[ntp:questions] Number of Stratum 1 & Stratum 2 Peers

William Unruh unruh at invalid.ca
Fri Dec 5 16:26:44 UTC 2014

On 2014-12-05, Rob <nomail at example.com> wrote:
> David Taylor <david-taylor at blueyonder.co.uk.invalid> wrote:
>> On 04/12/2014 20:03, Rob wrote:
>> []
>>> It is not good practice to use "pool" on 100-1000 internal systems,
>>> presumably via NAT, to poll time from internet.
>>> Simple advice is: setup 1 NTP server when you are always monitoring,
>>> or 2 servers when you cannot always be on watch to fix the one server,
>>> and keep them mutually synchronized.
>>> That will work OK in a company.  Maybe not in the head of a thought
>>> experimenter, but that is normally not what companies are after.
>> I was thinking of the general user.
>> For internal systems I would want four servers minimum, two on-site, and 
>> two on the company WAN,
> I think that is ridiculous.  Introducing too many safeguards often
> results in more failures due to extra complexity in the system.

The problem with two is that if oneof the servers goes nuts-- for some
reason starts to give out the wrong time (ie, its time is not UTC time)
then ntpd may well start jumping between the two, making the time on the
client machines very unreliable. Use 3 making sure that they are
independent (Ie one of them does not get its time from the other.)
This is not too many safeguards. It simply protects against one going

Note that they can go bad. Say one of the servers goes down for some
reason. That is fine, the other will handle things. But when the first
comes up again, it has trouble with its gps pps (using an older Garmin
18x with older firmware where the nmea time could be a second out).
Suddenly one of the servers gives a time one second out from the other.
The poor client has no idea whichis right, and hops between them.
Because of the 128ms rule, it jumps the time -- again and again. 
Of course your monitoring might catch this, or it might not, depending
on whether you had thought of this failure mode when you set it up. So
the clients could do this for days or weeks. Now if you do not care if
the time jumps around by a second, then this is fine. Some places
however need better time control than that.

> Just two servers is more than adequate for the typical network where
> of course the servers are being monitored and alerts are being handled
> in a timely fashion.

It depends on how important time is. If you do not care if the time is
days out, then do whatever you want. If you do care, use reasonable

More information about the questions mailing list