
NTP, OS X, Windows, Cisco and You

At this point, most Mac admins know how to enable ntp on a Mac OS X Server and set clients to the server. Most Mac admins also know how to use managed preferences to set ntp as well. We all know that time is pretty important and most are using ntp at this point.

Network time should, almost by definition, be continuous, which allows ntpd in Mac OS X to update clocks in small increments. Managing corrections this way, with little overhead or impact to the system, makes ntp an inexpensive method for managing clocks. But ntp is also built to keep things running smoothly even when there are a lot of corrections. When ntp makes a lot of corrections, they are tracked and can be seen using the ntpdc command. The ntpdc command is used to view and set the state of the ntp daemon and is interactive. To enter the interactive environment, simply type ntpdc at a terminal prompt:

ntpdc

Once you are in the ntpdc interactive environment you will need to use one of the many verbs provided for ntpdc. One such verb is loopinfo, used to “display loop filter information”:

ntpdc> loopinfo

offset: 0.017866 s
frequency: -499.996 ppm
poll adjust: 13
watchdog timer: 209 s

The above output has four items of interest:

  • Offset: How far off the client is from the server (drift is natural, so all zeros in this category typically represent the server being offline).
  • Frequency: The frequency offset, in ppm, by which external signals can correct the kernel clock.
  • Poll adjust: Used to increase or decrease the polling interval. The range is -30 to 30. 13 is an increase of 13 seconds whereas -30 would represent a decrease of 30 seconds.
  • Watchdog timer: The time since the last update to the system.

Note: To make it easier to parse, you can run loopinfo with the oneline option, placing output into a single comma-separated line.

There are other verbs as well, which allow you to add servers (addserver), show peers (showpeer), set a password to use for password requests (passwd), see various statistics (sysstats, sysinfo, stats, instates, ctlstats, clockstat, iostats) and set encryption keys (keyid, trustedkey, untrustedkey, etc). There’s a pretty good bit you can do with these verbs; just run help to see a full list of supported verbs (my favorite verb other than loopinfo is fudge).

You can also check ntp information on the fly using the ntpq command. Here, ntpq -p will show you the name, IP address and other information live:

ntpq -p

Returns:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.apple.com  17.72.133.55     2 u 181m  512  376   32.169   17.084   0.315
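
As an added example (not from the original post), the Python below parses ntpq -p output like the sample above and flags peers worth a look, decoding the octal reach register and the m/h/d suffixes on the when column. The second peer line, the ntp2.example name and the 100 ms offset threshold are assumptions made for illustration.

```python
import re

# Constructed sample: the first peer line is the one shown above, the second is invented.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.apple.com  17.72.133.55     2 u 181m  512  376   32.169   17.084   0.315
 ntp2.example    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
"""

TALLY = {"*": "system peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", " ": "rejected"}
UNITS = {"m": 60, "h": 3600, "d": 86400}

def seconds(field):
    """Convert a when/poll field ('45', '181m', '2h', '-') to seconds."""
    m = re.fullmatch(r"(\d+)([mhd]?)", field)
    return int(m.group(1)) * UNITS.get(m.group(2), 1) if m else None

def parse_peers(text):
    """Yield one dict per peer line of `ntpq -p` output."""
    for line in text.splitlines():
        cols = line[1:].split()
        if len(cols) != 10 or cols[0] == "remote":
            continue  # header, separator or blank line
        yield {
            "tally": TALLY.get(line[0], "other"),  # column 0 is the tally code
            "remote": cols[0],
            "when": seconds(cols[4]),    # seconds since the last packet, or None
            "poll": seconds(cols[5]),
            "reach": int(cols[6], 8),    # 8-poll shift register, printed in octal
            "offset_ms": float(cols[8]),
        }

def findings(peer, max_offset_ms=100.0):
    """Return reasons this peer deserves a look (threshold is an assumption)."""
    out = []
    if peer["reach"] == 0:
        out.append("unreachable: none of the last 8 polls answered")
    elif not peer["reach"] & 1:  # low bit is the most recent poll
        out.append("most recent poll unanswered or still pending")
    if peer["when"] is not None and peer["when"] > 8 * peer["poll"]:
        out.append("no packet for more than 8 poll intervals")
    if abs(peer["offset_ms"]) > max_offset_ms:
        out.append("offset above %.0f ms" % max_offset_ms)
    return out

for p in parse_peers(SAMPLE):
    print(p["remote"], p["tally"], format(p["reach"], "08b"), findings(p))
```

To check a live system, pass the captured output of ntpq -p to parse_peers instead of SAMPLE.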

Windows clients using Active Directory domains automatically get time from domain controllers. If a client is part of an Open Directory or SMB-based domain, you can add an NTP server by clicking on the time in the system tray (bottom right corner of the Windows screen). Click on Internet Time. Click the check box for Automatically synchronize with an Internet time server. Enter the name or IP of the ntp server. Click the Update Now button.
When finished, you’ll see a note that Your time has been successfully synchronized.

For clients other than Windows, it makes little sense to set ntp settings with a GPO, given that systems not in Active Directory won’t really use them. And most environments that don’t have a directory service are pretty small. But this isn’t to say that you won’t want to deploy these settings en masse. Much as you can use the /etc/ntp.conf file or the systemsetup -setnetworktimeserver command to configure a time server in Mac OS X, you can use the registry to do so in Windows. If you can use the registry to configure a setting, you can then use regedit or regedt32 to set the keys programmatically.

But if you choose to, the keys are in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (most notably the NtpServer key) or you can use w32tm with the /config option. Once configured, reset the time to that of the time server to test. This can be tested with w32tm:

w32tm /resync /rediscover

Mac OS X and Windows can use an ntp-based server, but given that ntp is so widely used, what else? Using ntp with appliances can help with authentication protocols and also assist with triangulating issues from within log files. So, how about a Cisco IOS device? SSH into one and let’s get started. First off, run the enable command and then provide a password:

enable

Then, go into config mode:

config t

Now we’re going to use the ntp command and issue an update-calendar to tell IOS to update the hardware clock from the software clock:

ntp update-calendar

Then we’ll specify our ntp server(s):

ntp server 10.0.0.88

Note: Just run the ntp server command twice if you want to specify a second ntp server.

Then exit config mode:

exit

And write your new settings into memory:

wr mem