if one system is ahead of the others, the others are behind that particular one. From the perspective of an external observer, switching between these systems would cause time to jump forward and back, a non-desirable effect.
As a consequence, isolated networks may run their own wrong time, but as soon as you connect to the Internet, effects will be visible. Just imagine some EMail message arrived five minutes before it was sent, and there even was a reply two minutes before the message was sent. Even on a single computer some applications have trouble when the time jumps backwards. For example, database systems using transactions and crash recovery like to know the time of the last good state. Therefore, air traffic control was one of the first applications for NTP. (Ref: ntp.org)
In this article we will discuss NTP-related operations in a Red Hat Enterprise Linux environment.
::: What clock sources are available by default on a Red Hat Linux server?
All servers have two kinds of clocks:
– The System Clock – Owned by OS
– The hardware clock – Owned by CMOS.
When the server is running, it usually uses its system clock as the clock source. However, when the server is shut down, the system clock will sync to the hardware clock, and when it is rebooted the hardware clock will sync to the system clock. Note: If the server has been shut down for a long time and is then rebooted, the time that the hardware clock syncs to the system may not be accurate.
::: How to Configure Basic NTP server:
Install the ntp package:
[root@host ~]# yum install ntp
Ensure the following entries are in /etc/ntp.conf:
The example below functions as an NTP server for the 192.168.0.0/255.255.0.0 network.
[root@ntp.server.com ~]# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server stratum2.ntp.com
server stratum2.ntp2.com
server stratum2.ntp3.com
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
Note: The public stratum 2 servers for your network’s NTP server can be found on ntp.org.
Start the ntpd service:
[root@ntp.server.com ~]# service ntpd start
::: How to Configure Basic NTP Client:
Ensure the following entries are in /etc/ntp.conf:
[root@ntp.client.com ~]# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp.server.com
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
Start the NTP service:
[root@ntp.client.com ~]# service ntpd start
::: How to Verify NTP status from Client
[root@ntp.client.com ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
================================================================================
ntp.server.com some.ip 3 u 20 128 377 0.003 0.4312 0.3482
[root@ntp.client.com ~]# ntpq -c as
ind assID status conf reach auth condition last_event cnt
================================================================================
1 31893 9614 yes yes none sys.peer reachable 1
::: Advanced NTP server configuration
Requirements:
– Allow hosts within two example IP subnets (10.0.0.0/255.0.0.0 and 192.168.0.0/255.255.255.0) to use this server as an NTP server
– Queries from all other hosts except localhost (127.0.0.1) will not be accepted
– For Time Synchronization from External sources – Only Servers mentioned with server statements will be treated as Trusted Stable Time Sources.
Sample Configuration Entries from /etc/ntp.conf:
Entry 1 -> restrict default nomodify notrap noquery
Entry 2 -> restrict 127.0.0.1
Entry 3 -> restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
Entry 4 -> restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
Entry 5 -> server 0.pool.ntp.org
Entry 6 -> server 1.pool.ntp.org
Entry 7 -> server 2.pool.ntp.org
Entry 8 -> driftfile /var/lib/ntp/drift
Entry 9 -> broadcastdelay 0.008
Entry 10-> keys /etc/ntp/keys
Entry 1: Default restrictions. These apply to anyone not covered by a better matching "restrict" statement. We will trust any host named as a server, but will not allow queries, traps, or modifications to our service parameters by default.
Entry 2: Permit all access over the loopback interface.
Entry 3, 4 (client networks): Permit systems on these networks to synchronize with this time service. Do not permit those systems to modify the configuration of this service.
Entry 5, 6, 7 (time servers): The servers we want to use as stable time sources. We "trust" them by default (see the 'default' statement above), so we shouldn't need special 'restrict' statements for these servers to trust them as time sources.
Entry 8, 9 – Drift file and broadcast delay.
Entry 10 – Keys file.
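To see which restrict entry applies to a given client address, the following added example (not part of the original article or of ntpd) parses the restrict lines from the sample configuration and returns the flags of the best matching entry. It assumes "better matching" means longest-prefix match and handles IPv4 only; the function names and the test addresses are made up for illustration.

```python
import ipaddress

# restrict lines copied from the sample /etc/ntp.conf above (Entries 1-4)
NTP_CONF = """\
restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
server 0.pool.ntp.org
"""


def parse_restrict(conf_text):
    """Return [(IPv4Network, flags)] for the IPv4 restrict lines in ntp.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok[:1] != ["restrict"]:
            continue
        tok = [t for t in tok[1:] if t != "-4"]
        if not tok or tok[0] == "-6" or ":" in tok[0]:
            continue  # IPv6 entries are out of scope for this sketch
        addr, flags = tok[0], tok[1:]
        try:
            if addr == "default":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif flags[:1] == ["mask"] and len(flags) >= 2:
                net = ipaddress.ip_network(f"{addr}/{flags[1]}", strict=False)
                flags = flags[2:]
            else:
                net = ipaddress.ip_network(f"{addr}/32")  # no mask means one host
        except ValueError:
            continue  # hostname or malformed address: not resolved here
        rules.append((net, frozenset(flags)))
    return rules


def effective_flags(rules, client_ip):
    """Flags of the most specific entry covering client_ip (assumed longest-prefix match)."""
    ip = ipaddress.ip_address(client_ip)
    matching = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(matching, key=lambda m: m[0])[1] if matching else None


if __name__ == "__main__":
    rules = parse_restrict(NTP_CONF)
    for host in ("127.0.0.1", "10.20.30.40", "192.168.0.15", "192.168.1.15", "203.0.113.9"):
        print(host, sorted(effective_flags(rules, host)))
```

Note that 192.168.1.15 falls outside the 255.255.255.0 mask of Entry 4, so it receives the default flags, including noquery.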
::: Important points about NTP Configuration:
– NTP uses UDP port 123. In order for the server to both synchronize itself with its trusted time sources and service NTP clients, the server's firewall configuration must allow UDP traffic to destination port 123.
– The noquery restriction used in the default restrict statement will protect the server from functioning as an NTP server to hosts not defined with restrict statements, as in Entry 3 and 4 of the previous configuration example.
::: How to Restart NTPD service and enable it for Auto start during boot.
# service ntpd restart
Shutting down ntpd: [ OK ]
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
# chkconfig --level 345 ntpd on
::: How to stop the NTP client from using its Undisciplined Local Clock when network time sources are unavailable (for example, network connectivity issues between the local NTP server and the remote NTP source)
The Undisciplined Local Clock is a fake driver that can simulate a reference clock when no external synchronization sources are available.
Commenting out the lines below in /etc/ntp.conf will prevent ntpd from using the BIOS real-time clock as a backup time source:
# server 127.127.1.0
# fudge 127.127.1.0 stratum 10
## How to Sync the System Clock to NTP server – immediately.
# /sbin/service ntpd status
ntpd (pid 2249) is running…
# /sbin/service ntpd stop
Shutting down ntpd: [ OK ]
The below command will step the System Clock to NTP server immediately:
# /usr/sbin/ntpdate time.nist.gov
20 May 16:27:51 ntpdate[1364]: adjust time server 192.43.244.18 offset 0.000041 sec
# /sbin/service ntpd start
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
# /usr/sbin/ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
clock.util.phx2 .CDMA. 1 u 1 64 1 276.170 0.691 0.001
file.pek.redhat .INIT. 16 u – 64 0 0.000 0.000 0.000
After a complete sync with the NTP server (this may take 10-15 minutes), the output will appear as below:
# /usr/sbin/ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*clock.util.phx2 .CDMA. 1 u 23 64 377 275.905 0.646 0.323
file.pek.redhat .INIT. 16 u – 64 0 0.000 0.000 0.000
## What is the significance of "*", "+" or an empty space in front of the NTP server in the "ntpq -p" output?
– If there is a "*" before the NTP server name, it means ntpd has collected enough time data and trusts the time server. ntpd will continuously sync with that NTP server.
– If there is no "*" on any NTP server, or the "*" is on a local fudge server after 10-15 minutes, it means ntpd does not trust the NTP server yet, and further checks are required on the NTP server and the configuration.
– The "+" indicates that this peer is a candidate.
– An empty space indicates that the peer is unreachable and therefore rejected (stratum 16).
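The check described in the list above can be automated. This added example (not from the original article) parses ntpq -p output and classifies it; the first two samples are the article's own outputs with column spacing restored, the third is constructed, and the status labels and function names are this example's own.

```python
HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
JUST_STARTED = HEADER + (
    " clock.util.phx2 .CDMA.           1 u    1   64    1  276.170    0.691   0.001\n"
    " file.pek.redhat .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
)
SYNCED = HEADER + (
    "*clock.util.phx2 .CDMA.           1 u   23   64  377  275.905    0.646   0.323\n"
    " file.pek.redhat .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
)
LOCAL_ONLY = HEADER + (  # constructed: only the local clock driver is selected
    "*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.001\n"
    " ntp.server.com  .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
)


def parse_peers(text):
    """Parse ntpq -p output into dicts; column 0 of each row is the tally code."""
    peers, in_body = [], False
    for line in text.splitlines():
        if line.startswith("="):
            in_body = True
        elif in_body and line.strip():
            f = line[1:].split()
            peers.append({"tally": line[0], "remote": f[0], "refid": f[1],
                          "stratum": int(f[2]), "reach": int(f[6], 8)})  # reach is octal
    return peers


def sync_status(text):
    """Classify the output the way the list above reads the tally codes."""
    sys_peer = next((p for p in parse_peers(text) if p["tally"] == "*"), None)
    if sys_peer is None:
        return "unsynchronized"
    if sys_peer["remote"].startswith("LOCAL") or sys_peer["refid"] == ".LOCL.":
        return "local-clock-only"
    return "synchronized"


def unreachable(text):
    """Peers whose reach register is 0, i.e. no reply has been received."""
    return [p["remote"] for p in parse_peers(text) if p["reach"] == 0]


if __name__ == "__main__":
    for name, sample in (("just started", JUST_STARTED), ("synced", SYNCED), ("local", LOCAL_ONLY)):
        print(name, sync_status(sample), unreachable(sample))
```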
## How to diagnose the NTP error "no server suitable for synchronization found"?
Running the ntpdate command (which sets the date and time from an NTP server) with the debug switch, as below, will help to identify the cause of the error:
# ntpdate -d time.unixadminschool.com
20 Oct 00:20:51 ntpdate[26388]: ntpdate 4.2.2p1@1.1570-o Thu Nov 26 11:34:35 UTC 2009 (1)
Looking for host time.unixadminschool.com and service ntp
host found : time.unixadminschool.com
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
server 66.125.13.54, port 123
stratum 1, precision -16, leap 00, trust 000
refid [CDMA], delay 0.32297, dispersion 0.00040
transmitted 4, in filter 4
reference time: d245a5fe.2fdfe09b Mon, Oct 17 2011 0:20:38.187
originate timestamp: d245a60c.e2117d1e Mon, Oct 17 2011 0:20:52.883
transmit timestamp: d245a60c.b9c9b413 Mon, Oct 17 2011 0:20:52.725
filter delay: 0.32361 0.32382 0.32297 0.32619
0.00000 0.00000 0.00000 0.00000
filter offset: 0.003892 0.004005 0.003607 0.004972
0.000000 0.000000 0.000000 0.000000
delay 0.32297, dispersion 0.00040
offset 0.003607
20 Oct 00:20:53 ntpdate[26388]: adjust time server 66.187.233.4 offset 0.003607 sec
## How to address the NTP error "ntpd: Synchronizing with time server: [FAILED]"
Steps to diagnose the issue:
::: Check ntp.conf
$ grep -i server /etc/ntp.conf
server my.ntp.server
server my.ntp2.server
::: Ensure that all servers in ntp.conf are functional:
$ ntpdate -d my.ntp.server
$ ntpdate -d my.ntp2.server
::: Check the start-up script for ntpd, /etc/init.d/ntpd. If /etc/ntp/step-tickers exists at start-up, the script runs the ntpdate command against the servers listed in that file.
ntpstep=/etc/ntp/step-tickers
if [ -s "$ntpstep" -o -n "$dostep" ]; then
    # Synchronize with servers if step-tickers exists
    # or the -x option is used
    echo -n $"$prog: Synchronizing with time server: "
    /usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers
    RETVAL=$?
    [ $RETVAL -eq 0 ] && success || failure
    echo
    if [ $RETVAL -eq 0 ]; then
        [ "$SYNC_HWCLOCK" = "yes" ] && sync_hwclock
    else
        OPTIONS="$OPTIONS -g"
    fi
else
    # (excerpt from the init script ends here)
::: Check /etc/ntp/step-tickers and find servers that are not functional.
# ntpdate -d bad.ntp.server
Finally, if you find that any of the servers listed in /etc/ntp/step-tickers are not functional, replace them with functional NTP servers.
### What is the purpose of the ntpdate and ntpd services, and which one starts first during reboot?
First ntpdate will sync the system clock with the NTP server, and then ntpd will keep it in sync.
The ntp daemon may not sync if the offset is beyond the permitted limit, i.e. 128 ms. The default behavior is to slew the clock, but to sync beyond 128 ms we need to step the clock.
Hey Ramdev, here is a suggestion for you: Why not having your articles as down-loadable pdf?
Hi Robert, I will check if I can add this functionality for the site. Thanks for your suggestion.
Hi Ramdev,
Can you please let me know the NTP4 server and client configuration in Solaris 10?
Thanks
Hi, images are not loading
I have fixed the font color problem