I have an online meeting I need to join shortly, so I’m keeping my eye on the current time displayed in the little digital clock in the right-hand corner of the taskbar on my workstation. My meeting is important for our business, so I sure hope that clock is accurate! Since I also manage our network, I know that my workstation gets its time from a domain controller somewhere on the network. And the domain controller gets its time from a network time protocol (NTP) server somewhere out there on the Internet. But the Internet is a strange and unpredictable beast — what if I need a more reliable source of accurate time for our network? And just how important is it for our servers and workstations to have millisecond accuracy, anyway?
Why accurate NTP time is important
Several years ago, I discussed this matter with one of my colleagues in the IT profession and wrote up some of his thoughts in this article here on TechGenix. Since then, I’ve had a few more conversations with colleagues who manage, host, or co-locate in datacenter facilities or manage large enterprise networks. These conversations have helped me identify some more reasons why having accurate NTP time is important for your IT environment. And these additional reasons apply regardless of whether your organization maintains its own datacenter or utilizes the services of a colocation center or “carrier hotel,” as some like to refer to them.
You may need a more accurate time source than something like pool.ntp.org for compliance purposes. If your organization is subject to regulatory compliance and undergoes regular audits for verification purposes, you should check whether the terms of your audit include statements like “time settings are received from industry-accepted time sources” or “verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock)” or some similar wording. If this is a requirement for audit purposes, then running your own NTP appliance with a built-in GPS-based receiver can be offered up as traceable evidence of compliance when the audit is performed. What you don’t want to say to your auditors is, “I really don’t know which time server in the pool out there is actually my current time source.”
Another important reason for having accurate time is so you can trust the accuracy of timestamps in log files to within a couple of milliseconds. This becomes important when a problem on your network interrupts services or when you lose connectivity due to an outage. If you can trust the time accuracy of your log files, you will be better positioned to determine the cause or sequence of events that led up to the interruption or outage. If you are relying only upon Internet NTP time servers and you lose connectivity with them, you may see time drift on certain equipment, especially when it experiences unexpected hard resets or reboots, or when large temperature changes such as overheating occur due to A/C system failures. The resulting time offset of a couple of seconds for a key piece of hardware can make troubleshooting and resolving the problem much more difficult. And even if the GPS-based NTP appliance itself ends up restarting, at least when it returns, you know you’ll have truly accurate time. As an aside, receiving your network time from NTP servers on the Internet by passing NTP traffic through your perimeter firewall could lead to security problems; see this article from the SEI Blog for more details.
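Both checks above (knowing which source a time server is actually synchronized to, and knowing how far a clock has drifted from it) can be read out of a single NTP reply. The following is an added example, not code from the original article: function names are illustrative, the 2 ms tolerance is an assumption taken from the “couple of milliseconds” figure above, and the reply packet is constructed so the script runs offline.

```python
import socket, struct, time
NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix + NTP_DELTA)
    return struct.pack("!II", whole, int((unix + NTP_DELTA - whole) * 2**32))

def from_ntp(raw):
    whole, frac = struct.unpack("!II", raw)
    return whole - NTP_DELTA + frac / 2**32

def parse_reply(packet, t1, t4, tolerance=0.002):
    """t1/t4: client send/receive times. tolerance (s) is an assumed threshold."""
    if len(packet) < 48 or packet[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    leap, stratum, refid = packet[0] >> 6, packet[1], packet[12:16]
    t2, t3 = from_ntp(packet[32:40]), from_ntp(packet[40:48])  # server rx / tx
    if stratum == 1:   # primary server: refid is an ASCII clock code such as "GPS"
        source = refid.rstrip(b"\0").decode("ascii", "replace")
    else:              # secondary server: refid is the upstream's IPv4 address
        source = ".".join(str(b) for b in refid)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return {
        "stratum": stratum,
        "source": source,
        "synchronized": leap != 3 and 1 <= stratum <= 15,
        "offset": offset,                       # server clock minus client clock
        "delay": (t4 - t1) - (t3 - t2),         # round-trip network delay
        "within_tolerance": abs(offset) <= tolerance,
    }

def query(server, timeout=2.0):  # live SNTP query over UDP/123 (not run below)
    request = bytes([0x23]) + bytes(39) + to_ntp(time.time())  # VN 4, mode 3
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        packet, _ = s.recvfrom(512)
        return parse_reply(packet, t1, time.time())

def sample_reply(t2, t3, stratum=1, refid=b"GPS\0"):
    """Constructed reply: header, zeroed root delay/dispersion, refid, 4 timestamps."""
    header = struct.pack("!BBbb", 0x24, stratum, 6, -20)  # LI 0, VN 4, mode 4
    return header + bytes(8) + refid + to_ntp(t2) + bytes(8) + to_ntp(t2) + to_ntp(t3)

if __name__ == "__main__":
    reply = sample_reply(1700000002.510, 1700000002.511)  # client 2.5 s behind
    print(parse_reply(reply, t1=1700000000.000, t4=1700000000.021))
```

A stratum of 1 with a source of `GPS` is what a GPS-disciplined appliance reports; a stratum of 2 or higher with an IP address as the source means the server is relaying time from an upstream server.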
If your infrastructure is distributed across more than a single datacenter and your business or organization relies upon accurate synchronization between systems at different locations to ensure distributed application or control processes function properly, then you definitely don’t want to skimp on making sure you have accurate NTP time from the same types of sources at each location.
If your systems are air-gapped for reasons of high security and have no Internet connectivity, then using a GPS-based NTP time appliance can be essential.
The problem of where to put your antenna
If you decide you need accurate time and purchase an appliance like the TM 1000A from Time Machines or something similar, you may not be able to simply plug it into your network and go home happy. Because although such devices usually include a highly sensitive built-in GPS antenna, that built-in antenna may not work as expected inside a datacenter building. This is because of the radio frequency (RF) noise being generated by the CPUs and other stuff inside all the servers hosted in the datacenter. This RF noise generally covers some of the same frequency bands used by GPS, so it’s possible that the built-in antenna of your GPS-based NTP appliance may not be able to lock on to a GPS satellite if it’s located somewhere inside your datacenter. A simple way to verify this ahead of time is to walk around your datacenter with your cellphone open and running a GPS app.
The solution, of course, is to install a suitable antenna on the roof of the datacenter and then run a cable from there down into the building and connect it to the external antenna connector on your appliance. And by a “suitable” antenna, I mean one that is designed for outdoor use, is weatherproof, sturdily mounted, and properly grounded, and includes a low-noise amplifier, powered via the cabling, that allows you to run the necessary length of coaxial cable down into your building. Make sure also that you use proper coax cabling and not the thinner stuff, which is more lossy over the same distance.
Of course, this can also pose a different problem, namely that the datacenter facility management may refuse to let you install a GPS antenna on the roof of their building. This may not be simple unfriendliness on their part but instead can be a result of various fire and safety regulations the facility management company needs to adhere to.
As an aside, it’s probably best if you run your NTP appliance on a separate VLAN that includes only your domain controllers or other time-sensitive servers. Otherwise, should a network interruption occur, such as an unplanned power outage, it’s possible that the deluge of network traffic that typically occurs when everything suddenly comes back online could swamp the ability of the appliance to communicate time accurately to the servers.
And finally, it’s always worth checking first, even before you start looking into purchasing a GPS-based NTP server, to see whether the datacenter you use or rent space in already has a GPS-based reference clock available for use by their tenants!