Fix NTP on OS X with no external network access

NTP is built into all recent versions of OS X and OS X Server (and OS X with Server.app).

If you’re running a server, the other clients on the network can receive time updates from the server – but only if the server is able to update its time from an authoritative time server on the internet or another network.

If, as I was confronted with recently, you have a server and UDP Port 123 is blocked, then the server is unable to sync its time with any more authoritative time servers. If the server is unable to sync its clock, by default it refuses to give out time updates to network clients. How annoying.

With OpenDirectory, and its use of Kerberos, if workstations drift more than a few minutes from the server, bad things happen.

In this case, it is desirable to have all workstations sync their time to the server. Even if the time on the server isn’t completely accurate, it’s still better that all computers on the network at least agree what they think the time is, rather than having them all showing different times.

In order to do this, the NTP service running on the server must be told that it is a stratum time server. Stratum time servers are authoritative with respect to what time it is. Normally, they’re connected to a highly accurate atomic clock or get an accurate time from GPS signals.

To tell our OS X server that it’s a stratum time server, edit /etc/ntp.conf and put in the following two lines. Note that 127.127.1.0 is not a typo; it’s not meant to be 127.0.0.1. It is the pseudo-address ntpd uses for its local clock driver.

server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

This then tells the ntpd service on the server that it’s a Stratum 10 time server. Lower stratum numbers mean higher priority and higher accuracy, so saying we’re at Stratum 10 means that if we do end up talking to a real NTP server, it will be at a lower stratum than our local clock (and will therefore take priority over it).

Restart the ntp service with sudo killall -HUP ntpd

Point the network clients to the server and in very short order, they should have their clocks synchronised.
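To confirm the change from a client's point of view, the following is an added example (not code from the original post) that decodes the NTP reply header fields a client checks before accepting a server. The function names and the two sample packets are constructed for illustration; pass the server's hostname as an argument to query a live server.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def parse_ntp_reply(packet):
    """Decode the header fields a client checks before trusting a server."""
    if len(packet) < 48:
        raise ValueError("NTP reply must be at least 48 bytes")
    flags, stratum = packet[0], packet[1]
    leap, version, mode = flags >> 6, (flags >> 3) & 7, flags & 7
    tx_seconds = struct.unpack("!I", packet[40:44])[0]
    # An ntpd with no sync source answers with leap=3 (alarm) and stratum 0;
    # clients discard such replies, which is the refusal described above.
    usable = mode == 4 and leap != 3 and 1 <= stratum <= 15 and tx_seconds != 0
    return {"leap": leap, "version": version, "mode": mode, "stratum": stratum,
            "unix_time": tx_seconds - NTP_EPOCH_OFFSET, "usable": usable}

def query(host, timeout=2.0):
    """Send one client request (LI=0, VN=4, mode=3) to UDP 123 and decode it."""
    request = b"\x23" + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
    return parse_ntp_reply(reply)

def build_sample(leap, stratum, tx_seconds):
    """Constructed 48-byte server reply (version 4, mode 4) for offline use."""
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum, 6, 0xEC])
    return header + bytes(36) + struct.pack("!II", tx_seconds, 0)

# Constructed samples, both stamped 2024-01-01 00:00:00 UTC.
SAMPLE_UNSYNCED = build_sample(3, 0, 3913056000)  # before the ntp.conf change
# ntpd advertises one stratum above its reference clock, so a local clock
# fudged to stratum 10 is seen by clients as stratum 11.
SAMPLE_LOCAL_CLOCK = build_sample(0, 11, 3913056000)

if __name__ == "__main__":
    for name, pkt in (("unsynchronised", SAMPLE_UNSYNCED),
                      ("local clock", SAMPLE_LOCAL_CLOCK)):
        print(name, parse_ntp_reply(pkt))
    if len(sys.argv) > 1:  # optional: hostname of the server to check
        print(sys.argv[1], query(sys.argv[1]))
```

A reply with "usable" set to False means clients will keep ignoring the server; after the ntp.conf change it can take a few minutes for ntpd to select the local clock and start answering with a usable stratum.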

 

This article was posted by Kai Howells. If you liked this content and have any technical work in the Melbourne area, say hello via my contact form or give me a call on 0419 361 653 - I cover most of the greater Melbourne area and my rates are competitive.
