
A configuration guide to Network Time Protocol
This guide explains NTP configuration across Linux, macOS and Windows systems. It covers architecture, troubleshooting and best practices for reliable network time synchronization.
Computers and software are often intolerant of time discrepancies. Services like Kerberos authentication rely on timestamps, so if two systems disagree on the current time, users might be denied access to essential resources.
The Network Time Protocol is an application-layer protocol in the TCP/IP suite. Its job is to synchronize time between NTP clients and designated time servers. NTP supports a stratified structure, with each layer called a stratum.
Smaller environments typically only have one layer, while more complex networks might support several layers. For example, business workstations typically synchronize their time with internal time servers, while home computers typically synchronize their time with internet time servers.
This article explains NTP configuration on Linux, macOS and Windows devices in network environments, including Active Directory (AD). It includes troubleshooting tips and a best practices list to enhance network efficiency and reliability.
NTP architecture
NTP uses UDP connectionless communications for low-latency data exchanges that help prevent time drift between client and time server devices. It uses port 123/udp, so plan accordingly when managing firewall configurations.
The stratum layers include the following:
- Stratum 0. In this layer, a reference clock receives the true time from a dedicated transmitter or satellite navigation system.
- Stratum 1. In this layer, a device directly links to a reference clock.
- Stratum 2. In this layer, a device receives its time from a stratum 1 computer.
- Stratum 3. In this layer, a device receives its time from a stratum 2 computer.
The hierarchy can include additional layers, with each new layer adding a degree of separation from the reference clock and reducing accuracy.
NTP remains a critical protocol in modern networks, especially as servers and clients remain distributed across multiple regions. It's also essential in on-premises and cloud environments.
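To show where the stratum value and the timestamps sit in an NTP exchange, the following added example (not part of the original article) parses a 48-byte server reply, rejects unsynchronized or mismatched replies, and computes the clock offset and round-trip delay. The reply bytes and all timestamps are constructed sample values, and the function names are hypothetical; the header layout and formulas follow RFC 5905.

```python
import struct

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
HEADER = "!BBbb11I"      # 48-byte NTP header without extension fields

def to_ntp(unix):
    """Unix seconds -> (seconds, fraction) words of a 64-bit NTP timestamp."""
    return int(unix) + NTP_DELTA, int((unix % 1) * 2**32)

def from_ntp(seconds, fraction):
    return seconds - NTP_DELTA + fraction / 2**32

def sample_reply(stratum, origin, receive, transmit, leap=0):
    """Build a constructed server (mode 4) reply for the demonstration."""
    first = (leap << 6) | (4 << 3) | 4            # leap indicator, version 4, mode 4
    stamps = (*to_ntp(origin), *to_ntp(receive), *to_ntp(transmit))
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, 0, 0, 0, *stamps)

def evaluate_reply(packet, t1, t4):
    """Validate a reply; return (stratum, offset, delay) in seconds.
    t1 and t4 are the client's own send and receive times (Unix seconds)."""
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    f = struct.unpack(HEADER, packet[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server is unsynchronized (LI=3 or stratum 0/16)")
    if f[9:11] != to_ntp(t1):
        # The server echoes our transmit time; a mismatch means a stale or forged reply.
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2          # how far the client clock is off
    delay = (t4 - t1) - (t3 - t2)                 # round trip minus server processing
    return stratum, offset, delay

# Constructed exchange: client clock 0.5 s slow, 0.125 s network delay each way.
T1, T4 = 1700000000.0, 1700000000.25
REPLY = sample_reply(stratum=2, origin=T1, receive=1700000000.625,
                     transmit=1700000000.625)

if __name__ == "__main__":
    print(evaluate_reply(REPLY, T1, T4))
```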
NTP implementations
NTP is standard for Linux, macOS and Windows configurations, making it the ideal choice for network environments with a combination of systems. Many network devices also recognize NTP.
Linux systems
Configuring NTP on Linux systems involves editing the /etc/ntp.conf configuration file with a text editor, such as Vim or Nano. Use the configuration file entries to direct the service to the necessary time servers, as seen below:
server 0.pool.ntp.org
server 1.pool.ntp.org
As with other Linux configuration files, if you edit the /etc/ntp.conf file, you'll need to restart the service using the following command:
systemctl restart ntpd
Confirm the status of the ntpd daemon using this command:
ntpq -p
Linux servers rarely include a GUI, but workstations might have one. The steps to configure time services through the GUI vary depending on the selected desktop environment.
MacOS systems
Configure macOS for time services by browsing to System Settings > General > Date & Time. Enable the Set time and date automatically setting and specify a target NTP server. The default server is time.apple.com, but you can add other time servers as needed.
Query the time server manually from the Mac's Terminal by typing this command:
sntp time.apple.com
Windows standalone systems
Like macOS, Windows time services are straightforward to configure from the GUI. Browse to Control Panel > Clock and Region > Date and Time > Internet Time and select Synchronize with an internet time server. Enter the server's address to complete the settings.
You might prefer to use the Windows command-line or want to script your NTP configurations. Begin by opening the Terminal and displaying the current configuration:
w32tm /query /configuration
Set a preferred NTP server with this command:
w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:YES /update
Don't forget to restart the service:
net stop w32time
net start w32time
Check the service's status by typing the following command:
w32tm /query /status
You can force an immediate time synchronization using the following command:
w32tm /resync /rediscover
Windows domain members
Configuring NTP isn't typically necessary in AD environments. Domain members automatically synchronize their time with the Domain Controller that authenticated them. All DCs synchronize their time with the Primary DC Emulator, a critical Flexible Single Master Operations role in Windows Server AD. Domain administrators configure the PDC to sync with an external time source.
This hierarchy ensures a simple, reliable and synchronized configuration throughout the domain, which is essential to authentication services that rely on timestamps, such as Kerberos.
Advanced NTP configurations
NTP has two advanced settings that require further investigation. These are polling times and the iburst parameter.
Polling times define the intervals at which the NTP client polls its specified NTP servers. The minpoll option sets the minimum time, and maxpoll specifies the maximum time.
- minpoll. Shortest interval between polls.
- maxpoll. Longest interval between polls.
Poll intervals are expressed as exponents of 2, in seconds. The default minpoll value is 6 -- or 64 seconds -- and the usual maxpoll setting is 10 -- which is 1024 seconds, or about 17 minutes.
Add these values to the server entry in /etc/ntp.conf:
server ntp.example.com minpoll 4 maxpoll 6
It's rarely necessary to modify the defaults, but some time-sensitive applications might require these settings.
The iburst setting speeds the initial time synchronization when the ntpd first starts. The standard setting, with no iburst parameter set, causes the NTP client to send one query for time synchronization. However, if the specified NTP server does not respond, the NTP client delays time synchronization. The iburst parameter causes the client to send a burst of eight packets about two seconds apart, which increases the chances of receiving a response.
Modify the time server entry in /etc/ntp.conf by adding the iburst setting:
server ntp.example.com iburst
This configuration usually matters when the system boots up. Don't confuse this setting with burst, which sends multiple queries at every polling interval. The iburst option only sends multiple queries during the initial synchronization task, which is much more efficient.
Define polling and iburst settings in the /etc/ntp.conf configuration file for more efficient time management.
Troubleshooting common NTP issues
One configuration and troubleshooting concern involves environments with only two time servers defined. Issues arise when client devices cannot determine the correct time due to a time disagreement between the two target time servers. A third or fourth NTP server acts as a tiebreaker. This issue is sometimes called the NTP two-server problem.
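The polling, iburst and two-server points above can be checked mechanically. The following added example (not from the original article) audits the server lines of an ntp.conf, converts minpoll and maxpoll exponents to seconds, and flags the issues this guide describes. The function name and sample file are constructed, and the 3 to 17 exponent range is an assumption based on the ntpd reference documentation.

```python
DEFAULT_MINPOLL, DEFAULT_MAXPOLL = 6, 10   # 64 s and 1024 s, the defaults named above
POLL_RANGE = range(3, 18)                  # assumed ntpd limits: 2**3 s to 2**17 s

def audit_ntp_conf(text):
    """Return (servers, findings) for the `server` lines of an ntp.conf."""
    servers, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()       # drop comments, then tokenize
        if len(words) < 2 or words[0] != "server":
            continue
        host, opts = words[1], words[2:]
        poll = {"minpoll": DEFAULT_MINPOLL, "maxpoll": DEFAULT_MAXPOLL}
        for key in poll:
            if key in opts:
                i = opts.index(key)
                value = opts[i + 1] if i + 1 < len(opts) else ""
                if value.isdigit() and int(value) in POLL_RANGE:
                    poll[key] = int(value)
                else:
                    findings.append(f"line {lineno}: {key} '{value}' is outside 3..17")
        if poll["minpoll"] > poll["maxpoll"]:
            findings.append(f"line {lineno}: minpoll exceeds maxpoll")
        if "burst" in opts:
            findings.append(f"line {lineno}: burst sends extra queries at every poll")
        if "iburst" not in opts:
            findings.append(f"line {lineno}: no iburst, initial sync will be slower")
        # Record the poll interval bounds in seconds (2 ** exponent).
        servers.append((host, 2 ** poll["minpoll"], 2 ** poll["maxpoll"]))
    if len(servers) == 2:
        findings.append("two servers: no tiebreaker if they disagree")
    elif len(servers) < 4:
        findings.append(f"{len(servers)} server(s) configured; four is preferred")
    return servers, findings

# Constructed sample configuration for the demonstration.
SAMPLE = """\
# constructed example
server 0.pool.ntp.org iburst
server ntp.example.com minpoll 4 maxpoll 6   # no iburst
"""

if __name__ == "__main__":
    for host, low, high in audit_ntp_conf(SAMPLE)[0]:
        print(f"{host}: polls every {low} to {high} seconds")
    print("\n".join(audit_ntp_conf(SAMPLE)[1]))
```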
Avoid configurations where AD domain members -- such as Windows servers and workstations -- recognize a different time than non-domain members, such as Linux, macOS and network devices. Authentication and access problems might occur if these devices need to share resources but disagree on the current time.
Use the following NTP commands on Linux and similar systems to troubleshoot NTP issues:
- ntpd -d. Runs the ntpd in debug mode, providing useful trace information.
- ntpq. Queries the ntpd for statistics and status data.
- ntpstat. Displays the client's current synchronization status.
On most Linux distributions, ntpd logs to /etc/messages by default. However, you can edit the /etc/ntp.conf file to define a dedicated log file location, such as /var/log/ntp.log.
Windows systems log NTP entries in Event Viewer. Browse the Application Event Log entries for NTP details.
Best practices for NTP configuration
NTP is a well-established and reliable part of the TCP/IP suite, so plenty of documentation exists for how to manage it. Rely on the following best practices to get the most from your NTP settings:
- Use the iburst option to speed up the initial time synchronization after starting or restarting the service.
- Configure polling intervals for systems with time-sensitive applications.
- Configure multiple NTP servers. Four is the preferred number.
- Rely on AD for time management in AD deployments.
- Configure highly available, dedicated NTP sources, especially for internal network time servers that will support client devices.
- Design a consistent NTP infrastructure across your internal network. Larger environments should mimic the standard stratum layered design.
Configure an efficient and reliable NTP environment to ensure robust time synchronization across Linux, macOS, and Windows devices. Consider integrating network devices like routers and switches into the design, too. While time management is straightforward in most networks, it's also critical.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.