Installing and configuring an NTP time server in Linux. Installing ntp in Ubuntu. ntp.conf description


Setting the time on Windows Server operating systems using the NTP protocol is critical for many services. Without a correctly configured time, or rather, if the clocks on the server and the workstations diverge, many protocols cannot work correctly, Active Directory and its synchronization services among them. Setting and maintaining the clock with NTP is a simple task, but it sometimes comes with complications, which we will try to address in this article.

As an example we will use a system that is not the newest, Windows Server 2012. It is the most common, and at the same time similar commands and rules apply to many other versions, including Windows Server 2008 and Windows Server 2016. Note that the description concerns an environment with a single domain controller acting as the PDC. More complex setups are not considered.

Reset NTP Settings

In order to put the NTP service into the “default” state, you must run the following commands:

Stop-Service w32time
w32tm /unregister
w32tm /register

These commands stop the service, unregister it, and register it in the system again. Run them only when absolutely necessary. As a rule there is no need for them: NTP can be configured without a reset, as long as the rest of the system state is taken into account.

Normal NTP Installation Commands

In order to configure the network time protocol on a Windows Server domain controller, first disable time synchronization through Hyper-V if the controller is virtualized with that technology. To do this, open the VM settings and uncheck the Time Synchronization item in the Management -> Integration Services section.

For those who do not use Hyper-V, the previous step can be omitted.

Then specify the external time servers and tell the service to synchronize from this manually configured list:

w32tm /config /manualpeerlist:"0.de.pool.ntp.org 1.de.pool.ntp.org" /syncfromflags:MANUAL

UDP protocol for NTP and firewall blocking

In its standard configuration the time protocol uses UDP port 123. Make sure that the firewall does not block this port. If it is blocked, the System log fills with Time-Service events saying that the peer cannot be reached:

Log Name: System
Source: Microsoft-Windows-Time-Service
Event ID: 47
Level: Warning
Description: Time Provider NtpClient: No valid response has been received from manually configured peer pool.ntp.org after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.

To make sure that this is really the problem, you can enable additional debug output. We configure the Windows time service log so that everything needed is written to it but the file does not grow beyond 20 megabytes (the log path is an example; /size is given in bytes):

w32tm /debug /enable /file:C:\Windows\Temp\w32time.log /size:20000000 /entries:0-300

When you are done diagnosing, turn the debug log off again:

w32tm /debug /disable

When the firewall blocks NTP, the debug log contains the following line:

Logging error: NtpClient has been configured to acquire time from one or more time sources, however none of the sources are currently accessible and no attempt to contact a source will be made for 1 minutes. NTPCLIENT HAS NO SOURCE OF ACCURATE TIME.

In this case (and in general, as the first thing to verify) check the firewall rule for UDP port 123 and, if necessary, change it or add it.

Checking that ntp is working correctly

To check if everything is working correctly, you can start synchronization manually:

w32tm /resync

If everything went well, you will receive the following message:

Sending resync command to local computer
The command completed successfully.

If there are problems, the message is:

The computer did not resync because no time data was available.

In the second case, recheck everything from the start: the firewall and the correctness of the specified servers (whether you mistyped a name). If nothing else helps, the reset procedure is described above.

Application examples

08.12.2014

NetPing devices use the NTP protocol to synchronize time. With this protocol, all devices on the network adjust their clocks to the specified server. NetPing devices connected to the Internet can use a public NTP server, as recommended in the corresponding article. If there is no Internet access, you can set up a local NTP server. Such a server can be any computer running Windows with a configured W32Time service (Windows Time Service). This service has no GUI and is configured either from the command line or by editing registry keys.

Instructions for setting up an NTP server on Windows 7/8/2008/2012

Let's look at setting up a time service by editing the registry. The setup is the same for Windows versions 7/8, Windows Server 2008, Windows Server 2012.

For this setting, you must have Windows OS administrator rights.

Open the registry editor either through the Run dialog, opened with the Win + R key combination, or through the search form, where we type regedit.


In the editor that opens, in the tree on the left, open the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer and find the value named Enabled. Right-click it, select Modify, and change its data from 0 to 1.


By changing this parameter we declared that this computer acts as an NTP server. At the same time the computer remains a client and can synchronize its own time with other servers on the Internet or on the local network. If you want the internal hardware clock to act as the time source, also change the AnnounceFlags value to 5 in the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config.


For the changes to take effect, the service must be restarted. Services are reached through Start -> Control Panel -> Administrative Tools -> Services, or by typing services.msc in the search form. In the list of services find the Windows Time service, right-click it and select Restart.


Windows operating systems include the W32Time time service. It is designed to synchronize time within an organization. W32Time implements both the client and the server part of the time service, and the same computer can be an NTP (Network Time Protocol) client and server at the same time.

By default, the Windows time service is configured as follows:

  • When Windows is installed, an NTP client is started that synchronizes with an external time source;
  • When a computer is joined to a domain, the synchronization type changes. All client computers and member servers in the domain use a domain controller, which also verifies their authenticity, to synchronize time;
  • When a member server is promoted to a domain controller, an NTP server is started on it, which uses the controller holding the PDC emulator role as its time source;
  • The PDC emulator in the forest root domain is the primary time server for the entire organization. It, in turn, synchronizes with an external time source.

This scheme works in most cases and does not require intervention. However, the structure of the time service in Windows may not follow the domain hierarchy, and any computer can be designated as a reliable time source.

As an example, let's look at setting up an NTP server in Windows Server 2008 R2; by analogy, you can set up an NTP server in Windows 7.

Starting the NTP server

The Windows Server time service has no GUI and can be configured either from the command line or by editing the system registry directly. Let's consider the second method:

The NTP server needs to be started. Open the registry branch:

HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpServer

To enable the NTP server, the Enabled parameter must be set to 1. Then we restart the time service with the command net stop w32time && net start w32time.

After the time service restarts, the NTP server is active and can serve clients. You can verify this with the w32tm /query /configuration command, which prints the full list of service parameters. If the NtpServer section contains the line Enabled: 1, everything is in order and the time server is running.

In order for the NTP server to serve clients, the firewall must open UDP port 123 for incoming and outgoing traffic.

Basic NTP server settings

Open the registry branch:

HKLM\System\CurrentControlSet\services\W32Time\Parameters

The Type parameter in this branch selects what the service synchronizes with. It accepts the following values:

NoSync - the NTP server is not synchronized with any external time source. The system clock is used, built into the CMOS chip of the server itself (in turn, this clock can be synchronized from a NMEA source via RS-232, for example);

NTP - The NTP server synchronizes with external time servers that are specified in the NtpServer registry parameter;

NT5DS - NTP server synchronizes according to the domain hierarchy;

AllSync - the NTP server uses all available sources for synchronization.

The default value for a domain member computer is NT5DS; for a standalone computer it is NTP.

The NtpServer parameter lists the NTP servers with which this server will synchronize time. By default it contains the Microsoft NTP server (time.windows.com,0x1); if necessary you can add several more NTP servers by entering their DNS names or IP addresses separated by spaces. A flag can be appended to each name (e.g. ,0x1) that determines the synchronization mode with that time server.

The following mode values are allowed:

  • 0x1 - SpecialInterval, use the special polling interval;
  • 0x2 - UseAsFallbackOnly mode;
  • 0x4 - SymmetricActive, symmetric active mode;
  • 0x8 - Client, send requests in client mode.

Another important AnnounceFlags setting is located in the registry key:

HKLM\System\CurrentControlSet\services\W32Time\Config.

It is responsible for how the NTP server announces itself. To declare a member server (not a domain controller) as a reliable time source, flag 5 is needed.

If the server being configured is, in turn, an NTP client (receives time from a GPS receiver via NTP, for example), you can configure the interval between updates. This parameter may also be relevant for client PCs. The SpecialPollInterval key, located in the registry branch, is responsible for the update time:

HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpClient.

It is specified in seconds and its default value is 604800, which is 1 week. That is a lot, so it is worth reducing SpecialPollInterval to a reasonable value such as 1 hour (3600).

After configuration, you need to update the service configuration. This can be done with the w32tm /config /update command.
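As an added example (not part of the original article), the following Python script parses the text printed by w32tm /query /configuration and checks it against the settings described above: the NtpServer provider's Enabled value, Type, the NtpServer peer list with its 0x flags, AnnounceFlags and SpecialPollInterval. The dump it parses is a constructed sample in the command's output layout, and the findings follow this article's recommendations (Enabled 1, AnnounceFlags 5, a 1-hour poll) rather than Microsoft's defaults.

```python
import re

# Flag bits appended to each NtpServer entry (",0x9" means 0x1 | 0x8).
PEER_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}

# Constructed sample in the layout of "w32tm /query /configuration".
SAMPLE_DUMP = """\
[Configuration]

AnnounceFlags: 10 (Local)
MaxPollInterval: 10 (Local)

[TimeProviders]

NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 604800 (Local)
Type: NTP (Local)
NtpServer: 0.de.pool.ntp.org,0x9 1.de.pool.ntp.org,0x2 (Local)

NtpServer (Local)
Enabled: 0 (Local)
"""


def parse_w32tm_config(text):
    """Return {section: {parameter: value}} from a w32tm /query /configuration dump.

    '[Name]' opens a top-level section, 'Name (Local)' opens a provider
    subsection, and 'Name: value (Local|Policy)' is one parameter.
    """
    sections, current = {}, "Configuration"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := re.match(r"^\[(\w+)\]$", line)):
            current = m.group(1)
        elif (m := re.match(r"^(\w+)\s+\((?:Local|Policy)\)$", line)):
            current = m.group(1)
        elif (m := re.match(r"^(\w+):\s*(.*?)\s*\((?:Local|Policy)\)$", line)):
            sections.setdefault(current, {})[m.group(1)] = m.group(2)
    return sections


def parse_peers(ntpserver_value):
    """Split 'host,0x9 host2,0x2' into [(host, [flag names])]."""
    peers = []
    for entry in ntpserver_value.split():
        host, _, flags = entry.partition(",")
        bits = int(flags, 16) if flags else 0
        peers.append((host, [name for bit, name in PEER_FLAGS.items() if bits & bit]))
    return peers


def audit(text, max_poll_seconds=3600):
    """List deviations from the configuration recommended in the article."""
    cfg = parse_w32tm_config(text)
    conf = cfg.get("Configuration", {})
    client, server = cfg.get("NtpClient", {}), cfg.get("NtpServer", {})
    findings = []
    if server.get("Enabled") != "1":
        findings.append("NtpServer Enabled is not 1: this host will not answer clients on UDP 123")
    if client.get("Type") != "NTP":
        findings.append(f"Type is {client.get('Type')!r}: the NtpServer peer list is not used")
    for host, flags in parse_peers(client.get("NtpServer", "")):
        if "SpecialInterval" not in flags:
            findings.append(f"peer {host}: no 0x1 flag, so SpecialPollInterval does not apply to it")
    poll = int(client.get("SpecialPollInterval") or 0)
    if poll > max_poll_seconds:
        findings.append(f"SpecialPollInterval {poll} s is above {max_poll_seconds} s (default is 1 week)")
    if conf.get("AnnounceFlags") != "5":
        findings.append(f"AnnounceFlags is {conf.get('AnnounceFlags')}, not 5: not announced as a reliable time source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print("-", finding)
```

Redirect the real command's output to a file on each host and feed that text to audit() to review many servers centrally.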


And a few more commands for configuring, monitoring and diagnosing the time service:

w32tm /monitor - with this option you can find out how much the system time of this computer differs from the time on the domain controller or other computers. For example: w32tm /monitor /computers:time.nist.gov

w32tm /resync - with this command you can force the computer to synchronize with the time server it uses.

w32tm /stripchart - shows the time difference between the local and a remote computer. The command w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly makes 5 comparisons with the specified source and displays the result in text form.

w32tm /config is the main command for configuring the NTP service. With it you can set the list of time servers, the type of synchronization and much more. For example, you can override the default values and set up synchronization with an external source with the command w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov /update


w32tm /query - shows the current service settings. For example, the command w32tm /query /source will show the current time source, and w32tm /query /configuration will display all service parameters.

net stop w32time - stops the time service if running.

w32tm /unregister - removes the time service from the computer.

w32tm /register – registers the time service on the computer. In this case, the entire branch of parameters in the registry is created anew.

net start w32time - starts the service.

A quirk noticed in Windows 7: the time service does not start automatically when Windows boots. This was fixed in Windows 7 SP1.

In this article we will look at setting up an NTP client.

Setting the time zone

First, let's look at what time zone we have set. To do this we use the command.

# date
Fri Mar  8 17:38:47 MSK 2019

If the time zone is set incorrectly, then set the correct time zone. To do this, create a file /etc/localtime from the corresponding time zone from the /usr/share/zoneinfo/ directory. For example for Moscow.

ln -sf /usr/share/zoneinfo/Europe/Moscow /etc/localtime

Configuring NTP client synchronization with NTP server

Install the ntp package

yum install ntp

To synchronize a local Linux client with an NTP server, edit the file /etc/ntp.conf. The following example specifies several time servers, which is useful in case one of them becomes unavailable. You can also specify other external servers, for example from pool.ntp.org:

server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

iburst: This option improves synchronization accuracy; instead of one packet, eight are sent. When the server is not responding, packets are sent every 16 seconds; when the server is responding, every 2 seconds.

server 192.168.1.1 prefer

prefer: if this option is specified, the server is considered preferable to the others, but if its response differs significantly from the responses of the other servers it is ignored. Instead of 192.168.1.1 enter the IP address of your own server.

Starting the NTP service

After changing ntp.conf and setting the necessary parameters, start the NTP service (daemon). Depending on the settings, it can work both as a server and as a client.

systemctl start ntpd

and add it to startup:

systemctl enable ntpd

To check the time, type the command

Checking NTP Status

You can check the NTP status using the ntpq command. If you receive a connection refused error, it means that the time server is not responding, the NTP service on the client is not running, or the port is closed.

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*elserver1       192.168.1.1      3 u  300 1024  377    1.225   -0.071   4.606

  • remote - name or address of the time server. It is preceded by a status character, here “*”, which marks the server in use. “+” means that the server is suitable for updating, “-” that it is unsuitable, “x” that the server is unavailable;
  • refid - the server one level higher in the stratum hierarchy;
  • st - the server's level in the stratum hierarchy;
  • t - connection type (u - unicast, single connection; b - broadcast; l - local clock);
  • when - time elapsed since the last response;
  • poll - polling period in seconds;
  • reach - reachability state (in binary form, 1 means a successful attempt and 0 a failure; after 8 successful attempts the value is 377);
  • delay - round-trip time of the packet;
  • offset - current time offset relative to the server;
  • jitter - dispersion of the measured offset.

The jitter value should be low; if it is not, check the clock drift in the driftfile. If it is too high, you may need to change the NTP server. Manual synchronization with the NTP server is described next.

Manual time synchronization

To query the NTP server and set the date and time manually, use the command ntpdate. This is usually only required once.

First, disable the ntp service

systemctl stop ntpd

Start synchronization by specifying the server from which you want to synchronize time

ntpdate 192.168.1.1

Start the ntp service

systemctl start ntpd

After this initial synchronization, the NTP client will regularly poll the NTP server to ensure that the local time is accurate.



Time synchronization is an important task, although not many people have given it thought. What is wrong with the time drifting on a server? Did you know that clock problems affect many protocols related to cryptography? For this reason, in Active Directory a clock difference of more than 5 minutes causes Kerberos authentication problems.

Clock levels. Strata.

To understand how NTP works you need to know the concept of strata (singular: stratum). Authoritative time sources such as GPS satellites, cesium atomic clocks and the WWVB radio signal are all stratum 0. They are authoritative because they have some way of keeping highly accurate time. You could, of course, use an ordinary quartz watch, but knowing that it easily loses 15 seconds a month, it is better not to use it as a reference. Stratum 0 means not losing a second in 300,000 years!

Computers that take time directly (not over the network!) from stratum 0 are stratum 1. Since there are always delays from signal transmission and the cost of setting the clock, stratum 1 computers are not as accurate as stratum 0, but in practice the difference is a couple of microseconds (1 μs = 10^-6 s), which is a perfectly acceptable deviation.

The next level, computers that take time over the network from stratum 1, is... drum roll... stratum 2! Again, because of various delays (network delays for sure), stratum 2 lags a little behind stratum 1 and certainly behind stratum 0. In practice this is a difference from several microseconds (1 μs = 10^-6 s) to several milliseconds (1 ms = 10^-3 s). Most people want to synchronize with a layer no further away than stratum 2.

As the diagram shows, stratum 4 takes time from the higher stratum 3, stratum 5 from stratum 4, and so on. Stratum 16 is the lowest layer; time there is considered unsynchronized.

To synchronize time with NTP you must first set your clock manually. The difference between the exact time and your clock must not exceed 1000 seconds. If a time server you use is off by more than 1000 milliseconds (1 second), it is excluded from the list and the others are used instead. This mechanism filters out bad time sources.

Time client.

In the /etc/ntp.conf file, the server lines matter for the client. There can be several of them, up to 10!

How many should you add? Keep in mind:

  • If you have only one server (one server line) and it starts to lie, you will blindly follow it. If its clock runs off by 5 seconds, yours runs after it.
  • If 2 servers are added (2 server lines) and one of them lies, NTP marks both as falsetickers: it cannot tell which one is lying, since there is no quorum.
  • If 3 or more time servers are added, one liar (falseticker) can be identified. With 5 or 6 time servers you can detect 2 falsetickers, with 7 or 8 servers 3, with 9 or 10 servers 4.

NTP Pool Project.

There is a project called NTP Pool; at the address pool.ntp.org/zone/ru/ you can find the time servers recommended for Russian users.

server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org

Operating systems such as Debian and Ubuntu offer users their own time servers.

server 0.debian.pool.ntp.org
server 1.debian.pool.ntp.org
server 2.debian.pool.ntp.org
server 3.debian.pool.ntp.org

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

If you run the command ntpq -pn on a Linux computer that uses NTP, you will see something like:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+93.180.6.3      77.37.134.150    2 u   62 1024  377   53.658   -0.877   1.174
+85.21.78.23     193.190.230.65   2 u 1027 1024  377   54.651    0.167   1.531
*62.173.138.130  89.109.251.24    2 u  940 1024  377   52.796   -0.143   1.001
+91.206.16.3     194.190.168.1    2 u  258 1024  377   93.882   -0.680   2.196
-91.189.94.4     193.79.237.14    2 u  596 1024  377  100.219    1.562   1.482

What the column names say:

  • remote - the remote servers with which you synchronize time.
  • refid - the higher-stratum source for this server.
  • st - stratum level. From 0 (not reachable by us) to 16 (not desirable for us). 2 is ideal.
  • t - connection type: “u” unicast or manycast, “b” broadcast or multicast, “l” local reference clock, “s” symmetric peer, “A” manycast server, “B” broadcast server, “M” multicast server.
  • when - when the server last responded to us. The number is in seconds, but may be shown in minutes with an m suffix or in hours with an h suffix.
  • poll - polling frequency. Minimum 16 seconds, maximum 32 hours. The number is always a power of 2 (2^n). Typically this column shows either 64 seconds or 1024.
  • reach - an 8-bit octet showing the status of the last contacts with the remote time server: success or failure. A set bit means success, a cleared bit failure. The value 377 is octal, that is binary 0000 0000 1111 1111.
  • delay - the value in milliseconds shows the time between sending a request and receiving the response (round trip time, RTT).
  • offset - the offset in milliseconds between you and the time server. Can be positive or negative.
  • jitter - the absolute value in milliseconds showing the standard deviation of your offset.

The character before the IP address of the NTP server is the tally code. Tally codes:

  • “ ” (space) - discarded as invalid. For example, there is no connection to it or it is offline, or its stratum is too high, or it does not serve clients like you.
  • “x” - rejected by the intersection algorithm. The intersection algorithm prepares a list of candidate peers that may become synchronization sources and computes a confidence interval for each of them.
  • “.” - discarded due to table overflow.
  • “-” - discarded by the cluster algorithm. The clustering algorithm sorts the candidate list by stratum and synchronization distance.
  • “+” - the server is included by the combine algorithm. This server is an excellent candidate if your current time server starts to fail you.
  • “#” - the server is a good backup time server. A server with # is only seen if you have more than 10 server entries in /etc/ntp.conf.
  • “*” - the current time server. Its readings are used to synchronize your clock.
  • “o” - pulse-per-second (PPS) server. This usually means that the time server uses sources such as GPS satellites and other precise time signals. If o is shown, no other tally code is displayed for that peer.
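As an added example (not code from the original article), here is a Python decoder for ntpq -pn output that applies the column and tally-code descriptions above: it expands the octal reach register into the last eight poll results, converts the when column with its m/h suffixes to seconds, and flags falsetickers, lossy peers and stratum 16 entries. The peer table it parses is constructed (RFC 5737 documentation addresses), not the one captured above.

```python
# Tally code (first column of ntpq -p) to meaning, as listed above.
TALLY_CODES = {
    " ": "discarded as invalid",
    "x": "rejected by the intersection algorithm (falseticker)",
    ".": "discarded due to table overflow",
    "-": "discarded by the cluster algorithm (outlier)",
    "+": "candidate kept by the combine algorithm",
    "#": "backup source beyond the survivor limit",
    "*": "system peer (current time source)",
    "o": "pulse-per-second (PPS) peer",
}

# Constructed sample of "ntpq -pn" output using RFC 5737 documentation addresses.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.5      2 u   62 1024  377   53.658   -0.877   1.174
+192.0.2.11      203.0.113.6      2 u 1027 1024  377   54.651    0.167   1.531
-192.0.2.12      203.0.113.7      2 u  258 1024  377   93.882   -0.680   2.196
x192.0.2.13      203.0.113.8      2 u  36m 1024  376   40.100  812.337  25.900
 192.0.2.14      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_reach(octal_text):
    """Expand the octal reach register into the last 8 poll results, oldest first.
    '377' = 0b11111111: all eight answered; '376' = 0b11111110: newest poll lost."""
    value = int(octal_text, 8)
    return [bool(value & (1 << bit)) for bit in range(7, -1, -1)]


def parse_when(text):
    """'62' -> 62 s, '36m' -> 2160 s, '2h' -> 7200 s, '-' -> None (never answered)."""
    if text == "-":
        return None
    unit = {"m": 60, "h": 3600, "d": 86400}.get(text[-1], 1)
    return int(text.rstrip("mhd")) * unit


def parse_ntpq(text):
    """Turn ntpq -pn output into a list of peer dicts."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # header and separator lines
        tally, fields = line[0], line[1:].split()
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": tally, "status": TALLY_CODES.get(tally, "unknown tally code"),
            "remote": remote, "refid": refid, "stratum": int(st), "type": t,
            "when": parse_when(when), "poll": int(poll),
            "reach": parse_reach(reach), "delay": float(delay),
            "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def system_peer(peers):
    """Address of the peer marked '*', or None if ntpd has not chosen one."""
    return next((p["remote"] for p in peers if p["tally"] == "*"), None)


def findings(peers):
    """Peers an operator should look at: falsetickers, unsynchronized or lossy ones."""
    out = []
    for p in peers:
        if p["tally"] == "x":
            out.append(f"{p['remote']}: falseticker, offset {p['offset']:+.3f} ms")
        if p["stratum"] == 16:
            out.append(f"{p['remote']}: stratum 16, unsynchronized (refid {p['refid']})")
        elif not all(p["reach"]):
            missed = p["reach"].count(False)
            out.append(f"{p['remote']}: {missed} of the last 8 polls unanswered")
    return out


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE_NTPQ)
    print("system peer:", system_peer(peers))
    for line in findings(peers):
        print("-", line)
```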

The refid field can have the following values:

  • IP address - address of the remote time server.
  • .ACST. - NTP manycast server.
  • .ACTS. - Automated Computer Time Service of the American National Institute of Standards and Technology.
  • .AUTH. - authentication error.
  • .AUTO. - error in the Autokey sequence.
  • .BCST. - NTP broadcast server.
  • .CHU. - shortwave radio receiver for station CHU in Ottawa, Ontario, Canada.
  • .CRYPT. - Autokey protocol error.
  • .DCFx. - LF radio receiver for station DCF77 in Mainflingen, Germany.
  • .DENY. - access denied.
  • .GAL. - European Galileo satellite receiver.
  • .GOES. - American Geostationary Operational Environmental Satellite receiver.
  • .GPS. - American Global Positioning System receiver.
  • .HBG. - LF radio receiver for station HBG in Prangins, Switzerland.
  • .INIT. - peer association initialized.
  • .IRIG. - Inter Range Instrumentation Group time code.
  • .JJY. - LF radio receiver for station JJY at Mount Otakadoya near Fukushima or Mount Hagane on Kyushu Island, Japan.
  • .LFx. - generic LF radio receiver.
  • .LOCL. - local host clock.
  • .LORC. - LF radio receiver for Long Range Navigation (LORAN-C).
  • .MCST. - NTP multicast server.
  • .MSF. - Anthorn radio station near Anthorn, Cumbria.
  • .NIST. - American National Institute of Standards and Technology.
  • .PPS. - pulse-per-second clock.
  • .PTB. - Physikalisch-Technische Bundesanstalt, Brunswick and Berlin, Germany.
  • .RATE. - NTP polling rate threshold exceeded.
  • .STEP. - NTP step change: the offset was less than 1000 milliseconds but more than 125 milliseconds.
  • .TDF. - LF radio receiver for the TéléDiffusion de France station in Allouis, France.
  • .TIME. - NTP association timeout.
  • .USNO. - United States Naval Observatory.
  • .WWV. - HF radio receiver for station WWV in Fort Collins, Colorado, United States.
  • .WWVB. - LF radio receiver for station WWVB in Fort Collins, Colorado, United States.
  • .WWVH. - HF radio receiver for station WWVH in Kekaha on the island of Kauai, Hawaii, United States.

First, drop the idea of getting time from stratum 1 on the grounds that it is closest to the exact time. Those servers are closer to the most accurate time on the planet, but they are overloaded and have high RTT delays for ordinary servers. Better find a good stratum 2 server and stop worrying. Don't forget that we are talking about microseconds and milliseconds, which is quite enough in ordinary life.

Secondly, remember that connecting to the nearest time server is not always ideal. What matters is not territorial proximity but the stratum level. The NTP Pool project publishes a list of stratum 1 and stratum 2 servers only, and it is better to take up to 10 time servers from that list, which will be just great.

Thirdly, if you are a simple home user-client, then the servers recommended for you in your operating system will be an ideal option that does not require unnecessary movements.

For large offices the best option is to set up their own time server for the work computers. This server receives accurate time from time servers on the Internet and provides it to local computers. On Debian and Ubuntu servers, just uncomment the line

restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap

in the ntpd daemon's configuration file /etc/ntp.conf.

Users on the 192.168/16 network will then be able to take accurate clock readings from your server. For internal Linux servers that are not time servers and are busy with their own tasks, instead of running the ntpd daemon in client mode it is enough to create the file /etc/cron.daily/syncntpd with the following content (it is recommended to read about the differences between ntpdate and ntpd and decide for yourself):

#!/bin/sh
# replace IP.address.of.your.server with the address of your local NTP server
/usr/sbin/ntpdate IP.address.of.your.server > /dev/null 2>&1
exit 0

and once a day the ntpdate command will synchronize the time. To avoid misunderstandings, before deploying a time server and synchronizing everything via NTP, do not be lazy: manually set the correct time on all servers and workstations available to you. If your unsynchronized time differs too much from the correct one, you can create a lot of unnecessary problems at the start.
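As an added example (not from the original article), the following Python check applies the rules from this section and from the "Time client" section above to an ntp.conf: it counts the server lines and derives how many falsetickers that number can expose, checks each server for iburst, allows at most one prefer, and verifies that every non-localhost restrict line carries nomodify notrap so LAN clients can read time but not reconfigure ntpd. The configuration text is a constructed sample.

```python
# Constructed sample of a small-office /etc/ntp.conf (not a real host's file).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org          # no iburst
server 192.168.1.1 prefer             # local box, also without iburst
restrict default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
restrict 10.0.0.0 mask 255.0.0.0      # too permissive: clients could reconfigure ntpd
restrict 127.0.0.1
"""


def parse_ntp_conf(text):
    """Return (server entries, restrict entries) from ntp.conf text, ignoring comments."""
    servers, restricts = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "server":
            servers.append({"host": words[1], "options": set(words[2:])})
        elif words[0] == "restrict":
            restricts.append({"target": words[1], "flags": set(words[2:])})
    return servers, restricts


def tolerated_falsetickers(n_servers):
    """Liars that n servers can expose per the quorum rule above:
    1 or 2 servers none, 3-4 one, 5-6 two, 7-8 three, 9-10 four."""
    return max(0, (n_servers - 1) // 2)


def lint(text):
    """Return (issues, tolerated falsetickers) for an ntp.conf."""
    servers, restricts = parse_ntp_conf(text)
    issues, n = [], len(servers)
    if n < 3:
        issues.append(f"{n} server line(s): no quorum to identify a falseticker")
    elif n > 10:
        issues.append(f"{n} server lines: more than the 10 recommended")
    for s in servers:
        if "iburst" not in s["options"]:
            issues.append(f"server {s['host']}: add iburst for faster initial sync")
    if sum("prefer" in s["options"] for s in servers) > 1:
        issues.append("more than one server is marked prefer")
    for r in restricts:
        if r["target"] in ("127.0.0.1", "::1") or "ignore" in r["flags"]:
            continue  # localhost keeps full access for ntpq; 'ignore' blocks everything
        missing = {"nomodify", "notrap"} - r["flags"]
        if missing:
            issues.append(f"restrict {r['target']}: missing {' '.join(sorted(missing))}")
    return issues, tolerated_falsetickers(n)


if __name__ == "__main__":
    issues, tolerated = lint(SAMPLE_CONF)
    print(f"{tolerated} falseticker(s) can be identified with this server list")
    for issue in issues:
        print("-", issue)
```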

Fourthly, NTP has nothing to do with which country and time zone is in use, how the transition to summer and winter time happens, or whether such a transition happens at all in a given country. That responsibility lies with the operating system, which you need to update if the country's time rules change. On Debian and Ubuntu systems the tzdata package is responsible for this and must be kept up to date.

Fifthly, it is better not to run your NTP server on a highly loaded system.


