Re: 'restrict' line in ntp.conf

---

• From: Tom Smith <smith@xxxxxxxxxxxxxx>
• Date: Sat, 16 Jul 2005 13:50:59 GMT

---

derek.flake@xxxxxxx wrote:

I've looked through a lot of documentation but I haven't been able to
find a solid explanation of the 'restrict' line seen in many sample
ntp.conf files. I'm running NTP v4 on Windows 2003.

See http://www.eecis.udel.edu/~mills/ntp/html/accopt.html . The HTML
documentation is included in the source distribution.

I need to set up hierarchical NTP so that a Windows 2003 server syncs to
a GPS stratum 1 clock, and a client syncs to the Windows 2003 server at
a stratum 3 level. It seems that simply placing "server x.x.x.x" in
each consecutive ntp.conf file creates a conflict of some sort, and the
offsets are inconsistent (from 5ms to 900ms or more).

Setting aside the fact that, for a robust configuration, each
system should have 4 or more servers, you do in fact only need
each system to have server declarations for each of the
lower stratum servers it will use. Add to that some basic
security and a drift file, and you have something like the
following starter kit for every level:

driftfile [path]/ntp.drift
server 1.2.3.4
[more servers]
restrict default nomodify notrap nopeer
restrict 127.0.0.1

There are other declarations and options that are useful
depending on your situtation. For example, adding "iburst"
to the server line is often a good idea for servers that are
on a WAN and/or to accelerate initial synchronization.

It will take some time for NTP to stabilize on a system that
has never been synchronized before. Expect the offsets to
oscillate for even a few days before it computes a good
characteristic drift rate for that system and settles in.
You can (and should) accelerate this process by first setting
the time with "ntpdate -b [server]" or an alternative
sntp-based clock setting method before starting ntpd. If you
haven't done that, monitor your ntp.drift file and make sure
it hasn't gotten some absurdly large absolute value (in the
hundreds). If it has, stop ntpd, delete the drift file, set the
clock with ntpdate (or an alternative), start ntpd
again, and wait for it and ntp.drift to stabilize before
stopping it.

Cheers,
Tom
.

---

• References:
  • 'restrict' line in ntp.conf
    • From: derek . flake

• Prev by Date: Re: Drift file/Log files don't get created
• Next by Date: Re: 'restrict' line in ntp.conf
• Previous by thread: 'restrict' line in ntp.conf
• Next by thread: Re: 'restrict' line in ntp.conf
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Binding Windows Services to Specific Addresses Only ... Document the server. ... If this is a corporate environment, ... Install the minimums. ... The network configuration for the server should restrict what the server has ... (Focus-Microsoft) RE: Restrict WAN access ... I need to restrict access to the Terminal ... Server from outside the network for some users. ... LAN & WAN access to others. ... (microsoft.public.windows.terminal_services) Re: Xen virtual machines and ntp ... I have set up a local ntp server with this ntp.conf: ... restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap ... (RedHat) Re: Xen virtual machines and ntp ... I have set up a local ntp server with this ntp.conf: ... restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap ... (RedHat) Re: notrust alternative? ... There is a fundamental misunderstanding of the notrust option, understandable because the documentation is buggy. ... The notrust option applies to clients attempting to retrieve time from your server. ... What you want is the nopeer option, which prevents broadcast, manycast and symmetric peers to mobilize associations and potentially synchronize your clock. ... restrict default kod nomodify notrap nopeer noquery ... (comp.protocols.time.ntp)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)