Most of the Macs I support are mobile, and it seems that around the release of the “Unibody MacBook Pro” Apple stopped shipping Macs with a battery that would keep the Mac's time even when the Mac's main battery had died.
This means that if a Mac's battery dies while travelling to another office, the user would not be able to log in once there, as the time would be more than 5 minutes out. Also, we heavily use SSL to secure things like our wireless and many websites (JSS distribution points included).
So the solution was for me to set up my own NTP server, one that would both sync with my domain's NTP and be externally accessible for those mobile users on the road.
I’ve posted How To: Set a Macs Time Server, How To: Sync Time With NTP via Script & How To: Check Your Active Directory Domains Time. They all came about when first looking at this issue; this last post in the series will use all those posts.
- Before we start, we need UDP port 123 open from clients to server.
- Now we need to figure out our domain's primary NTP by using: How To: Check Your Active Directory Domains Time. (We’re using the domain's primary NTP as we’ll be sharing it with clients, and whilst we could use the same external source as our domain's primary NTP, we could have an issue if we drift due to some communication issues.)
- So with the domain's primary NTP discovered, set this as the NTP on the OSX Server you’ll be using as an NTP server via How To: Set a Macs Time Server, or just manually type it into the time server field in the Date & Time preference pane in System Preferences.
- Once set, unload the ntp plist:
sudo launchctl unload /System/Library/LaunchDaemons/org.ntp.ntpd.plist
- Now we need to edit the file /etc/ntp-restrict.conf. I normally use nano for this sort of thing:
sudo nano /etc/ntp-restrict.conf
The file should look like the below:
We’re looking at removing the “noquery” from the 1st two restrict lines as shown below:
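This will allow clients to query the NTP server. In ntpd, noquery is the flag that denies ntpq and ntpdc queries, so with it removed an externally reachable server answers those queries from any host the restrict lines match. There is much more you can do with this file, but I just wanted my Macs to be able to use my Mac server as an NTP server from anywhere.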
- Now restart ntp:
sudo launchctl load /System/Library/LaunchDaemons/org.ntp.ntpd.plist
- Now, patience: give it time (pun intended). The service can take a few minutes to start serving time. To verify, use the method outlined in: How To: Sync Time With NTP via Script.
sudo ntpdate -u $NTPServer
If you try the above too early, you get a response like:
15 Dec 22:35:10 ntpdate: no server suitable for synchronization found
But after 3-4 minutes you should get a response like the one below. This is the client updating its time with the NTP and showing the offset:
15 Dec 22:35:42 ntpdate: adjust time server 10.1.1.2 offset -0.000133 sec
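
The verification step above as a reusable script, added here as an example and not part of the original post: it polls with ntpdate -q (query only, the local clock is left alone) until the server stops returning "no server suitable", then checks the reported offset against the 5-minute limit. The function names, retry count and delay are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes ntpdate is installed.
MAX_SKEW=300   # seconds: the 5-minute login tolerance the post mentions

# Classify one line of ntpdate output.
# Prints "ok <offset>", "skewed <offset>", "not-ready" or "unparsed".
classify_ntpdate() {
    line=$1
    case $line in
        *"no server suitable for synchronization found"*)
            echo "not-ready"; return 0 ;;
    esac
    # Pull out the signed number between "offset" and "sec"
    offset=$(printf '%s\n' "$line" |
        sed -n 's/.*offset \(-\{0,1\}[0-9][0-9.]*\) sec.*/\1/p')
    [ -n "$offset" ] || { echo "unparsed"; return 0; }
    # awk handles the floating-point comparison on the absolute value
    printf '%s\n' "$offset" | awk -v max="$MAX_SKEW" '{
        a = ($1 < 0) ? -$1 : $1
        print ((a <= max) ? "ok " : "skewed ") $1
    }'
}

# Poll the server until it serves time.
# Returns 0 = serving and within tolerance, 2 = serving but this client
# is more than MAX_SKEW seconds out, 1 = still not ready after all tries.
# Usage: wait_for_ntp <server> [tries] [delay-seconds]
wait_for_ntp() {
    server=$1; tries=${2:-10}; delay=${3:-30}
    i=1
    while [ "$i" -le "$tries" ]; do
        # -q: query only; -u: unprivileged source port, as in the post
        last=$(ntpdate -q -u "$server" 2>&1 | tail -n 1)
        result=$(classify_ntpdate "$last")
        case $result in
            ok*)     echo "$server is serving time: $result"; return 0 ;;
            skewed*) echo "$server answers, client is over ${MAX_SKEW}s out: $result"
                     return 2 ;;
        esac
        echo "attempt $i/$tries: $server not ready, retrying in ${delay}s" >&2
        sleep "$delay"
        i=$((i + 1))
    done
    return 1
}
```

With the defaults, wait_for_ntp 10.1.1.2 retries for about five minutes, which covers the 3-4 minute start-up delay described above.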