Network Time Protocol (NTP) HOWTO

network_time_protocol.sdf : 0.1 (Draft)
Richard W. Brown
3 July 2008


1. Introduction

The Network Time Protocol (NTP) is a commonly used set of tools for synchronizing the time on your computer, or your network of computers, using a time server that is accessed over the Internet. NTP provides a very high degree of accuracy, typically within a few milliseconds. It can use multiple redundant servers to achieve high availability and maintain the accuracy of your computer's time.

NTP works by querying one or more specified time servers and exchanging messages with them. The interval between messages varies from around one minute to about 15 minutes. Once the daemon is started there will be a delay before your clock is synchronized, because several groups of messages are needed before the data for your machine can be used. This initial delay can be shortened with options in the configuration file, as described later. If your machine is left turned on and connected to the Internet all the time, then it will be kept synchronized.

This HOWTO is written for GNU Linux, with all the examples taken from my own installations of Ubuntu 7.10 and 8.04. Please note that directory and file structures vary from vendor to vendor, but you may still find this helpful.

1.1. Copyright

Copyright (c) 2008 by Richard W. Brown

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available from http://www.fsf.org/licenses/fdl.html.

1.2. Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies which could be damaging to your system. Proceed with caution; although damage is highly unlikely, the author(s) do not take any responsibility.

Owners hold all copyrights, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

This document describes how I configure and use the various software tools related to NTP on my own system. I am not, nor do I pretend to be, a Linux expert. I am just some guy who has benefited from the expertise of others and wishes to add my contribution back to the Linux community.


Note: You are strongly recommended to take backup copies of all files before they are modified.

1.3. Feedback.

Feedback is most certainly welcome for this document. Send your additions, comments and criticisms to the following email address: howtos at Mythical Beast dot co dot uk. Corrections of errors and omissions will be added to the next version of this document.

2. Installation.

2.1. Install Using The 'apt-get' Software

Start by installing the NTP daemon, some utilities, and the documentation (ntp-doc), which is only necessary if you want to find out more.

Install command
sudo apt-get install ntp ntpdate ntp-doc 

2.2. Stop The Server And Create Some Backups

Before we do anything else we will:

Code:
sudo /etc/init.d/ntp stop 
cd /etc 
sudo mv ntp.conf ntp.conf.org 
sudo touch ntp.conf 
sudo chmod 644 ntp.conf 

3. Finding Some Public Time Servers.

3.1. What Are Time Servers

In very simple terms, and without getting into all the maths involved in how the time servers work, you will need to find some time servers to use with your computer or computers.

The NTP time servers operate in a hierarchy of levels called strata; each server is assigned a stratum number from 1 to 16. Stratum 1 (primary) servers are the most accurate, sit at the lowest level, and are directly synchronized to national time services.

Stratum 2 (secondary) servers, at the next level up, are synchronized to stratum 1 servers, and so on. Unless you are maintaining NTP for a commercial build cluster or some other network of machines, you will not be inconvenienced by a very slight inaccuracy (< 20ms) in the synchronized time. We can therefore use time servers from the public pool. Even then you should find servers that are physically close to you, as the Internet goes, as this will give better accuracy. Since we are NTP clients and servers with a relatively small number of clients, we do not synchronize to public primary servers. We will use some of the hundreds of public time servers and still get astonishingly accurate time synchronization.

3.2. Time Server - Rules Of Engagement

Please read the Rules of Engagement before going any further with this HOWTO. It gives a nice clear concise explanation of which type of server to use and why.

3.3. Looking At The Lists Of Time Servers

Again, without going into all the complex maths, you need to find four time servers. This removes the single point of failure you would have if you connected to only one server and it went down. Connecting to only two or three servers also does not give protection against "bad" time servers.

There are hundreds of NTP pool time servers that have been added to form a virtual cluster by the NTP Pool Project. Finding the names of the servers you will use is very simple, as they are arranged into geographical pools. As I live in England I will be using the UK pool. There are more than 4 servers, so I don't have to pick and mix. The pool servers are allocated at random via DNS round robin (well, not so random). I will be using four servers from the UK pool.

Now to start adding the chosen time servers to the /etc/ntp.conf file. This is the very basic requirement for setting up an NTP server and should work without any further changes. Load up the configuration file with your favorite editor and paste in the lines below. Remember to run this as root and save the new lines.

New Lines for /etc/ntp.conf:
driftfile /var/lib/ntp/ntp.drift 
 
# You do need to talk to an NTP server or four. 
server 0.uk.pool.ntp.org 
server 1.uk.pool.ntp.org 
server 2.uk.pool.ntp.org 
server 3.uk.pool.ntp.org 

3.4. Types Of Server

3.4.1. NTP server types

NTP documentation mentions server type. This seemed to be accepted as a fact, but what made a server a certain type was buried somewhere else. Here is a quick answer to this rather useful definition. The type NTP gives a server is defined by the class of its IP address. Addresses are classed by type as described in Appendix A, Network IP Address Classes.

4. Configuring Your First Machine

4.1. Getting Your Machine Synchronized.

4.1.1. Internal Clock, Out Of Sync When First Turned On.

As already stated, there can be a delay in synchronization of your clock when NTP is first started. If the internal clock on your machine is inaccurate (as most PC clocks are) and you frequently turn your machine off for long periods, such as overnight or while you are at work, it will be badly out of synchronization when it is first turned on. There are two solutions to this; you can use either.

4.1.1.1. Using The -g Flag With ntpd.

The command line flag -g for ntpd is used when you want to force the clock to be set even when the time variance is greater than the panic threshold of 1000 seconds. A time variance of this size or greater would normally cause ntpd to close down. You can set this option by amending the file /etc/default/ntp and adding -g, as shown on the line below.

New line for /etc/default/ntp
NTPD_OPTS='-g' 

4.1.1.2. Running ntpdate

ntpdate is an old utility program that is due to be retired from NTP, but it can be used while it is still included. The official documentation suggests you use a call to ntpd with the -g -q command line switches instead. This gives me an error:

Example Error:
sudo ntpd -q -g 0.uk.pool.ntp.org 
ntpd: Command line arguments not allowed 

A second way to set the internal clock on your machine at boot time is to add a call to ntpdate to the /etc/rc.local file. Commands in this file are run after all the other init scripts for the current run level have completed. This means that there will already be a copy of ntpd running, so UDP port 123 will already be in use, and you will need to stop ntpd before the ntpdate call and start it again afterwards.

A third way is to add a call to ntpdate in the NTP startup script /etc/init.d/ntp. Add the lines to define the variable NTPDATE_SERVERS and then add the extra lines of code.

New Lines for /etc/init.d/ntp:
# Servers that ntpdate queries before ntpd itself is launched (use your own
# regional pool if you are not in the UK). Left unquoted below on purpose so
# the shell passes each name as a separate argument.
NTPDATE_SERVERS="0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org" 
# The ntpdate lines go inside the existing "start)" branch of the script's
# case statement, before ntpd is started, while UDP port 123 is still free.
case $1 in 
        start) 
                log_daemon_msg "Initial date/time being set" "ntpdate" 
                # -u: query from an unprivileged source port. The output is
                # quoted so it reaches log_daemon_msg as a single argument.
                NTPDATE_OUT=`ntpdate -u $NTPDATE_SERVERS` 
                log_daemon_msg "$NTPDATE_OUT" "ntpdate" 


Note: If you are not in the UK you should use different time servers.

We now have all that is needed to get your machine synchronized with the time servers in the pool. It will work but it is really insecure. NTP has an access control list mechanism containing address/match combinations.

4.1.2. Add The iburst Option To the Server Lines.

I have seen a number of references that state you should add the iburst option to the server lines in /etc/ntp.conf. The iburst option makes the client send a burst of requests, normally 2 seconds apart, when a server is unreachable.

This makes our server lines look like this:

New Lines for /etc/ntp.conf:
server 0.uk.pool.ntp.org iburst 
server 1.uk.pool.ntp.org iburst 
server 2.uk.pool.ntp.org iburst 
server 3.uk.pool.ntp.org iburst 

4.2. Restricting Access To Your ntpd.

ntpd uses access control lists to build up security and uses address/match patterns to create them.

Start by allowing the local host full access.

New Lines for /etc/ntp.conf:
# Local users may interrogate the ntp server more closely. 
restrict 127.0.0.1 
restrict ::1 

As our machine will not be turned on all the time and may at times not be very well synchronized with the real world, it would be polite not to feed bad time back to the servers we are querying. We should therefore add restrict lines for the time servers we query so that they are not allowed to modify the run-time configuration or query our NTP server. Add one line per server line you have already added.

New Lines for /etc/ntp.conf:
# Stop the servers we query from querying us, as we are inaccurate 
restrict 0.uk.pool.ntp.org  mask 255.255.255.255 nomodify notrap noquery 
restrict 1.uk.pool.ntp.org  mask 255.255.255.255 nomodify notrap noquery 
restrict 2.uk.pool.ntp.org  mask 255.255.255.255 nomodify notrap noquery 
restrict 3.uk.pool.ntp.org  mask 255.255.255.255 nomodify notrap noquery 

We can also say we don't want to allow anyone to configure our time by adding the next two lines.

New Lines for /etc/ntp.conf:
# By default, exchange time with everybody, but don't allow configuration. 
restrict -4 default kod notrap nomodify nopeer noquery 
restrict -6 default kod notrap nomodify nopeer noquery 

5. Configuring NTP on a small network

5.1. Example Local Network

This is a description of the local network we will be using in the examples below.

Hostname   Static IP     NTP Function          Description
linux60    192.168.0.7   Main NTP server       Main server, usually turned on
linux32    192.168.0.5   Secondary NTP server  Secondary server, sometimes turned on
linux12    192.168.0.6   NTP Client            On and off regularly

I will describe an example local network here that will be used for the remaining parts of this HOWTO. We have a number of GNU Linux machines all running various versions and flavours of Ubuntu.

The main server, linux60, is normally turned on as it has a huge disk, which houses many NFS and autofs mounted filesystems. linux32 is a secondary server and also has some NFS/autofs mounted file systems. This machine is usually turned on. linux12 is a workstation and is never the only machine that is up.

We will therefore setup time synchronization on linux60 using Ntpd as detailed above "Configuring Your First Machine". This will be used as a local master time server for our own network. We only need one machine synchronized to the public time servers. This saves not only our own network from many extra packets but stops our own little network bugging the public time servers unnecessarily.

Linux32 will synchronize its clock with linux60 when linux60 is up. If linux60 is not available it will start to access the public servers.

Linux12 will always use linux60 as its time server or fall back to linux32 on the rare occasions when it is not available.

5.2. Making a Local Time Server.

As linux60, in our example, is also going to provide time synchronization for other local machines, we have to define the networks from which this server will accept NTP synchronization requests. We do so with a restrict statement that omits the noquery option, allowing the network to query your NTP server. linux60 is in the subnet 192.168.0, hence the mask 255.255.255.0; the final zero in the mask allows all 255 possible IP addresses access. linux32 is 192.168.0.5 and is therefore included.

We need to add the following line to the /etc/ntp.conf on linux60

New Lines for /etc/ntp.conf:
# make this machine a server for the local subnet. 
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap 

After these changes have been made we will need to restart ntpd and we are all done with the local server configuration. The time server on linux60 should now be all setup and running.

Code:
sudo /etc/init.d/ntp restart 
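To make the access control of sections 4.2 and 5.2 concrete, here is an added example (not part of this HOWTO and not ntpd's own code) that parses the IPv4 restrict lines built up above and reports which flags apply to packets from a given source address. The configuration text, the rule that the matching entry with the longest mask wins, and the function names are all my own assumptions; IPv6 entries and hostname entries are skipped by this model.

```python
# Added example for sections 4.2 and 5.2: which ntpd "restrict" flags apply to
# a given source address? Not part of this HOWTO and not ntpd's own code.
# Assumption: among the entries whose address/mask covers the source address,
# the one with the longest mask wins. IPv6 lines and hostname entries are
# skipped by this model.
import socket
import struct

# Constructed sample: the linux60 configuration assembled in this HOWTO.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.uk.pool.ntp.org iburst
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
restrict 0.uk.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
# make this machine a server for the local subnet.
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
"""


def ip4_to_int(text):
    """Dotted-quad IPv4 address -> 32-bit integer (raises OSError otherwise)."""
    return struct.unpack("!I", socket.inet_aton(text))[0]


def parse_restricts(conf):
    """Return IPv4 restrict entries as (network, mask, flags) tuples."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        if words[0] in ("-4", "-6"):
            if words[0] == "-6":
                continue                  # IPv6 entries are not modelled
            words = words[1:]
        if not words:
            continue
        target, rest = words[0], words[1:]
        if target == "default":
            net, mask = 0, 0              # "default" matches every address
        else:
            try:
                net = ip4_to_int(target)
            except OSError:
                continue                  # hostname or IPv6 literal: skipped
            mask = 0xFFFFFFFF             # a bare address means a single host
            if len(rest) >= 2 and rest[0] == "mask":
                mask = ip4_to_int(rest[1])
                rest = rest[2:]
        entries.append((net & mask, mask, frozenset(rest)))
    return entries


def applicable_flags(entries, source_ip):
    """Flags applied to packets from source_ip: the longest-mask match wins."""
    addr = ip4_to_int(source_ip)
    best = None
    for net, mask, flags in entries:
        if addr & mask == net and (best is None or mask > best[0]):
            best = (mask, flags)
    return set(best[1]) if best else set()


def can_query(entries, source_ip):
    """True if an 'ntpq -p' sent from source_ip would be answered."""
    return "noquery" not in applicable_flags(entries, source_ip)


if __name__ == "__main__":
    entries = parse_restricts(SAMPLE_CONF)
    for ip in ("127.0.0.1", "192.168.0.5", "10.1.2.3"):
        print(ip, sorted(applicable_flags(entries, ip)),
              "query allowed:", can_query(entries, ip))
```

Run it and the three addresses show the three outcomes the text describes: the local host gets full access, a machine on 192.168.0.x may query but not modify, and anything else falls through to the default line, which refuses queries.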

5.3. Configuring A Secondary Local Time Server.

Now we need to copy the /etc/ntp.conf file from linux60 and use it on linux32 with a few minor changes. Make a backup copy of the original /etc/ntp.conf on your secondary machine and add the following line to the list of servers. The line uses linux60 as a time server, and the additional option prefer means that if linux60 is contactable it will be used. When linux60 is up it will be used as the time server and the other servers listed will not be contacted.

New Lines for /etc/ntp.conf:
# This is our local time server talk to it in preference to the others listed 
server linux60    prefer 

Code:
sudo /etc/init.d/ntp restart 

Well that's all there is to it .

5.4. Accessing Only A Local Time Server.

Setting up a local machine to use your own local time server is simple too. We need to point a server line at the local server and restrict access so that nothing can query the client, as it is at the bottom of the chain. That is all there is to it. This sets the NTP configuration for linux12 in our example. We want it to get the time from linux60, or from linux32 if linux60 is not available. One of these two machines will always be there.

So the /etc/ntp.conf for linux12 or machines that only connect to local time servers is as follows:

/etc/ntp.conf:
driftfile /var/lib/ntp/ntp.drift 
 
# This is our local time server talk to it in preference to the others listed 
server linux60    prefer 
server linux32 
 
restrict 127.0.0.1 
restrict -4 default kod notrap nomodify nopeer noquery 
restrict -6 default kod notrap nomodify nopeer noquery 

linux12 will connect only to linux60 if linux60 is up and running; otherwise it will use linux32 to synchronize its clock.

6. Monitoring & Troubleshooting

One common problem is that the UDP port that NTP uses is blocked by a firewall. NTP uses UDP port 123, which should already be listed in your /etc/services file. NTP does not use TCP. As port 123 is below 1024 it can only be bound by root.

6.1. Check That ntpd is Actually Running.

Use the pgrep command to find out if there is an ntpd process running. pgrep is like using the ps and grep commands without all the typing.

Code:
pgrep -l ntpd 
6324 ntpd 

6.2. Using ntpq

The utility program ntpq is the simplest way to monitor your ntpd and determine what is going on.

On your machine that is connecting to the public time servers try the following command:

Code:
$  ntpq -p 
     remote           refid      st t when poll reach   delay   offset  jitter 
============================================================================== 
+starbug.netiner 193.62.22.66     2 u   80   64  376   23.335   -1.710   3.596 
*spork.qfe3.net  195.66.241.2     2 u   41   64  377   20.403   -0.858   1.883 
+ntp1.arse.org   195.66.241.10    2 u   23   64  377   20.856   -3.762   2.539 
-lyla.preshweb.c 129.215.160.240  3 u   61   64  377   23.733   -6.293   3.038 
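The ntpq -p billboard above is what you look at to decide whether a machine is actually synchronized. As an added example (not part of this HOWTO and not ntpq's own code), the following parses that output, decodes the tally character in the first column and the octal reach register, and summarizes the state the way a practitioner would check it. The sample text is the output shown above; the function names, the 128 ms offset limit and the structure of the summary are my own assumptions.

```python
# Added example for section 6.2: parse and interpret the "ntpq -p" billboard.
# Not part of this HOWTO and not ntpq's own code.
# Tally codes (first column) as printed by the reference implementation:
#   '*' system peer (the source the clock is steered to), '+' candidate kept by
#   the clustering algorithm, '-' outlier discarded by it, ' ' rejected or not
#   yet reachable, 'x' falseticker, '.' excess, '#' backup, 'o' PPS peer.
# "reach" is an octal 8-bit shift register: one bit per poll, set on a reply.

# Constructed sample: the billboard shown in this HOWTO.
SAMPLE_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+starbug.netiner 193.62.22.66     2 u   80   64  376   23.335   -1.710   3.596
*spork.qfe3.net  195.66.241.2     2 u   41   64  377   20.403   -0.858   1.883
+ntp1.arse.org   195.66.241.10    2 u   23   64  377   20.856   -3.762   2.539
-lyla.preshweb.c 129.215.160.240  3 u   61   64  377   23.733   -6.293   3.038
"""

TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", " ": "rejected",
         "x": "falseticker", ".": "excess", "#": "backup", "o": "pps peer"}


def parse_billboard(text):
    """Turn the billboard (header, separator, one line per peer) into dicts."""
    peers = []
    for line in text.splitlines()[2:]:     # skip the two header lines
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        peers.append({
            "tally": tally,
            "role": TALLY.get(tally, "unknown"),
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "type": fields[3],               # u = unicast, etc.
            "when": int(fields[4]) if fields[4].isdigit() else None,
            "poll": int(fields[5]),
            "reach": int(fields[6], 8),      # octal on the wire
            "delay": float(fields[7]),       # milliseconds
            "offset": float(fields[8]),      # milliseconds
            "jitter": float(fields[9]),      # milliseconds
        })
    return peers


def replies_in_last_eight(reach):
    """How many of the last eight polls were answered (bits set in reach)."""
    return bin(reach).count("1")


def summarize(peers, max_offset_ms=128.0):
    """Is there a system peer, is its stratum sane, is the offset small, and
    is every configured source reachable? 128 ms is the step threshold, an
    assumed sanity limit for a machine that has had time to settle."""
    system = [p for p in peers if p["tally"] == "*"]
    if not system:
        return {"synchronized": False,
                "problems": ["no system peer ('*') selected yet"]}
    sp = system[0]
    problems = []
    if sp["stratum"] >= 16:
        problems.append("system peer is itself unsynchronized (stratum 16)")
    if abs(sp["offset"]) > max_offset_ms:
        problems.append("offset %.3f ms exceeds %.0f ms" % (sp["offset"], max_offset_ms))
    unreachable = [p["remote"] for p in peers if p["reach"] == 0]
    if unreachable:
        problems.append("unreachable: " + ", ".join(unreachable))
    return {"synchronized": not problems,
            "system_peer": sp["remote"],
            "stratum": sp["stratum"],
            "offset_ms": sp["offset"],
            "candidates": [p["remote"] for p in peers if p["tally"] == "+"],
            "problems": problems}


if __name__ == "__main__":
    peers = parse_billboard(SAMPLE_BILLBOARD)
    for p in peers:
        print("%-16s %-12s reach %d/8 offset %+.3f ms"
              % (p["remote"], p["role"], replies_in_last_eight(p["reach"]), p["offset"]))
    print(summarize(peers))
```

On the sample output this reports spork.qfe3.net as the system peer at stratum 2 with an offset under a millisecond, two candidates, one outlier, and starbug.netiner having answered seven of its last eight polls (reach 376), which is nothing to worry about on its own.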

Using the interactive mode the three commands that can be used to verify that normal operations are happening are the as, pe and rv commands.

The as command shows a list of associations and their identifiers. The pe command shows a list of IP and DNS addresses for the associations and the status of each. The rv command shows a list of system variables. These commands can also be given on the command line with the -c option, as in the following. If you also use the watch command you can see the status updated every 2 seconds, or you can add a -n7 option after the word watch to update only every 7 seconds.

Code:
watch -n7 ntpq -cpe -cas 

7. Stopping And Starting The NTP Daemon.

This is really simple: just run the NTP startup script in /etc/init.d with stop, start or restart. I bet you worked that out already.

Code:
sudo /etc/init.d/ntp stop 
sudo /etc/init.d/ntp start 
sudo /etc/init.d/ntp restart 

8. Further Information.

8.1. Links I Found Useful

A. Network IP Address Classes

Standard IP address classes are defined by looking at the left most number of the four numbers that make up the IP address of a machine connected to a network.

Class   1st Octet Range   Number of networks   Number of hosts
A       0xxx 1 - 126      126                  16,777,314
B       10xx 128 - 191    16,384               65,534
C       110x 192 - 223    2,097,152            254
D       1110 224 - 239    Multicasting
E       1111 240 - 254    For future use (better hurry as IPv6 is close)

IP addresses starting with 127 are reserved for the local machine, for loopback and testing, which is why all networked machines will talk to themselves when you access 127.0.0.1.

To show the ranges of the three classes of network A, B and C in a different way, see below, where N marks the network part and h marks the host part for the specific machine.

Class   IP Address Pattern
A   NNNNNNNN. hhhhhhhh. hhhhhhhh. hhhhhhhh
B   NNNNNNNN. NNNNNNNN. hhhhhhhh. hhhhhhhh
C   NNNNNNNN. NNNNNNNN. NNNNNNNN. hhhhhhhh

A.1. Private Subnets.

There are three IP network addresses reserved for private networks, that is, networks that are not connected directly to the Internet. The addresses are:

IP Address    Subnet Mask     Alternate Notation
10.0.0.0      255.0.0.0       10.0.0.0/8
172.16.0.0    255.240.0.0     172.16.0.0/12
192.168.0.0   255.255.0.0     192.168.0.0/16

This is why in most HOWTOs and tutorials you see IP addresses starting with 192.168.0.x. They are designed to be used by anyone with a home LAN behind a NAT or proxy server or a router. It is always safe to use these because routers on the Internet by default will never forward packets coming from these addresses.
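As an added example for this appendix (not part of this HOWTO), the following reads the class of an IPv4 address from the leading bits of its first octet, splits it into the N and h parts of the patterns above, and tests it against the three private networks of A.1 with the same address/mask arithmetic that ntpd's restrict lines rely on. The function names and the returned dictionary layout are my own assumptions.

```python
# Added example for Appendix A: classify an IPv4 address by the high bits of its
# first octet (0xxx, 10xx, 110x, 1110, 1111) and test it against the private
# networks of A.1. Not part of this HOWTO.
import socket
import struct

# The three private networks listed in A.1 as (network, mask).
PRIVATE_NETWORKS = (("10.0.0.0", "255.0.0.0"),
                    ("172.16.0.0", "255.240.0.0"),
                    ("192.168.0.0", "255.255.0.0"))

# Classful network masks matching the N/h patterns for classes A, B and C.
CLASSFUL_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip4_to_int(text):
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(text))[0]


def int_to_ip4(value):
    """32-bit integer -> dotted-quad IPv4 address."""
    return socket.inet_ntoa(struct.pack("!I", value))


def address_class(ip):
    """Class letter decided by the leading bits of the first octet."""
    first = ip4_to_int(ip) >> 24
    if first == 127:
        return "loopback"            # reserved for the local machine
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def is_private(ip):
    """True if ip falls inside one of the A.1 private networks."""
    addr = ip4_to_int(ip)
    return any(addr & ip4_to_int(mask) == ip4_to_int(net)
               for net, mask in PRIVATE_NETWORKS)


def describe(ip):
    """Class, private flag and (for A, B, C) the classful network/host split."""
    cls = address_class(ip)
    info = {"address": ip, "class": cls, "private": is_private(ip)}
    if cls in CLASSFUL_MASK:
        mask = ip4_to_int(CLASSFUL_MASK[cls])
        addr = ip4_to_int(ip)
        info["network"] = int_to_ip4(addr & mask)      # the N part
        info["host"] = addr & ~mask & 0xFFFFFFFF        # the h part
    return info


if __name__ == "__main__":
    for ip in ("192.168.0.7", "172.32.0.1", "8.8.8.8", "224.0.0.1", "127.0.0.1"):
        print(describe(ip))
```

Note that 172.32.0.1 is class B but not private: the 255.240.0.0 mask only covers 172.16.0.0 through 172.31.255.255, which is exactly the kind of boundary that is easy to misjudge when writing restrict lines by hand.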