Friday, April 1, 2011

configuration ntp server

The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its transport layer. It is designed particularly to resist the effects of variable latency (Jitter).

Using NTP is a great way to keep your system clock set correctly. It works by contacting a number of servers around the world, asking them for the time and then calculating what the correct local time is from their responses.

If you have install ntpdate package before you need to uninstall using the following command

sudo aptitude remove ntpdate

Install NTP server in Ubuntu

sudo aptitude install ntp

This will install all the required packages for NTP.

Configure NTP Server

The configuration file for ntpd is located at /etc/ntp.conf. The default Ubuntu file probably requires some modification for optimal performance.You need to edit the /etc/ntp.conf file using the following command

sudo nano /etc/ntp.conf

do the following changes shown in this example

Example Configuration

You need to add a number of servers to the server list. The Debian default is pool.ntp.org which works but isn’t always amazingly accurate because it makes no attempt to use time servers near you. If you want more accuracy use the time servers either on your continent (for instance europe.pool.ntp.org) or your country (for instance uk.pool.ntp.org) one of your local country servers.The optimal number of servers to listen to is three but two will also give a good accuracy. If your ISP runs a time server for you it is worth including it in your server list as it will often be more accurate than the pooled servers and will help keep the load down on the pool.

I am using the following two servers for my configuration

server ntp0.pipex.net
server ntp1.pipex.net

Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

If this server is also going to provide time for other computers, such as PCs, other Linux servers and networking devices, then you’ll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement removing the noquery keyword to allow the network to query your NTP server. The syntax is:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords

restrict 127.0.0.1

Save the file and exit

Now you need to restart NTP server for these settings to take effect using the following command

sudo /etc/init.d/ntp restart

Determining If NTP Is Synchronized Properly

Use the ntpq command to see the servers with which you are synchronized. It provided you with a list of configured time servers and the delay, offset and jitter that your server is experiencing with them. For correct synchronization, the delay and offset values should be non-zero and the jitter value should be under 100.

sudo ntpq -np

In the output of above command A star by any one of the chosen server names means that the system clock is synchronising with the NTP clock. If you don’t have a star (as in the example above) it means that the clocks are unreachable, already synchronized to this server or has an outrageous synchronization distance. Try running ntpdate (you will need to stop the ntp server) with your first ntp server as an argument. This will set your system clock fairly accuratly and mean that the server will be able to choose a clock to synchronize with.

Firewall Configuration for NTP

NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn’t a high port (above 1023), but 123 also. You’ll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.

NTP Linux Client Configuration

If you want to configure ntp client you need to install the following packages

sudo aptitude install ntp ntp-simple ntpdate

Configuring NTP client

You need to edit the /etc/ntp.conf file you need to point the following settings to NTP server ip address

sudo nano /etc/ntp.conf

Server configuration settings

server 192.168.1.1

Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict default notrust nomodify nopeer

Localhost configuration

restrict 192.168.1.1

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords

restrict 127.0.0.1

Now you need to save and exit the file

Run ntpdate command against your server

sudo ntpdate 192.168.1.1

Restart ntp service using the following command

sudo /etc/init.d/ntp restart

Windows Clients Configuration

Windows machines use a simplified version of NTP called Simple Network Time Protocol (SNTP), and can synchronize with NTP servers. In order to synchronize with your new server, double click on the time and go to the “Internet Time” tab. Put the IP address of your server in the “Server” field.

No comments:

Post a Comment