How to Set Up Network File System (NFS) Server on Windows Server 2025

Network File System (NFS) is a distributed file system protocol that enables Linux, Unix, and macOS clients to mount and access file shares hosted on Windows Server as though they were local file systems. While SMB is the default file sharing protocol for Windows environments, NFS is essential in mixed-environment deployments where Linux compute nodes, containers, or HPC workloads require POSIX-compliant file access with standard Unix permissions and ownership semantics. Windows Server 2025 ships with NFS Server (version 3, 4.0, and 4.1 support) and NFS Client roles, allowing both serving and consuming NFS shares. This guide walks through a complete NFS server setup, from role installation through Kerberos-authenticated access and performance tuning.

Prerequisites

  • Windows Server 2025 Standard or Datacenter edition for the NFS server
  • Linux clients with nfs-utils (Red Hat/CentOS/Rocky) or nfs-common (Debian/Ubuntu) installed
  • For Kerberos-authenticated NFS (NFS v4.1): Active Directory domain with a KDC, and Linux clients joined to the domain or configured with Kerberos
  • User Account for UNIX (IDMU) or a name mapping mechanism if mixing Windows and Linux identities
  • Static IP addresses for NFS server and consistent UID/GID mapping for Unix users
  • Firewall rules allowing NFS traffic (TCP/UDP ports 111, 2049 and related portmapper ports)

Step 1: Install the NFS Server Role

The NFS Server role is part of the File and Storage Services family in Windows Server 2025. Install it along with the management tools, which provide the Services for NFS snap-in and the NFS PowerShell module. Installing the NFS Client feature is optional but useful for testing NFS connectivity from the server itself.

# Install NFS Server with management tools
Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools

# Optionally install the NFS Client for testing
Install-WindowsFeature -Name NFS-Client

# Verify installation
Get-WindowsFeature -Name FS-NFS-Service, NFS-Client | `
    Select-Object DisplayName, Installed

# Import the NFS PowerShell module
Import-Module NFS

# List available NFS cmdlets
Get-Command -Module NFS

Step 2: Configure NFS Server Global Settings

Before creating NFS shares, configure global NFS server settings including the default authentication type and the anonymous user identity. The anonymous UID and GID define which Windows account anonymous (unauthenticated) NFS requests are mapped to. Setting these to -1 disables anonymous access globally, which is recommended in production environments.

# Configure global NFS server settings
Set-NfsServerConfiguration `
    -Authentication "sys","krb5","krb5i","krb5p" `
    -MapiEnabled $true `
    -EnableNFSV2 $false `
    -EnableNFSV3 $true `
    -EnableNFSV4 $true `
    -NlmPort 0 `
    -NsmPort 0

# Disable anonymous access by setting anonymous UID/GID to -1
Set-NfsServerConfiguration `
    -UnmappedUserAccount "nobody" `
    -AnonymousUid -1 `
    -AnonymousGid -1

# View current global NFS server settings
Get-NfsServerConfiguration | Select-Object Authentication, EnableNFSV3, EnableNFSV4, `
    AnonymousUid, AnonymousGid

Step 3: Create an NFS Share

Create the directory that will be exported as an NFS share, then use New-NfsShare to configure it. The -Authentication parameter controls which authentication methods are accepted. Use sys (AUTH_SYS, also called AUTH_UNIX) for simple deployments where Linux clients authenticate with their local UID/GID; use krb5 variants for Kerberos-based security in domain-joined environments.

# Create the directories to export
New-Item -Path "C:\NFSData\AppData" -ItemType Directory -Force
New-Item -Path "C:\NFSData\SecureData" -ItemType Directory -Force

# Set NTFS permissions so the NFS server can read/write the directory
icacls "C:\NFSData\AppData" /grant "Everyone:(OI)(CI)M" /T

# Create an NFS share with AUTH_SYS authentication (no Kerberos)
New-NfsShare -Name "appdata" `
    -Path "C:\NFSData\AppData" `
    -Authentication sys `
    -AllowRootAccess $true `
    -Permission ReadWrite `
    -NoAllSquash

# Create an NFS share with Kerberos integrity authentication (krb5i)
New-NfsShare -Name "securedata" `
    -Path "C:\NFSData\SecureData" `
    -Authentication krb5i `
    -AllowRootAccess $false `
    -Permission ReadWrite

# Verify shares were created
Get-NfsShare | Select-Object Name, Path, Authentication, AllowRootAccess, IsOnline

Step 4: Configure NFS Client Permissions

NFS exports support per-client or per-subnet access control. Use Grant-NfsSharePermission to restrict which hosts can mount the share and with what access level. You can grant access to individual IP addresses, subnets (CIDR notation), or host groups defined in the NFS server configuration.

# Grant read-write access to a specific Linux client by IP
Grant-NfsSharePermission -Name "appdata" `
    -ClientName "10.10.2.50" `
    -ClientType "host" `
    -Permission ReadWrite `
    -AllowRootAccess $true

# Grant read-only access to a subnet (all hosts in 10.10.3.0/24)
Grant-NfsSharePermission -Name "appdata" `
    -ClientName "10.10.3.0" `
    -ClientType "network" `
    -NetworkMask "255.255.255.0" `
    -Permission ReadOnly `
    -AllowRootAccess $false

# Grant access to all hosts in a netgroup (requires NIS or AD)
Grant-NfsSharePermission -Name "appdata" `
    -ClientName "linuxservers" `
    -ClientType "netgroup" `
    -Permission ReadWrite

# View current share permissions
Get-NfsSharePermission -Name "appdata" | `
    Select-Object ClientName, ClientType, Permission, AllowRootAccess
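
The share and client settings from Steps 3 and 4 can be reviewed together for the combinations that weaken an export. This is an added example, not part of the original guide or of the NFS PowerShell module: Get-NfsShareFinding is a hypothetical helper, the sample objects are constructed to mirror the commands above, and the property names are the ones this guide selects from Get-NfsShare and Get-NfsSharePermission.

```powershell
# Added example. Get-NfsShareFinding is a hypothetical helper, not an NFS module cmdlet.
function Get-NfsShareFinding {
    param(
        [Parameter(Mandatory)] $Share,   # shaped like one Get-NfsShare object
        [object[]] $Permission = @()     # shaped like Get-NfsSharePermission output
    )
    # Normalise the accepted flavours (sys, krb5, krb5i, krb5p) to lowercase strings
    $auth = @($Share.Authentication | ForEach-Object { "$_".ToLowerInvariant() })
    $acceptsSys = $auth -contains 'sys'
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($acceptsSys) {
        # AUTH_SYS carries a UID/GID asserted by the client; the server does not verify it
        $findings.Add('accepts AUTH_SYS (client-asserted UID/GID)')
        if ($Share.AllowRootAccess) {
            $findings.Add('share-level root access is allowed over AUTH_SYS')
        }
    }
    if (-not ($auth -contains 'krb5i' -or $auth -contains 'krb5p')) {
        $findings.Add('no integrity-protected flavour (krb5i/krb5p) offered')
    }
    foreach ($p in $Permission) {
        if ($acceptsSys -and $p.AllowRootAccess) {
            $findings.Add("root access over AUTH_SYS for $($p.ClientType) '$($p.ClientName)'")
        }
        if ("$($p.Permission)" -eq 'ReadWrite' -and "$($p.ClientType)" -ne 'host') {
            $findings.Add("read-write granted to a whole $($p.ClientType): '$($p.ClientName)'")
        }
    }
    [pscustomobject]@{ Share = $Share.Name; Risky = ($findings.Count -gt 0); Findings = $findings.ToArray() }
}

# Constructed sample objects mirroring the shares and grants created in Steps 3 and 4
$shares = @(
    [pscustomobject]@{ Name = 'appdata';    Authentication = @('sys');   AllowRootAccess = $true  }
    [pscustomobject]@{ Name = 'securedata'; Authentication = @('krb5i'); AllowRootAccess = $false }
)
$perms = @{
    appdata = @(
        [pscustomobject]@{ ClientName = '10.10.2.50';   ClientType = 'host';     Permission = 'ReadWrite'; AllowRootAccess = $true  }
        [pscustomobject]@{ ClientName = '10.10.3.0';    ClientType = 'network';  Permission = 'ReadOnly';  AllowRootAccess = $false }
        [pscustomobject]@{ ClientName = 'linuxservers'; ClientType = 'netgroup'; Permission = 'ReadWrite'; AllowRootAccess = $false }
    )
    securedata = @()
}
$shares | ForEach-Object { Get-NfsShareFinding -Share $_ -Permission ($perms[$_.Name]) } | Format-List

# On the server itself, feed it live objects instead of the samples:
# Get-NfsShare | ForEach-Object { Get-NfsShareFinding -Share $_ -Permission (Get-NfsSharePermission -Name $_.Name) }
```

With the sample data, appdata is reported as risky with five findings and securedata with none.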

Step 5: Configure Windows Firewall for NFS

NFS requires several ports to be open on the server. NFSv4.1 uses only TCP port 2049, making firewall configuration simpler. NFSv3 additionally requires the portmapper (port 111) and several dynamic RPC ports; locking these to fixed ports simplifies firewall rules.

# Open NFS main port (TCP and UDP 2049) for NFSv3 and v4
New-NetFirewallRule -DisplayName "NFS Server (TCP 2049)" `
    -Direction Inbound -Protocol TCP -LocalPort 2049 `
    -Action Allow -Profile Domain,Private

New-NetFirewallRule -DisplayName "NFS Server (UDP 2049)" `
    -Direction Inbound -Protocol UDP -LocalPort 2049 `
    -Action Allow -Profile Domain,Private

# Open portmapper for NFSv3
New-NetFirewallRule -DisplayName "NFS Portmapper (TCP 111)" `
    -Direction Inbound -Protocol TCP -LocalPort 111 `
    -Action Allow -Profile Domain,Private

New-NetFirewallRule -DisplayName "NFS Portmapper (UDP 111)" `
    -Direction Inbound -Protocol UDP -LocalPort 111 `
    -Action Allow -Profile Domain,Private

# Verify firewall rules
Get-NetFirewallRule -DisplayName "NFS*" | Select-Object DisplayName, Enabled, Direction

Step 6: Mount the NFS Share on a Linux Client

On the Linux client, install the NFS utilities package if not already present, then mount the share. For persistent mounts, add an entry to /etc/fstab. NFSv4.1 is recommended for modern Linux clients as it provides better performance and Kerberos security support.

# These commands are run on the Linux client (shown for context)
# Install NFS client utilities (RHEL/Rocky/AlmaLinux)
# sudo dnf install -y nfs-utils

# Install NFS client utilities (Debian/Ubuntu)
# sudo apt-get install -y nfs-common

# Mount the NFS share using NFSv4.1
# sudo mount -t nfs -o vers=4.1,rw,hard,intr 10.10.1.10:/appdata /mnt/appdata

# For AUTH_SYS (simple UID/GID mapping):
# sudo mount -t nfs -o vers=4.1,sec=sys 10.10.1.10:/appdata /mnt/appdata

# For Kerberos integrity mode:
# sudo mount -t nfs -o vers=4.1,sec=krb5i 10.10.1.10:/securedata /mnt/securedata

# Persistent mount in /etc/fstab:
# 10.10.1.10:/appdata /mnt/appdata nfs vers=4.1,sec=sys,hard,intr,_netdev 0 0

# Test that the mount works and check available space
# df -hT /mnt/appdata

Step 7: Configure Kerberos-Authenticated NFS (NFSv4.1)

Kerberos-authenticated NFS (krb5, krb5i, krb5p) provides cryptographically secure identity verification. In a Windows domain environment, Windows Server 2025 NFS integrates with Active Directory Kerberos. You must create a service account and register its SPN for the NFS service on the server.

# Create a dedicated service account for NFS Kerberos in Active Directory
New-ADUser -Name "nfs-server-svc" `
    -SamAccountName "nfs-server-svc" `
    -UserPrincipalName "nfs-server-svc@corp.example.com" `
    -AccountPassword (ConvertTo-SecureString 'Nfs$3rvic3P@ss!' -AsPlainText -Force) `
    -PasswordNeverExpires $true `
    -Enabled $true

# Register the SPN for the NFS service (run on a domain controller or with AD tools)
setspn -A nfs/fileserver01.corp.example.com corp\nfs-server-svc
setspn -A nfs/fileserver01 corp\nfs-server-svc

# Configure the NFS server to use Kerberos with the service account
Set-NfsServerConfiguration -KerberosRealm "CORP.EXAMPLE.COM" `
    -Authentication "sys","krb5","krb5i","krb5p"

# Export the NFS keytab for Linux clients (if needed)
# ktpass -princ nfs/fileserver01.corp.example.com@CORP.EXAMPLE.COM `
#     -mapuser corp\nfs-server-svc -pass 'Nfs$3rvic3P@ss!' `
#     -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL `
#     -out C:\nfs.keytab

Step 8: NFS Performance Tuning

NFS throughput on Windows Server 2025 can be optimised by adjusting read-ahead (prefetch) depth and write-back caching settings. For read-heavy workloads, increasing read-ahead depth allows the server to prefetch data ahead of sequential read operations, reducing client wait times significantly.

# Check current NFS performance settings
Get-NfsServerConfiguration | Select-Object *Buffer*, *Cache*, *ReadAhead*

# Increase read-ahead cache depth (units: 512-byte blocks; default is 64)
# Set to 512 blocks (256 KB) for sequential read workloads
Set-NfsServerConfiguration -ReadAheadBlocks 512

# View NFS statistics to identify bottlenecks
Get-NfsStatistics -Server localhost

# Reset statistics for a clean baseline reading
Reset-NfsStatistics -Server localhost

# Monitor share-level I/O with Performance Monitor counters
# NFS Server Shares: Total Requests/sec, Bytes Total/sec, Read Bytes/sec, Write Bytes/sec
Get-Counter -Counter "\NFS Server Shares(*)\Total Requests/sec" -SampleInterval 5

Conclusion

Windows Server 2025 NFS Server provides a robust, standards-compliant file sharing solution for heterogeneous environments where Linux, Unix, and macOS clients require transparent access to centrally managed file storage. By following this guide, you have installed the NFS Server role, created exports with appropriate authentication modes, configured granular per-host and per-subnet access controls, opened the necessary firewall ports, and connected Linux clients. For production deployments, prioritise NFSv4.1 over the older NFSv3 — it reduces firewall complexity (single port 2049), delivers better Kerberos integration, and provides server-side file locking that prevents data corruption in concurrent-write scenarios. When storage performance is critical, consider hosting NFS exports on an S2D-backed volume or an NVMe-backed storage pool to ensure the underlying I/O subsystem is not the bottleneck. Combining Windows Server 2025 NFS with SMB in the same namespace using DFS Namespaces allows a single logical path to serve both Windows and Linux clients simultaneously, greatly simplifying file management in mixed-OS enterprise environments.