Introduction to Nexus Repository Manager on Windows Server 2022
Nexus Repository Manager OSS is a widely used open-source artifact repository that supports package formats including Maven, npm, NuGet, Docker, PyPI, and Chocolatey. Running Nexus on Windows Server 2022 gives development teams a central place to store, proxy, and distribute dependencies without relying entirely on public registries. This guide walks through every step from downloading the installer to configuring SSL with an IIS reverse proxy.
Downloading Nexus Repository Manager OSS
Sonatype distributes Nexus Repository Manager as a ZIP archive for Windows. Navigate to https://help.sonatype.com/repomanager3/product-information/download and download the latest Windows ZIP. At the time of writing the current OSS release is 3.x. Extract the archive to a permanent location such as C:\nexus. The extracted structure contains two folders: the versioned application folder (e.g., nexus-3.x.x-xx) and a sonatype-work data directory.
Expand-Archive -Path "$env:USERPROFILE\Downloads\nexus-3.x.x-xx-win64.zip" -DestinationPath "C:\nexus"
Rename the versioned application directory for convenience:
Rename-Item "C:\nexus\nexus-3.x.x-xx" "C:\nexus\nexus"
The data directory C:\nexus\sonatype-work holds blobs, configuration, and database files. Keep this directory on a volume with sufficient space — plan for at least 50 GB for a team environment.
Installing Nexus as a Windows Service
Nexus ships with a wrapper executable that registers itself as a Windows service using the NSSM-compatible nexus.exe binary located in C:\nexus\nexus\bin. Open an elevated command prompt and run:
cd C:\nexus\nexus\bin
nexus.exe /install
This registers the service under the name nexus. By default the service runs as the Local System account. For production it is better to create a dedicated service account:
New-LocalUser -Name "svc_nexus" -Password (ConvertTo-SecureString "Str0ngP@ss!" -AsPlainText -Force) -PasswordNeverExpires -UserMayNotChangePassword
Grant the service account full control over the Nexus directories:
icacls "C:\nexus" /grant "svc_nexus:(OI)(CI)F" /T
Then reconfigure the service to use this account via the Services console or via PowerShell:
$svc = Get-WmiObject Win32_Service -Filter "Name='nexus'"
$svc.Change($null,$null,$null,$null,$null,$null,".\svc_nexus","Str0ngP@ss!")
Start the service and verify it is running:
Start-Service nexus
Get-Service nexus
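The same service-account setup with the password kept off the command line and narrower file permissions, as an added example that is not part of the original guide. It assumes the C:\nexus layout and the svc_nexus and nexus names used above, and that Nexus only needs write access to its data directory; widen the grant if your version writes under the install directory.

```powershell
# Added example. Run from an elevated PowerShell session on the Nexus host.
$installDir = 'C:\nexus\nexus'          # application binaries (assumed read-only at runtime)
$dataDir    = 'C:\nexus\sonatype-work'  # blobs, configuration, database
$account    = 'svc_nexus'

# Prompt for the password so it never appears in a script, transcript or history.
$password = Read-Host -Prompt "Password for $account" -AsSecureString

if (Get-LocalUser -Name $account -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $account -Password $password
} else {
    New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Nexus Repository service account' | Out-Null
}

# Read/execute on the binaries, modify on the data directory only.
icacls $installDir /grant "${account}:(OI)(CI)RX" /T | Out-Null
icacls $dataDir    /grant "${account}:(OI)(CI)M"  /T | Out-Null

# Win32_Service.Change needs the clear-text password; expose it only for this call.
$cred = New-Object System.Management.Automation.PSCredential(".\$account", $password)
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='nexus'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with code $($result.ReturnValue)"
}

# Confirm which account the service will start under.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='nexus'").StartName
```

The account also needs the "Log on as a service" right. The Services console grants it automatically when you set the account there; a WMI/CIM change does not.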
Nexus Configuration File (nexus.properties)
The primary runtime configuration file is located at C:\nexus\sonatype-work\nexus3\etc\nexus.properties. This file does not exist by default until first run — Nexus creates it on startup. Common properties to set:
# HTTP port (default 8081)
application-port=8081
# Bind to a specific interface (0.0.0.0 = all)
application-host=0.0.0.0
# Enable request logging
nexus.log.requestlog.enabled=true
# Data directory (keep on large volume)
nexus-work=${karaf.data}
The JVM memory settings are configured in the wrapper file at C:\nexus\nexus\bin\nexus.vmoptions. For a server with 8 GB RAM, use:
-Xms2703m
-Xmx2703m
-XX:MaxDirectMemorySize=2703m
Sonatype recommends setting Xms and Xmx to the same value to prevent heap resizing. After editing, restart the service:
Restart-Service nexus
Retrieving the Initial Admin Password
When Nexus starts for the first time it generates a random admin password and writes it to a file. Navigate to http://localhost:8081 in a browser and sign in as admin. The UI prompts you to locate the password file. The file is at:
C:\nexus\sonatype-work\nexus3\admin.password
Read it from PowerShell:
Get-Content "C:\nexus\sonatype-work\nexus3\admin.password"
After signing in, the setup wizard prompts you to change the password and configure anonymous access. Disable anonymous access in production environments.
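To confirm the anonymous-access setting without relying on the UI, the following added example (not from the original guide) reads it through the Nexus REST API and disables it if it is still on. It assumes Nexus is reachable at http://localhost:8081 as configured above and that you sign in with an administrator account.

```powershell
# Added example. Assumes the default port from this guide.
$base = 'http://localhost:8081/service/rest/v1'
$cred = Get-Credential -UserName 'admin' -Message 'Nexus administrator'

# Build the Basic header from the prompt so no password is stored in the script.
$pair    = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
}

# Read the current anonymous-access configuration.
$anon = Invoke-RestMethod -Uri "$base/security/anonymous" -Headers $headers
"Anonymous access enabled: $($anon.enabled) (user '$($anon.userId)')"

if ($anon.enabled) {
    # Keep the existing user and realm, flip only the enabled flag.
    $body = @{
        enabled   = $false
        userId    = $anon.userId
        realmName = $anon.realmName
    } | ConvertTo-Json

    Invoke-RestMethod -Uri "$base/security/anonymous" -Method Put -Headers $headers `
        -ContentType 'application/json' -Body $body | Out-Null

    # Re-read the setting and fail loudly if the change did not stick.
    $anon = Invoke-RestMethod -Uri "$base/security/anonymous" -Headers $headers
    if ($anon.enabled) { throw 'Anonymous access is still enabled.' }
    'Anonymous access disabled.'
}
```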
Creating Hosted, Proxy, and Group Repositories
Nexus supports three repository types: hosted (stores your own artifacts), proxy (caches upstream registries), and group (combines hosted and proxy into a single URL). The following sections cover the major package formats.
Maven Repositories
In the Nexus admin UI navigate to Administration > Repository > Repositories > Create repository. For Maven:
# Create hosted Maven release repo via Nexus REST API
$headers = @{
Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("admin:your_password"))
"Content-Type" = "application/json"
}
$body = @{
name = "maven-releases"
format = "maven2"
type = "hosted"
maven = @{ versionPolicy = "RELEASE"; layoutPolicy = "STRICT" }
storage = @{ blobStoreName = "default"; strictContentTypeValidation = $true; writePolicy = "ALLOW_ONCE" }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Uri "http://localhost:8081/service/rest/v1/repositories/maven/hosted" `
-Method POST -Headers $headers -Body $body
Create a proxy repository pointing to Maven Central:
$body = @{
name = "maven-central-proxy"
format = "maven2"
type = "proxy"
proxy = @{ remoteUrl = "https://repo1.maven.org/maven2/"; contentMaxAge = 1440; metadataMaxAge = 1440 }
storage = @{ blobStoreName = "default" }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Uri "http://localhost:8081/service/rest/v1/repositories/maven/proxy" `
-Method POST -Headers $headers -Body $body
npm Repositories
Create a hosted npm repo, a proxy to the public registry, and a group. Then configure npm on developer machines to use the group URL:
npm config set registry http://nexus-server:8081/repository/npm-group/
For authenticated publishing to the hosted repo, create a base64-encoded auth token:
# _auth carries base64(user:password); _authToken is only for bearer tokens
$token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("admin:your_password"))
npm config set //nexus-server:8081/repository/npm-hosted/:_auth $token
npm publish --registry http://nexus-server:8081/repository/npm-hosted/
NuGet Repositories and Visual Studio Integration
Create a NuGet hosted repository and proxy to nuget.org. In Visual Studio, navigate to Tools > NuGet Package Manager > Package Manager Settings > Package Sources and add:
Name: Nexus NuGet Group
Source: http://nexus-server:8081/repository/nuget-group/index.json
From the command line using nuget.exe or dotnet CLI:
dotnet nuget add source http://nexus-server:8081/repository/nuget-group/index.json `
--name NexusGroup --username admin --password your_password --store-password-in-clear-text
dotnet restore --source NexusGroup
To push a package to the hosted repo:
dotnet nuget push MyPackage.1.0.0.nupkg `
--source http://nexus-server:8081/repository/nuget-hosted/ `
--api-key your_nexus_api_key
Chocolatey Repository
Nexus supports Chocolatey via a NuGet-format repository. Create a hosted NuGet repo named choco-hosted, then configure Chocolatey on clients:
choco source add --name="NexusChoco" `
--source="http://nexus-server:8081/repository/choco-hosted/" `
--user="admin" --password="your_password"
choco source disable --name="chocolatey" # disable public registry
choco install googlechrome --source NexusChoco
Docker Repository
Create a Docker hosted repository with HTTP connector on port 5000. Then allow the insecure registry on client machines (or configure TLS as shown in the SSL section):
# On Docker client - add insecure registry
# Edit C:\ProgramData\Docker\config\daemon.json
{
"insecure-registries" : ["nexus-server:5000"]
}
docker login nexus-server:5000 -u admin -p your_password
docker tag myimage:latest nexus-server:5000/myimage:latest
docker push nexus-server:5000/myimage:latest
LDAP Integration
Navigate to Administration > Security > LDAP and create a new LDAP connection. Key settings for Active Directory:
Protocol: ldap (or ldaps for TLS)
Hostname: dc1.yourdomain.local
Port: 389
Search base: DC=yourdomain,DC=local
Authentication method: Simple
Username: CN=svc_nexus_ldap,OU=ServiceAccounts,DC=yourdomain,DC=local
Password: ldap_service_account_password
User subtree: checked
Object class: user
User filter: (sAMAccountName={login})
Username attribute: sAMAccountName
Full name attribute: displayName
Email attribute: mail
Group type: Dynamic groups
Group member format: CN=${username},OU=Users,DC=yourdomain,DC=local
After saving, use the Verify user mapping and Verify login buttons to test the connection before assigning roles.
Backing Up Nexus
Nexus 3 provides a built-in backup task. Navigate to Administration > System > Tasks > Create task > Admin – Export databases for backup. Configure it to run nightly and point to a backup location such as C:\nexus-backup. The task exports the OrientDB configuration database. To back up blob stores separately, use robocopy during a maintenance window:
robocopy "C:\nexus\sonatype-work\nexus3\blobs" "\\fileserver\nexus-blobs" /MIR /R:3 /W:10 /LOG:C:\logs\nexus-blob-backup.log
For a consistent backup, stop the service first:
Stop-Service nexus
robocopy "C:\nexus\sonatype-work" "\\fileserver\nexus-backup" /MIR /R:3 /W:10
Start-Service nexus
SSL with IIS as a Reverse Proxy
Placing IIS in front of Nexus allows you to use Windows Certificate Store for TLS termination. Install the required IIS features and ARR module:
Install-WindowsFeature Web-Server, Web-WebServer -IncludeManagementTools
# Download and install Application Request Routing from Microsoft
# https://www.iis.net/downloads/microsoft/application-request-routing
In IIS Manager enable proxy in ARR settings, then create a new site bound to port 443 with your TLS certificate. Add the following to the site’s web.config to reverse-proxy to Nexus on port 8081:
Set the nexus-args in nexus.properties to add the base URL so Nexus generates correct links:
nexus.base.url=https://nexus.yourdomain.com
Restart IIS and the Nexus service. Clients can now reach Nexus at https://nexus.yourdomain.com with a trusted certificate, while Nexus itself listens on unencrypted HTTP internally. Docker repository connectors will need their own port handling — either configure additional IIS sites per port or enable HTTPS directly in Nexus for Docker endpoints.
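With TLS terminated at IIS, the plain-HTTP listener should not be reachable from other hosts, yet the sample nexus.properties earlier binds application-host to 0.0.0.0. The following added example (not from the original guide) parses a properties file and reports whether the listener can be reached without going through the proxy. It assumes IIS and Nexus run on the same server; Get-NexusListenerFinding is a hypothetical helper name and both sample texts are constructed.

```powershell
# Added example. Get-NexusListenerFinding is a hypothetical helper, not a Nexus tool.
function Get-NexusListenerFinding {
    param([Parameter(Mandatory)][string]$PropertiesText)

    # Parse key=value lines, skipping comments and blank lines.
    $props = @{}
    foreach ($line in $PropertiesText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '=', 2
        if ($null -ne $value) { $props[$key.Trim()] = $value.Trim() }
    }

    # Fall back to the defaults (all interfaces, port 8081) when a key is absent.
    $bindHost = if ($props.ContainsKey('application-host')) { $props['application-host'] } else { '0.0.0.0' }
    $port     = if ($props.ContainsKey('application-port')) { [int]$props['application-port'] } else { 8081 }

    $loopback = @('127.0.0.1', 'localhost', '::1')
    [pscustomobject]@{
        BindHost      = $bindHost
        Port          = $port
        BypassesProxy = $loopback -notcontains $bindHost   # true = plain HTTP exposed off-box
    }
}

# Constructed sample: the settings shown earlier in this guide.
$before = @'
# HTTP port (default 8081)
application-port=8081
application-host=0.0.0.0
'@

# Constructed sample: listener restricted to loopback behind IIS.
$after = @'
application-port=8081
application-host=127.0.0.1
'@

Get-NexusListenerFinding -PropertiesText $before   # BypassesProxy = True
Get-NexusListenerFinding -PropertiesText $after    # BypassesProxy = False
```

On a live server, pass the file contents with Get-Content -Raw on nexus.properties and restart the service after changing the binding.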
Summary
Nexus Repository Manager on Windows Server 2022 provides a unified artifact store for all package formats used by modern development teams. By running Nexus as a Windows service under a dedicated account, configuring LDAP authentication against Active Directory, exposing it via an IIS reverse proxy with TLS, and setting up automated backups, you get a production-ready repository that reduces dependency on external registries and enforces artifact governance policies across your entire software supply chain.