What are the pros and cons between these two ways to synchronize your server?
It seems to me that your server would probably not drift more than 1 second every day, so ntpdate on a crontab would be ok. But I heard you could use redundant NTP servers here
in order to maintain synchronized time in case of failure.
Do you have any suggestions?
The NTP algorithm includes information to allow you to calculate and fix the drift in your server’s clock. NTPD includes the ability to use this to keep your clock in sync and will run more accurately than a clock on a computer not running NTPD. NTPD will also use several servers to improve accuracy.
ntpdate does not keep any state to perform this service for you so will not provide the same kind of accuracy. It will allow you to provide it with a list of servers which it will use to attempt to provide you with a better result but this is no substitute for the sophisticated algorithms provided in NTPD that track your drift from each of the servers over time.
Unfortunately if your clock is a lot out of sync, when started NTPD can get confused and take a long time to drift back to correct time. You can add the -g switch when starting NTPD to allow NTPD to make the first time update a big one which is more or less equivalent to running ntpdate once before starting NTPD, which at one time was recommended practice.
As for security concerns, ntp servers do not connect back on uninitiated connections, which means your firewall should be able to tell that you initiated the ntp request and allow return traffic. There should be no need to leave ports open for arbitrary connections in order to get NTPD to work.
From the ntpdate(8) man page:
ntpdate can be run manually as necessary to set the host clock, or it
can be run from the host startup script to set the clock at boot time.
This is useful in some cases to set the clock initially before starting
the NTP daemon ntpd. It is also possible to run ntpdate from a cron
script. However, it is important to note that ntpdate with contrived
cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing
resource use. Finally, since ntpdate does not discipline the host clock
frequency as does ntpd, the accuracy using ntpdate is limited.