Active Directory · Time Sync

Chrony

A practical introduction to Chrony, the Linux time synchronization service used to keep servers accurate, stable, and reliable in environments where Kerberos, logs, certificates, and authentication depend on correct time.

Quick idea: Chrony keeps Linux system time accurate by continuously comparing the local clock against trusted NTP sources and correcting drift before it becomes a problem.

chronyd

The background daemon that keeps the system clock synchronized.

chronyc

The command-line tool used to check status, sources, tracking, and health.

Kerberos

AD authentication depends on time accuracy. Large clock skew can break logins.

What Is Chrony?

Chrony is a modern implementation of the Network Time Protocol for Linux systems. It is commonly used on RHEL-family systems, including Red Hat Enterprise Linux, Oracle Linux, Rocky Linux, AlmaLinux, CentOS, and Fedora.

Think of Chrony as the service running quietly in the background, checking reliable upstream time sources and making small corrections to keep the local server clock accurate.

Chrony has two main components: chronyd, the daemon that performs the actual synchronization, and chronyc, the command-line tool used to query and control it.

Ubuntu note: On Ubuntu, the default time service depends on the version. Older Ubuntu releases may use systemd-timesyncd unless Chrony is installed separately.

Why Chrony Instead of Older ntpd?

Chrony is preferred on many modern Linux servers because it handles real-world clock problems better than older time synchronization tools.

Fast Sync

Synchronizes quickly after boot, network reconnection, or VM resume.

VM Friendly

Handles clock drift caused by VM pauses, snapshots, and migrations.

Reliable

Works well even with intermittent networks by tracking clock drift over time.

This matters especially in virtual environments. A VM can drift when it is paused, snapshotted, migrated, or resumed. Chrony is designed to recover cleanly from these situations.

Why Active Directory Cares About Time

Time synchronization is not just a Linux administration topic. It matters directly in Active Directory environments because Kerberos depends on closely synchronized clocks.

If a Linux server joins an AD domain, authenticates against AD, uses Kerberos, mounts SMB shares, or talks to domain services, time drift can cause authentication failures even when the username, password, DNS, and network are all correct.

Important: Kerberos is time-sensitive. If the Linux host and Domain Controller drift too far apart, authentication can fail.

Chrony Configuration

On RHEL-family systems, the main Chrony configuration file is usually /etc/chrony.conf. On Debian and Ubuntu-based systems, it may be /etc/chrony/chrony.conf.

# /etc/chrony.conf

server ntp1.company.internal iburst
server ntp2.company.internal iburst
server ntp3.company.internal iburst

driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync

logdir /var/log/chrony

# Only use this if the server is also providing NTP to clients
# allow 10.10.0.0/16

Line | Purpose
server ... iburst | Defines upstream NTP sources. The iburst option sends a burst of requests at startup so Chrony syncs faster.
driftfile | Stores the measured clock drift rate so Chrony can compensate accurately from the moment it starts.
makestep 1.0 3 | Lets Chrony step the clock (instead of slewing it) if the offset exceeds 1.0 second, but only during the first 3 clock updates after startup.
rtcsync | Periodically copies the system time to the hardware (RTC) clock.
allow | Permits clients from a network range to query this server for time. Use only if this server should serve NTP.

Scripts / Commands

Use the commands below to start Chrony, check synchronization health, inspect NTP sources, and troubleshoot common time-sync issues.

# Enable Chrony at boot and start it immediately
systemctl enable --now chronyd

# Restart Chrony after configuration changes
systemctl restart chronyd

# Check Chrony service status
systemctl status chronyd

# Force an immediate time correction
chronyc makestep

# Check overall synchronization status
chronyc tracking

# List configured NTP sources
chronyc sources -v

# Show statistics for each NTP source
chronyc sourcestats -v

# Check how many NTP sources are online/offline
chronyc activity

# Watch Chrony tracking in real time
watch -n 1 chronyc tracking

# Verify UDP port 123 is listening (expected only when this host serves NTP,
# i.e. an allow directive is configured; a pure client does not bind 123)
ss -ulnp | grep ':123'

# Test reachability of an NTP server manually
# (ntpdate comes from the ntp package and may not be installed alongside chrony)
ntpdate -q ntp1.company.internal

# Check if firewalld has NTP enabled
firewall-cmd --list-all | grep ntp

# If this server provides time, show clients querying it
chronyc clients

# One-line Chrony health check
chronyc tracking && chronyc sources -v

Healthy output: Run chronyc tracking && chronyc sources -v. If you see Leap status: Normal and at least one source marked with *, Chrony is synchronized.

Chrony Symbols Cheat Sheet

The symbols in chronyc sources -v tell you which source Chrony is using and whether any NTP source is unreachable or unreliable.

Symbol | Meaning | Status
* | Current best source used for synchronization. | Good
+ | Good source combined with the selected source. | Good
- | Selectable source, but not currently selected. | Usually acceptable
? | Unreachable, not synchronized, or not enough measurements. | Problem
x | Falseticker. Chrony considers this source untrustworthy. | Investigate
~ | Source has too much variability. | Investigate
Reach 377 | All of the last 8 polls succeeded. | Good
Reach 000 | No recent successful polls. | Check DNS, network, firewall, or NTP source
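As an added example (not part of the original page), the script below turns the one-line health check and the symbol cheat sheet into a scripted check: it parses chronyc tracking for Leap status and offset, and chronyc sources for the selected * source and any source with Reach 0. The chronyc output is constructed to match the real format, and the 1.0-second offset threshold is an assumption taken from the page's "Large offset > 1 second" rule.

```shell
#!/bin/sh
# Added example: script the page's health check by parsing `chronyc tracking`
# and `chronyc sources`. The samples below are constructed; on a live host pass
# "$(chronyc tracking)" and "$(chronyc sources)" to the functions instead.
MAX_OFFSET_SEC="${MAX_OFFSET_SEC:-1.0}"   # assumed threshold (page: "Large offset > 1 second")

# Return 0 when "Leap status" is Normal and the System time offset is within MAX_OFFSET_SEC.
chrony_tracking_ok() {
    leap=$(printf '%s\n' "$1" | sed -n 's/^Leap status *: *//p')
    [ "$leap" = "Normal" ] || return 1
    # e.g. "System time     : 0.000123456 seconds fast of NTP time"
    offset=$(printf '%s\n' "$1" | sed -n 's/^System time *: *\([0-9.]*\) seconds.*/\1/p')
    [ -n "$offset" ] || return 1
    awk -v o="$offset" -v m="$MAX_OFFSET_SEC" 'BEGIN { exit !(o + 0 <= m + 0) }'
}

# Print the name of the source marked '*' (the selected one); return 1 if none.
chrony_selected_source() {
    printf '%s\n' "$1" | awk '$1 == "^*" { print $2; found = 1 } END { exit !found }'
}

# Print one name per line for sources whose Reach column is 0 (no recent successful polls).
chrony_unreachable_sources() {
    printf '%s\n' "$1" | awk '$1 ~ /^\^/ && $5 == 0 { print $2 }'
}

# --- constructed sample output, laid out like chronyc prints it ---
SAMPLE_TRACKING_OK='Reference ID    : 0A0A0001 (ntp1.company.internal)
Stratum         : 3
System time     : 0.000123456 seconds fast of NTP time
Leap status     : Normal'
SAMPLE_TRACKING_BAD='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 2.500000000 seconds slow of NTP time
Leap status     : Not synchronised'
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp1.company.internal         2   6   377    34   -123us[ -456us] +/-   12ms
^+ ntp2.company.internal         2   6   377    35  +1234us[+1234us] +/-   15ms
^? ntp3.company.internal         0   6     0     -     +0ns[   +0ns] +/-    0ns'

if chrony_tracking_ok "$SAMPLE_TRACKING_OK"; then
    echo "OK: synchronized to $(chrony_selected_source "$SAMPLE_SOURCES")"
else
    echo "PROBLEM: not synchronized or offset above ${MAX_OFFSET_SEC}s"
fi
unreach=$(chrony_unreachable_sources "$SAMPLE_SOURCES")
[ -z "$unreach" ] || echo "Unreachable (Reach 0): $unreach"
```

A non-zero return from chrony_tracking_ok, or a non-empty unreachable list, maps directly onto the rows of the troubleshooting cheat sheet.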

Troubleshooting Cheat Sheet

Symptom | Likely Cause | Fix
All sources show ? | NTP sources unreachable, DNS failure, or UDP 123 blocked. | Check DNS, routing, firewall rules, and upstream NTP availability.
Leap status: Not synchronised | No valid source selected yet, or service recently started. | Wait briefly, check chronyc sources -v, then run chronyc makestep if needed.
Large offset > 1 second | Clock drifted badly, often after VM pause, snapshot, or resume. | Run chronyc makestep during a safe maintenance window.
Reach 000 for all sources | No successful NTP replies. | Check firewall, DNS, route to NTP servers, and whether upstream NTP is alive.
Only one source available | Other NTP servers are unreachable or missing from config. | Add multiple server lines and verify connectivity.
chronyd will not start | Configuration syntax error. | Run journalctl -u chronyd and fix the reported line.
AD Kerberos failures from Linux host | Clock skew between Linux host and Domain Controller. | Run chronyc tracking, compare with the AD time source, and sync from the approved time hierarchy.

Final Thoughts

Chrony is one of those services that only gets noticed when something breaks. But in enterprise environments, accurate time is not optional. Logs, certificates, Kerberos, scheduled jobs, monitoring, and authentication all depend on it.

For Linux servers that interact with Active Directory, Chrony should be treated as part of the identity infrastructure. If time is wrong, authentication becomes unreliable.

Key takeaway: If chronyc tracking shows Leap status: Normal and chronyc sources -v shows a selected * source with good reachability, Chrony is doing its job.

Next in this series

Next, we can cover NTP itself: how time servers work, why UDP 123 matters, and how enterprise time hierarchy should be designed.