Configure Time
Service Clients

Configure time service clients

CIS126RH | RHEL System Administration 1
Mesa Community College

Accurate system time is essential for log correlation, Kerberos authentication, TLS certificate validation, scheduled jobs, and distributed system coordination. RHEL 9 uses chronyd as its default NTP client — a modern, efficient implementation that handles network latency and clock drift precisely. This module covers configuring chronyd to synchronise with specific NTP servers, verifying synchronisation status, and managing time zones with timedatectl. These skills are tested on the RHCSA exam.

Learning Objectives

Explain why accurate time matters and how NTP works — Describe the role of NTP in distributed systems and the stratum hierarchy that determines time source quality
Configure chronyd to use specific NTP servers — Edit /etc/chrony.conf to add or replace NTP server entries and restart the service to apply changes
Verify time synchronisation status — Use chronyc sources, chronyc tracking, and timedatectl to confirm the system is synchronised
Manage time zones — Use timedatectl to display, list, and set the system time zone

Why Accurate Time Matters

System time affects more services than most administrators realise. Even small clock drift can break critical functionality.

Kerberos authentication — tickets are rejected if the clock difference between client and server exceeds 5 minutes; skewed clocks prevent login
TLS/SSL certificates — validity periods are enforced against current time; a wrong clock causes valid certificates to appear expired or not yet valid
Log correlation — entries from multiple servers must be compared by timestamp; skewed clocks make incident investigation impossible
Cron and systemd timers — jobs scheduled for a specific time run at the wrong real-world moment if the clock is wrong
Databases and distributed systems — transactions, replication, and consistency mechanisms depend on reliable timestamps

NTP (Network Time Protocol) solves clock drift

Without NTP, hardware clocks drift by seconds per day. Over weeks, a server can be minutes off. NTP continuously measures and corrects clock drift by comparing the local clock against trusted time sources on the network.

NTP and the Stratum Hierarchy

NTP organises time sources into strata — layers indicating how many hops from an authoritative clock a source is.

Stratum 0 — atomic clocks, GPS receivers, radio time signals (not directly networked; connected to stratum 1 servers)
Stratum 1 — servers directly connected to a stratum 0 source; national time servers (time.nist.gov, time.google.com)
Stratum 2 — servers synchronised from stratum 1; most pool.ntp.org servers
Stratum 3 and beyond — servers synchronised from stratum 2, etc.; quality degrades slightly with each hop
Stratum 16 — unsynchronised; a stratum 16 source should not be used

Lower stratum = closer to authoritative source

A stratum 2 server is a better time source than a stratum 4 server. In enterprise environments, organisations often run their own internal NTP server (stratum 3 or 4) that all internal clients synchronise with, rather than having every server reach out to the internet.

chronyd: The RHEL 9 Time Service

chronyd is the NTP implementation used on RHEL 9. It is more accurate than the older ntpd and handles intermittent network connectivity better.

# Check if chronyd is installed and running
$ rpm -q chrony
chrony-4.3-1.el9.x86_64

$ systemctl status chronyd
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
     Active: active (running) since Mon 2026-05-25 07:00:00 MST

# Install if needed (usually pre-installed)
$ sudo dnf install -y chrony
$ sudo systemctl enable --now chronyd

# chronyd configuration file
$ cat /etc/chrony.conf
pool 2.rhel.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony

chronyd vs ntpd

chronyd is the RHEL 9 default. The older ntpd is not recommended on RHEL 9. Do not run both simultaneously — they conflict. chronyd handles virtual machine clock jumps and intermittent connectivity better than ntpd.

Configuring NTP Servers in chrony.conf

The primary configuration file is /etc/chrony.conf. Add or replace server entries to point chronyd at specific NTP servers.

# View the current configuration
$ cat /etc/chrony.conf

# Edit the configuration
$ sudo vim /etc/chrony.conf

# Three ways to specify a time source:

# pool — use multiple servers from a named pool (round-robin DNS)
pool 2.rhel.pool.ntp.org iburst

# server — use one specific NTP server
server classroom.example.com iburst

# peer — treat another host as a time peer (bidirectional)
peer timeserver.internal.example.com

# iburst — send multiple packets at startup for faster initial sync
# prefer — prefer this source over others
server time.cloudflare.com iburst prefer

# Restart chronyd after any change to chrony.conf
$ sudo systemctl restart chronyd

RHCSA exam pattern for NTP configuration

The exam task is: add or replace the NTP server entry in /etc/chrony.conf, then restart chronyd, then verify with chronyc sources.

