Urgent Need help to setup NTP to synchronize times between redhat servers

I have 3 redhat servers and I want to set one of them as NTP server and the others as clients.
Please provide me the steps as simple as possible.
mukhtar2tAsked:

iamgibbonCommented:
1. install ntp services using either of these commands:
# yum install ntp
or
# up2date ntp

configure /etc/ntp.conf file using command:
# vi /etc/ntp.conf
add address of ntp server to ntp.conf file, save the file and restart the ntp service

on your other 2 servers edit the ntp.conf to look at the server you configured, restart the services.

you can also force an ntp update using the command :
# ntpdate ntp.server.etc
hth.
0
suggestionstickCommented:
Hi

Checkout http://www.pool.ntp.org/ for available time servers.


a ntpd.conf for your main linux ntp server

# default restrictions
restrict default noquery notrust nomodify

# override the default restrictions here for your other 2  Linux server boxes
restrict  1.2.3.4 mask 255.255.255.255 nomodify  
restrict  1.2.3.5 mask 255.255.255.255 nomodify

# public NTP servers to sync with
server Public-timeserver1
server Public-timeserver2

restrict Public-timeserver1 noquery nomodify
restrict Public-timeserver2 noquery nomodify


# NTP drift file - used to keep track of your system clocks
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log


example config file for your other linux boxes


# default restrictions
restrict default noquery notrust nomodify

# Permit all access over the loopback interface
restrict 127.0.0.1

# public NTP servers to sync with
server FQDN-of-your-primary-ntp-server


restrict  FQDN-of-your primary-ntp-server noquery nomodify

# NTP drift file - used to keep track of your system clocks
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log


Checkout http://www.pool.ntp.org/ for available time servers.

Trev
0
iamgibbonCommented:
Hi.
don't forget to forward udp port 123 to your server that gets its time sync from external source.
hth.
0
suggestionstickCommented:
Hi

Also make sure that the servers have the (roughly) correct time before you start the ntpd service "service ntpd start" as otherwise the initial sync may fail.

if you have any issue once the ntpd service is running pls type the following on the command line and copy/post the output.

grep ntpd /var/log/messages

Trev
0
mukhtar2tAuthor Commented:
Peace be upon you suggestionstick.
First let us do this for just two servers and I will apply it for the third.
My NTP server address is 10.0.0.202
This is the ntp.conf:

# Prohibit general access to this service.
restrict default ignore
restrict 66.187.233.4 mask 255.255.255.255 nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap


# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip



# --- NTP MULTICASTCLIENT ---
#multicastclient                  # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server 66.187.233.4
fudge      127.127.1.0 stratum 10      

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay      0.008

#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys

and this is the result for grep ntpd /var/log/messages

Mar 27 00:14:03 server ntpd[5064]: time reset 0.176357 s
Mar 27 00:14:03 server ntpd[5064]: synchronisation lost
Mar 27 03:38:17 server ntpd[5064]: time reset -0.246986 s
Mar 27 03:38:17 server ntpd[5064]: synchronisation lost
Mar 27 08:21:24 server ntpd[5064]: time reset 0.180443 s
Mar 27 08:21:24 server ntpd[5064]: synchronisation lost
Mar 27 09:06:31 server ntpd[5064]: time reset 0.607093 s
Mar 27 09:06:31 server ntpd[5064]: synchronisation lost
Mar 27 09:21:54 server ntpd[5064]: time reset 0.211869 s
Mar 27 09:21:54 server ntpd[5064]: synchronisation lost
Mar 27 09:37:09 server ntpd[5064]: time reset -0.153912 s
Mar 27 09:37:09 server ntpd[5064]: synchronisation lost
Mar 27 09:52:21 server ntpd[5064]: time reset -0.227535 s
Mar 27 09:52:21 server ntpd[5064]: synchronisation lost
Mar 27 10:07:35 server ntpd[5064]: time reset 0.260253 s
Mar 27 10:07:35 server ntpd[5064]: synchronisation lost
Mar 27 11:33:24 server ntpd[5064]: time reset -0.202148 s
Mar 27 11:33:24 server ntpd[5064]: synchronisation lost
Mar 27 12:51:41 server ntpd[5064]: time reset 0.136955 s
Mar 27 12:51:41 server ntpd[5064]: synchronisation lost
Mar 27 14:21:43 server ntpd[5064]: ntpd exiting on signal 15
Mar 27 14:21:43 server ntpd: ntpd shutdown succeeded
Mar 27 14:43:18 server ntpdate[15717]: step time server 66.187.233.4 offset 1.260074 sec
Mar 27 14:43:18 server ntpd:  succeeded
Mar 27 14:43:18 server ntpd[15721]: ntpd 4.1.2@1.892 Thu Sep 11 05:38:15 EDT 2003 (1)
Mar 27 14:43:18 server ntpd: ntpd startup succeeded
Mar 27 14:43:18 server ntpd[15721]: precision = 9 usec
Mar 27 14:43:18 server ntpd[15721]: kernel time discipline status 0040
Mar 27 14:43:18 server ntpd[15721]: frequency initialized 61.597 from /var/lib/ntp/drift
Mar 27 14:47:47 server ntpd[15721]: kernel time discipline status change 41
Mar 27 14:48:50 server ntpd[15721]: kernel time discipline status change 1
Mar 27 15:23:12 server ntpd[15721]: time reset 0.601682 s
Mar 27 15:23:12 server ntpd[15721]: synchronisation lost
Mar 27 16:35:04 server ntpd[15721]: time reset -0.320047 s
Mar 27 16:35:04 server ntpd[15721]: synchronisation lost

My client NTP Address is: 10.0.0.200
0
mukhtar2tAuthor Commented:
NTP server :
Red Hat Enterprise Linux WS release 3 (Taroon)
NTP Client:
Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
0
suggestionstickCommented:
Hi

stop ntp

"service ntpd stop"

run the following command

ntpdate  66.187.233.4

should look like this

28 Mar 01:20:24 ntpdate[2053]: adjust time server 66.187.233.4 offset 0.017163 sec.

then

start the ntp service

"service ntpd start"

wait for a few minutes, then run
ntpq -p

copy/post

assuming that you posted the config from your local NTP server on  10.0.0.202
backup the ntp.conf file on both servers before making any changes
Then under the section
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

add a line

restrict 10.0.0.200  mask 255.255.255.0  nomodify notrap

then in the client server conf use 10.0.0.202 instead of  66.187.233.4 (backup ntp.conf before making any changes).


might also change authenticate yes to authenticate no.

also your ntp version is different, but I could not see any mention in the logs of ntpd listening on any interfaces.

could you copy/clean/post
lsof -i | grep ntpd

you will have to clean this output for public consumption as it will have internal host names.

Trev


0
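The effect of the `restrict` change suggested above can be checked offline before restarting ntpd. This is an added example, not code from the thread: `parse_restrict`, `effective_flags` and `serves_time` are hypothetical helpers, and they assume ntpd applies the most specific matching `restrict` entry and ANDs the address with its mask.

```python
import ipaddress

# Constructed input: the active restrict lines from the server ntp.conf posted
# in the thread, and the line the answer above says to add for the client.
SERVER_CONF = """\
restrict default ignore
restrict 66.187.233.4 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1
"""
ADDED_LINE = "restrict 10.0.0.200  mask 255.255.255.0  nomodify notrap\n"


def parse_restrict(conf):
    """Return [(network, flags)] for each IPv4 restrict line in conf."""
    rules = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, mask, flags = tok[1], "255.255.255.255", tok[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0"
        elif len(flags) >= 2 and flags[0] == "mask":
            mask, flags = flags[1], flags[2:]
        try:
            # strict=False clears host bits: 10.0.0.200/24 becomes 10.0.0.0/24.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # hostname entries are resolved by ntpd; skipped here
        rules.append((net, set(flags)))
    return rules


def effective_flags(rules, source):
    """Flags of the most specific rule covering source (assumed ntpd behaviour)."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not matches:
        return set()  # no entry matches: nothing is restricted
    return max(matches, key=lambda m: m[0])[1]


def serves_time(rules, source):
    """True when the matching rule lets source get time from this server."""
    return not ({"ignore", "noserve"} & effective_flags(rules, source))
```

With the posted config, 10.0.0.200 falls under `restrict default ignore`; with the added line it is served, and because of the 255.255.255.0 mask so is every other host in 10.0.0.0/24.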
mukhtar2tAuthor Commented:
At the server
service ntpd stop
Shutting down ntpd:                                        [  OK  ]
#ntpdate  66.187.233.4
27 Mar 18:47:49 ntpdate[17973]: adjust time server 66.187.233.4 offset -0.098214 sec
#service ntpd start
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==================================================
 clock1.redhat.c .CDMA.           1 u   33   64    1  658.611  -10.990   0.004
#lsof -i|grep ntpd
ntpd      17991     ntp    4u  IPv4 309683362       UDP *:ntp
ntpd      17991     ntp    5u  IPv4 309683363       UDP localhost.localdomain:ntp
ntpd      17991     ntp    6u  IPv4 309683364       UDP servername.lan:ntp

i added the line to /etc/ntp.conf and backed it up.


At the client
#ntpdate  10.0.0.202
27 Mar 18:55:27 ntpdate[11873]: no server suitable for synchronization found

0
suggestionstickCommented:
Hi

have you opened up your iptables firewall on 10.0.0.202 to allow UDP Port 123 from 10.0.0.200? If not open and try a "ntpdate 10.0.0.202" again

if you run ntpq -p the reach value should now read one of the following values  1, 3, 7, 17, 37, 77, 177, 377

the fact that you are not displaying  a reach value of 0 on your main NTP server is a good sign. it means that the last sync attempt to redhats  time server was good.

Trev


 

0
suggestionstickCommented:
Hi

"if you run ntpq -p the reach value should now read one of the following values  1, 3, 7, 17, 37, 77, 177, 377"

this is on your ntp server

Trev
0
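The reach values listed above are the octal form of an 8-bit shift register that records the last eight polls. The following added example (not code from the thread; `parse_peer`, `poll_history` and `assess` are hypothetical helper names) decodes that column from `ntpq -p` peer lines and reports whether the peer is answering and selected.

```python
# Constructed input: the three `ntpq -p` peer lines the asker posted from the
# server during the thread, in order.
SAMPLES = [
    " clock1.redhat.c .CDMA.           1 u   33   64    1  658.611  -10.990   0.004",
    " clock1.redhat.c .CDMA.           1 u   17   64    3  862.194  112.954  45.692",
    "*clock1.redhat.c .CDMA.           1 u   50   64  377  829.291  -36.215  54.734",
]


def parse_peer(line):
    """Split one ntpq -p peer line; the reach column is decoded from octal."""
    # The first column is the tally code ('*' = selected peer, ' ' = none).
    tally, rest = (" ", line) if line[0].isalnum() else (line[0], line[1:])
    f = rest.split()
    if len(f) != 10:
        raise ValueError("not an ntpq -p peer line: %r" % line)
    return {
        "tally": tally,
        "remote": f[0],
        "stratum": int(f[2]),
        "reach": int(f[6], 8),      # printed in octal, e.g. 377 -> 255
        "offset_ms": float(f[8]),
    }


def poll_history(reach):
    """Last eight polls, newest first: True means a reply was received."""
    return [bool(reach >> i & 1) for i in range(8)]


def assess(peer):
    """Classify a parsed peer for monitoring purposes."""
    history = poll_history(peer["reach"])
    if peer["reach"] == 0:
        return "unreachable"        # no reply in 8 polls: check UDP 123 path
    if not history[0]:
        return "last poll missed"
    if peer["tally"] == "*":
        return "synced"
    return "reachable, not yet selected"


if __name__ == "__main__":
    for sample in SAMPLES:
        p = parse_peer(sample)
        replies = sum(poll_history(p["reach"]))
        print(p["remote"], oct(p["reach"]), f"{replies}/8 replies", assess(p))
```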
mukhtar2tAuthor Commented:
I did the forward but I can't verify whether it succeeded or not.
I typed this command, which I got from an expert here:
iptables -A INPUT -p udp -m udp -d 10.0.0.202 -s 10.0.0.200 --dport  123 -j ACCEPT
but the client is still not working
 ntpdate  10.0.0.202
27 Mar 21:05:30 ntpdate[15929]: no server suitable for synchronization found



The client conf file:


# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

restrict default nomodify notrap noquery
restrict 10.0.0.202 mask 255.255.255.255 nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap


# --- OUR TIMESERVERS -----
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org


# --- NTP MULTICASTCLIENT ---
#multicastclient                  # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server      127.127.1.0      # local clock
fudge      127.127.1.0 stratum 10      

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay      0.008

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys
0
suggestionstickCommented:
Hi


The "ntpdate 10.0.0.202" command will not use the ntp.conf file settings; however, your client ntp.conf in the time servers section should contain the following (notice the defaults are commented):

# --- OUR TIMESERVERS -----
server 10.0.0.202
#server 0.pool.ntp.org
#server 1.pool.ntp.org
#server 2.pool.ntp.org

also delete "restrict 10.0.0.202 mask 255.255.255.255 nomodify notrap noquery" line as this is covered under the default restrict.

save and restart "service ntpd condrestart"


I think the issue is still with your firewalls, you will also have to allow ntp on your ntp client server. (if the box is behind a another firewall, and you are not masq for internal clients then a quick firewall stop/start might be in order)

on both boxes "service iptables stop"  quickly run ntpdate 10.0.0.202 on the client box , observe the results and then quickly  run "service iptables start" on both boxes.  if you don't want to stop your firewall i can understand,  instead do a "service iptables condrestart"  on your ntp server box and then "service iptables status"  can you see a rule for ntp listed?




can you also run a ntpq -p on the ntp server and copy/paste the results


Trev
0
mukhtar2tAuthor Commented:
On the client
I added the server 10.0.0.202
deleted the line restrict 10.0.0.202 mask 255.255.255.255 nomodify notrap noquery
#service ntpd condrestart
#ntpdate  10.0.0.202
28 Mar 12:54:39 ntpdate[16762]: no server suitable for synchronization found

On the server
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
=========================================================
 clock1.redhat.c .CDMA.           1 u   17   64    3  862.194  112.954  45.692
0
mukhtar2tAuthor Commented:
Now on the client
chkconfig ntpd on
service ntpd start
Starting ntpd:                                             [  OK  ]
#ntpdate -u 10.0.0.202
28 Mar 13:25:40 ntpdate[17683]: step time server 10.0.0.202 offset 2.913365 sec

On the server
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==========================================================
*clock1.redhat.c .CDMA.           1 u   50   64  377  829.291  -36.215  54.734
0
mukhtar2tAuthor Commented:
Peace be upon you suggestionstick
I really appreciate your support.
If there is a degree more than A, it must be for you.
I hope my god give you a good
0