This article gives step-by-step instructions for building your own NTP server on CentOS. The network diagram shows the recommended layout for an NTP server farm with redundancy. This article also serves as your NTP server documentation.
LAST UPDATE: 20171110VT
(This document also applies to setting up the NTP2, NTP3 and NTP4 servers that form the NTP server farm)
SETUP DATE: 201X-XX-XX
SERVER NAME: NTP1.yourdomain.com
SERVER OS: CentOS7
SERVER OS IMAGE/ISO/VM TEMPLATE: CentOS-7.0-1406-x86_64-DVD.iso
SERVER NETWORK: DC1 DMZ
SERVER IP ADDRESS: 192.168.254.70/24
NTP Server Farm Network Diagram:
PART 1: Building NTP Server
Step 1: Pre-OS Installation
1) EDGE FW SETTING (perform a similar setup based on your FW vendor):
Create a new node for the server as dmz_192.168.254.70_ntp1
2) SETUP NAT FOR NTP1 EGRESS TRAFFIC FROM DMZ:
(Use your FW default) Same as Gateway / Hide behind Gateway
3) SETUP FIREWALL POLICY FOR NTP1 EGRESS:
Allow HTTP (TCP/80) – for updates and upgrades
Allow NTP (UDP/123) – for public NTP request
Allow DOMAIN (UDP/53) – for public DNS request
4) SETUP FIREWALL POLICY FOR INGRESS NTP REQUEST:
Allow NTP (UDP/123) – for inside (LAN/WAN) NTP request
Step 2: Install CentOS
CentOS INSTALLATION SUMMARY:
DATE & TIME: choose “Americas/Los Angeles” time zone, choose “AM/PM”
LANGUAGE SUPPORT: (default)
INSTALLATION SOURCE: (default)
SOFTWARE SELECTION: choose Minimal Install & Compatibility Libraries
INSTALLATION DESTINATION: check “I will configure partitioning.” then click “Done”
Next screen: choose LVM, then click “Click here to create them automatically.”
Next screen: no adjustment, then click “Done”
Next screen: review it, then click “Accept Changes”
NETWORK & HOSTNAME: enter the FQDN in the Hostname box, then click “Configure…”, then set up IPv4 as below.
Change the Connection name to eth0 (optional), or accept the default name ‘ens32’
Click on “Save…”, turn the Ethernet button “ON”, then click “Done”
Click on “Begin Installation”
While the installation is in progress, click on ROOT PASSWORD and USER CREATION to complete the configuration as below.
ROOT PASSWORD: yourpassword
USER CREATION: admin, check “Make the user administrator”
When the installation has completed, click on “Reboot”
Since it is a minimal install, you can only log in at the command line.
The network configuration file is located at /etc/sysconfig/network-scripts/ifcfg-ens32 (or ifcfg-eth0)
Use # nmtui to edit network settings via the NetworkManager TUI
Use # nmcli to quickly view or edit network settings
Run # service network restart after making changes to the ifcfg-ens32 file with vi, nmtui, nmcli, etc.
Use # ip a sh or # ip addr to list all NICs
Use # ip link or # ip -s link for other link status
Step 3: Post-OS Installation
Get the latest updates:
Run # yum update
Setup NTP service:
1) Run # yum install ntp to install the NTP service
2) Edit the ntp.conf file by # vi /etc/ntp.conf
time.nist.gov is a global address that is served from multiple locations
- Add restrict x.x.x.x mask 255.255.x.x nomodify notrap to allow others to use this NTP server (ntpd's keyword is mask, and nomodify and notrap are two separate flags). The nomodify and notrap flags mean that your clients are not allowed to configure the server or be used as peers for time sync.
3) At the end of the file, add logfile /var/log/ntp.log to troubleshoot or validate the NTP service; remove it when done.
Cut & Paste:
# Create a NTP log for troubleshooting
# logfile /var/log/ntp.log
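As an added example (my own script, not part of the original article), the following builds the restrict line for a client subnet and audits an ntp.conf for restrict lines that lack the nomodify/notrap flags described above. The sample ntp.conf is constructed; it assumes the stock CentOS 7 file, whose restrict default line already carries nomodify notrap nopeer noquery, and the function names are my own.

```shell
# Added example, not from the original article: build the ntp.conf restrict line for a
# client subnet and audit a file for restrict lines missing nomodify/notrap.
# Prefix length (0-32) to dotted netmask, e.g. 20 -> 255.255.240.0
prefix_to_mask() {
    p=$1 m=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
        m="$m${m:+.}$o"
    done
    echo "$m"
}

# restrict_line 192.168.0.0/16 -> the line to append to /etc/ntp.conf
restrict_line() {
    echo "restrict ${1%/*} mask $(prefix_to_mask "${1#*/}") nomodify notrap"
}

# Print each restrict line in file $1 lacking nomodify or notrap; exit 1 if any.
# Localhost entries are exempt: they are meant to keep full access.
audit_ntp_conf() {
    awk '
      /^[[:space:]]*restrict[[:space:]]/ {
        sub(/#.*/, "")                      # drop a trailing comment
        if ($0 ~ /restrict[[:space:]]+(-[46][[:space:]]+)?(127\.0\.0\.1|::1)([[:space:]]|$)/) next
        m = 0; t = 0
        for (i = 2; i <= NF; i++) { if ($i == "nomodify") m = 1; if ($i == "notrap") t = 1 }
        if (!m || !t) { print "weak: " $0; bad = 1 }
      }
      END { exit bad }' "$1"
}

# Constructed sample ntp.conf (not a real server's file)
write_sample_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server time.nist.gov iburst
restrict 192.168.0.0 mask 255.255.0.0 nomodifynotrap   # one token, not the two keywords
restrict 10.0.0.0 mask 255.0.0.0
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_ntp_conf "$conf" || echo "fix with: $(restrict_line 192.168.0.0/16)"
rm -f "$conf"
```

Run audit_ntp_conf /etc/ntp.conf on the server after editing; a clean exit means every non-localhost restrict line carries both flags.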
Setup CentOS FW:
Only allow the minimum required ports. By default, the dhcpv6-client and ssh services are open. You must add the NTP service:
# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload
Also run the firewall-cmd commands below to verify:
# firewall-cmd --state
# firewall-cmd --zone=public --list-all
PART 2: Testing NTP service
Step 1: checking the ntp daemon
Once you have updated ntp.conf, you must run the following commands.
# systemctl start ntpd
# systemctl enable ntpd
Run # systemctl status ntpd to show the NTP service status
Run # ntpq -p to query the NTP peers
Run # date -R to display the current date and time
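To read the ntpq -p output from this step mechanically (for example from a monitoring check), here is an added example that is not part of the original article; the sample table is constructed and check_ntpq is my own function name.

```shell
# Added example, not from the original article: check ntpq -p output on stdin.
# A peer marked * is the selected system peer, reach 377 means the last eight
# polls all answered, and offset is in milliseconds.
# check_ntpq [max_offset_ms]   exit 0 only when sync looks healthy
check_ntpq() {
    awk -v maxoff="${1:-100}" '
      NR <= 2 { next }                          # header line and ==== rule
      {
        tally = substr($0, 1, 1)                # " ", "*", "+", "-", "x", "#"
        remote = (tally == " ") ? $1 : substr($1, 2)
        if (tally == "*") { sys = remote; reach = $7; off = $9 }
      }
      END {
        if (sys == "") { print "no system peer selected (no * line)"; exit 1 }
        if (reach != "377") { print sys ": reach " reach ", expected 377"; exit 2 }
        if (off < 0) off = -off
        if (off > maxoff + 0) { print sys ": offset " off " ms exceeds " maxoff; exit 3 }
        print "ok: synced to " sys ", offset " off " ms"; exit 0
      }'
}

# Constructed ntpq -p output for demonstration (not captured from a real server)
sample_ntpq() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.nist.gov   .NIST.           1 u   34   64  377   42.318   -1.234   0.856
+ntp2.yourdomain 192.168.254.70   2 u   12   64  377    0.412    0.215   0.120
 ntp3.yourdomain .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

sample_ntpq | check_ntpq 100      # live use on the server: ntpq -p | check_ntpq 100
```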
Configuring Time Synchronization for all Computers in a Windows domain
Configure a client computer for automatic domain time synchronization
Step 2: Testing from a Windows Machine
1. Open Windows PowerShell (or Command Prompt)
2. In the Command Prompt window, type the following line, where peers is a comma-separated list of the IP addresses of the appropriate time sources, in quotes, and press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:MANUAL /reliable:YES /update
The time sources you choose depend on your time zone. For example, if your domain controller is located in the Pacific Time zone, this line might read:
w32tm /config /manualpeerlist:22.214.171.124 /syncfromflags:MANUAL /reliable:YES /update
w32tm.exe /config /manualpeerlist:"ntp1.yourdomain.com ntp2.yourdomain.com ntp3.yourdomain.com" /syncfromflags:manual /reliable:YES /update
3. Press ENTER. You should get a message that the command completed successfully. If you run into an issue, or a message similar to “The following error occurred: The system cannot find the file specified. (0x80070002)”, see below for troubleshooting.
4. To immediately synchronize with the external time server, type w32tm /resync and press ENTER. You should get a message that the command completed successfully.
5. Run w32tm /query /peers to confirm the peer state is Active.
6. Type Exit and press ENTER.
PART 3: Troubleshooting
Troubleshooting Windows NTP (w32tm) configuration:
Troubleshooting CentOS NTP inactive (dead)
Usually this is because ntpd has stopped. Simply restart it with “systemctl start ntpd”
Run “systemctl status ntpd” to confirm the service is active (running)