Complete Configuration: Replacing the Default Server

The exam scenario: replace the default pool with a specific internal NTP server at classroom.example.com.

# Step 1: Edit /etc/chrony.conf
$ sudo vim /etc/chrony.conf

# Comment out or delete the existing pool line:
# pool 2.rhel.pool.ntp.org iburst

# Add the new server line:
server classroom.example.com iburst

# Step 2: Restart chronyd to apply the change
$ sudo systemctl restart chronyd

# Step 3: Verify — check that the new server appears in sources
$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* classroom.example.com         2   6    37    23   +125us[+234us] +/-  876us

# Step 4: Confirm chronyd is still running after restart
$ systemctl is-active chronyd
active

Verifying Synchronisation: chronyc sources

chronyc sources shows all configured NTP sources and their synchronisation status — the primary verification command.

$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* classroom.example.com         2   6    77    45   -123us[-456us] +/-  987us
^+ time.google.com               1   7    77    31   +234us[+234us] +/-    5ms
^- 192.168.1.1                   3   8    77   122   +5ms[+5ms]     +/-   10ms

# Verbose output — includes more detail per source
$ chronyc sources -v
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined.
| / .- Stratum   'x' = may be in error, '~' = too variable.
MS Name/IP address         Stratum Poll Reach LastRx Last sample

Column / Symbol	Meaning
`^` (mode)	Server (source type)
`*` (state)	Currently selected synchronisation source — best source in use
`+` (state)	Acceptable source, combined with the selected source
`-` (state)	Acceptable but not currently used
`?` (state)	Lost contact with this source
Reach	Octal bitmask of last 8 polls — 377 = all 8 successful
Last sample	Clock offset between local clock and this source

chronyc tracking: Detailed Status

chronyc tracking shows detailed statistics about how well the local clock is synchronised — the quantitative companion to sources.

$ chronyc tracking
Reference ID    : C0A80101 (classroom.example.com)
Stratum         : 3
Ref time (UTC)  : Mon May 25 14:00:00 2026
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000123456 seconds
RMS offset      : 0.000234567 seconds
Frequency       : 2.345 ppm fast
Residual freq   : +0.012 ppm
Skew            : 0.456 ppm
Root delay      : 0.001234567 seconds
Root dispersion : 0.000456789 seconds
Update interval : 64.2 seconds
Leap status     : Normal

Field	Meaning
Reference ID	The NTP server the system is synchronised to
Stratum	The local system's stratum level (one more than the reference)
System time	Current offset from NTP time — ideally microseconds
Leap status	Normal = all good; Unsynchronised = not synced

timedatectl: The System Time Interface

timedatectl is the systemd tool for viewing and setting system time, time zone, and NTP synchronisation status.

# Show current time, date, time zone, and NTP status
$ timedatectl
               Local time: Mon 2026-05-25 14:00:00 MST
           Universal time: Mon 2026-05-25 21:00:00 UTC
                 RTC time: Mon 2026-05-25 21:00:00
                Time zone: America/Phoenix (MST, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

# Check NTP synchronisation status specifically
$ timedatectl | grep "synchronized"
System clock synchronized: yes

# Set the system time manually (only when NTP is disabled)
$ sudo timedatectl set-time "2026-05-25 14:30:00"

# Enable or disable NTP synchronisation
$ sudo timedatectl set-ntp true
$ sudo timedatectl set-ntp false

timedatectl shows both synchronisation and time zone

System clock synchronized: yes confirms NTP is working. The Time zone line shows the current setting. Both are commonly tested on the RHCSA exam.

Managing Time Zones

timedatectl manages the system time zone — the mapping between UTC (always used internally) and the local time displayed to users.

# Show the current time zone
$ timedatectl | grep "Time zone"
                Time zone: America/Phoenix (MST, -0700)

# List all available time zones
$ timedatectl list-timezones
Africa/Abidjan
Africa/Accra
...
America/Chicago
America/Denver
America/Los_Angeles
America/New_York
America/Phoenix
...

