We're having issues with our ESX servers' time drifting ahead of or behind the time on our DNS servers. This seems to be happening every couple of days. If I run the following commands, the time is corrected: service ntpd restart and hwclock --systohc
I followed this linked document when setting up the time on my ESX boxes. Here is the entry in my NTP.conf file:
--- OUR TIMESERVERS -----
or remove the default restrict line
Permit time synchronization with our time source, but do not
permit the source to query or modify the service on this system.
restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
server mytrustedtimeserverip
restrict default kod nomodify notrap
server 172.16.151.246
server 172.16.151.247
server 172.16.151.248
Anyone have any ideas on some change that may help?
Thanks!
This might be a dumb question - Are your DNS servers configured to synchronize their time off of an NTP server?
When there is a noticeable difference in time between your ESX host and the DNS servers, run the following command:
#ntpdate -q xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the IP address of an NTP server)
The output will show the time differential between the ESX server and the NTP server. This will help confirm for us whether the ESX server or the DNS server has the incorrect time.
###############
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Here are the results of an ESX server that is a little out of sync:
server 172.16.151.246, stratum 4, offset 43.101731, delay 0.04207
20 Nov 10:25:01 ntpdate[24697]: step time server 172.16.151.246 offset 43.101731 sec
Here is another that is a little off:
server 172.16.151.246, stratum 4, offset 63.482701, delay 0.04201
20 Nov 10:26:40 ntpdate[28789]: step time server 172.16.151.246 offset 63.482701 sec
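Added example, not part of the thread: a shell check that reads `ntpdate -q` output in the format shown above and reports, per server, whether the offset exceeds a threshold in either direction. The function names, the 1-second threshold in the usage line, and the second and third sample records are assumptions constructed for illustration; a stratum 0 record is treated as a server that did not answer.

```shell
#!/bin/sh
# Added example: classify `ntpdate -q` records read on stdin.
# Usage (threshold of 1 second is an assumed value):
#   ntpdate -q 172.16.151.246 | max_offset_report 1
# Exit status: 0 = all answering servers within the threshold,
#              1 = at least one server beyond it,
#              2 = no server answered at all.
max_offset_report() {
    awk -v limit="$1" '
        /^server / {
            # Record: server IP, stratum N, offset S, delay D
            gsub(/,/, "")                  # drop commas; awk re-splits the fields
            ip = $2; stratum = $4 + 0; off = $6 + 0
            if (stratum == 0) {            # assumption: stratum 0 means no reply
                print ip, "NO-RESPONSE"
                next
            }
            seen++
            mag = (off < 0) ? -off : off   # drift can be ahead or behind
            if (mag > limit) { state = "DRIFT"; bad++ } else { state = "OK" }
            printf "%s %s offset=%.6f\n", ip, state, off
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Sample input: the first two lines are the output posted above;
# the last two records are constructed for this example.
sample_output() {
cat <<'EOF'
server 172.16.151.246, stratum 4, offset 43.101731, delay 0.04207
20 Nov 10:25:01 ntpdate[24697]: step time server 172.16.151.246 offset 43.101731 sec
server 172.16.151.247, stratum 4, offset -0.003120, delay 0.04199
server 172.16.151.248, stratum 0, offset 0.000000, delay 0.00000
EOF
}
```

Run from cron on each host, the non-zero exit status gives an alert before the drift shows up in log timestamps.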
What NTP servers are the DNS servers using to synch their clocks? 172.16.151.246 or something different?
They are using a different address, I assume (I sent an e-mail to one of our domain admins to see how they are getting the time for our DNS servers). 172.16.151.246 is the address of one of our DNS servers.
It seems like your ESX server is only synchronizing during a service ntpd restart and not by itself. I have seen that behaviour before.
Please show us your complete /etc/ntp.conf and /etc/ntp/step-tickers.
Frank
ntp.conf file
Prohibit general access to this service.
restrict default ignore
Permit all access over the loopback interface. This could
be tightened as well, but to do so would effect some of
the administrative functions.
restrict 127.0.0.1
-- CLIENT NETWORK -------
Permit systems on this network to synchronize with this
time service. Do not permit those systems to modify the
configuration of this service. Also, do not use those
systems as peers for synchronization.
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
--- OUR TIMESERVERS -----
or remove the default restrict line
Permit time synchronization with our time source, but do not
permit the source to query or modify the service on this system.
restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
server mytrustedtimeserverip
restrict default kod nomodify notrap
server 172.16.151.246
server 172.16.151.247
server 172.16.151.248
--- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
--- GENERAL CONFIGURATION ---
#
Undisciplined Local Clock. This is a fake driver intended for backup
and when no outside source of synchronized time is available. The
default stratum is usually 3, but in this case we elect to use stratum
0. Since the server line does not have the prefer keyword, this driver
is never used for synchronization, unless no other other
synchronization source is available. In case the local host is
controlled by some external source, such as an external oscillator or
another protocol, the prefer keyword would cause the local host to
disregard all other synchronization sources, unless the kernel
modifications are in use and declare an unsynchronized condition.
#
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
#
Drift file. Put this in a directory which the daemon can write to.
No symbolic links allowed, either, since the daemon updates the file
by creating a temporary in the same directory and then rename()'ing
step-tickers.conf file
172.16.151.246
172.16.151.247
172.16.151.248
The problem seems to be with your ntp.conf file.
Do the following:
mv /etc/ntp.conf /etc/ORIG.ntp.conf
Then
vi /etc/ntp.conf
and insert only the following in the file:
restrict 127.0.0.1
restrict default kod nomodify notrap
server 172.16.151.246
server 172.16.151.247
server 172.16.151.248
driftfile /var/lib/ntp/drift
Then save the file and do a service ntpd restart.
Message was edited by: dkfbp
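Added example, not part of the thread: a small lint for an ntp.conf read on stdin, which lists lines that are neither comments nor start with a known directive, repeated `restrict default` lines, and a file with no remote `server` entries. The function names are hypothetical, the directive list is a subset chosen for this example, and the sample is an excerpt assembled from the file posted earlier in the thread.

```shell
#!/bin/sh
# Added example: lint an ntp.conf read on stdin.
# Exit status: 0 = no findings, 1 = findings (one per output line).
lint_ntp_conf() {
    awk '
        BEGIN {
            # Subset of ntp.conf directives, enough for this example
            n = split("server peer pool restrict driftfile fudge keys trustedkey requestkey controlkey", a, " ")
            for (i = 1; i <= n; i++) known[a[i]] = 1
            n = split("broadcast broadcastclient multicastclient manycastclient authenticate logfile statsdir statistics filegen tinker tos enable disable includefile", a, " ")
            for (i = 1; i <= n; i++) known[a[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment or blank line
        !($1 in known) {
            printf "%d: not a directive: %s\n", NR, $0; bad++; next
        }
        $1 == "restrict" && $2 == "default" && ++defaults > 1 {
            printf "%d: extra restrict default: %s\n", NR, $0; bad++
        }
        # 127.127.x.x addresses are reference-clock drivers, not network servers
        $1 == "server" && $2 !~ /^127\.127\./ { remote++ }
        END {
            if (!remote) { print "0: no remote server lines"; bad++ }
            exit (bad ? 1 : 0)
        }
    '
}

# Sample input: excerpt assembled from the ntp.conf pasted in the thread
sample_pasted_conf() {
cat <<'EOF'
Prohibit general access to this service.
restrict default ignore
restrict 127.0.0.1
--- OUR TIMESERVERS -----
restrict default kod nomodify notrap
server 172.16.151.246
#multicastclient # listen on default 224.0.1.1
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
EOF
}
```

On a host, `lint_ntp_conf < /etc/ntp.conf` checks the live file; the six-line replacement file above produces no findings.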
I'm pointing my ESX servers at our Domain Controllers (the 172.16.151.246 address) and those are using the following to sync their time:
ntp-1.vt.edu or ntp-2.vt.edu or ntp-3.vt.edu
Would it help to just point our ESX servers to these addresses instead of Domain Controllers?
Todd H.
Was something in my file causing the time not to sync on its own?
The ntp.conf file you pasted seems to have a strange format. I don't know if it is because you have pasted it into this forum or what.
But it is best practice to clear the file and only use what I told you to. This is how I manage my 55 hosts.
You could probably see the ntp error in /var/log/messages; if I remember correctly, ntp logs to that file. I am not 100% sure, I don't have access to any ESX console from this PC.
Frank
I'm not sure if altering the ntp.conf file solved the issue.
If not, I would go ahead and just have the ESX hosts synch off of the same NTP servers the DCs are synching off of.
I made the changes to my ntp.conf file in one of our ESX clusters. I'll give it a couple of days and see how it goes. If this doesn't seem to keep them in sync, I'll try pointing them at the external NTP servers that our domain controllers use.
Thanks for the help guys, I'll reply back to the thread when I have some results.
Our ntp.conf is very similar to yours apart from a few differences.
I've commented out the restrict default ignore line and the server 127.127.1.0 # local clock after talking to our networking/ntp guy. Also commented out keys /etc/ntp/keys
We sync ESX with the router that is in sync with an atomic clock out there somewhere - the AD also syncs to the router(s) - it seems to work ok.
Did you configure your step-tickers file too?
Jon