NTP Synchronization Guide

Complete Guide for Windows & Linux Time Synchronization

Version 1.0 | January 2026

1. Introduction to NTP

The Network Time Protocol (NTP) is a networking protocol designed to synchronize clocks across computer systems. Accurate time synchronization is critical for:

Goal: This guide will help you achieve <10ms accuracy with public NTP servers, or <1ms on local networks.

2. Understanding NTP Strata

Stratum | Description | Typical Accuracy
0 | Reference clocks (GPS, atomic clocks) | < 1 microsecond
1 | Primary servers directly connected to Stratum 0 | < 10 microseconds
2 | Secondary servers synced to Stratum 1 | < 100 microseconds
3-15 | Downstream servers (each adds ~1ms latency) | 1-100 milliseconds

Recommended: Use Stratum 2 servers for the best balance of accuracy and availability. RDEM Systems operates Stratum 2 servers in the NTP Pool at pool-ntp.rdem-systems.com.

3. Windows Configuration

3.1 Quick Fix Commands (Administrator PowerShell)

Check Current Status

w32tm /query /status

View Current NTP Configuration

w32tm /query /configuration

Configure External NTP Servers

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

Force Immediate Sync

w32tm /resync /force

Restart Time Service

net stop w32time; net start w32time

3.2 Recommended NTP Servers for Windows

w32tm /config /manualpeerlist:"0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org pool-ntp.rdem-systems.com" /syncfromflags:manual /reliable:yes /update

Tip: Always use multiple NTP servers (at least 3-4) for redundancy and to detect false tickers.

Quick Setup: RDEM Systems Stratum 2 Servers

Copy this complete PowerShell command (run as Administrator):

w32tm /config /manualpeerlist:"pa3.pool-ntp.rdem-systems.com pa4.pool-ntp.rdem-systems.com pa5.pool-ntp.rdem-systems.com" /syncfromflags:manual /reliable:yes /update; net stop w32time; net start w32time; w32tm /resync /force

3.3 Windows Server Domain Controllers

For Active Directory environments, the PDC Emulator should sync to external NTP:

# On PDC Emulator (run as Administrator)
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

# On other Domain Controllers (automatic from PDC)
w32tm /config /syncfromflags:domhier /update

3.4 Troubleshooting Windows Time

Issue | Command
Service not running | net start w32time
Register service | w32tm /register
Show peers | w32tm /query /peers
Debug mode | w32tm /debug /enable /file:C:\w32time.log /size:10000000 /entries:0-300

4. Linux Configuration

4.1 Using Chrony (Recommended)

Chrony is the preferred NTP client for modern Linux systems. It handles intermittent connectivity and virtual machines better than ntpd.

Installation

# Debian/Ubuntu
sudo apt install chrony

# RHEL/CentOS/Rocky/Alma
sudo dnf install chrony

Configuration (/etc/chrony/chrony.conf)

# Primary NTP Servers
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Optional: RDEM Systems Stratum 2
server pool-ntp.rdem-systems.com iburst

# Record rate at which system clock gains/drifts
driftfile /var/lib/chrony/drift

# Allow NTP client access from local network
#allow 192.168.0.0/16

# Serve time even if not synchronized
#local stratum 10

# Specify directory for log files
logdir /var/log/chrony

# Step clock if offset > 1 second (first 3 updates only)
makestep 1.0 3

Common Chrony Commands

# Check synchronization status
chronyc tracking

# List NTP sources
chronyc sources -v

# Show source statistics
chronyc sourcestats

# Force sync
sudo chronyc makestep

# Check if chrony is synchronized
chronyc waitsync 1 0.01

4.2 Using systemd-timesyncd (Simple)

For simple setups, systemd-timesyncd is lightweight and sufficient:

Configuration (/etc/systemd/timesyncd.conf)

[Time]
NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org
FallbackNTP=pool-ntp.rdem-systems.com

Enable and Start

sudo systemctl enable systemd-timesyncd
sudo systemctl start systemd-timesyncd
timedatectl timesync-status

4.3 Using ntpd (Legacy)

For systems requiring ntpd:

Configuration (/etc/ntp.conf)

# NTP Servers
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Drift file
driftfile /var/lib/ntp/drift

# Restrict default
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

Common ntpd Commands

# Check peers
ntpq -p

# Check sync status
ntpstat

# Force a one-shot sync, even if the offset exceeds 1000s (stop the running ntpd service first)
sudo ntpd -gq

4.4 Quick Status Check Script

#!/bin/bash
# ntp-check.sh - Quick NTP status check

echo "=== System Time ==="
date
timedatectl

echo -e "\n=== Chrony Status ==="
if command -v chronyc &> /dev/null; then
    chronyc tracking
    chronyc sources
else
    echo "Chrony not installed"
fi

echo -e "\n=== systemd-timesyncd Status ==="
if systemctl is-active --quiet systemd-timesyncd; then
    timedatectl timesync-status
else
    echo "systemd-timesyncd not active"
fi

5. Testing Your Configuration

5.1 Online Testing Tools

5.2 Command-Line Testing

# Test NTP server response
ntpdate -q pool.ntp.org

# Or with Chrony
chronyd -Q "server pool.ntp.org iburst"

# Or with sntp
sntp -d pool.ntp.org

5.3 What Good Synchronization Looks Like

Metric | Good | Acceptable | Needs Attention
Offset | < 10ms | < 100ms | > 100ms
Stratum | 2-3 | 4-5 | > 5
Reach | 377 (all 8) | > 177 | < 77
Jitter | < 10ms | < 50ms | > 50ms
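
The thresholds in this table applied to `ntpq -p` output, as an added example that is not part of the original guide. The peer lines are constructed; counting stratum 1 as good and a reach between 77 and 177 as needing attention are assumptions, since the table does not cover those values.

```shell
# Added example (not from the original guide): grade `ntpq -p` peer lines against
# the section 5.3 table. Output per peer: <remote> <grade> <metrics that are not good>

grade_peers() {
    awk '
    # reach is an octal shift register; 377 means the last 8 polls were all answered
    function oct(s,   i, v) { for (i = 1; i <= length(s); i++) v = v * 8 + substr(s, i, 1); return v + 0 }
    function band(x, lo, hi) { return x < lo ? 0 : (x < hi ? 1 : 2) }
    function note(level, why) {
        if (level > g) g = level
        if (level > 0) r = (r == "" ? why : r "," why)
    }
    { $0 = substr($0, 2) }                        # drop the tally column (*, +, -, x, space)
    $1 == "remote" || $1 ~ /^=+$/ || NF < 10 { next }
    {
        g = 0; r = ""
        off = ($9 < 0 ? -$9 : $9) + 0
        note(band(off, 10, 100), "offset")         # milliseconds
        note(band($10 + 0, 10, 50), "jitter")      # milliseconds
        # Assumptions: stratum 1 counts as good; reach 77..177 counts as attention
        note($3 + 0 <= 3 ? 0 : ($3 + 0 <= 5 ? 1 : 2), "stratum")
        reach = oct($7)
        note(reach == 255 ? 0 : (reach > 127 ? 1 : 2), "reach")
        split("good acceptable attention", name, " ")
        print $1, name[g + 1], (r == "" ? "-" : r)
    }'
}

sample_peers() {   # constructed ntpq -p output; hosts and addresses are illustrative
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-a.example   .GPS.            1 u   33   64  377    4.120    0.512   0.231
+ntp-b.example   192.0.2.10       2 u   12   64  377   11.300   -3.870   1.004
-ntp-c.example   192.0.2.20       4 u   50   64  277   25.000   42.500  12.750
 ntp-d.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
xntp-e.example   192.0.2.30       2 u   20   64  377    9.800 -250.000   3.100
EOF
}

sample_peers | grade_peers    # on a live host: ntpq -pn | grade_peers
```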

6. Security Best Practices

Important: NTP can be exploited for DDoS amplification and time-based attacks. Follow these security recommendations.

6.1 Firewall Configuration

# Allow NTP client (outbound only)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# Block NTP server queries (if not serving time)
iptables -A INPUT -p udp --dport 123 -j DROP

6.2 Chrony Security Settings

# /etc/chrony/chrony.conf
# Disable cmdmon from network
cmdport 0

# Or restrict to localhost
bindcmdaddress 127.0.0.1
bindcmdaddress ::1

6.3 Multiple Sources

Always configure at least 4 NTP servers to detect and exclude false tickers (Byzantine fault tolerance requires 3f+1 servers to tolerate f faulty servers).
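
One way to check a chrony.conf against sections 6.2 and 6.3, as an added example that is not from the original guide or the chrony project. Both configurations are constructed, and counting a `pool` line as four sources reflects chrony's default `maxsources` value.

```shell
# Added example (not from the original guide): lint a chrony.conf read from stdin
# against section 6.2 (cmdmon exposure) and section 6.3 (at least 4 sources).

audit_chrony_conf() {
    awk '
    /^[ \t]*[!;#%]/ { next }                       # chrony whole-line comments
    $1 == "server" || $1 == "peer" { sources++ }
    $1 == "pool" { sources += 4 }                  # a pool yields up to 4 sources by default
    $1 == "cmdport" && $2 == "0" { closed = 1 }
    # bindcmdaddress values starting with / are Unix socket paths, not network addresses
    $1 == "bindcmdaddress" && $2 !~ /^(127\.0\.0\.1|::1|\/.*)$/ { exposed = exposed " " $2 }
    $1 == "cmdallow" { exposed = exposed " cmdallow:" ($2 == "" ? "all" : $2) }
    $1 == "allow" || $1 == "local" { serving = serving " [" $0 "]" }
    END {
        n = sources + 0
        if (n < 4) { print "WARN sources: " n " configured, section 6.3 asks for at least 4"; warn++ }
        else print "OK sources: " n
        if (closed) print "OK cmdmon: cmdport 0"
        else if (exposed != "") { print "WARN cmdmon: reachable beyond loopback:" exposed; warn++ }
        else print "OK cmdmon: no non-loopback bindcmdaddress or cmdallow"
        if (serving != "") print "INFO serves time:" serving
        exit (warn > 0)                            # non-zero exit when any WARN was printed
    }'
}

weak_conf() {       # constructed sample with the settings section 6 warns about
    cat <<'EOF'
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
bindcmdaddress 0.0.0.0
cmdallow 192.168.0.0/16
allow 192.168.0.0/16
local stratum 10
EOF
}

hardened_conf() {   # constructed sample following sections 4.1, 6.2 and 6.3
    cat <<'EOF'
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
#allow 192.168.0.0/16
cmdport 0
EOF
}

weak_conf | audit_chrony_conf || echo "weak_conf: findings present"
hardened_conf | audit_chrony_conf && echo "hardened_conf: clean"
```

On a real host, feed it the live file, for example `audit_chrony_conf < /etc/chrony/chrony.conf`.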

7. Troubleshooting Common Issues

7.1 "No server suitable for synchronization found"

7.2 Large Initial Offset

# Chrony: Step the clock immediately
sudo chronyc makestep

# ntpd: Allow large offset correction
sudo ntpd -gq

7.3 Clock Drifting After Sync

7.4 Virtual Machine Time Issues

VM Best Practice: Use only ONE time sync method - either VM tools OR NTP. Using both causes conflicts.

# Disable VMware Tools time sync
vmware-toolbox-cmd timesync disable

# Disable Hyper-V time sync (PowerShell)
Disable-VMIntegrationService -Name "Time Synchronization" -VMName "YourVM"

# Then configure NTP as normal

8. Quick Reference Card

Task | Windows | Linux (Chrony)
Check status | w32tm /query /status | chronyc tracking
List sources | w32tm /query /peers | chronyc sources
Force sync | w32tm /resync /force | chronyc makestep
Restart service | net stop/start w32time | systemctl restart chronyd

9. Recommended NTP Servers

Public Pool Servers

RDEM Systems Infrastructure

RDEM Systems operates Stratum 2 NTP servers contributing to the global NTP Pool. Our servers (AS206014) are monitored 24/7 and maintain sub-millisecond accuracy.
