Configure the NTP service and intranet server time synchronization on CentOS 7.2
Network Time Protocol (NTP) is a standard Internet protocol used for time synchronization on the Internet. NTP synchronizes computer time to a given time standard; the current standard is Coordinated Universal Time (UTC). The primary developer of NTP is Professor David L. Mills of the University of Delaware.
What is NTP good for? Simply put, when your computer's clock is inaccurate, you can connect to the Internet and synchronize the time from it.
For an enterprise with hundreds of thousands of computers, you cannot connect all of them to the Internet directly, the clock still affects your business, and correcting machines one at a time is far too much work. This is where setting up an NTP server shows its advantages.
In the enterprise, assume the NTP server topology is roughly as follows:
[Figure: NTP server topology]
Configure the relevant yum sources to make sure your NTP server can connect to the Internet.
1. Install the ntp service with yum:
# yum install -y ntp
Configure it to start on boot:
# chkconfig ntpd on
# chkconfig --list ntpd
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
2. Edit the ntp configuration file
# vim /etc/ntp.conf
Add the following content:
# Allow other machines in the intranet segment 192.168.0.0 to synchronize time
restrict 192.168.0.0 mask 255.255.0.0 nomodify
# China's most active time servers: http://www.pool.ntp.org/zone/cn
server ntp.api.bz prefer
server 210.72.145.44   # China National Time Service Center
server 202.112.10.36   # 1.cn.pool.ntp.org
server 59.124.196.83   # 0.asia.pool.ntp.org
# Allow the upper-layer time servers to actively modify the local time
restrict ntp.api.bz nomodify notrap noquery
restrict <upstream server address> nomodify notrap noquery   # address garbled in the source; one line per upstream server
# When the external time servers are unavailable, use the local clock as the time source
server 127.127.1.0     # local clock
fudge 127.127.1.0 stratum 10
Final parameters:
# cat /etc/ntp.conf | awk '{if ($0 !~ /^$/ && $0 !~ /^#/) {print $0}}'
Or
# cat /etc/ntp.conf | grep "^[^#]"
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.0.0 mask 255.255.0.0 nomodify
server ntp.api.bz prefer
server 210.72.145.44   # China National Time Service Center
server 202.112.10.36   # 1.cn.pool.ntp.org
server 59.124.196.83   # 0.asia.pool.ntp.org
server 127.127.1.0     # local clock
fudge 127.127.1.0 stratum 10
server <pool server> iburst   # hostname garbled in the source
server <pool server> iburst   # hostname garbled in the source
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
List of commonly used time servers in China:
210.72.145.44          IP address of the National Time Service Center server
ntp.sjtu.edu.cn        202.120.2.101, NTP server of the Shanghai Jiao Tong University network center
s1d.time.edu.cn        Southeast University
s1e.time.edu.cn        Tsinghua University
s2a.time.edu.cn        Tsinghua University
s2e.time.edu.cn        regional network center
s2g.time.edu.cn        East China region network center
s2h.time.edu.cn        Sichuan University network management center
s2j.time.edu.cn        Dalian University of Technology network center
s2k.time.edu.cn        CERNET Guilin master node
s2m.time.edu.cn        Peking University
(hostnames lost in the source for: Beijing University of Posts and Telecommunications, Tsinghua University, Peking University, Tsinghua University, Beijing University of Posts and Telecommunications, Southwest China regional network center)
Before configuring ntpd, use ntpdate to synchronize the time manually once, so that the difference between the local clock and the external time server is not too large; otherwise ntpd cannot synchronize normally.
# ntpdate -u ntp.api.bz
13 Apr 14:45:05 ntpdate[11464]: step time server 61.153.197.226 offset 28824.742403 sec
Start the service after the NTP server is configured:
# service ntpd start
It listens on UDP port 123, which you can check with:
# netstat -tnulp | grep ntp
udp        0      0 192.168.8.102:123       0.0.0.0:*               11484/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*               11484/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*               11484/ntpd
udp6       0      0 fe80::4637:e6ff:fe5:123 :::*                    11484/ntpd
udp6       0      0 ::1:123                 :::*                    11484/ntpd
udp6       0      0 :::123                  :::*                    11484/ntpd
After the restart you have to wait a few minutes, or up to ten, before the time is synchronized:
# ntpdate 192.168.8.100
11 Aug 11:38:30 ntpdate[7619]: adjust time server 10.17.1.60 offset 0.000178 sec
If you test immediately after the restart, the following occurs:
# ntpdate 192.168.8.100
11 Aug 11:05:28 ntpdate[7326]: no server suitable for synchronization found
You can use the -d option to see the details:
# ntpdate -d 192.168.8.100
ntpq -p: view the NTP servers on the network and display the relationship between the client and each server.
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*61.153.197.226  216.218.192.202  2 u   37   64    1   47.274   10.405   0.000
 210.72.145.44   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 gus.buptnet.edu 10.3.9.9         4 u   35   64    1   81.880    2.559   0.000
 59-124-196-83.H .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)        .LOCL.          10 l    -   64    0    0.000    0.000   0.000
 ntp2.aliyun.com 10.137.38.86     2 u   22   64    1   35.176    4.490   1.640
The ntpstat command checks the time synchronization status. It usually takes 5 to 10 minutes to connect and synchronize, so wait a moment after the server is started.
Right after starting, it generally shows:
# ntpstat
unsynchronised
  time server re-starting
   polling server every 64 s
After connection and synchronization:
# ntpstat
synchronised to NTP server (110.75.186.248) at stratum 3
   time correct to within 225 ms
   polling server every 64 s
NTP configuration file:
/etc/ntp.conf is the configuration file of the NTP service.
1) Permissions are set mainly with the restrict parameter. Syntax: restrict <IP address> mask <subnet mask> <parameters>, where the IP can be an address or default; default means all IPs. The parameters include:
ignore: refuse all NTP services to the matching hosts
nomodify: the client cannot change the server's time parameters, but it can still calibrate its clock through the server
notrust: unless the client passes authentication, its source is treated as an untrusted subnet
noquery: no time query is provided to the client
2) Set the upper-level time server with the server parameter. Syntax: server <IP address or domain name> [prefer]. The IP address or domain name is our designated upstream time server; if prefer is added, our NTP server is calibrated mainly against that host's time.
3) Use the driftfile parameter to handle the transmission delay when the NTP server calibrates its time. Syntax: driftfile <file name>. The time spent contacting the upper-level time server is recorded in the file named after the driftfile parameter. Note: driftfile must be followed by a complete path and file name, not a link file, and the file's permissions must allow the ntpd daemon to write it.
The /usr/share/zoneinfo/ directory stores the setting files for each time zone.
/etc/localtime: local system time setting file.
/etc/sysconfig/clock: local time zone setting file.
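As an added check (not part of the original post), the following script applies the restrict rules explained above to an ntp.conf read from standard input, using the option names from the final server configuration earlier on this page; the two sample configurations inside it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: lint an ntp.conf for the
# access-control settings the final server configuration above relies on.
# Reads the config on stdin, prints one line per failed check and returns
# the number of failures (0 = pass).

# True if the single config line $1 carries the restrict option $2.
has_opt() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

check_ntp_conf() {
    fails=0
    # Keep active lines only (the post's grep "^[^#]"), one space between tokens.
    active=$(sed 's/#.*//; s/[[:blank:]]\{1,\}/ /g; s/^ //; s/ $//; /^$/d')

    # 1. The catch-all policy for unknown hosts must carry every option of
    #    "restrict default kod nomodify notrap nopeer noquery"; noquery in
    #    particular refuses ntpq/ntpdc status queries from arbitrary hosts.
    dflt=$(printf '%s\n' "$active" | grep '^restrict default' | head -n 1)
    for opt in kod nomodify notrap nopeer noquery; do
        has_opt "$dflt" "$opt" || { echo "FAIL: restrict default lacks $opt"; fails=$((fails + 1)); }
    done

    # 2. Intranet segments admitted with "restrict <net> mask <mask>" must keep
    #    nomodify: clients may read time but never reconfigure the server.
    open=$(printf '%s\n' "$active" | grep '^restrict .* mask ' | grep -vc nomodify || true)
    [ "$open" -eq 0 ] || { echo "FAIL: $open segment(s) admitted without nomodify"; fails=$((fails + 1)); }

    # 3. At least one upstream besides the local clock (127.127.1.0), otherwise
    #    the server only hands out its own free-running time.
    up=$(printf '%s\n' "$active" | grep '^server ' | grep -vc '^server 127\.127\.' || true)
    [ "$up" -gt 0 ] || { echo "FAIL: no upstream server besides the local clock"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample configs for a stand-alone run (not taken from the post).
GOOD_CONF='restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.0.0 nomodify
server 210.72.145.44   # China National Time Service Center
server 127.127.1.0     # local clock
fudge 127.127.1.0 stratum 10'
BAD_CONF='restrict default kod notrap nopeer
restrict 192.168.0.0 mask 255.255.0.0
server 127.127.1.0'

printf '%s\n' "$GOOD_CONF" | check_ntp_conf && echo "good config: PASS"
printf '%s\n' "$BAD_CONF" | check_ntp_conf || echo "bad config: $? failure(s)"
```

To check a live server, run check_ntp_conf < /etc/ntp.conf after editing.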
Configure the intranet NTP clients
The other devices on the intranet are configured as NTP clients; this is relatively simple, and the configuration is the same on all of them.
Install the ntpd service and configure it to start on boot (exactly as for the NTP server). Prepare the configuration file /etc/ntp.conf on one client; after it is verified, copy the file to the other clients and use it directly.
# yum install -y ntp
# chkconfig ntpd on
# vim /etc/ntp.conf
Add the following content:
# Set the time server to the local intranet time server
server 192.168.8.100
restrict 192.168.8.100 nomodify notrap noquery
server 127.127.1.0   # local clock
fudge 127.127.1.0 stratum 10
Before requesting the server, use ntpdate to synchronize manually once:
# ntpdate -u 192.168.8.100
13 Apr 14:49:51 ntpdate[4114]: no server suitable for synchronization found
Synchronization may fail. Usually the reason is that the local ntpd server has not finished starting: it takes several minutes before it begins serving synchronization.
For diagnosing the error, refer to the error handling section below.
# service ntpd restart
View the synchronization status after startup:
# ntpq -p
# ntpstat
.....
Because this is an intranet, ntpstat shows synchronised fairly soon; wait a few minutes.
After the local client configuration is complete, use scp to copy /etc/ntp.conf to the other client machines to be synchronized and start the ntpd service there.
The operations on the other client machines are as follows:
# ntpdate -u 192.168.8.100
# scp 192.168.8.xxx:/etc/ntp.conf /etc/ntp.conf
# service ntpd start
No server suitable for synchronization found
When you query with ntpdate -d, you will find one of the following two error messages behind "no server suitable for synchronization found":
Error 1. Server dropped: Strata too high
When ntpdate <serverIP> is run on the NTP client, the error "no server suitable for synchronization found" is displayed.
On the NTP client, ntpdate -d <serverIP> shows the error "Server dropped: strata too high" and displays "stratum 16". Normally the value of stratum ranges from 0 ~ 15.
This is because the NTP server has not yet synchronized with itself or with its upstream server.
The following definition keeps the NTP server synchronized with itself: if the servers defined in /etc/ntp.conf are unavailable, the local time is used as the NTP service and provided to the NTP clients.
server 127.127.1.0
fudge 127.127.1.0 stratum 8
After you restart the ntp service on the NTP server, it may take five minutes for the server to synchronize with itself or with its upstream servers; during that time, running ntpdate on a client produces the "no server suitable for synchronization found" error.
So how do you know when the NTP server has completed synchronization with itself?
Run the following command on the NTP server:
# watch ntpq -p
Screen:
Every 2.0s: ntpq -p                                  Thu Jul 10 02:28:32 2008

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.30.22   LOCAL(0)         8 u   22   64    1    2.113  179133.   0.001
 LOCAL(0)        LOCAL(0)        10 l   21   64    1    0.000    0.000   0.000
Note that LOCAL is the NTP server synchronized with itself.
Note that the value of reach increases from 0 after the ntpd service starts. When it reaches 17 it has changed 5 times from 0, and each change takes one poll interval of 64 seconds, so the time needed is 64 seconds * 5 = 320 seconds.
If synchronization from the NTP client to the server still fails, use ntpdate -d to query the detailed error information and judge from that.
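An added example, not from the original post, that combines the ntpq -p listing described earlier with the stratum-16 and reach rules from this section: it reads ntpq -p output from standard input and reports which peers are usable, and decodes the octal reach register. The sample output embedded in it is constructed after the listings on this page.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two rules from the
# troubleshooting text to "ntpq -p" output read on stdin. A peer at stratum 16
# is itself unsynchronised ("strata too high"), and reach 0 means no poll
# has succeeded since ntpd started, so clients must keep waiting.

# reach is an octal shift register of the last 8 polls (1 bit per poll):
# print how many of them succeeded, e.g. 17 (octal) = 1111b = 4 successes.
reach_successes() {
    awk -v r="$1" 'BEGIN {
        v = 0; for (i = 1; i <= length(r); i++) v = v * 8 + substr(r, i, 1)
        n = 0; while (v > 0) { n += v % 2; v = int(v / 2) }
        print n }'
}

# One verdict per peer line; exits 0 only if at least one peer is usable.
assess_peers() {
    awk 'NR <= 2 { next }                    # skip the header and ===== rule
        {
            line = $0
            sub(/^[ *+#o x.-]/, "", line)    # drop the tally mark (*, +, space, ...)
            n = split(line, f)               # remote refid st t when poll reach ...
            if (n < 9) next
            st = f[3] + 0; reach = f[7]
            if (st == 16)             v = "stratum 16: source itself unsynchronised"
            else if (reach + 0 == 0)  v = "reach 0: no successful poll yet, keep waiting"
            else { v = "usable, " reach " (octal) reach"; ok = 1 }
            printf "%-16s st=%-2d reach=%-3s -> %s\n", f[1], st, reach, v
        }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample modelled on the ntpq -p output shown in the post.
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*61.153.197.226  216.218.192.202  2 u   37   64    1   47.274   10.405   0.000
 210.72.145.44   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 59-124-196-83.H .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)        .LOCL.          10 l    -   64    0    0.000    0.000   0.000'

printf '%s\n' "$SAMPLE" | assess_peers          # run against the sample
echo "reach 17 = $(reach_successes 17) successful polls of the last 8"
```

On a live server, ntpq -p | assess_peers gives the same verdicts for the real peers.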
Error 2. Server dropped: no data
When ntpdate -d is executed from the client, the error message is as follows:
transmit(192.168.30.22)
transmit(192.168.30.22)
transmit(192.168.30.22)
transmit(192.168.30.22)
transmit(192.168.30.22)
192.168.30.22: Server dropped: no data
server 192.168.30.22, port 123
.....
28 Jul 17:42:24 ntpdate[14148]: no server suitable for synchronization found
There may be two reasons for this problem:
1. Check the ntp version. If you use ntp 4.2 or later and have notrust in a restrict definition, the above error occurs.
Run the following command to check the ntp version:
# ntpq -c version
The following is a description from the ntp official website:
The behavior of notrust changed between versions 4.1 and 4.2.
In 4.1 (and earlier) notrust meant "Don't trust this host/subnet for time".
In 4.2 (and later) notrust means "Ignore all NTP packets that are not cryptographically authenticated." This forces remote time servers to authenticate themselves to your (client) ntpd.
Solution:
Remove notrust.
2. Check the NTP server's firewall. It may be that the server's firewall blocks UDP port 123.
You can run
# service iptables stop
to disable the iptables service and then try to synchronize from the NTP client again. If that succeeds, the firewall was the cause; rather than leaving it stopped, change the iptables settings to allow UDP port 123.
CentOS 7 firewall shutdown method:
# systemctl stop firewalld.service
Disable start on boot:
# systemctl disable firewalld.service