CentOS 7 ntpd not synchronize with AD domain controller

centos7ntpd

i've a problem with time syncronization of a CentOS 7 host with a Windows 2008 R2 Domain controller.
If I use the command ntpdate -u host.domain
the synchronization is ok.
But using ntpd the time is always the same, here the result of the command ntpq -p:

 10.10.10.221    .LOCL.           1 u   65   64  377    1.740  965414.   4.054
 10.10.10.220    10.10.10.221     2 u   62   64  377    1.912  965408.  12.899

and the ntp.conf is the following:

driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 10.10.10.221 iburst prefer
server 10.10.10.220 iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
logfile /var/log/ntp.log

Best Answer

I managed to find the solution after digging in more to a very similar issue on my end (different OS but same problem).

Windows NTP Servers (at times for various reaons), will report a large root dispersion. This in turn causes chronyd/ntpd to ignore the ntp server fpr inaccurate data.

In order to resolve I needed to add:

tos maxdist 16

to my /etc/ntp.conf. After restarting the service everything began working.

This article helped gave a simple explanation.

https://access.redhat.com/solutions/4652771

I also stumbled upon this post regarding inadequate times which further helped troubleshoot and identify the issue.

Why is NTP considering my server inadequate?

Related Solutions

Problem Synchronizing Server Time with ntpd – Solutions

Many distributions these days are configuring ntpd to restrict access. If restrict lines are present in your server's /etc/ntp.conf, only hosts/networks matching those lines will be permitted to connect to ntpd. You probably need to add additional restrict lines for the hosts or networks you want to allow to sync to your server. For example, to let the client you mentioned sync, add one of the following lines:

# allow just this host
restrict 10.99.84.134 nomodify notrap

# or allow the whole /24 segment
restrict 10.99.84.0 mask 255.255.255.0 nomodify notrap

After that, restart ntpd, and your clients should be able to sync.

Ntpdate works, but ntpd can’t synchronize

The 377 in the reach column means that connectivity is ok; telnet won't connect because NTP is UDP.

Try removing the server 127.127.1.0 from your config - the * by *LOCAL(0) tells us that the local server with stratum 5 is being used for sync, preferred over the remote server with stratum 1; the delay and offset both being 0.000 likely has a lot to do with that.

Best Answer

Related Solutions

Problem Synchronizing Server Time with ntpd – Solutions

Ntpdate works, but ntpd can’t synchronize

Related Topic