On Mon, Sep 29, 2008 at 4:20 PM, <[EMAIL PROTECTED]> wrote:
> I was thinking of a distributed time topology with two peered NTP
> servers in DMZ (on different sites if possible), with ISP external
> sources, delivering time to two peered Cisco core routers inside the
> LAN. These routers would be the master clocks for the internal
> network, composed of our Active Directory DCs (with all the
> workstations pointing at them), the internal network equipment, and
> the internal servers (including the VMware farm). The DMZ machines
> would point to the DMZ NTP servers.
Having two NTP servers in a tier is the worst possible configuration. Three or more servers are required for redundancy and accuracy. If you have two servers, how do you know which server has the correct time?

I have a client with a similar topology, and use four internal NTP servers that peer with one another at two sites. Two of these are actually VMware ESX hosts (not VMs!), which run NTP in the service console. All have one unique internet time source in addition to three "peer" lines referencing the others.

All of the Windows 2003 domain controllers (again, two at each site) are configured as clients of all four "real" NTP servers. Windows clients get time from domain controllers automatically. Other non-Windows servers, workstations, and network devices are NTP clients of all four of the NTP server farm via "ntp0-4" DNS aliases. We use NTP authentication where needed.

Actual placement of the servers inside your network doesn't matter much - NTP is a lightweight protocol with a very small attack surface.

As others have mentioned, for some reason routers make poor time servers (at least Ciscos). I used to use core routers as NTP servers at this client, and discovered they inexplicably drifted 50ms or more in either direction, even when lightly loaded.

-- 
RPM

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
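A concrete ntpd configuration for one member of the four-server farm described in the reply above, added here as an illustration; it is not from the original post or the poster's site. The hostnames under example.com, the upstream source name, the key file path and key id 1 are assumptions. Each of the four servers carries one unique upstream `server` line (a different upstream on each box) plus `peer` lines for the other three, so no single external source can outvote the farm.

```conf
# /etc/ntp.conf on ntp0.example.com (assumed name), one of four peered
# internal NTP servers. Example added for illustration, not from the post.

driftfile /var/lib/ntp/ntp.drift

# Symmetric-key authentication for the peer links. The key file holds
# lines of the form "<id> MD5 <secret>" (SHA1 on ntpd builds that
# support it) and must be readable by ntpd only. Path and id assumed.
keys /etc/ntp/ntp.keys
trustedkey 1

# Exactly one upstream internet source on this server; ntp1-3 each use
# a different upstream. Hostname is a placeholder.
server time-a.upstream.example iburst

# Symmetric peers: the other three farm members, authenticated with key 1.
# With three peers plus one upstream every server sees four sources, so
# ntpd's selection algorithm can identify and discard a single falseticker.
peer ntp1.example.com key 1 iburst
peer ntp2.example.com key 1 iburst
peer ntp3.example.com key 1 iburst

# Serve time only by default: no runtime modification, no traps, no
# mode 6/7 queries, and no unsolicited associations. The configured
# peers above are unaffected by "nopeer" because their associations
# already exist. Loopback keeps full access for local ntpq/ntpdc use.
restrict default kod nomodify notrap nopeer noquery
restrict -4 127.0.0.1
restrict -6 ::1
```

Clients (non-Windows hosts and network devices) need only four `server ntpN.example.com iburst` lines and the same `restrict default` line, with no `peer` lines and no `keys` unless the client links are also authenticated. After a few polling intervals, `ntpq -p` on any farm member should show the upstream and the three peers, with one of them selected as the system peer (`*`) and the others as candidates (`+`); a source marked `x` is one the selection algorithm has rejected as a falseticker, which is exactly the decision a two-server setup cannot make.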
