Apr 08, 2019

The first-level time servers are primarily intended to act as source time servers for second-level time servers. The first-level time servers may also be capable of providing mission-critical time services. Some first-level time servers may have a restricted access policy. Second-level time servers are intended for general SNTP time service needs. To use this specific pool zone, add the following to your ntp.conf file:

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server.
The best practice is to run your own pool of NTP servers set to sync from public NTP servers. In the event that your organization was to lose internet access, you would not want your clocks to become skewed. Further, it is rude to set thousands of hosts to public servers when you could (and should) operate a mirror. Finally, if you have a secure computing requirement, then you should operate your own independent NTP hosts. You would require special hardware for these systems to operate.

EDIT: Since there was discussion of it, here is some hardware: Any hardware supporting PPS seems to work on a modern ntpd. This includes some GPS units, although this seems to be rare, at least as rare as serial GPS units are these days. There are hardware devices sold explicitly for this function, however, including one product called TSync-PCIe.
According to the manufacturer's site:

The TSync-PCIe offers several configurations of a synchronized timecode reader/generator package offering flexibility and easy integration of precise timing into an embedded computing application. Choose from synchronization to IRIG (and other similar timecodes), GPS (internal or external receivers), or Precise Time Protocol (PTP/IEEE-1588v2). - Site Link.
Best practice: set up 2 (or more) NTP hosts at your location, peer them. Have them sync against at least 4 (preferably, up to 8) external servers from 0.pool.ntp.org to 3.pool.ntp.org. If you use more than 4 you should adjust the frequency that they poll the pool members. Here's an edited version of my ntp.conf:

server 0.us.pool.ntp.org minpoll 8 maxpoll 14
server 1.us.pool.ntp.org minpoll 8 maxpoll 14
server 2.us.pool.ntp.org minpoll 8 maxpoll 14
server 3.us.pool.ntp.org minpoll 8 maxpoll 14
peer ntp2.example.com
driftfile /var/db/drift.ntp
logfile /var/log/ntp.log
logconfig +sysall +syncall

You can omit the minpoll and maxpoll arguments; I add them so I'm a bit lighter on those servers.
The values are 2^n seconds, where n is the argument; those values are higher than the defaults (6 & 10) because I already poll 12 different servers between my three NTP hosts. If you're very concerned with accuracy you might add the following as well:

server tick.usno.navy.mil prefer minpoll 10 maxpoll 16

This will poll the navy's atomic clock. Note the high poll times, as they're fairly heavily loaded and have requested people take it easy on their server (actually a 3 node cluster).
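As an added example (my own code, not part of the answer above), here is a small Python checker that parses an ntp.conf in the layout shown and applies that answer's guidance: at least four upstream servers, a local peer, a driftfile, and raised poll intervals once more than four servers are polled. It also converts the minpoll/maxpoll arguments into the 2^n seconds they stand for. The sample config is constructed from the lines quoted above; the defaults 6 and 10 come from the answer, and the maxpoll ceiling of 17 is ntpd's documented upper limit, not something the post states.

```python
"""Parse an ntp.conf and check it against the layout recommended above."""
from dataclasses import dataclass

# Constructed sample, following the edited ntp.conf shown in the answer above.
SAMPLE_NTP_CONF = """\
server 0.us.pool.ntp.org minpoll 8 maxpoll 14
server 1.us.pool.ntp.org minpoll 8 maxpoll 14
server 2.us.pool.ntp.org minpoll 8 maxpoll 14
server 3.us.pool.ntp.org minpoll 8 maxpoll 14
peer ntp2.example.com
driftfile /var/db/drift.ntp
logfile /var/log/ntp.log
logconfig +sysall +syncall
"""

# ntpd defaults: poll intervals are 2**n seconds, so 2**6 = 64 s and 2**10 = 1024 s.
DEFAULT_MINPOLL = 6
DEFAULT_MAXPOLL = 10
MAXPOLL_LIMIT = 17  # ntpd's documented upper limit (2**17 s, roughly 36 hours)


@dataclass
class Association:
    """One 'server' or 'peer' line with the options this checker models."""
    kind: str
    host: str
    minpoll: int = DEFAULT_MINPOLL
    maxpoll: int = DEFAULT_MAXPOLL
    prefer: bool = False

    def poll_window_seconds(self):
        """Translate the power-of-two arguments into actual seconds."""
        return 2 ** self.minpoll, 2 ** self.maxpoll


def parse_ntp_conf(text):
    """Return (associations, other_directives). Text after '#' is a comment."""
    associations, directives = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("server", "peer") and args:
            assoc = Association(kind=keyword, host=args[0])
            i = 1
            while i < len(args):
                if args[i] in ("minpoll", "maxpoll") and i + 1 < len(args):
                    setattr(assoc, args[i], int(args[i + 1]))
                    i += 2
                elif args[i] == "prefer":
                    assoc.prefer = True
                    i += 1
                else:
                    i += 1  # options not modelled here (iburst, key, ...)
            associations.append(assoc)
        else:
            directives.setdefault(keyword, []).append(args)
    return associations, directives


def check_ntp_conf(text, min_servers=4, max_servers=8):
    """Return a list of findings; an empty list means the file follows the guidance."""
    associations, directives = parse_ntp_conf(text)
    servers = [a for a in associations if a.kind == "server"]
    peers = [a for a in associations if a.kind == "peer"]
    findings = []
    if len(servers) < min_servers:
        findings.append(f"only {len(servers)} upstream server(s); use at least {min_servers}")
    if len(servers) > max_servers:
        findings.append(f"{len(servers)} upstream servers; more than {max_servers} is excessive")
    if len(servers) > 4 and any(
        (s.minpoll, s.maxpoll) == (DEFAULT_MINPOLL, DEFAULT_MAXPOLL) for s in servers
    ):
        findings.append("more than 4 upstream servers at default poll intervals; raise minpoll/maxpoll")
    if not peers:
        findings.append("no peer line; a second local NTP host should be peered")
    if "driftfile" not in directives:
        findings.append("no driftfile; the frequency estimate is lost on every restart")
    for a in associations:
        if a.minpoll > a.maxpoll or a.maxpoll > MAXPOLL_LIMIT:
            findings.append(
                f"{a.host}: minpoll {a.minpoll} / maxpoll {a.maxpoll} is inverted or above {MAXPOLL_LIMIT}"
            )
    return findings


if __name__ == "__main__":
    associations, _ = parse_ntp_conf(SAMPLE_NTP_CONF)
    for a in associations:
        lo, hi = a.poll_window_seconds()
        print(f"{a.kind:6} {a.host:24} polls every {lo}..{hi} s")
    print("findings:", check_ntp_conf(SAMPLE_NTP_CONF) or "none")
```

Run against the sample, the four pool lines resolve to a 256 s to 16384 s poll window, the peer stays at the 64 s to 1024 s defaults, and no findings are raised; appending a fifth server without minpoll/maxpoll triggers the "default poll intervals" finding the answer warns about.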
As others have mentioned, for thousands of internal hosts, providing your own time servers is the way to go. I think most large networks use a small pool of dedicated internal ntp servers. Ntp traffic is pretty light so you probably don't need many servers to serve a large organization. As with all network services, the advantage of running your own ntp servers is you get more control and get to make more decisions. For example, if you lose network connectivity to the outside world, your machines can continue to talk to your internal ntp server and you don't have to worry about them all having to reconnect to external servers. If you have thousands of servers you should also consider running your own dedicated time server, for example off a gps device or via a. I'm not sure how much that costs these days but it can't be expensive relative to the thousands of systems you are already supporting.
Then you have an accurate time service completely independent of your connection to the outside world. Another point to consider is that running your own ntp servers is more polite. That way you have just a few machines making external requests as opposed to thousands. I'm sure the admins of the publicly accessible ntp servers out there would appreciate that. Plus it will reduce your external network traffic slightly (very slightly) which is probably a good thing. Also if you run your own ntp servers you can tighten up your firewall a little bit since just a few machines are connecting to the outside on port 123 instead of lots of machines. That might be useful. ntp is easy to set up and once you have it running it requires very little maintenance. Every company I've ever been involved with has set up its own ntp servers and that has worked just fine.

A good reason for running your own NTP server(s) in a large network is making sure all your machines agree on the correct time.
Having lots of systems with their own settings for external time servers (or all using different pool.ntp.org members) can lead to small differences in time on systems which may lead to problems. The other good reason is that having your own NTP server(s) means synchronized time will stay available from a few (monitored!) servers when the outside link goes down or is saturated with traffic. All my opinion as a timegeek.