[ntp:questions] Re: Sufficient # servers to sync to
Richard B. Gilbert
rgilbert88 at comcast.net
Thu Mar 17 15:04:39 UTC 2005
John Sasso wrote:
> I am working on a design for the NTP infrastructure for our company. We
>purchased 6 Stratum-1, GPS-sync'd NTP servers, three for each of our two
>data centers located at remote sites. We have a number of subnets at each
>of our secured sites, each secured by a firewall.
>
>According to
>http://ntp.isc.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.
> it suggests NTP clients should sync to a minimum of 4 NTP servers.
>Specifically, it states:
>
>"While the general rule is for 2n+1 to protect against "n" falsetickers,
>this actually isn't true for the case where n=1. It actually takes 2 servers
>to produce a "candidate" time, which is really an interval. The winner is
>the shortest interval for which more than half (counting the two that define
>the interval) have an offset (+/- the dispersion) that lies on the interval
>and that contains the point of greatest overlap."
>
>In the past, I've had NTP clients sync to up to 3 [out of 4] Stratum-2 NTP
>servers. The 4 NTP servers each sync'd to 4 off-site Stratum-1 NTP servers,
>as well as off one-another for additional sanity checking.
>
>For the design, is it overkill for me to require to NTP clients to sync to 4
>NTP servers? How about just 3? The NTP clients consist of Cisco routers
>and firewalls, Windows, Sun, and Linux systems. Part of the environment
>uses Windows AD w/ Kerberos as well as SSL, which I think require accurate
>time.
>
>--john
>
>
>
>
Many people would be satisfied with one "good" server. If the
consequences of that one "good" server being wrong someday are
sufficiently serious to justify the expense, then four servers is the
way to go. Those four servers don't all have to be on-site and running
GPS reference clocks, but you do need four. The problem with three is
that if one fails you have two left and no way to determine which, if
either, is correct when they disagree.
If your two data centers are not unreasonably far apart it might make
sense to have each serve as a backup to the other. Everybody
configures six servers. In each data center, one of the local servers
will probably be selected but five others are available as a sanity
check and "advisory committee". For sites more than two or three
hundred miles apart, the network delays may add enough uncertainty to
make this choice undesirable.
More information about the questions
mailing list