
NTP Server Management Guide

This guide explains how to configure, monitor, and troubleshoot NTP services on Linux to keep system time accurate and reliable. It also shows how to verify synchronization status, validate server responses, and diagnose common time-related issues in both hosts and containerized environments.



Overview

Network Time Protocol (NTP) is used to keep system clocks synchronized across servers, virtual machines, network devices, and applications. Accurate time is critical for authentication, logging, monitoring, distributed systems, and scheduled tasks.

This document describes the basic administration and verification of an NTP server on Linux.

Common NTP Implementations

Linux systems typically use one of the following services:

  • chronyd (recommended on most modern Linux distributions)
  • ntpd
  • systemd-timesyncd (mainly a client, not a full NTP server)

For production NTP server management, chrony is usually the best choice.

Main Administrative Tasks

1. Check Current Time Status

Use the following command to verify whether the host is synchronized:

timedatectl status

Key values to review:

  • System clock synchronized: yes
  • NTP service: active
  • Correct local time and UTC time

2. Check Which NTP Service Is Running

systemctl status chronyd
systemctl status ntpd
systemctl status systemd-timesyncd

Only one active time synchronization service should normally manage the clock.

3. Verify Synchronization Sources

For chrony:

chronyc tracking
chronyc sources -v
chronyc sourcestats -v

Important indicators:

  • Selected source marked with ^*
  • Stable offset values
  • Reasonable stratum level
  • Reachability not equal to zero
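
The chrony indicators above can be checked automatically. The following is an added example, not part of the original guide: a POSIX shell function that reads chronyc -n sources output and flags a missing ^* source, unreachable sources, and falsetickers. The function names, the MAX_STRATUM threshold, and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): evaluate `chronyc -n sources`
# output against the indicators listed above. MAX_STRATUM is an assumed policy.
MAX_STRATUM=${MAX_STRATUM:-10}

# Reads `chronyc -n sources` text on stdin and prints one finding per line.
# Exit status: 0 healthy, 1 warnings, 2 no usable selected source.
check_sources() {
    awk -v max="$MAX_STRATUM" '
        # Source rows start with a mode char (^ server, = peer, # refclock)
        # and a state char (* selected, + combined, - not combined,
        # ? unusable, x falseticker, ~ too variable).
        /^[=#^][*+?x~-] / {
            state = substr($1, 2, 1); name = $2
            total++
            if (state == "*") { selected = name; stratum = $3 + 0 }
            # Reach is an octal register of the last 8 polls; 0 = no replies.
            if ($5 + 0 == 0)  { print "WARN unreachable: " name; warn++ }
            if (state == "x") { print "WARN falseticker: " name; warn++ }
        }
        END {
            if (total == 0)     { print "FAIL no source rows parsed"; exit 2 }
            if (selected == "") { print "FAIL no selected source (^*)"; exit 2 }
            if (stratum < 1 || stratum > max + 0) {
                print "FAIL selected " selected " has stratum " stratum; exit 2
            }
            print "OK selected " selected " stratum " stratum
            exit (warn > 0 ? 1 : 0)
        }'
}

# Constructed sample output (documentation addresses, not real servers).
sample_sources() {
    cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.0.2.10                    2   6   377    34   +123us[ +150us] +/-   15ms
^+ 192.0.2.11                    2   6   377    35  -1200us[-1180us] +/-   20ms
^? 192.0.2.12                    0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF
}

# Offline demo; on a live host run: chronyc -n sources | check_sources
sample_sources | check_sources || echo "exit status: $?"
```

A non-zero exit status makes the function usable from cron or a monitoring agent without further parsing.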

For ntpd:

ntpq -p

Important indicators:

  • Selected peer marked with *
  • Low offset and jitter
  • Reach value showing stable communication

NTP Server Configuration

Chrony Configuration File

Typical file location (Debian and Ubuntu; RHEL-based distributions use /etc/chrony.conf):

/etc/chrony/chrony.conf

Example configuration:

pool pool.ntp.org iburst
allow 10.0.0.0/8
allow 192.168.0.0/16
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync

Key directives:

  • pool or server defines upstream time sources
  • allow permits client subnets to query this server
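  • makestep allows large initial clock correction by stepping the clock (makestep 1.0 3 steps when the offset exceeds 1 second, but only during the first 3 updates)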
  • rtcsync keeps the hardware clock aligned

After changes:

systemctl restart chronyd

Check if the Host Serves NTP Requests

If the Linux host should act as an NTP server for other systems, verify that it is listening on UDP port 123:

ss -ulnp | grep :123

You should also ensure firewall rules allow inbound UDP/123 traffic.

Examples:

firewall-cmd --add-service=ntp --permanent
firewall-cmd --reload

or with ufw:

ufw allow 123/udp

Test the NTP Server from Another Host

From a client machine, query the server:

ntpdate -q <server_ip>

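If chrony is installed on the client, use -Q, which prints the measured offset without adjusting the client's clock (-q would set the clock):

chronyd -Q 'server <server_ip> iburst'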

Expected result:

  • The server responds successfully
  • Reported offset is small
  • No timeout or unreachable errors appear

Troubleshooting

Service Is Inactive in a Container

If systemd-timesyncd is inactive with a message like:

ConditionVirtualization=!container was not met

this usually means the system is running inside a container. In that case, time is typically inherited from the host, and NTP must be verified on the host system rather than inside the container.

Large Time Drift

Possible causes:

  • Incorrect upstream servers
  • Firewall blocking UDP/123
  • Virtualization or host clock issues
  • DNS resolution problems
  • System resumed after long suspension

If an application reports errors such as expired tokens, invalid certificate dates, or cache expiration in the past, first compare system time with an external reference:

date -u
curl -I https://google.com

Compare the local UTC time with the HTTP Date header.

Best Practices

  1. Use chrony for modern Linux servers.
  2. Synchronize the host, not individual containers.
  3. Use multiple reliable upstream NTP sources.
  4. Restrict client access with allow rules and firewall controls.
  5. Monitor offset, reachability, and stratum regularly.
  6. Verify time-sensitive applications after any clock correction.

Quick Verification Checklist

  • NTP service is active
  • System clock is synchronized
  • Upstream sources are reachable
  • UDP/123 is open if the server serves clients
  • External clients can query the server
  • System time matches external reference time