NTP – Use AD Server as NTP for Non-Windows Hosts

active-directorylinuxntptime-synchronizationwindows-server-2012-r2

We currently have an AD server that we are using as a time source.

Our AD server is setup to host time locally and the windows domain clients sync up to this machine fine. We have the firewall disabled entirely on the hosts and there are no firewalls in between (all machines are on the same lan).

The ntp.conf looks like:

driftfile /var/lib/ntp/drift
restrict default
restrict 127.0.0.1
restrict ::1
server 192.168.1.10 iburst prefer
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
logfile /var/log/ntpd.log

I can stop the ntpd service and run:

ntpdate 192.168.1.10
16 Sep 15:12:18 ntpdate[297583]: adjust time server 192.168.1.10 offset 0.188928 sec

ntpdate -d 192.168.1.10
Looking for host 192.168.1.10 and service ntp
host found : 192.168.1.10
transmit(192.168.1.10)
receive(192.168.1.10)
transmit(192.168.1.10)
receive(192.168.1.10)
transmit(192.168.1.10)
receive(192.168.1.10)
transmit(192.168.1.10)
receive(192.168.1.10)
server 192.168.1.10, port 123
stratum 1, precision -23, leap 00, trust 000
refid [LOCL], delay 0.02579, dispersion 0.00081
transmitted 4, in filter 4
reference time:    e4eca422.d31c6b70  Wed, Sep 15 2021 16:56:02.824
originate timestamp: e4edde44.131c82ed  Thu, Sep 16 2021 15:16:20.074
transmit timestamp:  e4edde43.fbf54378  Thu, Sep 16 2021 15:16:19.984
filter delay:  0.02589  0.02580  0.02579  0.02582
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.092817 0.091966 0.091143 0.090334
         0.000000 0.000000 0.000000 0.000000
delay 0.02579, dispersion 0.00081
offset 0.091143
16 Sep 15:16:19 ntpdate[298357]: adjust time server 192.168.1.10 offset 0.091143 sec

.And the system syncs without issues. I proceed to start ntpd service and monitor using
ntpq -p

The offset continues to grow every poll. I run ntpstat and it continues to report unsynchronized.

ntpstat
unsynchronised
 time server re-starting
  polling server every 8 s

Can linux hosts running ntp not connect to AD in this fashion? I read through Microsoft – how windows time works but failed to get a grasp on how non-windows domain systems connecting to an AD time server using NTP work with this.

Best Answer

I managed to find the solution after digging in more.

Windows NTP Servers (at times for various reaons), will report a large root dispersion. This in turn causes chronyd/ntpd to ignore the ntp server fpr inaccurate data.

In order to resolve I needed to add:

tos maxdist 16

to my /etc/ntp.conf. After restarting the service everything began working.

This article helped gave a simple explanation.

https://access.redhat.com/solutions/4652771

I also stumbled upon this post regarding inadequate times which further helped troubleshoot and identify the issue.

Why is NTP considering my server inadequate?

Related Solutions

Linux – Single NTP server on isolate network

NTP should work fine. Look at some of the options for fast synchronization on start-up. Look at the burst and iburst options for the system B. Look at the true option for the GPS clock source.

Consider using the hardware clock as a backup time source on both systems. Set a higher stratum system B. Something like the following should work:

server  127.127.1.0
fudge   127.127.1.0 stratum 8

Watch the output of ntpq -c peers to see when you get a trusted clock source. Normally ntp wants a number of responses from a trusted time source before it trusts it. This is indicated by the first character on each line.

While NTP likes more sources, any odd number of time sources within one stratum level should work well. As you only have two servers and a GPS clock the priority (stratum) of the sources should increase from GPS, clock on server A, clock on server B. Increasing the stratum between each by three or four levels will ensure priorities are respected.

EDIT: If you have the busybox NTP server on server A, it may be worthwhile installing the full ntp server package. Understanding what is happening with server A should go a long way to solving your problem. You will need at least one trusted time source there before server B should trust it. If ntpq -c peers doesn't work, then you can try ntpdc peers. Both these commands allow you to query other hosts. A peerstats log could also be useful.

On server B use ntpclient as documented the busybox ntp howto to log what is happening on it

The clocks should be reasonably close to the correct time if the servers haven't been down for long. If you need to sync the two systems, that should be sufficient. The GPS will bring the time into sync with the real world eventually.

'ntpd -q' synchronizes quickly, but exits (ntpdate behaviour). It needs to be followed by an ntpd command without the quit option to have continuous synchronization.

EDIT2: I check my server and found one of the servers was off by a second. While fixing this I played with the settings. iburst gets a server trusted very quickly. true ensured the clock driver was trusted if there weren't multiple other trusted sources. The clock took a little more than a minute before it was locally trusted and could be trusted remotely.

When testing you should be able to restart the ntpd process once it is synchronized and test how fast settings work. In the above case Server B may need to be restarted to test how fast it synchronizes. When monitoring ntpd changes I use a line like:

while ntpq -c peers localhost; do sleep 10; done

The hostname and sleep time are adjusted as require. In some cases I chain two or more ntpq command lines in the loop. When doing so I use an echo and/or date command to provide an indication of where sets of data change.

Linux – NTP: ntpdate to sync time between the PCs on a private network

ntpdate does not read the ntp.conf file.

To synchronize one-time, pass the IP address of the server on the command line:

ntpdate 169.254.10.10

Best Answer

Related Solutions

Linux – Single NTP server on isolate network

Linux – NTP: ntpdate to sync time between the PCs on a private network

Related Topic