[ntp:questions] Enterprise NTP Architecture

Ryan Malayter malayter at gmail.com
Tue Sep 30 03:41:53 UTC 2008

On Mon, Sep 29, 2008 at 4:20 PM,  <david.hache.david at gmail.com> wrote:

> I was thinking of a distributed time topology with two peered NTP
> servers in DMZ (on different sites if possible), with ISP external
> sources, delivering time to two peered Cisco core routers inside the
> LAN. These routers would be the masters clocks for the internal
> network, composed of our ActiveDirectory DCs (with all the
> workstations pointing at them), the internal network equipment, and
> the internal servers (including the VMWare farm). The DMZ machines
> would point to the DMZ NTP servers.

Having two NTP servers in a tier is the worst possible configuration.
Three or more servers are required for redundancy and accuracy. If you
have two servers, how do you know which server has the correct time?

I have a client with a similar topology, and use four internal NTP
servers that peer with one another at two sites. Two of these are
actually VMware ESX hosts (not VMs!), which run NTP in the service
console. All have one unique internet time source in addition to three
"peer" lines referencing the others.

All of the Windows 2003 domain controllers (again, two at each site)
are configured as clients of all four "real" NTP servers. Windows
clients get time from domain controllers automatically. Other
non-Windows servers, workstations, and network devices are NTP clients
of all four servers in the NTP server farm via "ntp0-4" DNS aliases. We
use NTP authentication where needed.

Actual placement of the servers inside your network doesn't matter
much - NTP is a lightweight protocol with a very small attack surface.

As others have mentioned, for some reason routers make poor time
servers (at least Ciscos). I used to use core routers as NTP servers
at this client, and discovered they inexplicably drifted 50ms or more
in either direction, even when lightly loaded.
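A worked configuration for one node of the four-server peer mesh described above, written for this page as an added example; it is not from the original post or from the poster's client. It shows ntp.conf on one internal server with one unique upstream source, three authenticated symmetric peer lines, a survivor threshold so a lone source cannot drive the clock, and restrict rules that let peers exchange symmetric-mode packets while clients get time only. Hostnames, addresses, the key number and the key secret are all hypothetical.

```conf
# /etc/ntp.conf on ntp0 (site A) - hypothetical example, not the poster's config.
driftfile /var/lib/ntp/ntp.drift

# Symmetric-key authentication. /etc/ntp/ntp.keys (mode 0600, identical on all
# four servers) holds one line of the form:   10 M ExampleSharedSecret
# (key 10, type M = MD5; the secret here is a placeholder.)
keys       /etc/ntp/ntp.keys
trustedkey 10

# One unique Internet source per server; each of the four points at a
# different upstream so a single bad upstream cannot mislead the whole tier.
server upstream-a.example.net iburst

# Peer with the other three internal servers, authenticated with key 10.
peer ntp1.example.com key 10
peer ntp2.example.com key 10
peer ntp3.example.com key 10

# Do not synchronise until at least two sources survive the selection
# algorithm; with a single source there is nothing to vote it down.
tos minsane 2
# If every upstream vanishes, the four peers elect an orphan parent at
# stratum 10 and keep the site clocks together instead of free-running apart.
tos orphan 10

# Default: serve time to nobody; no modification, no trap, no mode 6/7 queries,
# no unsolicited associations.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# The three peers must be allowed to mobilise symmetric associations,
# so their lines omit 'nopeer' (addresses hypothetical).
restrict 10.1.0.12 nomodify notrap
restrict 10.2.0.11 nomodify notrap
restrict 10.2.0.12 nomodify notrap

# Internal clients (DCs, servers, workstations, network devices): time only.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery

# Belt and braces: disable the mode-7 monitor (monlist) path outright so the
# server cannot be used as an amplifier even if a restrict line is loosened.
disable monitor
```

The other three servers carry the same file with their own unique upstream and the remaining three hosts as peers. Because the peers authenticate with a shared key, an unauthenticated packet from an address that happens to match a peer restrict line still cannot mobilise an association or steer the clock; the `noquery` default and `disable monitor` close the query-based amplification path that makes exposed NTP servers attractive as reflectors, which is the check to run before deciding that placement inside the network "doesn't matter much".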