# Filter the list
$ timedatectl list-timezones | grep America
$ timedatectl list-timezones | grep UTC

# Set the time zone
$ sudo timedatectl set-timezone America/New_York
$ sudo timedatectl set-timezone UTC
$ sudo timedatectl set-timezone Europe/London

# Verify
$ timedatectl | grep "Time zone"
                Time zone: America/New_York (EDT, -0400)

Hardware Clock (RTC) and UTC

The Real-Time Clock (RTC) is the battery-backed hardware clock that keeps time when the system is powered off. It should always be set to UTC on Linux systems.

# View hardware clock status
$ timedatectl | grep RTC
                 RTC time: Mon 2026-05-25 21:00:00
              RTC in local TZ: no
# RTC in local TZ: no = RTC stores UTC (correct)
# RTC in local TZ: yes = RTC stores local time (problematic on multi-boot)

# Sync the hardware clock from the system clock
$ sudo hwclock --systohc

# Sync the system clock from the hardware clock
$ sudo hwclock --hctosys

# Show hardware clock time directly
$ sudo hwclock --show
2026-05-25 21:00:00.456789+00:00

# View the /etc/localtime symlink (shows current timezone file)
$ ls -la /etc/localtime
lrwxrwxrwx. 1 root root 38 May 25 07:00 /etc/localtime
    → ../usr/share/zoneinfo/America/Phoenix

Forcing Immediate Synchronisation

After changing NTP servers or when the clock is significantly wrong, force an immediate synchronisation rather than waiting for chronyd's normal interval.

# Force chronyd to step the clock immediately (requires root)
$ sudo chronyc makestep
200 OK

# Force chronyd to check all sources immediately
$ sudo chronyc burst 4/4
200 OK

# Alternatively: restart chronyd to trigger fast initial sync (iburst)
$ sudo systemctl restart chronyd

# Check synchronisation status immediately after
$ chronyc tracking
...
System time     : 0.000001234 seconds fast of NTP time
...
Leap status     : Normal

# View chronyd activity log
$ sudo journalctl -u chronyd --since "5 minutes ago"
May 25 14:00 chronyd[872]: Selected source 192.168.1.254
May 25 14:00 chronyd[872]: System clock was stepped by -0.5 seconds

Time Management Quick Reference

Task	Command
Show current date, time, zone, NTP status	`timedatectl`
Check if system clock is synchronised	`timedatectl \| grep synchronized`
List available time zones	`timedatectl list-timezones`
Set time zone	`sudo timedatectl set-timezone REGION/CITY`
Enable NTP synchronisation	`sudo timedatectl set-ntp true`
Edit NTP server configuration	`sudo vim /etc/chrony.conf`
Restart chronyd after config change	`sudo systemctl restart chronyd`
Check chronyd service status	`systemctl status chronyd`
Show NTP sources and sync state	`chronyc sources`
Show NTP sources verbosely	`chronyc sources -v`
Show detailed sync statistics	`chronyc tracking`
Force immediate clock step	`sudo chronyc makestep`
View chronyd log	`sudo journalctl -u chronyd`

chrony.conf Key Directives

Directive	Purpose	Example
`pool`	Use multiple servers from a DNS pool name	`pool 2.rhel.pool.ntp.org iburst`
`server`	Use a single specific NTP server	`server 192.168.1.254 iburst`
`peer`	Bidirectional time exchange with another host	`peer timeserver.lan`
`iburst`	Send burst of packets at startup for fast initial sync	(option on pool/server lines)
`prefer`	Prefer this source over others when both are available	`server ntp1.lan iburst prefer`
`driftfile`	Store clock drift data persistently	`driftfile /var/lib/chrony/drift`
`makestep`	Allow large one-time clock step at startup	`makestep 1.0 3`
`rtcsync`	Keep hardware clock in sync with system clock	`rtcsync`
`allow`	Allow other hosts to sync from this server	`allow 192.168.1.0/24`
`local stratum`	Serve time from local clock when no NTP available	`local stratum 10`

Common Mistakes

Mistake	What goes wrong	Correct approach
Editing chrony.conf but not restarting chronyd	chronyd keeps using the old server in memory — changes have no effect	Always run `sudo systemctl restart chronyd` after any change to chrony.conf
Not verifying synchronisation after changing servers	Task appears complete but chronyd may not be reaching the new server	Run `chronyc sources` and confirm `*` appears next to the new server
Confusing "NTP service: active" with "System clock synchronized: yes"	chronyd may be running but not yet synchronised — service active ≠ clock synced	Check both lines in `timedatectl` output; `synchronized: yes` is what matters
Setting the time zone to an offset (e.g. UTC+5) instead of a region name	UTC+5 does not exist in the IANA timezone database — command fails	Use region/city names: `Asia/Karachi`, not `UTC+5`
Running both ntpd and chronyd simultaneously	Two NTP daemons conflict — clock becomes unstable or one fails to start	Use only chronyd on RHEL 9 — stop and disable ntpd if present
Forgetting iburst when adding a server entry	Initial synchronisation is slow — takes many minutes instead of seconds	Always append `iburst`: `server classroom.example.com iburst`

Knowledge Check

Answer these before moving to the next slide.

