[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol

[Rowland Penny]

On Wed, 19 Mar 2025 16:32:16 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> Rowland,
> 
> I took your advice and spun up a Debian bookworm VM and provisioned a 
> new dummy DOMAIN.COM with Samba 4.17.12.
> 
> And yes, the sysvol Policies folder was created with the two GUIDs.
> 
> I zipped up and copied the Policies folders to my active FSMO Samba
> DC.
> 
> I must still be missing something.
> 
> Do I need to do something besides copy the Policies folder to
> /var/lib?
> 

You should now have something like this in sysvol:

samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER
samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI

'samdom.example.com' should be your dns domain, 'MACHINE' & 'USER' are
empty directories and 'GPT.INI' are files containing:

[General]
Version=0

Which must be DOS formatted.

That is what you get on a new DC

However, I said that the GPOs are not synced automatically when a Samba
DC is joined, well that isn't entirely true, the contents of the sysvol
directory aren't synced or created, but the GPOs are also stored in AD
and they are replicated. The question is, did your Windows DCs use any
GPOs other than the empty default ones ?
If there are extra GPOs in AD, then you need to either delete them from
AD or create them in sysvol on your Samba DCs.


> Is this wiki page still relevant?
> https://wiki.samba.org/index.php/Sysvolreset

Do you mean the one that has (right at the top):

This page was initially created in 2018 and is now outdated and should
be ignored

Rowland