OS X Server as NTP server

Ok I finally managed to solve this. First a summary of the issue.

OS X - both client and server include the standard ntpd software which can act as an NTP time server. It is common practice on larger networks i.e. anything bigger than a home network to nominate an internal server as your internal NTP server and then have that NTP server sync itself to two or more external higher stratum NTP servers. As a reminder directory services like Open Directory and Active Directory or more specifically Kerberos require that all the clocks of the computers on the network be within five minutes accuracy of each other.

A lot of people will either just leave their client Macs pointing directly to Apple's free NTP servers, or may have gotten as far as setting up a Mac as an NTP server and then pointing their clients to it. I had been able to setup a Mac server as an NTP server internally on our main network and it in turn was syncing to Apple's NTP server. An example guide on how to setup a Mac as an internal NTP server is here https://macmule.com/2013/12/15/how-to-use-osx-server-as-a-time-server/

The problem arose when I tried to do this on our other ultra-secure network which does not have an Internet connection at all. With no Internet connection the Mac server itself had no source to which it could sync, without a source to sync to it would not allow any clients to sync to it. This is as far as I got before I posted this original query. The above article does not cope with this situation.

I have now managed to find the solution. In a similar situation some larger organisations solve this by connecting a GPS clock to the server and configuring that as the the NTP source for their server. The ntpd server by having this as a valid time source is then happy to itself serve to client computers. I could have done this but it would have involved buying a GPS clock and all the hassle of trying to get that working with a Mac. I did however find that there is a way to define a local computer clock - literally something referred to as a LCL. See http://www.ntp.org/ntpfaq/NTP-s-refclk.htm

To cut a long story short, one needs to define a special local address for the Mac server to use its own clock as its own local clock source. This is done by adding the following two lines to /etc/ntp.conf on your server.

server 127.127.1.1

fudge 127.127.1.1 stratum 10

You then need to reload the ntpd process on the Mac server so it is forced to reread this preference file. I did this by force-quitting via Activity Monitor the ntpd process(es) but using the kill command or using launchctl are other methods.

Then all you need to do is point your client computers to your own internal NTP server.

My original purpose of doing this was to have an NTP server on Macs that had no Internet access. Therefore the Stratum level is irrelevant since the only available NTP servers are the Macs.

I point the Mac clients to one of the two Mac NTP servers in System Preferences and then on the Mac clients I can use the command

ntpd -q

to force them to sync to the Mac NTP server. I typically do this using Apple Remote Desktop Admin and sending the command to all the client Macs at the same time.

Note: Using ntpd -q is only done to force an immediate sync, they will otherwise as normal sync when booted etc. I use ntpd -q when I adjust the clocks on the two Mac NTP servers. Because they themselves cannot sync to a real clock they drift and if anything drift a lot faster than normal because each amplifies the others drift. Since they are the OD servers as long as they and all the clients are in sync the fact they are inaccurate is a lesser issue.

I have looked at similar articles to the one you link to and this is my source for the need to modify /etc/ntp-restrict.conf however /etc/hostconfig no longer exists with Yosemite and Server 4.1 Apple now exclusively use launchctl and I believe the appropriate one in this case is /System/Library/LaunchDaemons/org.ntp.ntpd.plist if I try loading it it says it is already loaded and running Activity Monitor shows an ntpd process already running.

My suspicion is that if the ntpd process cannot communicate with a parent ntp server then it will not accept requests from ntp clients. Remember my server is not connected to the Internet.

Hmm, /dev/cu.usbserial looks like an entry for a USB serial port to me. I know that ntpd can be configured to use an external GPS device connected via a serial and hence USB to serial connection but I did not think my two lines would have triggered that.

I have not yet upgraded my OD server to El Capitan so I have not yet seen this myself.

Apple want apps to run in a 'sandbox' whereby an individual app cannot interfere with another app or the operating system, this prevents an app contain malware from being able to spread. See https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSan dboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html

I presume you created a hard symbolic link rather than a soft one?

The fact you have an entry of /dev/cu.usbserial suggests you have a USB to serial adapter connected, what make and model? We can check it has an El Capitan compatible driver. You could also try using a serial port program to talk to it to see if it can communicate with the GPS device.

See https://www.decisivetactics.com/products/serial/

http://www.emtec.com/zoc/features.html

there is even a builtin program you can run via Terminal.app called screen

e.g.

screen /dev/cu.usbserial 9600