Wednesday, September 25, 2013

Basic NTP configuration

The NTP basics are indeed quite simple, but the problem is that its on-line documentation is so verbose about its flexibility and features that a simple setup task can turn out to be quite complex, or almost a mystery.

So, let's try to demystify this once and for all. For the sake of simplicity, assume a client/server setup on a private network operating in the so-called orphan mode, that is, when a subnet becomes isolated from all UTC sources.

The following figure provides the big picture of the scenario I assume, but I'll just exemplify the configuration of a single orphan server and a single "general" client:


In Solaris 11, the service (svc:/network/ntp:default) is already installed by default; just configure and enable it (as shown below). In Solaris 10, depending on the software cluster selected upon system installation, you may need to install the additional packages SUNWntp4u and SUNWntp4r to get the service (svc:/network/ntp4:default). Anyway, on both Solaris versions the configuration file resides at /etc/inet/ntp.conf and both make use of /var/ntp, but only Solaris 11 automatically creates the /var/ntp/ntpstats subdirectory.

The 1st Solaris 11 server (192.168.1.10) configuration is:

server-A $ cat /etc/inet/ntp.conf
tos orphan 5
restrict default ignore
restrict 192.168.1.200 nopeer nomodify

server-A # svcadm enable ntp

The general Solaris 11 client (192.168.1.200) configuration is:

client $ cat /etc/inet/ntp.conf
server 192.168.1.10 iburst
driftfile /var/ntp/ntp.drift

client # svcadm enable ntp

Now, putting management into perspective, it may not be a good idea to declare every single client one by one in each server's configuration, nor to use IP addresses instead of DNS names. Thus, a better approach is probably to specify subnets of clients and to use DNS names where possible:

server-A $ cat /etc/inet/ntp.conf
tos orphan 5
restrict default ignore
restrict 192.168.1.0 mask 255.255.255.0 nopeer nomodify
# The following DNS name could be a CNAME.
restrict ntp-management nopeer

client $ cat /etc/inet/ntp.conf
server server-A iburst
driftfile /var/ntp/ntp.drift
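To see which restrict flags actually apply to a given client under a configuration like the one above, here is a small checker I've added to this post (it is not Solaris or ntpd code). It assumes ntpd's rule that the most specific matching restrict entry wins, and uses a constructed config with literal addresses in place of the DNS names.

```python
import ipaddress

# Constructed sample modelled on the server config above; "ntp-management"
# is replaced by a literal host address since name resolution is out of scope.
SERVER_CONF = """
tos orphan 5
restrict default ignore
restrict 192.168.1.0 mask 255.255.255.0 nopeer nomodify
restrict 192.168.1.50 nopeer
"""


def parse_restrict(conf):
    """Return [(network, flags)] for each 'restrict' line; 'default' is 0.0.0.0/0."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        addr, rest = parts[1], parts[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{addr}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(f"{addr}/32")  # bare address = one host
        rules.append((net, frozenset(rest)))
    return rules


def effective_flags(rules, client_ip):
    """Flags ntpd would apply: the longest-prefix (most specific) matching entry."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, flags) for net, flags in rules if ip in net]
    if not matches:
        return frozenset()
    _, flags = max(matches, key=lambda m: m[0].prefixlen)
    return flags


if __name__ == "__main__":
    rules = parse_restrict(SERVER_CONF)
    for ip in ("192.168.1.200", "192.168.1.50", "10.0.0.5"):
        print(ip, sorted(effective_flags(rules, ip)))
```

An empty flag set means the client may query, modify and peer; a set containing "ignore" means every packet from it is dropped, which is what "restrict default ignore" does for addresses outside the listed subnet.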


By the way, this NTP configuration uses UDP port 123 (just in case you have to consider proxies and firewalls in a large intranet with many subnets).
  
And that's all the basics!
 
Now, if you'd like some central servers to sync to official time, then in their configuration it will be necessary to set the server entries to trusted external servers like the following (XX is to be replaced by the country code, assuming it's a valid DNS name):

server 0.XX.pool.ntp.org iburst
server 1.XX.pool.ntp.org iburst
server 2.XX.pool.ntp.org iburst

Then, on these central servers, it should be possible to get something like:

$ ntpq -p
     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
 0.xx...         ...              2 u     -   64     1  240.804  24.294   1.276
*1.xx...         ...              2 u     1   64     1   18.877  19.514   2.229
 2.xx...         ...              2 u     -   64     1   19.167  19.276   2.177