[ntp:questions] Re: Sufficient # servers to sync to

Richard B. Gilbert rgilbert88 at comcast.net
Thu Mar 17 15:04:39 UTC 2005

John Sasso wrote:

> I am working on a design for the NTP infrastructure for our company.  We
>purchased 6 Stratum-1, GPS-sync'd NTP servers, three for each of our two
>data centers located at remote sites.  We have a number of subnets at each
>of our secured sites, each secured by a firewall.
>According to
> it suggests NTP clients should sync to a minimum of 4 NTP servers.
>Specifically, it states:
>"While the general rule is for 2n+1 to protect against "n" falsetickers,
>this actually isn't true for the case where n=1. It actually takes 2 servers
>to produce a "candidate" time, which is really an interval. The winner is
>the shortest interval for which more than half (counting the two that define
>the interval) have an offset (+/- the dispersion) that lies on the interval
>and that contains the point of greatest overlap."
>In the past, I've had NTP clients sync to up to 3 [out of 4] Stratum-2 NTP
>servers.  The 4 NTP servers each sync'd to 4 off-site Stratum-1 NTP servers,
>as well as off one-another for additional sanity checking.
>For the design, is it overkill for me to require to NTP clients to sync to 4
>NTP servers?  How about just 3?  The NTP clients consist of Cisco routers
>and firewalls, Windows, Sun, and Linux systems.  Part of the environment
>uses Windows AD w/ Kerberos as well as SSL, which I think require accurate
Many people would be satisfied with one "good" server.  If the 
consequences of that one "good" server being wrong someday are 
sufficiently serious to justify the expense, then four servers is the 
way to go.   Those four servers don't all have to be on-site and running 
GPS reference clocks, but you do need four.  The problem with three is 
that if one fails you have two left and no way to determine which, if 
either, is correct when they disagree.

If your two data centers are not unreasonably far apart it might make 
sense to have each serve as a backup to the other.   Everybody 
configures six servers.   In each data center, one of the local servers 
will probably be selected but five others are available as a sanity 
check and "advisory committee".  For sites more than two or three 
hundred miles apart, the network delays may add enough uncertainty to 
make this choice undesirable.

More information about the questions mailing list