How to build your NTP Server Farm with CentOS

Vic TInfraOps Security
This article gives step-by-step instructions for building your own NTP server on CentOS.  The network diagram shows the recommended layout of the NTP server farm for redundancy.  This article also serves as your NTP server documentation.

NTP1

LAST UPDATE: 20171110VT


(This document also applies to setting up the NTP2, NTP3 and NTP4 servers that form the NTP server farm)


SETUP DATE: 201X-XX-XX

SERVER NAME: NTP1.yourdomain.com

SERVER OS: CentOS7

SERVER OS IMAGE/ISO/VM TEMPLATE: CentOS-7.0-1406-x86_64-DVD.iso

SERVER NETWORK: DC1 DMZ

SERVER IP ADDRESS: 192.168.254.70/24


NTP Server Farm Network Diagram:

PART 1: Building NTP Server

Step 1: Pre-OS Installation

1) EDGE FW SETTING (perform a similar setup based on your FW vendor):

Create new node for server as dmz_192.168.254.70_ntp1


2) SETUP NAT FOR NTP1 EGRESS TRAFFIC FROM DMZ: 

(Use your FW default) Same as Gateway / Hide behind Gateway 


3) SETUP FIREWALL POLICY FOR NTP1 EGRESS:

Allow HTTP (TCP/80) – for updates and upgrades

Allow NTP (UDP/123) – for public NTP requests

Allow DOMAIN (UDP/53) – for public DNS requests


4) SETUP FIREWALL POLICY FOR INGRESS NTP REQUEST:

Allow NTP (UDP/123) – for inside (LAN/WAN) NTP requests


Step 2: Install CentOS

CentOS INSTALLATION SUMMARY:

DATE & TIME: choose “Americas/Los Angeles” time zone, choose “AM/PM”

KEYBOARD: (default)

LANGUAGE SUPPORT: (default)

INSTALLATION SOURCE: (default)

SOFTWARE SELECTION: choose Minimal Install & Compatibility Libraries

INSTALLATION DESTINATION: check “I will configure partitioning.” then click “Done”

Next screen: choose LVM, then click “Click here to create them automatically.”

Next screen: no adjustment, then click “Done”

Next screen: review it, then click “Accept Changes”


NETWORK & HOSTNAME: enter the FQDN in the Hostname box, then click “Configure…”, then set up IPv4 with the static address from the summary above (192.168.254.70/24).

Change the Connection name to eth0 (optional), or accept the default name ‘ens32’

Click on “Save…”, turn the Ethernet button “ON”, then click “Done”

Click on “Begin Installation”


While the installation process is ongoing, click on the ROOT PASSWORD and USER CREATION to complete the configuration as below.


ROOT PASSWORD: yourpassword


USER CREATION: admin, check “Make the user administrator”


When the installation has completed, click on “Reboot”


Since it is a minimal install, you can only log in at the command line.


Network Configuration:

The network configuration file is located at /etc/sysconfig/network-scripts/ifcfg-ens32 (or ifcfg-eth0)

Use # nmtui to edit network settings via the NetworkManager TUI

Use # nmcli to quickly view or edit network settings

Once you have changed the ifcfg-ens32 file (with vi, nmtui, nmcli, etc.), run # service network restart


Use # ip a sh or # ip addr to list all NICs

Use # ip link or # ip -s link for other link status


REF: http://community.spiceworks.com/how_to/show/57482-centos-minimal-install

REF: http://www.unixmen.com/ifconfig-command-found-centos-7-minimal-installation-quick-tip-fix/


Step 3: Post-OS Installation

Get the latest updates:

Run # yum update


Setup NTP service:

REF: http://www.tecmint.com/install-ntp-server-in-centos/


1) Run # yum install ntp to install the NTP service

2) Edit the ntp.conf file by # vi /etc/ntp.conf

Use server time.nist.gov as the upstream source: it is a global address that resolves, in round-robin fashion, to NIST servers at multiple locations

  • Add restrict x.x.x.x mask 255.255.x.x nomodify notrap to allow other hosts to use this NTP server (ntpd's restrict syntax uses the keyword mask, and nomodify and notrap are two separate flags).  The nomodify notrap flags mean that your clients are not allowed to configure the server or be used as peers for time sync.


3) At the end of the file, add logfile /var/log/ntp.log to troubleshoot or validate the NTP service; remove it when done.  In the cut & paste below the line is commented out, so remove the leading # to enable it.

Cut & Paste:

# Create a NTP log for troubleshooting

# logfile /var/log/ntp.log
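The following shell script is an added example and is not part of the original article. It writes an ntp.conf in the spirit of step 2 and checks it before it is copied to /etc/ntp.conf. It assumes time.nist.gov as the upstream source, as above; the 192.168.0.0/16 client range in the usage line is a constructed placeholder. The default restrict line also carries nopeer and noquery, so the server answers time requests from anyone the edge firewall lets through but refuses control queries, configuration changes and peering from unknown hosts.

```shell
#!/bin/sh
# Added example (not from the original article): generate an ntp.conf body for
# NTP1 and sanity-check it before copying it into /etc/ntp.conf.
# Assumptions: upstream source is time.nist.gov (as in the article); the LAN
# network/mask passed in below is a constructed placeholder.

# Print an ntp.conf body that allows the given LAN network/mask to sync.
gen_ntp_conf() {
    lan_net="$1"; lan_mask="$2"
    cat <<EOF
driftfile /var/lib/ntp/drift

# Default: serve time, but refuse config changes, trap service, peering and
# control queries (noquery also stops the ntpq/ntpdc status queries that
# have been abused for reflection).
restrict default kod nomodify notrap nopeer noquery

# Local host may query and manage the daemon (needed for ntpq -p).
restrict 127.0.0.1
restrict ::1

# Inside clients may sync but may not reconfigure the daemon or act as peers.
restrict ${lan_net} mask ${lan_mask} nomodify notrap

# Upstream source from the article; iburst speeds up the initial sync.
server time.nist.gov iburst

# Uncomment while troubleshooting, remove when done.
# logfile /var/log/ntp.log
EOF
}

# Check a config file for the settings above. Prints "ok" or the problem
# found, and returns non-zero on a problem.
check_ntp_conf() {
    f="$1"
    if ! grep -q '^restrict default .*noquery' "$f"; then
        echo "missing noquery on default restrict"; return 1
    fi
    if grep -q 'nomodifynotrap' "$f"; then
        echo "flags run together: use 'nomodify notrap'"; return 1
    fi
    if ! grep -q '^server ' "$f"; then
        echo "no server line"; return 1
    fi
    echo ok
}

# Number of upstream server lines in a config file.
count_servers() { grep -c '^server ' "$1"; }

# Usage (constructed placeholder range): write to a temp file, check, then
# review and copy it to /etc/ntp.conf yourself.
tmp=$(mktemp)
gen_ntp_conf 192.168.0.0 255.255.0.0 > "$tmp"
check_ntp_conf "$tmp"
rm -f "$tmp"
```

Once the generated file is in place, step 1 of Part 2 (systemctl start ntpd, systemctl enable ntpd) applies unchanged.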


Setup CentOS FW:

REF: http://www.tejasbarot.com/2014/08/05/rhel-7-centos-7-how-to-get-started-with-firewalld/#axzz3IqwSxHPB


Only allow the minimum required ports.  By default, the dhcpv6-client and ssh services are open.  You must add the NTP service.


# firewall-cmd --add-service=ntp --permanent

# firewall-cmd --reload


Also run the firewall-cmd commands below to verify:

# firewall-cmd --state

# firewall-cmd --zone=public --list-all
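The following script is an added example, not part of the original article. It audits the public zone against the minimum-ports rule above: given the service list that firewall-cmd --zone=public --list-services prints, it reports anything beyond ssh and ntp and prints the firewall-cmd lines that would close it. The sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): compare the services open in
# the firewalld public zone with the set NTP1 actually needs and print the
# remediation commands. SAMPLE_LIST_SERVICES is constructed to look like the
# output of:  firewall-cmd --zone=public --list-services
SAMPLE_LIST_SERVICES="dhcpv6-client ntp ssh"
ALLOWED_SERVICES="ssh ntp"   # ssh for administration, ntp for clients

# Print services in $1 (space separated) that are not in the allowed list $2.
extra_services() {
    for svc in $1; do
        case " $2 " in
            *" $svc "*) ;;          # allowed, keep quiet
            *) echo "$svc" ;;       # unexpected exposure, report it
        esac
    done
}

# Print services in the allowed list $2 that are missing from $1.
missing_services() {
    for svc in $2; do
        case " $1 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Emit the firewall-cmd lines that bring the open set $1 to the allowed set $2.
remediation() {
    for svc in $(extra_services "$1" "$2"); do
        echo "firewall-cmd --zone=public --remove-service=$svc --permanent"
    done
    for svc in $(missing_services "$1" "$2"); do
        echo "firewall-cmd --zone=public --add-service=$svc --permanent"
    done
    echo "firewall-cmd --reload"
}

# On the real server replace the sample with: "$(firewall-cmd --zone=public --list-services)"
remediation "$SAMPLE_LIST_SERVICES" "$ALLOWED_SERVICES"
```

Review the printed commands before running them; dhcpv6-client is the one default service the article's setup does not need on a statically addressed DMZ host.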



PART 2: Testing NTP service

Step 1: checking the ntp daemon

Once you have updated ntp.conf, you must run the following commands.

# systemctl start ntpd

# systemctl enable ntpd


Run # systemctl status ntpd to show NTP status


Run # ntpq -p to show the NTP peer status

Run # date -R to display the current date/time
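The following script is an added example, not part of the original article. It turns the manual ntpq -p check above into something that can run from cron or a monitoring agent: it parses ntpq -p output, finds the system peer (the line tagged with *) and treats the server as synchronised only when that peer answered all of the last eight polls (reach 377). The two ntpq samples are constructed; the peer names follow the article's ntp1/ntp2 naming and the refid addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): decide from "ntpq -p" output
# whether ntpd has selected a system peer. Both samples below are constructed
# to resemble ntpq -p on a synchronised daemon and on a freshly started one.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.nist.gov   .NIST.           1 u   32   64  377   24.101   -1.234   0.512
+ntp2.yourdomain 192.0.2.10       2 u   40   64  377    0.312    0.045   0.110'

SAMPLE_NOT_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.nist.gov   .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Print the system peer (the line ntpq tags with '*'); prints nothing if none.
system_peer() {
    printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, ""); print $1; exit }'
}

# Print the reach field (octal bitmap of the last 8 polls) of the system peer.
system_peer_reach() {
    printf '%s\n' "$1" | awk '/^\*/ { print $7; exit }'
}

# Return 0 when a system peer exists and answered all of the last 8 polls.
ntp_synced() {
    peer=$(system_peer "$1")
    reach=$(system_peer_reach "$1")
    [ -n "$peer" ] && [ "$reach" = "377" ]
}

# Usage on the real server:
#   ntp_synced "$(ntpq -p)" && echo synced || echo NOT synced
if ntp_synced "$SAMPLE_SYNCED"; then
    echo "sample 1: synced via $(system_peer "$SAMPLE_SYNCED")"
fi
if ! ntp_synced "$SAMPLE_NOT_SYNCED"; then
    echo "sample 2: not synced (no system peer yet)"
fi
```

A reach value below 377 right after startup is normal; the check only reports a problem when it stays that way across several poll intervals, which is the same symptom the Part 3 troubleshooting section addresses with systemctl status ntpd.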


EXTRA:

Configuring Time Synchronization for all Computers in a Windows domain

REF: http://www.altaro.com/hyper-v/configuring-time-synchronization-for-all-computers-in-windows-domain/


Configure a client computer for automatic domain time synchronization

REF: http://technet.microsoft.com/en-us/library/cc758905%28v=ws.10%29.aspx


Step 2: Testing from a Windows Machine

  1. Open Windows PowerShell (or a command prompt)
  2. In the Command Prompt window, type the following line, where peers is a comma-separated list of IP addresses of the appropriate time sources in quotes, and press ENTER:
    w32tm /config /manualpeerlist:<peers> /syncfromflags:MANUAL /reliable:YES /update


The time sources you choose depend on your time zone. For example, if your domain controller is located in the Pacific Time zone, this line might read:
w32tm /config /manualpeerlist:131.107.1.10 /syncfromflags:MANUAL /reliable:YES /update

 

For example:

w32tm.exe /config /manualpeerlist:"ntp1.yourdomain.com ntp2.yourdomain.com ntp3.yourdomain.com" /syncfromflags:manual /reliable:YES /update


3. Press ENTER. You should get a message that the command completed successfully. If you run into an issue or a message such as “The following error occurred: The system cannot find the file specified. (0x80070002)”, see the troubleshooting section below.

4. To immediately synchronize with the external time server, type w32tm /resync and press ENTER. You should get a message that the command completed successfully.

5. Run w32tm /query /peers to confirm the peer state is Active.


Type Exit and press ENTER.


PART 3: Troubleshooting

Troubleshooting Windows NTP (w32tm) configuration:

REF: http://www.thewindowsclub.com/windows-time-service-not-working-synchronization-fails-error


Troubleshooting CentOS NTP inactive (dead)

Usually this is because ntpd has stopped.  Simply restart it with “systemctl start ntpd”

Run “systemctl status ntpd” to confirm the service is active (running)
