Problems getting ntpd to work

I am having a difficult time getting ntpd to work correctly. I reviewed several previous topics regarding ntpd problems but could not find a resolution.

I am running TrueNAS CORE 13.0 U6.1 on a 2012 Mac Pro server, 6x 16TB WD Red Pro in a raidz2, connected to the network via a Chelsio T420-CR fiber card. This network is “air-gapped” and has no internet access but it does have an Active Directory domain. My server is not joined to the AD domain, but I want to sync the clock to the AD domain controllers via NTP (my research suggests this should work). My server has a clock drift of approximately +4.2ms per minute (or +6 seconds per day) compared to the AD domain controllers. I experimented with various settings for kern.timecounter.hardware, but did not find any setting that improved on the default (TSC-low). I also just recently replaced the clock battery on the motherboard.

Everything seems to be set up and working correctly except for ntpd actually adjusting the time. :rofl: The offsets just continue increasing, even over a period of a few days approaching a full week. The peer connections appear to be good:

root@nas-mac-pro[~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dc1.domain.ad   192.168.10.200   2 u   17   64  377    0.089  +22778.  18.082
 dc2.domain.ad   192.168.10.200   2 u   44   64  377    0.184  +22775.  18.416

After ntpd starts and runs for a while, the drift file is created, but it always reads zero and never changes (even though there is clearly a drift):

root@nas-mac-pro[~]# cat /var/db/ntp/ntpd.drift
0.000

Here is my ntp.conf (automatically generated from the GUI settings):

root@nas-mac-pro[~]# cat /etc/ntp.conf
server dc1 iburst maxpoll 10 minpoll 6
server dc2 iburst maxpoll 10 minpoll 6
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
restrict dc1 nomodify notrap nopeer noquery
restrict dc2 nomodify notrap nopeer noquery

The system log seems to indicate that ntpd starts, but I see no indication that it is doing anything:

Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.302979-07:00 nas-mac-pro.domain.ad ntpd 3484 - - ntpd 4.2.8p15-a (1): Starting
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303093-07:00 nas-mac-pro.domain.ad ntpd 3484 - - Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift -g
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303100-07:00 nas-mac-pro.domain.ad ntpd 3484 - - ----------------------------------------------------
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303105-07:00 nas-mac-pro.domain.ad ntpd 3484 - - ntp-4 is maintained by Network Time Foundation,
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303110-07:00 nas-mac-pro.domain.ad ntpd 3484 - - Inc. (NTF), a non-profit 501(c)(3) public-benefit
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303115-07:00 nas-mac-pro.domain.ad ntpd 3484 - - corporation.  Support and training for ntp-4 are
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303120-07:00 nas-mac-pro.domain.ad ntpd 3484 - - available at https://www.nwtime.org/support
Jun 14 10:35:54 nas-mac-pro 1 2024-06-14T10:35:54.303125-07:00 nas-mac-pro.domain.ad ntpd 3484 - - ----------------------------------------------------
Jun 15 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload request received, reloading configuration;
Jun 15 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload finished;
Jun 16 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload request received, reloading configuration;
Jun 16 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload finished;
Jun 17 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload request received, reloading configuration;
Jun 17 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload finished;
Jun 18 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload request received, reloading configuration;
Jun 18 00:00:00 nas-mac-pro syslog-ng[1641]: Configuration reload finished;

Conversely, ntpdate seems to work fine, whether “stepping” the clock:

root@nas-mac-pro[~]# service ntpd stop
Stopping ntpd.
Waiting for PIDS: 3485.

root@nas-mac-pro[~]# ntpdate -q dc1.domain.ad dc2.domain.ad
server 192.168.20.99, stratum 2, offset +9.474273, delay 0.02573
server 192.168.20.100, stratum 2, offset +9.472587, delay 0.02574
20 Jun 07:52:36 ntpdate[93747]: step time server 192.168.20.99 offset +9.474273sec
root@nas-mac-pro[~]# ntpdate -b dc1.domain.ad dc2.domain.ad
20 Jun 07:53:35 ntpdate[93748]: step time server 192.168.20.99 offset +9.477389sec
root@nas-mac-pro[~]# ntpdate -q dc1.domain.ad dc2.domain.ad
server 192.168.20.99, stratum 2, offset +0.000486, delay 0.02573
server 192.168.20.100, stratum 2, offset -0.001323, delay 0.02582
20 Jun 07:53:40 ntpdate[93757]: adjust time server 192.168.20.99 offset +0.000486 sec

… or “slewing” the clock (at least for smaller offsets; I didn’t try larger ones):

root@nas-mac-pro[~]# ntpdate -q dc1.domain.ad dc2.domain.ad
server 192.168.20.99, stratum 2, offset +0.125496, delay 0.02585
server 192.168.20.100, stratum 2, offset +0.123857, delay 0.02592
20 Jun 08:26:30 ntpdate[94114]: adjust time server 192.168.20.99 offset +0.125496 sec
root@nas-mac-pro[~]# ntpdate -B dc1.domain.ad dc2.domain.ad
20 Jun 08:26:48 ntpdate[94115]: adjust time server 192.168.20.99 offset +0.126334 sec
# (A few minutes later)
root@nas-mac-pro[~]# ntpdate -q dc1.domain.ad dc2.domain.ad
server 192.168.20.99, stratum 2, offset -0.008508, delay 0.02573
server 192.168.20.100, stratum 2, offset -0.011025, delay 0.02582
20 Jun 08:32:00 ntpdate[94178]: adjust time server 192.168.20.99 offset -0.008508 sec

I read somewhere that ntpdate will use an unprivileged port (which can work around firewall rules), working around an issue with ntpd using the privileged port only. I see in the man page that you can configure ntpdate to use an unprivileged port, but I did not set that flag so I’m not sure what to assume, and as far as a firewall I am not aware of one existing on our network. Other than this factor, I am unsure why ntpdate would work while ntpd does not.

Any guidance would be greatly appreciated.
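A check for the symptom in the `ntpq -p` output above, as an added example that is not part of the original post: the first character of each peer line is ntpd's tally code, and a blank there with reach 377 means the server answers every poll but has not been selected as a synchronization source. The function names and result codes are invented for this illustration.

```python
# Constructed sample: the `ntpq -p` billboard quoted in the post above.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dc1.domain.ad   192.168.10.200   2 u   17   64  377    0.089  +22778.  18.082
 dc2.domain.ad   192.168.10.200   2 u   44   64  377    0.184  +22775.  18.416
"""

STEP_THRESHOLD_MS = 128.0  # ntpd's default step threshold (0.128 s)


def parse_peers(text):
    """Parse peer lines of `ntpq -p`; column 0 is the tally code."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # skip blank lines, the header and the ruler
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # not a peer line
        peers.append({
            "tally": tally,                   # '*' sys peer, '+' candidate, ' ' discarded
            "remote": fields[0],
            "reach": int(fields[6], 8),       # octal shift register of the last 8 polls
            "offset_ms": float(fields[8]),    # accepts the truncated form "+22778."
        })
    return peers


def diagnose(peers):
    """Return (remote, code) findings; the codes are illustrative labels."""
    findings = []
    for p in peers:
        if p["reach"] == 0:
            findings.append((p["remote"], "UNREACHABLE"))
        elif p["tally"] == " ":
            findings.append((p["remote"], "REACHABLE_BUT_DISCARDED"))
        if abs(p["offset_ms"]) > STEP_THRESHOLD_MS:
            findings.append((p["remote"], "OFFSET_OVER_STEP"))
    if not any(p["tally"] in ("*", "o") for p in peers):
        # Without a system peer, ntpd has nothing to discipline the clock against.
        findings.append((None, "NO_SYS_PEER"))
    return findings


if __name__ == "__main__":
    for remote, code in diagnose(parse_peers(SAMPLE)):
        print(remote or "(all peers)", code)
```

Running `ntpq -c rv` and `ntpq -c as` on the host shows the per-association flash and condition fields that explain why a reachable peer was discarded.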

If you’re relying on your ISP as an NTP server, that might be part of the problem. Some ISPs block port 123 by default due to DDoS attacks in the past using NTP resources.

If that’s the case, I suggest looking into the ntp200 and like clocks from centerclick. They simply work, and they work really well. A very good investment, light on power, and uses a TCXO when GPS, GLONASS, and Galileo quit. Easy to set up and use - I put my antennas under the roof and still get 25+ worth of tracking satellites.

Thanks for responding. As I mentioned, I am trying to sync with our Active Directory domain controllers via NTP (without being joined to the domain). I am less concerned about the accuracy of the time, versus keeping all times in sync across our network, especially given the amount of drift this server has. ntpd appears to be set up with valid peers, but it does not keep the time correct.

Apologies, I missed the air-gapped part above.

My recommendation stands, however. The NTP200 works great for an air-gapped system and allows all of your devices to be running on the basis of one clock. No Active Directory, etc. needed.

I’m not deeply familiar with the intricacies of getting ntp on a TrueNAS Core to work with AD, etc. but I can confirm that it works great with the centerclick hardware I listed. Good luck!!!

I was never able to determine why ntpd appears to be correctly configured but does not adjust the clock. Ultimately, I set up a cron job for ntpdate to run every five minutes. While this is less than ideal (~20ms adjustments via “slew” every 5 minutes, rather than continuous correction), it will suffice for the purpose the server is intended for. I wish I was able to determine what the issue was.
