NTP Server (Network Time Protocol) – Linux


Network Time Protocol (NTP) runs over UDP port 123 at the transport layer and lets computers synchronize their clocks over a network against a configured NTP server. Over time a computer's internal clock drifts, which leads to inconsistent timestamps; this is a real problem when correlating server and client log files, or when replicating server resources or databases.

The NTP server package is available in the default CentOS/RHEL 7 repositories and can be installed with the following command.

# yum install ntp

After the package is installed, go to the official NTP Public Pool Time Servers page (http://www.pool.ntp.org/en/), choose the continent where the server is physically located, then select your country; a list of NTP servers for that country will be shown.

Then open the NTP daemon's main configuration file for editing, comment out the default list of public servers from the pool.ntp.org project and replace it with the list provided for your country, as in the screenshot below.

Next, allow clients from your networks to synchronize time with this server. To do so, add the following line to the NTP configuration file; the restrict statement controls which network is allowed to query and sync time (replace the network address and mask with your own). The syntax is restrict address mask netmask [flags], as in the commented example shipped in the default ntp.conf.

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

The nomodify and notrap options mean that clients in this network may synchronize time but are not allowed to reconfigure the server or use it as a peer for time sync.

If you need additional information for troubleshooting problems with the NTP daemon, add a logfile statement so that all NTP server messages are recorded in one dedicated log file.

logfile /var/log/ntp.log

After you have made all the configuration changes explained above, save and close the ntp.conf file. Your final configuration should look like the screenshot below.
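
The configuration built in the steps above, generated and linted by a small script; this is an added example and not part of the original page. The country code "ro", the 192.168.1.0/255.255.255.0 network, the output path and the lint rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: generate the ntp.conf described above
# and lint it for the restrict options the text relies on.
# Placeholders: country code "ro", LAN 192.168.1.0/255.255.255.0, output path.

# write_ntp_conf FILE COUNTRY NETWORK NETMASK
write_ntp_conf() {
  file=$1; cc=$2; net=$3; mask=$4
  {
    echo "driftfile /var/lib/ntp/drift"
    # Default policy: serve time only. noquery blocks ntpq/ntpdc status queries,
    # nomodify blocks configuration changes, notrap disables the trap service,
    # nopeer refuses unconfigured peers. Later lines loosen this for the LAN only.
    echo "restrict default kod nomodify notrap nopeer noquery"
    echo "restrict 127.0.0.1"
    echo "restrict ::1"
    # Upstream servers from the country pool chosen on pool.ntp.org
    for i in 0 1 2 3; do
      echo "server ${i}.${cc}.pool.ntp.org iburst"
    done
    # LAN clients may query and sync, but not reconfigure the daemon or use traps
    echo "restrict ${net} mask ${mask} nomodify notrap"
    echo "logfile /var/log/ntp.log"
  } > "$file"
}

# lint_ntp_conf FILE: print findings; return 1 if the default policy or an upstream
# server is missing, or if any non-loopback restrict line omits nomodify.
lint_ntp_conf() {
  rc=0
  grep -q '^restrict default' "$1" || { echo "missing 'restrict default' line"; rc=1; }
  grep -q '^server ' "$1" || { echo "no upstream server configured"; rc=1; }
  findings=$(grep '^restrict ' "$1" | while read -r kw target rest; do
    case "$target" in default|127.0.0.1|::1) continue ;; esac
    case " $rest " in *" nomodify "*) ;; *) echo "restrict $target lacks nomodify" ;; esac
  done)
  [ -z "$findings" ] || { echo "$findings"; rc=1; }
  return $rc
}

# Usage: write the file to a scratch path and lint it (copy to /etc/ntp.conf when happy)
write_ntp_conf /tmp/ntp.conf.example ro 192.168.1.0 255.255.255.0 && lint_ntp_conf /tmp/ntp.conf.example
```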

Add Firewall Rules and Start NTP Daemon

The NTP service uses UDP port 123 at the OSI transport layer (layer 4) and is designed to resist the effects of variable latency (jitter). To open this port on RHEL/CentOS 7, run the following commands against the firewalld service.

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload

After you have opened port 123 in the firewall, start the NTP server and enable it so that it starts at boot. Use the following commands to manage the service.

# systemctl start ntpd
# systemctl enable ntpd
# systemctl status ntpd

Verify Server Time Sync

After the NTP daemon has started, wait a few minutes for the server to synchronize with the servers in its pool list, then run the following commands to verify the peer synchronization status and your system time.

# ntpq -p
# date -R

If you want to query a pool of your choice, use the ntpdate command followed by the server address or addresses, as in the following example (the -q option only reports the offset from each server; it does not set the clock):

# ntpdate -q  0.ro.pool.ntp.org  1.ro.pool.ntp.org
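
A check that reads the ntpq -p billboard from the verification step above the way a monitoring script would; this is an added example, not part of the original page. The sample output is constructed (not captured from a real server) and the offset threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: evaluate `ntpq -p` output.
# Constructed billboard: one selected peer (*), one candidate (+), one unreachable peer.
SAMPLE_HEALTHY='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 10.0.0.1         2 u   43   64  377   12.345   -0.812   0.431
+ntp2.example.net 10.0.0.2         2 u   20   64  377   15.210    1.904   0.612
 ntp3.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed billboard of a daemon that has not synchronized yet (no * peer).
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_health TEXT MAX_OFFSET_MS
# Returns 0 only if a peer is selected (tally '*'), fully reachable over the last
# eight polls (reach 377) and its offset is within MAX_OFFSET_MS; prints the reason.
ntp_health() {
  printf '%s\n' "$1" | awk -v max="$2" '
    /^\*/ {                         # the * tally character marks the sys.peer
      sub(/^\*/, "", $1)
      selected = $1; reach = $7; offset = $9
    }
    END {
      if (selected == "") { print "no peer selected"; exit 1 }
      off = (offset < 0) ? -offset : offset
      if (reach != "377") { print selected " not fully reachable (reach " reach ")"; exit 1 }
      if (off > max) { print selected " offset " offset " ms exceeds " max " ms"; exit 1 }
      print "synchronized to " selected ", offset " offset " ms"
    }'
}

# Usage against the constructed sample; on a real server pass "$(ntpq -p)" instead.
ntp_health "$SAMPLE_HEALTHY" 100
```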

Setup Windows NTP Client

If your Windows machine is not part of a Windows domain (Active Directory), you can configure it to synchronize time with your NTP server: click the clock on the right side of the taskbar -> Change date and time settings -> Internet Time tab -> Change settings -> check Synchronize with an Internet time server -> enter your server's IP or FQDN in the Server field -> Update now -> OK.

Add NTP server on a Windows Domain Controller

Most modern operating systems, including Windows, can synchronize their system time to an NTP server. Windows uses a service called Windows Time, whose program executable is ‘w32time.exe’; the service is installed and enabled by default during installation.

Windows synchronizes time in different ways depending on the network setup. In a peer-to-peer (workgroup) network, each workstation syncs to a time reference independently.

When Windows domain networking is deployed, however, only the Primary Domain Controller (PDC) synchronizes with an external time reference. All other servers and workstations in the domain sync to the PDC using Windows' proprietary protocol. The default installation automatically configures workstations and servers to sync to the controlling PDC, so only the PDC needs to be configured to synchronize with an external time reference.

The first step is to log on to the domain controller holding the PDC role with an Administrator account and open an elevated command prompt. If you have multiple domain controllers and don't know which one holds the PDC role, use the following command:

netdom query fsmo

Run the following command on the PDC emulator:

w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update

(where timeserver is a space-delimited list of your time source servers; a list containing spaces must be enclosed in double quotes, for example /manualpeerlist:"0.ro.pool.ntp.org 1.ro.pool.ntp.org")

Once done, restart W32Time service.

net stop w32time && net start w32time

To force domain computers to synchronize time with the DC, run the following from an elevated command prompt:

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

The following commands reset the time service to its defaults:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Checking the time server (PDC Emulator)

You can check in the registry whether a domain controller is using NTP (expected on the PDC) or NT5DS (expected on non-PDC domain controllers): look at the Type value under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

You can also check that the PDC emulator advertises itself as a time source by running the following command and then looking in the event log for Event ID 139:

w32tm.exe /resync /rediscover /no_wait

To check the source time server:

w32tm /query /status