I have a script that sets two time servers on our Macs so they can reach one while they are in the office and one while they are out of the office, as we do not allow access to the Apple time server while in the office. It worked fine on Sierra but stopped working on High Sierra. I think it is not letting the ntp.conf file be written to in High Sierra.
Anyone know of another way to do it in High Sierra?
Here is the script.
/usr/sbin/systemsetup -setnetworktimeserver $TimeServer1
echo "server $TimeServer2" >> /etc/ntp.conf
/usr/sbin/systemsetup -setusingnetworktime On
This will still work in High Sierra:
#!/bin/bash
NTPSERVER="ntp.internaldomain.com"
if [ "$4" != "" ]; then
    NTPSERVER=$4
fi
/usr/sbin/systemsetup -setusingnetworktime off
#Set specific time server
/usr/sbin/systemsetup -setnetworktimeserver "$NTPSERVER"
sleep 5
echo "server time.asia.apple.com" >> /etc/ntp.conf
echo "server time.euro.apple.com" >> /etc/ntp.conf
echo "server pool.ntp.org" >> /etc/ntp.conf
sleep 5
/usr/sbin/systemsetup -setusingnetworktime on
Can anyone post confirmation if this script still works as of 10.13.6? We have a local office NTP server set as the primary and the secondary server being time.apple.com. However, even after running this script on remote computers, if the battery drains on said computers they are not checking time.apple.com for the time.
I have a computer up and running that I'm testing this with and was able to reproduce this issue. If anyone has any ideas it would be much appreciated. What's odd is the argument -getnetworktimeserver only shows 1 server in the response, but ntp.conf does show the additional server entry for time.apple.com.
I haven't tried on a Sierra computer for reference yet. But from what I gather with my research, there's no reason it won't work because it used ntpd as opposed to timed. I'll see if I can find one to test with for comparison. But I'm really looking for a solution geared for High Sierra.
OK, so I updated the Sierra computer that I just tested on to High Sierra. And the script no longer works.
So I just confirmed that timed fails to check for additional time servers if the primary server cannot be reached. I've submitted this bug to Apple on the dev site, hopefully they get it resolved with Mojave.
On that note, anyone have any ideas for a workaround? I know I can either manually edit the hosts file or change the DNS record on the router, however that will then cause other security issues with the setup here (it's complicated to explain, but in short I'm not in complete control over here).
I just confirmed what @cdegaeta reported, High Sierra only uses a primary server. In a previous organization, I had the internal DNS redirect time.apple.com to an internal time server so no modification to the server list was necessary. That might not fly with your network group, but it is an effective solution, and I would argue the simplest since it's a change on just your DNS rather than on every Mac.
@rdagel Can you confirm your Macs are using the secondary time server if the primary isn't accessible? I did a manual edit and kicked the network time service but it did not try my internal server when time.apple.com didn't respond. I know the manual edit worked as making my internal time server the primary did result in time being synchronized.
Okay, I too was able to confirm the findings with 10.13.6. So I read the link and did a bit of digging on the interwebs. I was able to get a hint here.
" With SIP enabled you can just copy the file: sudo cp /System/Library/LaunchDaemons/org.ntp.ntpd-legacy.plist /Library/LaunchDaemons/ and modify it to be 'Enabled' then run it: sudo launchctl load -w /Library/LaunchDaemons/org.ntp.ntpd-legacy.plist – Pierz Jun 21 at 21:25"
I ran ntpq -p and saw all timeservers listed, with "usqas2-ntp-001(time.apple.us)". I waited a few minutes and ran ntpq -p again, but this time only "usqas2-ntp-001(time.apple.us)" was shown and my system had synced. Lastly, if I ran systemsetup -getnetworktimeserver it still returned my 1st internal time server, which the system is initially set for. Still grinding.
Thanks for your help @Nix4Life! So I've actually decided to submit this as a bug to Apple. I'm sure they just brought over timed from iOS as is and since you cannot specify a time server in iOS they probably didn't think to add support for multiple servers. I'm hoping I'm right about this hunch but we'll see.
@marklamont While that quick fix may work for some, it won't work for my situation. Per organization security, the local time server has to be set as the primary server. I can adjust the DNS records for remote offices to re-direct to time.apple.com, but this will not help me for telecommuters.
I think you may have my idea the wrong way round. You redirect the Apple time server names to your local time servers. Then if internal you get time internal and if external from Apple.
Then create host records in the domain pointing to your time servers. That way the local server is the primary server, assuming your clients' DNS queries your local DNS servers.
You can even block NTP on the firewall then.
FYI, Apple closed off the bug report with this response:
We don’t plan on supporting multiple NTP servers. If the network admin for your network wants to dns hijack time-*.apple.com on your network, you can (it’ll even cover phones on your network), but timed is single-DNS. If you’re using a DNS address that is also possible outside of your network, then you can expose it externally, and resolve a different list of IPs inside and outside.
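An audit helper for the behaviour confirmed in this thread (an added example, not code from any poster): it lists the ntp.conf server entries that differ from the server systemsetup reports, which on High Sierra are entries timed never falls back to. The function names, the sample file contents and the assumed "Network Time Server: host" output format are constructed for illustration.

```shell
#!/bin/bash
# Added example: flags ntp.conf "server" entries that timed ignores.

# Print the hostnames on active "server" lines of an ntp.conf-style file.
# Commented-out lines ("# server ...") are skipped.
conf_servers() {
    awk '$1 == "server" && $2 != "" { print $2 }' "$1"
}

# Extract the host from systemsetup -getnetworktimeserver output.
# Assumed format: "Network Time Server: <host>".
active_server() {
    printf '%s\n' "$1" | sed -n 's/^Network Time Server:[[:space:]]*//p'
}

# Print each configured server that is not the active one.
# sort -u collapses duplicates, which accumulate when a script
# appends with ">>" on every run.
ignored_servers() {
    conf_servers "$1" | awk -v a="$(active_server "$2")" '$0 != a' | sort -u
}

# Constructed sample data so the check runs offline on any system.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
server ntp.internaldomain.com
server time.apple.com
server time.apple.com
# server old.internaldomain.com
EOF
    echo "Entries with no fallback under timed:"
    ignored_servers "$sample" "Network Time Server: ntp.internaldomain.com"
    rm -f "$sample"
}

demo
```

On a real Mac, pass /etc/ntp.conf and the output of /usr/sbin/systemsetup -getnetworktimeserver as the two arguments to ignored_servers.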