I'm trying to switch to using an external source for NTP on my ESX hosts.
This works fine when using an internal physical Windows DC as the source. I haven't had much luck but I think this is due to an Internet routing issue on most servers.
On the one server that is on a different subnet starting the ntpd service seems to synchronize but when I run watch "ntpq -p" this is the result.
Every 2s: ntpq -p                                    Tue Jul 24 09:46:22 2007
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)        10 l    8   64    7    0.000    0.000   0.008
 time-a.nist.gov 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
I assume the - in when isn't a good thing.
Any ideas?
I basically get the same thing with that command, although I sync from the pool instead. These are the steps I followed to set this up. Is your ESX server resolving the time server host name correctly? Have you enabled NTP in the ESX firewall, and does your network allow for NTP traffic outside your network?
How can I configure my ESX Server to automatically sync the time from an NTP source?
Log in to the service console
Edit /etc/ntp.conf with Nano or Vi
Add the below lines to the OUR TIMESERVERS section
o restrict default kod nomodify notrap
o server 0.pool.ntp.org
o server 1.pool.ntp.org
o server 2.pool.ntp.org
Save & exit
Edit /etc/ntp/step-tickers with Nano or Vi
Add the below lines
o 0.pool.ntp.org
o 1.pool.ntp.org
o 2.pool.ntp.org
o pool.ntp.org
Save & exit
Type esxcfg-firewall --enableService ntpClient, or use VI Client to enable it under Configuration > Security Profile > Properties
Type service ntpd restart (may say failed for stop if not currently running)
Type chkconfig --level 345 ntpd on to enable the NTP daemon to autostart
Type hwclock --systohc to set the hardware clock to the system clock
Type ntpdate -q 0.pool.ntp.org to see the offset between the local and NTP clock
I tried the pool addresses to begin with and had no luck; that's why I'm trying a different server with a static IP. The ESX firewall isn't an issue as it works with an internal source.
Outbound NTP is allowed and the firewall administrator has shown me the logs with accepts on port 123.
I've added the IP address and name for the server I'm attempting to use to the hosts file but that hasn't helped. Using the external server we use for our Windows DC produces the same result.
Looks like I might have to keep a Windows physical DC!
What firewall product do you use?
I know of at least one firewall product, widely used by governmental and other public institutions in the US, which has a serious bug which will prevent NTP from working under certain circumstances.
It's hosted externally but I believe it's Checkpoint.
Wouldn't that cause a problem for our Windows DC also if that was the case?
Checkpoint isn't the product I'm thinking of.
Wouldn't that cause a problem for our Windows DC also if that was the case?
If the Windows DC synchronizes with an external time source - yes.
One thing I noticed in your first post is the LOCAL time source.
This shouldn't be there.
Double check your config against the KB article.
Mine also has the LOCAL for that command.
Is your outbound NTP rule UDP and not TCP? Can your network admin sniff the traffic to see why the server is not talking to the NTP server?
Also the fact that if you configure it to use an internal NTP source (your DC) which works fine and it is just when you configure it to use with an external NTP source really points to network/firewall configs and not the ESX server. I think putting a sniffer on there will definitely show why it is not working.
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)        10 l    8   64    7    0.000    0.000   0.008
 time-a.nist.gov 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
time-a has not been reached for 3 cycles now.
There is a connectivity problem.
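The reach-column reading used in the post above, as an added example that is not part of the original thread: a small shell/awk filter that decodes the octal reach register of each `ntpq -p` peer line and labels the peer. The function name `ntp_peer_health` and the verdict labels are this example's own, and the sample input is the thread's first listing, re-spaced by hand.

```shell
#!/bin/sh
# Added example, not from the thread: classify each peer line of `ntpq -p`.
# "reach" is an 8-bit shift register shown in octal; every set bit is one
# answered poll among the last eight (377 = all eight, 0 = none).
ntp_peer_health() {
    awk '
    function octal(s,    i, n) {              # octal string -> integer
        n = 0
        for (i = 1; i <= length(s); i++) n = n * 8 + substr(s, i, 1)
        return n
    }
    function popcount(n,    c) {              # count set bits
        c = 0
        while (n > 0) { c += n % 2; n = int(n / 2) }
        return c
    }
    # Peer lines have 10 fields with a numeric stratum and an octal reach;
    # this skips the header, the ==== rule and the watch banner.
    NF == 10 && $3 ~ /^[0-9]+$/ && $7 ~ /^[0-7]+$/ {
        selected = ($1 ~ /^\*/)               # "*" marks the current sync source
        name = $1
        sub(/^[*+#-]/, "", name)              # drop the tally character
        answered = popcount(octal($7))
        if (name ~ /^LOCAL\(/)
            verdict = selected ? "LOCAL-SELECTED" : "LOCAL-FALLBACK"
        else if (answered == 0)
            verdict = "UNREACHABLE"
        else if ($3 == 16)
            verdict = "UNSYNCED"
        else if (answered < 8)
            verdict = "PARTIAL"
        else
            verdict = "OK"
        printf "%s %d/8 %s\n", name, answered, verdict
    }'
}

# Constructed input: the first ntpq -p listing in this thread, re-spaced.
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)        10 l    8   64    7    0.000    0.000   0.008
 time-a.nist.gov 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00'

printf '%s\n' "$SAMPLE" | ntp_peer_health
```

A LOCAL-SELECTED verdict means the host is following only its own clock, so its log timestamps can drift away from the rest of the environment until an external peer becomes reachable.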
I reconfigured this box using the IP address for the server and now it looks like it's working. Looks like it can't find the server using a host name.
Every 2s: ntpq -p                                    Tue Jul 24 14:43:42 2007
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.nist.gov .ACTS.           1 u   99 1024  377  249.999  -59.098  46.586
 LOCAL(0)        LOCAL(0)        10 l   35   64  377    0.000    0.000   0.008
Also the fact that if you configure it to use an
internal NTP source (your DC) which works fine and it
is just when you configure it to use with an external
NTP source really points to network/firewall configs
and not the ESX server. I think putting a sniffer on
there will definitely show why it is not working.
It is definitely a firewall problem; it works on one segment using the hostname or IP address. It just doesn't work on the other segment at all.
This was actually the correct answer though I marked your other reply as correct.