Best practices for a NTP
I am thinking about setting all of my LAN resources: computer, servers, routers, switches...etc, to use a NTP server, but I am not sure what is best practice or what works well, so I need a little help.
My method of thinking – is to have a low end server on my LAN configured with NTP, and use “time-nw.nist.gov” 131.107.1.10 Microsoft, Redmond, Washington for my NTP. My local machines will then pull NTP from my low end NTP server on my local LAN.
Is this a good model or method?
Thank you,
E
Utini!
Comments
-
royal Member Posts: 3,352
From a Windows perspective, on your Forest Root PDC Emulator, configure time there. All DCs will synchronize from their domain's PDC Emulator and all clients in that domain will synchronize from any DC in their domain. PDC Emulators from child domains and from other trees will synchronize their time with the PDC Emulator from the Root Forest. If you're also configuring an outside time source for things such as VMWare or other hardware devices, make sure you use the same time source to make sure time is as close as possible and definitely within 5 minutes (default) which is required for Kerberos authentication to work properly.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
darkerosxx Banned Posts: 1,343
> I am thinking about setting all of my LAN resources: computer, servers, routers, switches...etc, to use a NTP server, but I am not sure what is best practice or what works well, so I need a little help.
> My method of thinking – is to have a low end server on my LAN configured with NTP, and use “time-nw.nist.gov” 131.107.1.10 Microsoft, Redmond, Washington for my NTP. My local machines will then pull NTP from my low end NTP server on my local LAN.
> Is this a good model or method?
> Thank you,
> E
Yes, that's a good idea. I prefer to use military NTP servers, personally. You can use either of these:
tick.usno.navy.mil
tock.usno.navy.mil
-
JDMurray Admin Posts: 13,089 Admin
-
tiersten Member Posts: 4,505
Please make sure you're actually allowed to use the time server you've picked. There have been cases of misuse in the past where organisations/companies have withdrawn their free NTP service because of this.
Article about NTP misuse.
For most cases, you don't need to synchronise to a stratum 1 or better server. Your ISP probably runs a NTP server which you can use. Also you should synchronise with several servers just in case one of them has a problem.
-
astorrs Member Posts: 3,139
> Please make sure you're actually allowed to use the time server you've picked. There have been cases of misuse in the past where organisations/companies have withdrawn their free NTP service because of this.
> Article about NTP misuse.
> For most cases, you don't need to synchronise to a stratum 1 or better server. Your ISP probably runs a NTP server which you can use. Also you should synchronise with several servers just in case one of them has a problem.
Consult the list here: WebHome < Servers < NTP to find the appropriate servers for your state/country. Like tiersten said, if all you're doing is syncing LAN devices and don't need an extremely high level of precision, use a couple of stratum-2 servers. Whatever you choose to do just make sure you follow the rules (listed on that site) for each server.
-
hypnotoad Banned Posts: 915
NTP is lightweight. You can run an NTP daemon in a virtual machine almost anywhere - I wouldn't even bother giving it a dedicated machine. With the DC is the way to go in Windows though.
-
tiersten Member Posts: 4,505
> NTP is lightweight. You can run an NTP daemon in a virtual machine almost anywhere - I wouldn't even bother giving it a dedicated machine. With the DC is the way to go in Windows though.
-
tiersten Member Posts: 4,505
Oh and regarding the original question. Yes. You should run a local time server somewhere and point all your devices/servers at that.
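
The advice in the replies (query several servers so a bad one can be outvoted, and stay within the Kerberos 5-minute tolerance), as an added example that is not from any poster in the thread. It parses NTP server replies, computes each clock offset and takes the median; the server names, timestamps and packets are constructed sample data, and the 1-second outlier threshold is an assumption.

```python
import struct
from statistics import median

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
KERBEROS_MAX_SKEW = 300.0     # the 5-minute default tolerance mentioned in the thread

def parse_reply(pkt):
    """Return (stratum, t2 receive, t3 transmit) as Unix seconds from an NTP server reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = struct.unpack("!BB", pkt[:2])
    # Mode 4 = server; leap 3 or stratum 0/16 means the server itself is unsynchronised.
    if (flags & 0x7) != 4 or (flags >> 6) == 3 or not 1 <= stratum <= 15:
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", pkt[32:48])
    return stratum, rx_s - NTP_UNIX_DELTA + rx_f / 2**32, tx_s - NTP_UNIX_DELTA + tx_f / 2**32

def clock_offset(pkt, t1, t4):
    """Standard NTP offset; t1/t4 are the client's own send/receive times."""
    _, t2, t3 = parse_reply(pkt)
    return ((t2 - t1) + (t3 - t4)) / 2

def assess(samples, outlier_s=1.0):
    """samples: {name: (reply, t1, t4)} -> (consensus offset, outlier names, kerberos_ok)."""
    offsets = {}
    for name, (pkt, t1, t4) in samples.items():
        try:
            offsets[name] = clock_offset(pkt, t1, t4)
        except ValueError:
            continue  # drop unsynchronised or malformed sources
    if len(offsets) < 3:
        raise RuntimeError("need at least 3 usable sources to outvote a bad one")
    consensus = median(offsets.values())
    outliers = sorted(n for n, o in offsets.items() if abs(o - consensus) > outlier_s)
    return consensus, outliers, abs(consensus) < KERBEROS_MAX_SKEW

def make_reply(stratum, server_time, leap=0):
    """Build a constructed NTPv4 server reply (sample data, not captured traffic)."""
    sec, frac = int(server_time) + NTP_UNIX_DELTA, int((server_time % 1) * 2**32)
    return struct.pack("!BB30xIIII", (leap << 6) | (4 << 3) | 4, stratum, sec, frac, sec, frac)

T1, T4 = 1700000000.0, 1700000000.04   # constructed client send/receive times (40 ms RTT)
SAMPLES = {                             # hypothetical upstream names, constructed offsets
    "upstream-a": (make_reply(2, T1 + 0.02 + 0.25), T1, T4),
    "upstream-b": (make_reply(2, T1 + 0.02 + 0.30), T1, T4),
    "upstream-c": (make_reply(1, T1 + 0.02 + 4000), T1, T4),   # wrong by over an hour
    "upstream-d": (make_reply(0, T1 + 0.02, leap=3), T1, T4),  # unsynchronised
}

if __name__ == "__main__":
    print(assess(SAMPLES))
```

The stratum-1 sample is deliberately the wrong one: a low stratum number does not make a source correct, which is why the median over several sources decides.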