The reasons are many and good for making sure your servers are all set to the same time. The usual way to synchronise time with Unix is through NTP - Network Time Protocol. The ntpd daemon can operate as a server, a client, or a relay system.
One note here. Whilst researching this topic I found scads and scads of information regarding the setting up of Time Servers. For such an apparently simple concept, it can get very involved. However, what I present here are the basics of getting it installed and running, which is really quite simple, and then it's up to the reader to take it to the next levels, if required.
Prerequisites
Note you must have PERL installed before continuing. If you are using FreeBSD 6.x or later, PERL may not be present. See Installing PERL.
Download the latest NTPD package from ntp.isc.org, in this case I used ntp-4.2.0.tar.gz [2.4MB].
Perform the usual list of installation routines..
cd /usr/local/src
tar -zxvf ntp-4.2.0.tar.gz
cd ntp-4.2.0
./configure
make
make install
Once installed, find your nearest NTP Server and run a test connection using the ntptrace command..
ntptrace au.pool.ntp.org
..you should get a reply back similar to this..
efexor.vampiress.net: stratum 3, offset 20.535114, synch distance 0.14081
mel001.pacific.net.au: stratum 2, offset 20.531832, synch distance 0.08061
clock.tl.fukuoka-u.ac.jp: stratum 1, offset 20.523599, synch distance 0.00069,
refid 'GPS'
- if you get a timeout but can otherwise access the internet, it's most likely a blocked port at the firewall. NTP uses port 123, so make sure this is open. For more, see tracing the server.
NTP is configured by the /etc/ntp.conf file and there are stacks of settings. I like to keep things simple, so here's a very basic configuration file, with a preferred Australian time server and a backup in New Zealand..
server au.pool.ntp.org prefer
server nz.pool.ntp.org
To start the daemon, edit /etc/rc.conf and add the following line..
vi /etc/rc.conf
..and reboot the server. The daemon should be running, although it may seem to take a while for it to kick in, for the following reason.
Some references suggest creating an /etc/ntp.drift file, however I tend not to, as once started the system will build its own within an hour. To quote FreeBSD.org's Hypertext Man Pages..
Frequency Discipline
The ntpd behavior at startup depends on whether the frequency file, usually ntp.drift,
exists. This file contains the latest estimate of clock frequency error. When the
ntpd is started and the file does not exist, the ntpd enters a special mode designed
to quickly adapt to the particular system clock oscillator time and frequency error.
This takes approximately 15 minutes, after which the time and frequency are set to
nominal values and the ntpd enters normal mode, where the time and frequency are
continuously tracked relative to the server. After one hour the frequency file is
created and the current frequency offset written to it. When the ntpd is started and
the file does exist, the ntpd frequency is initialized from the file and enters normal
mode immediately. After that the current frequency offset is written to the file at
hourly intervals.
Thanks ntpd! Once running, the command line utility ntpq can be used to check the status of the NTP daemon on the local machine (or on a remote host)..
ntpq
ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*b.pool.ntp.uq.e im-ntp.its.uq.e  2 u  176  256  377  224.489  -116.96  15.090
+levy.catalyst.n gen3.ihug.co.nz  3 u   42  256  377   88.565  -205.22  13.766
ntpq> quit
The peers command obtains a current list of peers of the server, along with a summary of each peer's state. For more detail it's back to the FreeBSD.org's man pages.
Controlling Access to the Server
By default the NTP server will be accessible to all hosts on the Internet. The restrict option in /etc/ntp.conf allows control over which machines can access the server.
To deny all machines from accessing the NTP server, add the following line to /etc/ntp.conf:
restrict default ignore
To only allow machines within your own network to synchronize their clocks with your server, but ensure they are not allowed to configure the server or be used as peers to synchronize against, add..
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
instead, where 192.168.1.0 is an IP address on your network and 255.255.255.0 is your network's netmask.
The /etc/ntp.conf can contain multiple restrict options. For more details, see the Access Control Support subsection of ntp.conf.
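Added example (not part of the original article, and not ntpd's own code): a small Python model of how multiple restrict lines combine, so a configuration can be checked against sample client addresses before deploying it. It assumes ntpd's documented matching rule (entries sorted by address then mask, last match wins) and the article's statement that a host matching no entry is unrestricted; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_restrict(conf_text):
    """Return [(network, flags)] for each IPv4 'restrict' line in ntp.conf text."""
    entries = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        mask = "255.255.255.255"              # bare address = single host
        if addr == "default":
            addr, mask = "0.0.0.0", "0"       # 'default' covers every address
        elif rest[:1] == ["mask"] and len(rest) >= 2:
            mask, rest = rest[1], rest[2:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue                          # hostnames are not resolved here
        entries.append((net, frozenset(rest)))
    return entries

def access(conf_text, client_ip):
    """Describe how ntpd would treat client_ip under the given restrict lines."""
    ip = ipaddress.ip_address(client_ip)
    flags = frozenset()                       # assumption: no match = no restrictions
    # ntpd sorts entries by address, then mask; the last match sets the flags.
    ordered = sorted(parse_restrict(conf_text),
                     key=lambda e: (int(e[0].network_address), int(e[0].netmask)))
    for net, entry_flags in ordered:
        if ip in net:
            flags = entry_flags
    if "ignore" in flags:
        return "ignored"
    return " ".join(sorted(flags)) or "unrestricted"

# Constructed sample configurations using the article's restrict lines.
LAN_LINE_ONLY = "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap\n"
DEFAULT_PLUS_LAN = (
    "restrict default ignore\n"
    "restrict 127.0.0.1\n"
    "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap\n"
)

if __name__ == "__main__":
    for name, conf in (("LAN line only", LAN_LINE_ONLY),
                       ("default ignore + LAN", DEFAULT_PLUS_LAN)):
        for ip in ("192.168.1.20", "203.0.113.9", "127.0.0.1"):
            print(f"{name:22} {ip:14} -> {access(conf, ip)}")
```

The run shows that the LAN line on its own leaves hosts outside 192.168.1.0/24 unrestricted, while pairing it with restrict default ignore shuts them out. With default ignore in place, replies from the upstream time servers are ignored as well unless each one gets its own restrict line.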
Links and References
http://www.eecis.udel.edu/~ntp/ntp_spool/html/ntpd.html
http://www.freebsddiary.org/xntpd.php
http://ntp.isc.org/bin/view/Main/WebHome
http://ntp.isc.org/bin/view/Servers/NTPPoolServers
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-ntp.html