Chrony is the recommended NTP implementation on RHEL 8, replacing the older ntpd daemon. In most deployments, each server simply synchronizes time from an upstream source, but promoting one server to act as a local NTP authority reduces external traffic and ensures that isolated hosts without internet access can still keep accurate time. This guide walks through transforming an existing RHEL 8 Chrony installation into a fully functional NTP server that other hosts on your network can synchronize against.

Prerequisites

  • RHEL 8 server with a static IP address (example: 192.168.1.10)
  • Root or sudo access
  • Chrony already installed (dnf install -y chrony)
  • Basic familiarity with firewall-cmd and systemctl
  • Client hosts on the 192.168.1.0/24 subnet that need to sync time

Step 1 — Install and Enable Chrony

Ensure Chrony is installed and the service is enabled to start at boot.

dnf install -y chrony
systemctl enable --now chronyd
chronyc tracking

The chronyc tracking command confirms the local clock is synchronized before you promote this host to serve other clients. Note the System time and Reference ID fields — both should reflect a reachable upstream source.

Step 2 — Configure /etc/chrony.conf to Serve Clients

Open /etc/chrony.conf and add the directives that allow client hosts to query this server. The key additions are an allow line for your subnet and, for networks isolated from the internet, a local stratum declaration so Chrony announces itself as authoritative even without an upstream reference.

# /etc/chrony.conf

# Upstream sources (keep defaults or set your own)
pool 2.rhel.pool.ntp.org iburst

# Allow clients on the local subnet to query this server
allow 192.168.1.0/24

# For isolated networks: act as a stratum-10 reference even with no upstream
# Remove or comment this out if the server has internet access
local stratum 10

driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony

Restart chronyd to apply the changes:

systemctl restart chronyd

A lower stratum number means higher accuracy. Using local stratum 10 signals to clients that this is a fallback source, not a GPS-backed stratum-1 server. If your NTP server itself synchronizes to the internet pool, omit this directive so the accurate stratum value propagates to clients automatically.
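
The allow line decides who this server answers, so it is worth checking after every edit. The following is an added example, not part of the original guide: a POSIX shell function that reports whether a chrony.conf serves a scoped subnet, any address, or nobody, and flags local set alongside upstream sources. The function names, finding labels and sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report how widely a chrony.conf
# serves NTP. Prints one finding per line.
audit_chrony_conf() {
    awk '
    # chrony treats lines starting with ! ; # % as comments
    /^[ \t]*[!;#%]/ || NF == 0 { next }
    $1 == "allow" {
        allows++
        # Syntax is "allow [all] [subnet]"; no subnet means every address
        net = ($2 == "all") ? $3 : $2
        if (net == "" || net == "0/0" || net == "0.0.0.0/0" || net == "::/0")
            print "OPEN: line " NR ": serves any address"
        else
            print "SCOPED: line " NR ": serves " net
    }
    $1 == "local"                   { local_line = NR }
    $1 == "pool" || $1 == "server"  { upstream++ }
    END {
        if (!allows)
            print "NOSERVE: no allow directive, clients will get no answer"
        if (local_line && upstream)
            print "REVIEW: local (line " local_line ") set alongside " upstream " upstream source(s)"
    }' "$1"
}

# Constructed sample mirroring the Step 2 file
sample_conf() {
    cat <<'EOF'
# /etc/chrony.conf
pool 2.rhel.pool.ntp.org iburst
allow 192.168.1.0/24
local stratum 10
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_chrony_conf "$tmp"
rm -f "$tmp"
```

On the server itself, run audit_chrony_conf /etc/chrony.conf; an OPEN finding means the only remaining restriction is the firewall rule from Step 3.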

Step 3 — Open the Firewall for NTP

NTP uses UDP port 123. Add the predefined ntp service to your active firewall zone and make the rule permanent.

firewall-cmd --add-service=ntp --permanent
firewall-cmd --reload
firewall-cmd --list-services

Confirm that ntp appears in the listed services. If you use a non-default zone, append --zone=<zone> to the --add-service and --list-services commands.

Step 4 — Configure Clients to Use This Server

On each client RHEL 8 machine, edit /etc/chrony.conf to replace or supplement the default pool with the IP of your NTP server.

# On each client — /etc/chrony.conf
server 192.168.1.10 iburst prefer

# Comment out or remove the default pool lines for isolated networks
# pool 2.rhel.pool.ntp.org iburst

Restart chronyd on the client, then list its sources:

systemctl restart chronyd
chronyc sources -v

The * symbol in the chronyc sources -v output marks the currently selected source. After a minute or two the client should display your server’s IP with * indicating a successful sync.

Step 5 — Verify Clients Are Syncing from the Server

Back on the NTP server, use chronyc clients to confirm that client requests are arriving.

chronyc clients

The output lists each client IP alongside the number of NTP requests processed and the last time a request was received. If no clients appear after a few minutes, verify that the firewall rule is active on the server and that the client’s Chrony configuration points to the correct IP.

Step 6 — Monitor and Troubleshoot

Use the following commands on the server to inspect synchronization quality and diagnose any drift issues.

# Overall synchronization status
chronyc tracking

# List all configured sources with reachability and offset
chronyc sources -v

# Detailed statistics per source
chronyc sourcestats -v

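# Tail the Chrony measurements log to watch for problems
# (the file exists only if chrony.conf contains a "log measurements" directive)
tail -f /var/log/chrony/measurements.log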

# Force a manual step if the clock is badly off (use sparingly)
chronyc makestep

The System time offset reported by chronyc tracking should settle to single-digit milliseconds on a LAN. A persistently large offset suggests poor connectivity to upstream sources or a misconfigured local stratum directive competing with a reachable pool.
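
To turn that rule of thumb into a check that can run from cron or a monitoring agent, the added example below (not part of the original guide) classifies chronyc tracking output read on stdin. The 0.010 s default threshold is an assumption standing in for "single-digit milliseconds", the sample output is constructed, and 7F7F0101 is the reference ID chrony reports when the local directive has taken over.

```shell
#!/bin/sh
# Added example (not from the original guide): classify `chronyc tracking`
# output read on stdin. $1 = maximum acceptable offset in seconds (assumed 0.010).
check_tracking() {
    awk -v max="${1:-0.010}" '
    /^Reference ID/ { refid = toupper($4) }
    /^Stratum/      { stratum = $3 }
    /^System time/  { offset = $4 }   # magnitude only; the text says fast or slow
    /^Leap status/  { leap = $4; for (i = 5; i <= NF; i++) leap = leap " " $i }
    END {
        if (leap == "")
            print "ALERT: no tracking data (is chronyd running?)"
        else if (leap != "Normal")
            print "ALERT: leap status is " leap
        else if (refid == "7F7F0101")
            print "WARN: local reference active, serving stratum " stratum
        else if (offset + 0 > max + 0)
            print "ALERT: offset " offset "s exceeds " max "s"
        else
            print "OK: stratum " stratum ", offset " offset "s"
    }'
}

# Constructed sample output; $1 = reference ID, $2 = stratum, $3 = offset
sample_tracking() {
    cat <<EOF
Reference ID    : $1 ()
Stratum         : $2
Ref time (UTC)  : Fri Jan 27 09:49:17 2017
System time     : $3 seconds slow of NTP time
Last offset     : -0.000006747 seconds
Leap status     : Normal
EOF
}

sample_tracking CB00710F 3 0.000006523 | check_tracking
sample_tracking 7F7F0101 10 0.000000000 | check_tracking
```

On the server, pipe the real command into it: chronyc tracking | check_tracking. A WARN on a server that is supposed to have upstream connectivity means clients are currently following its unsynchronized local clock.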

Conclusion

You now have a RHEL 8 Chrony server acting as a local NTP authority for your network. By adding a single allow directive and optionally a local stratum 10 fallback, any host on the 192.168.1.0/24 subnet can keep accurate, consistent time without reaching the public internet directly. The chronyc clients and chronyc tracking commands give you ongoing visibility into synchronization health across your environment.
