In structuring our campus subnet, we followed the recommendations in 'Configuring NTP and Setting up a NTP Subnet'. Three hosts (the minimum number for robustness) each refer to three different servers on the Internet and peer with each other. Some other hosts (used mainly for other services) refer to these three internal NTP reference servers and are polled by several clients.
There should be two primary servers and one secondary (buddy) server per campus reference server. In Germany, there are some public secondary (stratum 2) servers and only a few primary ones. So we need them all, even though they peer with each other and may form disadvantageous loops. Fortunately, as primary servers, they are normally governed by primary time sources (GPS, DCF77, PTB).
Actually, our GPS and DCF77 receivers should enable us to participate in the worldwide NTP network as a primary reference. But these devices are rather primitive and imprecise, even the GPS. So we use them only as a backup time source, chosen automatically by the NTP daemon when our connection to the Internet is down or congested (which sometimes happens). This is accomplished by forcing these "clocks" down to stratum 1, the same stratum as that of the external servers, or even lower. Our reference servers are therefore at stratum 2.
We found out that our NTP servers usually perform far better when controlled by the external references than when controlled by one of the clock receivers. That's why they are only fallback time sources.
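The layout rules above (three external servers, peering with the other two reference servers, receivers fudged to stratum 1 as fallback) can be checked mechanically. This is an added example, not the site's own configuration or tooling; the external hostnames, the refclock driver types and the `audit` helper are assumptions.

```python
import re

# Constructed ntp.conf for reference server time1. The ext-*.example.net
# names and the refclock driver types (20, 8) are assumptions, not from the page.
SAMPLE_TIME1 = """\
server ext-a.example.net iburst   # three different external servers
server ext-b.example.net iburst
server ext-c.example.net iburst
peer time2                        # the other two campus reference servers
peer time3
server 127.127.20.0               # GPS receiver, backup only
fudge 127.127.20.0 stratum 1
server 127.127.8.0                # DCF77 receiver, backup only
fudge 127.127.8.0 stratum 1
"""

REFCLOCK = re.compile(r"^127\.127\.\d+\.\d+$")  # ntpd reference clock pseudo-address

def audit(conf, self_name, ref_servers=("time1", "time2", "time3")):
    """Return a list of deviations from the layout described above."""
    external, peers, refclocks, fudged = set(), set(), [], {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tok) < 2:
            continue
        kw, addr = tok[0], tok[1]
        if kw == "server" and REFCLOCK.match(addr):
            refclocks.append(addr)
        elif kw == "server":
            external.add(addr)
        elif kw == "peer":
            peers.add(addr)
        elif kw == "fudge" and "stratum" in tok[2:-1]:
            fudged[addr] = int(tok[tok.index("stratum") + 1])
    findings = []
    if len(external) < 3:
        findings.append(f"only {len(external)} external servers, need 3")
    for name in sorted(set(ref_servers) - {self_name} - peers):
        findings.append(f"missing peer {name}")
    for clock in refclocks:
        # Unfudged, a refclock is stratum 0 and this host would advertise
        # stratum 1 instead of staying a stratum 2 server with a fallback.
        if fudged.get(clock, 0) < 1:
            findings.append(f"{clock} not fudged to stratum 1 or lower")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_TIME1, "time1") or "layout matches")
```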
The distribution servers referring to the reference servers are at stratum 3 and still have a decently small clock offset. They are polled by several clients at boot time and at regular intervals, which puts those clients at stratum 4. NTP broadcast is set up, but not multicast.
The three reference servers (time1, time2, time3) are simple "industrial" PCs running Linux. They are connected to the same power supply and network switch. Despite this, they are still viewed as backing up each other, and in fact they do. These hosts have little to do: apart from serving NTP, only a few network daemons are kept active.
In case of a power failure, all servers are still powered by an uninterruptible power supply (UPS), but are cut off from the network since the main switches are down. The NTP daemon could survive for several hours with only the internal hardware clock, but the UPS battery will not last nearly that long. After a while, the servers will go down too, as the rest of our network already has. In practice, there is no problem at all. Everything works very well and makes for a pretty stable and robust NTP network.
All workstations should refer to time.hs-augsburg.de. It's a fast virtual machine doing nothing but NTP service and this website, and delivering pretty accurate time, despite its virtual character and despite a statement by VMware that virtual machines are not really good timekeepers.
Servers and workstations in need of system time as accurate as possible should refer to time.rz.hs-augsburg.de. That's an alias of the main campus server, a fast real machine running nearly all network services, including NTP service. This machine is also the campus NTP broadcast server.
We have a direct Internet connection and a second one as a backup. Our routers connect to the German Research Network G-WiN. Speed is good under normal conditions, and the connection is interrupted only rarely, and usually only briefly. Network congestion sometimes occurs on weekdays when bandwidth is exhausted by many on-campus users at the same time.
The reference servers each have a 100 MBit NIC and are attached to a switch on a 1 GBit line, crossing two switches to the Internet routers. The distribution servers are on 1 GBit lines as well.