Local or public NTP servers?

Solution 1:

The best practice is to run your own pool of NTP servers set to sync from public NTP servers. In the event that your organization was to lose internet access, you would not want your clocks to become skewed. Further, it is rude to set thousands of hosts to public servers when you could (and should) operate a mirror.

Finally, if you have a secure computing requirement, then you should operate your own independent NTP hosts. You would require special hardware for these systems to operate.

EDIT: Since there was discussion of it, here is some hardware:

Any hardware supporting PPS seems to work on a modern ntpd. This includes some GPS units, although this seems to be rare, at least as rare as serial GPS units are these days. There are hardware devices sold explicitly for this function, however, including one product called TSync-PCIe. According to the manufacturer's site:

The TSync-PCIe offers several configurations of a synchronized timecode reader/generator package offering flexibility and easy integration of precise timing into an embedded computing application. Choose from synchronization to IRIG (and other similar timecodes), GPS (internal or external receivers), or Precise Time Protocol (PTP/IEEE-1588v2). - Site Link: http://i564f.6o.to

Solution 2:

Even on a small network I use a local NTP service, which itself updates from an external one. One reason is purely historical, dating back to when the only connection to the Internet was via dial-up modems. The other is that if the NTP service is wrong for any reason I would prefer all the machines to still be consistent, which is more likely to be the case if they all update from a single source.

Solution 3:

Best practice: set up 2 (or more) NTP hosts at your location and peer them. Have them sync against at least 4 (preferably up to 8) external servers from 0.pool.ntp.org to 3.pool.ntp.org. If you use more than 4, you should adjust the frequency at which they poll the pool members.

Here's an edited version of my ntp.conf:

server 0.us.pool.ntp.org minpoll 8 maxpoll 14
server 1.us.pool.ntp.org minpoll 8 maxpoll 14
server 2.us.pool.ntp.org minpoll 8 maxpoll 14
server 3.us.pool.ntp.org minpoll 8 maxpoll 14

peer ntp2.example.com

driftfile /var/db/drift.ntp
logfile /var/log/ntp.log
logconfig +sysall +syncall

You can omit the minpoll and maxpoll arguments; I add them so I'm a bit lighter on those servers. The values are 2^n seconds, where n is the argument; those values are higher than the defaults (6 & 10) because I already poll 12 different servers between my three NTP hosts.

If you're very concerned with accuracy you might add the following as well:

server tick.usno.navy.mil prefer minpoll 10 maxpoll 16

This will poll the Navy's atomic clock. Note the high poll times, as they're fairly heavily loaded and have requested that people take it easy on their server (actually a 3-node cluster).

Solution 4:

As others have mentioned, for thousands of internal hosts, providing your own time servers is the way to go, for reasons such as (as others already mentioned):

  • structure: configure the time setup as you choose, with as many stratum-1 sources as possible
  • robustness: configure the NTP system to be as robust as needed, using your own clock sources (GPS) and/or NTP sources with different routes
  • politeness: kind consideration for the hosting organizations of external time sources; less load for them
  • performance: limiting external NTP network traffic to a few hosts (minor issue)
  • security: limiting external NTP network traffic to a few hardened hosts

As far as best practices:

From http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm, here is a recommended structure for NTP-only sources.

EDITED - per Paul Gear and the comment after the diagram on the ntp.org website

 1a  1b     1c  1d     1e  1f      outside   
..\ /...\../..\/..\.../.\./...............  
   2a ---p--- 2b ---p--- 2c        inside   (stratum 2 has many stratum 1 sources)
    \   /|\   /|\  /|\  /
          ntp clients

ORIGINAL diagram

 1a  1b     1c  1d     1e  1f      outside
. \ / ...... \ / ...... \ / ..............
   2a ---p--- 2b ---p--- 2c        inside
  /|\        /|\        /|\
 / | \      / | \      / | \
3a 3b 3c   3e 3f 3g   3h 3i 3j

Key: 1 = stratum-1, 2 = stratum-2, 3 = stratum-3, p = peer

Additional information on setting up an NTP server is available from http://www.pool.ntp.org/join/configuration.html, for example:

  • Set up about 5 servers
  • Use the standard ntpd
  • Don't use the LOCAL clock driver
  • Use NTP time sources that are geographically/network closest to you and have low stratum numbers
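Added here as an example (not from any of the answers above): a small Python checker that reads an ntp.conf like the one posted in Solution 3 and flags deviations from the guidance in Solutions 3 and 4 (4 to 8 external servers, a peer, no LOCAL clock driver), and converts minpoll/maxpoll exponents to seconds. The `restrict default` check is my own addition for the "hardened hosts" point and is not something the answers spell out.

```python
# Constructed sample: the ntp.conf fragment from Solution 3, as posted (no restrict lines).
SAMPLE_CONF = """\
server 0.us.pool.ntp.org minpoll 8 maxpoll 14
server 1.us.pool.ntp.org minpoll 8 maxpoll 14
server 2.us.pool.ntp.org minpoll 8 maxpoll 14
server 3.us.pool.ntp.org minpoll 8 maxpoll 14
peer ntp2.example.com
driftfile /var/db/drift.ntp
logfile /var/log/ntp.log
logconfig +sysall +syncall
"""

def parse_ntp_conf(text):
    """Return [(directive, [args])] for every non-comment, non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries

def poll_windows(text):
    """Map each server/peer host to (min, max) poll interval in seconds.
    minpoll/maxpoll are exponents: 2**n seconds; ntpd defaults are 6 and 10."""
    windows = {}
    for directive, args in parse_ntp_conf(text):
        if directive in ("server", "peer") and args:
            minp, maxp = 6, 10
            for i, tok in enumerate(args[:-1]):      # flags like 'prefer' carry no value
                if tok == "minpoll": minp = int(args[i + 1])
                if tok == "maxpoll": maxp = int(args[i + 1])
            windows[args[0]] = (2 ** minp, 2 ** maxp)
    return windows

def check_ntp_conf(text):
    """Check an ntp.conf against the answers' guidance; return a list of findings."""
    entries = parse_ntp_conf(text)
    servers = [a for d, a in entries if d == "server" and a]
    # 127.127.t.u addresses select reference-clock drivers, not network sources.
    external = [a for a in servers if not a[0].startswith("127.127.")]
    findings = []
    if any(a[0].startswith("127.127.1.") for a in servers):
        findings.append("LOCAL clock driver configured; pool.ntp.org advises against it")
    if not 4 <= len(external) <= 8:
        findings.append(f"{len(external)} external servers; want 4 to 8")
    if not any(d == "peer" for d, _ in entries):
        findings.append("no peer line; internal NTP hosts should peer with each other")
    # Assumption (my addition): a hardened host should refuse remote control queries.
    restricts = [a for d, a in entries if d == "restrict" and a[:1] == ["default"]]
    if not any({"noquery", "nomodify"} <= set(a) for a in restricts):
        findings.append("no 'restrict default ... nomodify noquery' line")
    return findings
```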