Guide to configure NTP on ESX servers

Article ID: 343404

Products

VMware vSphere ESXi

Issue/Introduction

System time is an issue of great importance to many computer applications. Databases, security monitoring tools, e-mail systems, syslog and other logging tools all use time stamps in writing transactions and/or noting various events. VMtools has an option for virtual machines to sync with the ESX host they are running on. It should be obvious that all of the ESX hosts in a given resource cluster should have their own system clocks synchronized so that when a virtual machine is vMotion'd from one ESX host to another, its system time would remain consistent.
ESX hosts include NTP software and start the ntpd service by default. ESX hosts are not configured to actually make use of NTP upon installation, nor is there anything in the standard installation process which gives the administrator a chance to set this. Proper NTP usage only occurs when the administrator is knowledgeable about NTP and its administration and, as standard practice, configures NTP as one of their post-installation tasks. This is often not the case.
This article is intended for administrators and VMware Tech Support Engineers as a guideline to configuring ESX hosts for NTP use.
Note: For ESX 3.5 and above, NTP can be configured from vSphere Client and no longer requires manual configuration. For more information, consult the Datacenter & Cloud Infrastructure section of VMware documentation for your version of ESX.


Environment

VMware ESX 4.1.x
VMware ESX 4.0.x
VMware ESX Server 2.5.x
VMware ESX Server 3.5.x
VMware ESX Server 3.0.x
VMware ESX Server 2.0.x
VMware ESX Server 2.1.x

Resolution

Setting time on your ESX host:
  1. Connect to an ESX host using an SSH client.
  2. Log in with a user having administrative privileges.
  3. To open up the ntpClient port in the internal ESX host firewall, run the commands:

    esxcfg-firewall -q ntpClient
    esxcfg-firewall -e ntpClient
    esxcfg-firewall -q ntpClient

    Note: The first line tells the status of the ntpClient port. The second line enables the ntpClient port. The third line shows you that it is open.
  4. Now set the system time to the right time. If your ESX host has ntp access to the Internet, you can just issue the ntpdate command, with the -u switch, and point it at an ntp server. If your ESX host is blocked by your corporate firewall, you have to point it at an internal ntp server. If you do not have one, you have to set one up. Any of these ntpdate commands should work:

    ntpdate -u pool.ntp.org
    ntpdate -u north-america.pool.ntp.org
    ntpdate -u 0.us.pool.ntp.org

    Or for example, if your internal ntp server was called ntp.yourdomain.com, you would issue the command:

    ntpdate -u ntp.yourdomain.com

    Note: Some programs react badly to sudden large changes in system time. For this reason, some prefer just updating the configuration and restarting ntpd as described below, because ntpd updates the system clock slowly.

  5. Configure the ESX host as an ntp client. Make a backup copy of /etc/ntp.conf using the command:

    cp /etc/ntp.conf /etc/ntp.conf.bak.`date +%d%m%y`
  6. Create a new ntp.conf file that contains this information:

    restrict 127.0.0.1
    server 0.us.pool.ntp.org
    server 1.us.pool.ntp.org
    server 2.us.pool.ntp.org
    server 3.us.pool.ntp.org
    server north-america.pool.ntp.org
    server pool.ntp.org
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10
    driftfile /var/lib/ntp/drift
    broadcastdelay 0.008

    Note: This ntp.conf assumes that the ESX host can send an ntp request out to the Internet. If you have outgoing ntp traffic blocked by your corporate firewall, you must instead set up an internal ntp server and make sure that it has access to the Internet so it can get an accurate time. While it is possible for you to configure one of your ESX hosts as an ntp server as well as a client, we recommend that ESX hosts be used solely as ESX hosts, and that they not be used for supporting IT infrastructure needs like ntp.

    If your corporate firewall has ntp access blocked to the Internet, then your ntp.conf file should contain something like this, under the assumption that you have an internal ntp server, which separately has Internet ntp access:

    restrict 127.0.0.1
    server ntp.yourdomain.com
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10
    driftfile /var/lib/ntp/drift
    broadcastdelay 0.008

  7. Restart the ntpd service using any of these commands:

    service ntpd restart
    /etc/init.d/ntpd restart


  8. Update the hardware clock with the current time of the system clock. Even though you have updated the system clock from a known ntp server which has the right time, reconfigured ntp, and restarted the ntpd service, when the machine reboots it sets its system clock based upon the time from the internal hardware clock.

    /sbin/hwclock --systohc
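
Because both ntp.conf variants above list the local clock (127.127.1.0) as a fallback, ntpd can keep running while every upstream server is unreachable, for example when a firewall still blocks NTP. The following added example (not part of the original article) classifies `ntpq -pn` output to catch that case. It assumes the `ntpq` utility from the ntp package is present on the host; the sample peer tables and their addresses are constructed.

```shell
#!/bin/sh
# Added example: classify `ntpq -pn` peer output read on stdin. Prints:
#   synced <peer> <offset_ms>   an upstream server is the selected peer (*)
#   local-only unreachable=N    ntpd has fallen back to the 127.127.1.0 clock
#   unsynced unreachable=N      no peer is selected at all
# N counts upstream servers whose reach register is 0 (no replies received).
ntp_sync_status() {
    awk '
        /^ *remote/ || /^=+/ { next }          # skip the two header lines
        NF < 10 { next }                       # skip anything not a peer row
        {
            tally = substr($0, 1, 1)           # column 1 is the tally code
            peer = (tally == " ") ? $1 : substr($1, 2)
            is_local = (peer ~ /^127\.127\./ || peer ~ /^LOCAL/)
            if (!is_local && $7 == 0) dead++   # field 7 is reach (octal)
            if (tally == "*") {                # "*" marks the system peer
                if (is_local) loc = 1
                else { up = peer; off = $9 }   # field 9 is offset in ms
            }
        }
        END {
            if (up != "") print "synced " up " " off
            else if (loc) print "local-only unreachable=" (dead + 0)
            else print "unsynced unreachable=" (dead + 0)
        }
    '
}

# Constructed sample: internal server 10.0.0.5 selected, local clock idle.
sample_synced() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.5        192.0.2.10       2 u   33   64  377    0.512   -0.210   0.045
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001
EOF
}

# Constructed sample: server never answered, local clock became system peer.
sample_local_only() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.0.5        .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001
EOF
}

sample_synced | ntp_sync_status        # on a host: ntpq -pn | ntp_sync_status
sample_local_only | ntp_sync_status
```

A `local-only` result a few minutes after restarting ntpd means the host's timestamps are free-running; recheck the ntpClient firewall rule from step 3 and the server names in ntp.conf.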