The exam task says: "Configure the system to use classroom.example.com as its NTP time source." Write the three steps to complete this task.
After completing the NTP configuration, what command do you run to verify the system is actually synchronising from the new server? What symbol in the output confirms the selected source?
Write the command to check whether the system clock is currently synchronised, and identify which field in the output confirms synchronisation.
What does NTP service: active in timedatectl output mean, and is it sufficient to confirm time synchronisation?
Write the commands to: (a) list all available time zones for the Americas, and (b) set the system time zone to America/Chicago.
A student adds a server line to /etc/chrony.conf but chronyc sources still shows the old pool server with a *. What did the student forget, and what is the fix?

Knowledge Check — Answers

1. sudo vim /etc/chrony.conf — comment out any existing pool/server lines and add: server classroom.example.com iburst
2. sudo systemctl restart chronyd — apply the configuration change
3. chronyc sources — verify the new server appears with a *
chronyc sources — the * symbol in the second column confirms the selected (currently active) synchronisation source. A source with no * or showing ? means synchronisation has not been established.
timedatectl — look for the line System clock synchronized: yes. The "yes" value confirms the clock is synchronised. Also accept timedatectl | grep synchronized.
NTP service: active means the chronyd daemon is running. It does not confirm that the clock is synchronised — the service may be running but unable to reach any NTP server. The confirming field is System clock synchronized: yes.
(a) timedatectl list-timezones | grep America
(b) sudo timedatectl set-timezone America/Chicago
The student forgot to restart chronyd after editing the config file. chronyd reads /etc/chrony.conf only at startup — it continues using the configuration loaded in memory. Fix: sudo systemctl restart chronyd, then verify with chronyc sources.

Key Takeaways

chronyd is the RHEL 9 NTP client — configured in /etc/chrony.conf. Use the server NAME iburst directive for a specific NTP server. Use pool NAME iburst for a pool of servers. Always restart chronyd after editing the config: sudo systemctl restart chronyd.
Verify with chronyc sources — look for the * symbol. The * in the second column indicates the active synchronisation source. No * means not synchronised. Use chronyc tracking for quantitative offset and drift statistics.
timedatectl shows both NTP status and the time zone. System clock synchronized: yes confirms NTP is working. NTP service: active only confirms chronyd is running — not that it is synchronised. Use timedatectl set-timezone REGION/CITY to change the time zone.
Time zone names use IANA Region/City format. List available zones with timedatectl list-timezones. Set with sudo timedatectl set-timezone America/New_York. The system always stores time internally as UTC — the time zone affects only display.

Graded Lab

Run timedatectl to record the current time zone, NTP service status, and synchronisation state. Run chronyc sources to identify the current NTP source and note whether the * symbol is present.
Edit /etc/chrony.conf: comment out the existing pool line and add server classroom.example.com iburst (or the NTP server provided by your instructor). Save the file.
Restart chronyd with sudo systemctl restart chronyd. Immediately run chronyc sources and observe the output — the new server should appear. Wait 30 seconds and run it again to see the * appear as synchronisation is established.
Run chronyc tracking and record the System time offset and Leap status. Run timedatectl and confirm System clock synchronized: yes.
Run timedatectl list-timezones | grep America to find a time zone different from your current one. Set it with sudo timedatectl set-timezone ZONE. Verify with timedatectl. Then restore your original time zone.
Run sudo chronyc makestep to force an immediate clock correction. Check sudo journalctl -u chronyd --since "2 minutes ago" to see the log entry recording any clock step that was applied.

RHCSA Objective

"Configure time service clients." Edit /etc/chrony.conf to add the NTP server. Restart chronyd. Verify with chronyc sources (* symbol) and timedatectl (synchronized: yes).

Next: Getting Help from Local Documentation

Configure TimeService Clients