
How to build your NTP Server Farm with CentOS

This article gives step-by-step instructions for building your own NTP server on CentOS.  The network diagram shows the best-practice layout of an NTP server farm for redundancy.  This article also serves as your NTP server documentation.

NTP1

LAST UPDATE: 20171110VT


(This document also applies to setup the NTP2, NTP3 and NTP4 servers to form the NTP server farm)


SETUP DATE: 201X-XX-XX

SERVER NAME: NTP1.yourdomain.com

SERVER OS: CentOS7

SERVER OS IMAGE/ISO/VM TEMPLATE: CentOS-7.0-1406-x86_64-DVD.iso

SERVER NETWORK: DC1 DMZ

SERVER IP ADDRESS: 192.168.254.70/24


NTP Server Farm Network Diagram:

PART 1: Building NTP Server

Step 1: Pre-OS Installation

1) EDGE FW SETTING (perform similar setup based on your FW vendor):

Create a new node object for the server, named dmz_192.168.254.70_ntp1


2) SETUP NAT FOR NTP1 EGRESS TRAFFIC FROM DMZ:

(Use your FW default) Same as gateway / hide behind gateway


3) SETUP FIREWALL POLICY FOR NTP1 EGRESS:

Allow HTTP (TCP/80) – for updates and upgrades

Allow NTP (UDP/123) – for public NTP requests

Allow DOMAIN (UDP/53) – for public DNS requests


4) SETUP FIREWALL POLICY FOR INGRESS NTP REQUEST:

Allow NTP (UDP/123) – for inside (LAN/WAN) NTP requests


Step 2: Install CentOS

CentOS INSTALLATION SUMMARY:

DATE & TIME: choose the “Americas/Los Angeles” time zone, choose “AM/PM”

KEYBOARD: (default)

LANGUAGE SUPPORT: (default)

INSTALLATION SOURCE: (default)

SOFTWARE SELECTION: choose Minimal Install & Compatibility Libraries

INSTALLATION DESTINATION: check “I will configure partitioning.” then click “Done”

Next screen: choose LVM, then click “Click here to create them automatically.”

Next screen: no adjustment, then click “Done”

Next screen: review it, then click “Accept Changes”


NETWORK & HOSTNAME: enter the FQDN in the Hostname box, then click “Configure…”, then configure IPv4 with the static address listed above.

Change the Connection name to eth0 (optional), or accept the default name ‘ens32’

Click on “Save…”, turn the Ethernet button “ON”, then click “Done”

Click on “Begin Installation”


While the installation is in progress, click on ROOT PASSWORD and USER CREATION and complete them as below.


ROOT PASSWORD: yourpassword


USER CREATION: admin, check “Make the user administrator”


When the installation has completed, click on “Reboot”


Since it is a minimal install, you can only log in at the command line.


Network Configuration:

The network configuration file is located at /etc/sysconfig/network-scripts/ifcfg-ens32 (or ifcfg-eth0)

Use # nmtui to edit the network settings via the NetworkManager TUI

Use # nmcli to quickly view or edit the network settings

Run # service network restart once you have changed the ifcfg-ens32 file with vi, nmtui, nmcli, etc.


Use # ip a sh or ip addr to list all NICs

Use # ip link or ip -s link for link status and statistics


REF: http://community.spiceworks.com/how_to/show/57482-centos-minimal-install

REF: http://www.unixmen.com/ifconfig-command-found-centos-7-minimal-installation-quick-tip-fix/


Step 3: Post-OS Installation

Get the latest updates:

Run # yum update


Setup NTP service:

REF: http://www.tecmint.com/install-ntp-server-in-centos/


1) Run # yum install ntp to install the NTP service

2) Edit the ntp.conf file with # vi /etc/ntp.conf

time.nist.gov is a global address covering all NIST servers at multiple locations

  • Add restrict x.x.x.x mask 255.255.x.x nomodify notrap to allow other hosts to access this NTP server. The nomodify and notrap flags mean that your clients are not allowed to configure the server or be used as peers for time sync.


3) At the end of the file, add logfile /var/log/ntp.log to troubleshoot or validate the NTP service; remove it when done.

Cut & Paste:

# Create an NTP log for troubleshooting (comment the next line out with # when done)

logfile /var/log/ntp.log
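The restrict rules above are the security-relevant part of ntp.conf: without a hardened restrict default line, any host can send ntpd control queries or change its state. The helper below is an added example (not from the article): it emits a restrict block for a client network given in CIDR form (the CIDR ranges and the sample config are constructed here; the flags and the mask keyword follow the ntp.conf documentation) and audits an existing ntp.conf for the flags on the restrict default rule.

```shell
# Added example (not from the article): build ntp.conf restrict lines for one
# client network and audit an existing ntp.conf for the flags on the
# "restrict default" rule. CIDR inputs and the sample config are constructed.

# Convert a prefix length (0-32) to a dotted-quad netmask, e.g. 24 -> 255.255.255.0
prefix_to_netmask() {
    if [ "$1" -eq 0 ]; then echo 0.0.0.0; return; fi
    mask=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# Print a restrict block for the client network given as CIDR (e.g. 192.168.0.0/16):
# the default rule refuses everything except time replies (noquery also blocks the
# ntpq/ntpdc control queries used for amplification), localhost is unrestricted,
# and the LAN gets time service but cannot modify, trap or peer with the daemon.
ntp_restrict_block() {
    net=${1%/*}; bits=${1#*/}
    printf 'restrict default kod nomodify notrap nopeer noquery\n'
    printf 'restrict 127.0.0.1\n'
    printf 'restrict %s mask %s nomodify notrap nopeer\n' "$net" "$(prefix_to_netmask "$bits")"
}

# Read an ntp.conf on stdin; return 0 if its "restrict default" line carries all
# five flags, otherwise name what is missing and return 1.
audit_default_restrict() {
    line=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default' | head -n 1 | tr '\t' ' ')
    if [ -z "$line" ]; then
        echo "FAIL: no 'restrict default' line, so any host may query and modify ntpd"
        return 1
    fi
    missing=""
    for flag in kod nomodify notrap nopeer noquery; do
        case " $line " in *" $flag "*) ;; *) missing="$missing $flag" ;; esac
    done
    if [ -n "$missing" ]; then echo "FAIL: restrict default lacks:$missing"; return 1; fi
    echo "OK: restrict default is hardened"
}

# Demo on a constructed config (on the server: audit_default_restrict < /etc/ntp.conf)
ntp_restrict_block 192.168.0.0/16
printf 'restrict default nomodify notrap\n' | audit_default_restrict || true
```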


Setup CentOS FW:

REF: http://www.tejasbarot.com/2014/08/05/rhel-7-centos-7-how-to-get-started-with-firewalld/#axzz3IqwSxHPB


Only allow the minimum required ports.  By default, the dhcpv6-client and ssh services are open.  You must add the NTP service.


# firewall-cmd --add-service=ntp --permanent

# firewall-cmd --reload


Also run the firewall-cmd commands below to verify:

# firewall-cmd --state

# firewall-cmd --zone=public --list-all



PART 2: Testing NTP service

Step 1: checking the ntp daemon

Once you have updated ntp.conf, you must run the following commands.

# systemctl start ntpd

# systemctl enable ntpd


Run # systemctl status ntpd to show the NTP service status


Run ntpq -p to show the NTP peer status

Run date -R to display the current date/time
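The ntpq -p output is the place to confirm the server has actually selected a source: a peer marked with * is the chosen system peer, and the reach column (octal, 377 = the last eight polls answered) shows whether a source is answering. The function below is an added example (not from the article) that checks a capture of that output; the sample output and host names are constructed for this example.

```shell
# Added example (not from the article): check "ntpq -p" output for a selected
# system peer and for peers that are not answering. Reads stdin so it can be fed a
# saved capture or the live command; the sample output below is constructed.

# Return 0 and print "OK: ..." when some peer carries the "*" tally (ntpd has
# chosen it and is synchronized); warn about peers with reach 0 (never answered)
# or below 377 (recent polls missed); return 1 when no system peer exists yet.
ntp_sync_check() {
    awk '
        NR <= 2 { next }                        # skip the column header and ==== line
        {
            tally = substr($0, 1, 1)            # first column character: space * + - x . #
            name = $1; sub(/^[-*+#ox.]/, "", name)
            reach = $7
            if (tally == "*") { syspeer = name; sysreach = reach }
            if (reach == 0) printf "WARN: %s never reached (reach=0)\n", name
            else if (reach != 377) printf "WARN: %s missed recent polls (reach=%s)\n", name, reach
        }
        END {
            if (syspeer == "") { print "FAIL: no system peer selected (*) yet"; exit 1 }
            printf "OK: synced to %s (reach=%s)\n", syspeer, sysreach
        }'
}

# Constructed sample of "ntpq -p" on NTP1: one NIST source selected, a farm member
# as candidate, and a peer that has not answered yet (refid is a documentation IP).
sample_ntpq='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.nist.gov   .NIST.          1 u   43   64  377   12.345   -0.123   0.456
+ntp2.yourdomain 192.0.2.10      2 u   12   64  377    0.512    0.044   0.031
 ntp3.yourdomain .INIT.         16 u    -   64    0    0.000    0.000   0.000'

# On the server: ntpq -p | ntp_sync_check
printf '%s\n' "$sample_ntpq" | ntp_sync_check
```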


EXTRA:

Configuring Time Synchronization for all Computers in a Windows domain

REF: http://www.altaro.com/hyper-v/configuring-time-synchronization-for-all-computers-in-windows-domain/


Configure a client computer for automatic domain time synchronization

REF: http://technet.microsoft.com/en-us/library/cc758905%28v=ws.10%29.aspx


Step 2: Testing from a Windows Machine

  1. Open Windows PowerShell (or Command Prompt)
  2. In the Command Prompt window, type the following line, where <peers> is a comma-separated list of IP addresses of the appropriate time sources in quotes, and press ENTER:
    w32tm /config /manualpeerlist:<peers> /syncfromflags:MANUAL /reliable:YES /update


The time sources you choose depend on your time zone. For example, if your domain controller is located in the Pacific Time zone, this line might read:
w32tm /config /manualpeerlist:131.107.1.10 /syncfromflags:MANUAL /reliable:YES /update


For example:

w32tm.exe /config /manualpeerlist:"ntp1.yourdomain.com ntp2.yourdomain.com ntp3.yourdomain.com" /syncfromflags:manual /reliable:YES /update


3. Press ENTER. You should get a message that the command completed successfully. If you run into an issue or a message such as “The following error occurred: The system cannot find the file specified. (0x80070002)”, see the troubleshooting section below.

4. To immediately synchronize with the external time server, type w32tm /resync and press ENTER. You should get a message that the command completed successfully.

5. Run w32tm /query /peers to confirm the peer state is Active.


Type Exit and press ENTER.


PART 3: Troubleshooting

Troubleshooting Windows NTP (w32tm) configuration:

REF: http://www.thewindowsclub.com/windows-time-service-not-working-synchronization-fails-error


Troubleshooting CentOS NTP inactive (dead)

Usually this is because ntpd has stopped.  Simply restart it with “systemctl start ntpd”

Run “systemctl status ntpd” to confirm the service is active (running)

Author: Vic T