NTP Design Stratum Numbers

I already posted about NTP in a Windows domain. I want to briefly talk about stratum numbers. I’ve been in environments where applications were picky when it came to those numbers. So what is the stratum number?

NTP uses the concept of a stratum to describe how many NTP hops a machine is away from an authoritative time source. Stratum 0 is the reference clock itself (a GPS receiver or atomic clock), stratum 1 is a server directly attached to that clock, stratum 2 is a server synchronized to a stratum 1 server, and so on; stratum 16 means the host is not synchronized at all. It's a bit like a routing protocol, but a lower hop count does not automatically win. The selection algorithm also weighs root delay and root dispersion (the accumulated latency and error back to the reference clock) and jitter when choosing the best time server, and a source whose root distance is too large is discarded even if it advertises a low stratum.
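To make the stratum and distance fields concrete, here is an added example (mine, not code from the original post) that decodes the relevant header fields of an NTPv4 server reply and applies a simplified version of the selection rule: sources that are unsynchronized, or whose advertised root distance exceeds ntpd's default 1.5 s threshold, are discarded, and the rest are ranked by stratum and root distance. The host names and replies are constructed for the example; ntpd's real selection, clustering and combining algorithms are more involved than this ranking.

```python
import struct
from dataclasses import dataclass

# 48-byte NTPv4 header: LI/VN/Mode, stratum, poll, precision, root delay (signed 16.16),
# root dispersion (unsigned 16.16), reference ID, then four 64-bit timestamps.
NTP_PACKET = struct.Struct("!BBbbiI4sQQQQ")
MAXDIST = 1.5  # ntpd's default distance threshold in seconds (RFC 5905 MAXDIST)


@dataclass
class NtpSample:
    name: str
    version: int
    leap: int
    stratum: int
    root_delay: float   # seconds
    root_disp: float    # seconds
    refid: str

    @property
    def root_distance(self) -> float:
        # Root distance as advertised by the server; the per-exchange delay,
        # dispersion and jitter terms ntpd adds are left out (simplification).
        return self.root_delay / 2 + self.root_disp

    @property
    def synchronized(self) -> bool:
        # Stratum 0 is unspecified/kiss-o'-death, 16 is unsynchronized,
        # and leap indicator 3 means the server's own clock is not synchronized.
        return 1 <= self.stratum <= 15 and self.leap != 3


def parse_ntp_response(name: str, data: bytes) -> NtpSample:
    """Decode the fields a client needs in order to judge a server reply."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _precision, root_delay, root_disp,
     refid, _ref_ts, _orig_ts, _recv_ts, _xmit_ts) = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    leap = li_vn_mode >> 6
    version = (li_vn_mode >> 3) & 0x7
    mode = li_vn_mode & 0x7
    if mode != 4:
        raise ValueError(f"expected a server reply (mode 4), got mode {mode}")
    if stratum <= 1:
        # Stratum 0/1: the reference ID is a four-character code such as GPS, PPS or a kiss code.
        refid_str = refid.decode("ascii", "replace").rstrip("\x00 ")
    else:
        # Stratum 2+: the IPv4 address of the upstream server (IPv6 upstreams use a hash instead).
        refid_str = ".".join(str(b) for b in refid)
    return NtpSample(name, version, leap, stratum, root_delay / 65536, root_disp / 65536, refid_str)


def build_ntp_response(stratum: int, root_delay: float, root_disp: float,
                       refid: bytes, leap: int = 0) -> bytes:
    """Construct a mode-4 (server) NTPv4 reply so the parser can be exercised offline."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20,
                           int(root_delay * 65536), int(root_disp * 65536),
                           refid.ljust(4, b"\x00"), 0, 0, 0, 0)


def select_best(samples):
    """Simplified ntpd-style choice: discard unsynchronized sources and anything whose
    root distance exceeds MAXDIST, then rank the rest by stratum and root distance."""
    usable = [s for s in samples if s.synchronized and s.root_distance <= MAXDIST]
    return min(usable, key=lambda s: (s.stratum, s.root_distance), default=None)


# Constructed replies from hypothetical hosts, not captured traffic.
SAMPLES = [
    parse_ntp_response("gps-ntp1", build_ntp_response(1, 0.0, 0.001, b"GPS")),
    # Stratum 1, but reached over a saturated WAN: root distance 1.6 s, beyond MAXDIST.
    parse_ntp_response("colo-gps", build_ntp_response(1, 2.6, 0.3, b"GPS")),
    parse_ntp_response("internal-ntp2", build_ntp_response(2, 0.012, 0.004, bytes([10, 0, 1, 5]))),
    # Kiss-o'-Death reply (stratum 0, kiss code RATE): never usable as a time source.
    parse_ntp_response("kod-rate", build_ntp_response(0, 0.0, 0.0, b"RATE")),
]

if __name__ == "__main__":
    for s in SAMPLES:
        usable = s.synchronized and s.root_distance <= MAXDIST
        print(f"{s.name:14} stratum={s.stratum:2} refid={s.refid:10} "
              f"rootdist={s.root_distance:.4f}s usable={usable}")
    print("selected:", select_best(SAMPLES).name)
```

Note that the colo stratum-1 server loses not to a lower-stratum competitor but to the sanity check: its root distance is too large, so the stratum-2 server on the LAN is chosen once the local GPS server is unavailable. That is the behaviour the text is describing when it says a lower hop count does not always win.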

Why is this important?

1. Security – log time-stamps will be inaccurate, so events cannot be correlated across hosts. This is very bad, especially during a breach investigation.
2. Troubleshooting – the same problem from the other side: good luck tracing an issue across systems whose clocks all disagree.
3. HIPAA and SOX compliance – both require accurate time-stamping of records.
4. 3rd party applications/services can stop working or work inefficiently.
5. Windows domain services can stop working or work inefficiently – if a domain goes out of sync, Kerberos authentication and access start failing. By default Kerberos tolerates at most 5 minutes of clock skew, so a member server more than 5 minutes off from the DC gets its requests rejected (KRB_AP_ERR_SKEW).
6. Network devices – HA pairs can fail to sync.

There's more to these but I won't list everything. NTP and time in your environment is something you need to pay attention to. The goal is to make sure your time is all synced up properly and to check the stratum numbers. You want the most reliable setup possible.

Below is an example of a design. You can see that NTP is not something you just ignore; it should be planned and designed out. At previous companies I've worked at, we always used GPS time servers internally. In the example below, I have one NTP server in the primary data center because we own it and have no issues mounting the GPS antenna outside. But let's say your DR site is in a colo where you can't put up a GPS antenna. In that case you pick another site you have where it is safe to put your second GPS NTP server.

[Figure: NTP stratum design diagram]
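As an added illustration of the two-site design above (my example, not a config from the original post; the host names, networks and the orphan stratum are assumptions), this is what the ntp.conf of an internal stratum-2 server at the primary site could look like. It pulls from both GPS appliances, peers with its counterpart at the DR site, and falls back to orphan mode at stratum 10 if both GPS sources are lost, so the environment stays internally consistent instead of every host drifting on its own.

```conf
# ntp1.example.com: internal stratum-2 server at the primary site (assumed names)
driftfile /var/lib/ntp/ntp.drift

# Stratum-1 GPS appliances: one on site, one at the second site we own
server gps-ntp1.example.com iburst prefer
server gps-ntp2.example.com iburst

# Symmetric peering with the DR-site stratum-2 server
peer ntp2.dr.example.com iburst

# If every stratum-1 source is lost, the internal servers elect an orphan at
# stratum 10 instead of dropping to stratum 16 and being ignored by clients
tos orphan 10

# Serve time to the internal network only; refuse modification and remote queries
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer

# Member servers and other clients then point at both internal servers, e.g.:
#   server ntp1.example.com iburst
#   server ntp2.dr.example.com iburst
```

To verify the result, `ntpq -p` on the server shows the stratum (the `st` column) and reference ID of each source, and on a Windows member `w32tm /query /status` shows the stratum and source the machine is actually using. If a stratum-2 server reports stratum 16 or an application sees a stratum higher than it expects, the chain back to the GPS clock is broken somewhere.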

I just want to finish with this: you'll be surprised how many environments don't have this correctly configured. Not too long ago I ran into it. Servers, network equipment, DMZs, all running different times with different time zones. This just comes from a lack of understanding of how NTP works and of its importance.
