[ntp:questions] Number of Stratum 1 & Stratum 2 Peers

William Unruh unruh at invalid.ca
Sat Dec 6 15:55:22 UTC 2014

On 2014-12-06, Rob <nomail at example.com> wrote:
> William Unruh <unruh at invalid.ca> wrote:
>> On 2014-12-05, Rob <nomail at example.com> wrote:
>>> William Unruh <unruh at invalid.ca> wrote:
>>>>>> For internal systems I would want four servers minimum, two on-site, and 
>>>>>> two on the company WAN,
>>>>> I think that is ridiculous.  Introducing too many safeguards often
>>>>> results in more failures due to extra complexity in the system.
>>>> The problem with two is that if one of the servers goes nuts-- for some
>>>> reason starts to give out the wrong time (i.e., its time is not UTC time)
>>> a. that will almost never happen
>>> b. that will be caught by the monitoring (e.g. nagios) and an alert will
>>>    be sent and/or the system will be shut down automatically.
>> Would it not be nicer if the alert is sent, but the system still keeps
>> going and not shutting down? Shutting down a system seems like a pretty
>> heavy price to pay for not having three instead of 2 sources.
> Not shutting down the client, shutting down the errant timeserver.
> Or only its NTP service.
> When you have two NTP servers and one goes nuts, just shut it down and
> send an alert to the operator so it can be fixed.  The clients continue
> to sync to the other server without problem.
> That is so much easier than to set up 4 servers and configure them in
> all clients and let the complicated voting process happen in all clients.

It is both hard, and somewhat dangerous to allow clients to shut down
servers. Imagine the opportunity for nefarious activity.

And how in the world is it hard to set up 4 servers rather than 2, and
configure them? And the voting is done by the program. How does that
make anything harder?

You are of course completely free to have however many servers you want.
The "4" is not a regulation, it is a suggestion. It depends on how
important having accurate time is to you and your company. If your
procedure works well for you, please continue to use it.

>>>> Of course your monitoring might catch this, or it might not, depending
>>>> on whether you had thought of this failure mode when you set it up. So
>>>> the clients could do this for days or weeks. Now if you do not care if
>>>> the time jumps around by a second, then this is fine. Some places
>>>> however need better time control than that.
>>> The monitoring for ntpd servers shipped by default with nagios has no
>>> problem detecting this.
>> And when it does, what happens-- the company goes out of business? No one
>> cares? It also sends out for coffee and doughnuts for the IT team?
> It becomes clearer and clearer to me that you are an armchair theorist
> that has never been in touch with a professionally managed IT environment.

Resorting to attempted personal attacks does not do much for your
credibility. To disentangle it for you, I was asking how important
keeping time is for you. If it is not, then whatever you want to do is
fine. If it is important (e.g. your company goes out of business) you had
better think carefully about your setup.
I do manage computers. I also know that everyone has many things on
their plates and adding one more urgent issue is not helpful. Having
three sources allows a bit of extra time to fix the problem.
I have some machines with one source. Why? I do not really care if their
time is accurate or not. If I do, I have more.
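
The disagreement in this thread, whether two sources are enough when one server starts giving the wrong time, shown as an added example (not part of the original post and not ntpd's code): a simplified Marzullo-style interval-intersection vote. The server names, offsets and error bounds are constructed sample values, and `select_truechimers` is a hypothetical helper.

```python
def select_truechimers(sources):
    """Simplified interval-intersection vote (illustration only, not ntpd).

    sources: {name: (offset_ms, error_bound_ms)}, integers.
    Returns (truechimers, falsetickers) as sorted lists, or None when no
    strict majority of the correctness intervals overlap.
    """
    edges = []
    for offset, err in sources.values():
        edges.append((offset - err, 0))  # interval opens (0 sorts before 1,
        edges.append((offset + err, 1))  # so touching intervals still overlap)
    edges.sort()

    best = count = 0
    lo = hi = None
    for i, (t, kind) in enumerate(edges):
        if kind == 0:
            count += 1
            if count > best:             # deepest overlap seen so far
                best, lo, hi = count, t, edges[i + 1][0]
        else:
            count -= 1

    if best * 2 <= len(sources):         # no strict majority agrees
        return None

    good = sorted(n for n, (o, e) in sources.items()
                  if o - e <= lo and o + e >= hi)
    bad = sorted(set(sources) - set(good))
    return good, bad


# Constructed sample data: ntp-b is one second off, the others are close to UTC.
TWO = {"ntp-a": (2, 10), "ntp-b": (1000, 10)}
THREE = dict(TWO, **{"ntp-c": (-1, 10)})
FOUR = dict(THREE, **{"ntp-d": (4, 10)})

if __name__ == "__main__":
    for label, srcs in (("two", TWO), ("three", THREE), ("four", FOUR)):
        print(label, "->", select_truechimers(srcs))
```

With two sources the vote cannot tell which one is wrong; with three or four the errant server is outvoted and the client keeps a usable majority.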
