How to Set Up Windows Server 2019 Network File System
Network File System (NFS) on Windows Server 2019 enables interoperability between Windows and Unix/Linux systems by providing NFS server and client roles. The Server for NFS role allows Windows Server 2019 to export shared directories that Linux, macOS, and other Unix-based systems can mount natively. The Client for NFS role allows Windows Server 2019 to mount NFS shares exported by Unix servers. This guide covers installing both roles, configuring NFS shares, setting permissions, and tuning performance.
Installing NFS Components
# Install Server for NFS (to share files to Unix/Linux clients)
Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools
# Install Client for NFS (to mount Unix/Linux NFS shares from Windows)
Install-WindowsFeature -Name NFS-Client
# Install both roles
Install-WindowsFeature -Name FS-NFS-Service, NFS-Client -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name FS-NFS-Service, NFS-Client | Select-Object Name, InstallState
# Import the NFS management module
Import-Module NFSCreating an NFS Share on Windows Server 2019
# Create a directory to share
New-Item -Path "D:NFSSharesLinuxData" -ItemType Directory -Force
# Create NFS share with basic settings
New-NfsShare -Name "LinuxData" `
-Path "D:NFSSharesLinuxData" `
-AllowRootAccess $false `
-Authentication "Sys" `
-EnableNfsV3 $true `
-EnableUnmappedAccess $false
# Create NFS share accessible by specific subnet
New-NfsShare -Name "DevData" `
-Path "D:NFSSharesDevData" `
-AllowRootAccess $false `
-Authentication "Sys"
# Grant read-write access to specific Linux server IP
Grant-NfsSharePermission -Name "DevData" `
-ClientName "192.168.1.150" `
-ClientType "host" `
-Permission "readwrite" `
-AllowRootAccess $false
# Grant access to an entire subnet
Grant-NfsSharePermission -Name "DevData" `
-ClientName "192.168.2.0" `
-ClientType "network" `
-NetworkMask "255.255.255.0" `
-Permission "readwrite"Configuring NFS Identity Mapping
NFS identity mapping translates between Unix UIDs/GIDs and Windows user accounts. Configure the NFS server to handle anonymous (unmapped) requests or use AD-based mapping:
# Configure anonymous UID/GID mapping (simplest for compatibility)
Set-NfsServerConfiguration `
-EnableNFSV2 $false `
-EnableNFSV3 $true `
-EnableNFSV4 $true `
-UnmappedUserAccount "nobody" `
-MappingMode "ADsBySid"
# Set the anonymous access UID and GID
Set-NfsServerConfiguration -AnonymousUID 65534 -AnonymousGID 65534
# View current NFS server configuration
Get-NfsServerConfiguration | Select-Object *
# Configure User Name Mapping for domain environments
# In Active Directory environments, enable Services for NFS (Identity Management)
Install-WindowsFeature -Name "RSAT-NFS-Admin"Managing Windows File Permissions for NFS
# Set NTFS permissions on the shared directory
# NFS clients authenticate as the anonymous account (unless Kerberos is used)
$sharePath = "D:NFSSharesLinuxData"
$acl = Get-Acl -Path $sharePath
# Grant the "Everyone" group full control for testing (restrict in production)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
# For more secure setup, grant only authenticated NFS users (mapped accounts)
# Create a dedicated service account for NFS access
New-ADUser -Name "nfs-service" -SamAccountName "nfs-service" `
-UserPrincipalName "[email protected]" `
-Enabled $true `
-PasswordNeverExpires $true `
-AccountPassword (ConvertTo-SecureString "NfsP@ss123!" -AsPlainText -Force)Configuring Windows Firewall for NFS
# Enable NFS server firewall rules
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
# Allow NFS ports explicitly
New-NetFirewallRule -Name "NFS-Server-TCP" `
-DisplayName "NFS Server (TCP)" `
-Direction Inbound -Protocol TCP `
-LocalPort 2049 -Action Allow
New-NetFirewallRule -Name "NFS-Server-UDP" `
-DisplayName "NFS Server (UDP)" `
-Direction Inbound -Protocol UDP `
-LocalPort 2049 -Action Allow
# Allow portmapper (rpcbind) for NFS v3
New-NetFirewallRule -Name "NFS-RPCBind" `
-DisplayName "NFS RPC Bind" `
-Direction Inbound -Protocol TCP `
-LocalPort 111 -Action AllowMounting an NFS Share from Linux
# On a Linux client, mount the Windows NFS share
sudo mkdir -p /mnt/windata
sudo mount -t nfs -o vers=3,nolock,rw 192.168.1.200:/LinuxData /mnt/windata
# Add to /etc/fstab for persistent mounting
echo "192.168.1.200:/LinuxData /mnt/windata nfs vers=3,nolock,rw 0 0" | sudo tee -a /etc/fstab
# Verify mount
df -h /mnt/windata
ls -la /mnt/windataMounting an NFS Share on Windows Server 2019 Client
# Mount an NFS share from a Linux server onto Windows Server 2019
# Create mount point directory
New-Item -Path "C:NFSMount" -ItemType Directory -Force
# Mount NFS share
New-PSDrive -Name "N" `
-PSProvider FileSystem `
-Root "\192.168.1.100exportsdata" `
-Persist
# Or use the mount command
mount -o anon \192.168.1.100exportsdata N:
# Verify mount
Get-PSDrive -Name NViewing and Removing NFS Shares
# List all NFS shares
Get-NfsShare | Select-Object Name, Path, AllowRootAccess, Authentication
# View permissions on a share
Get-NfsSharePermission -Name "LinuxData"
# Remove a permission
Revoke-NfsSharePermission -Name "LinuxData" -ClientName "192.168.1.150" -ClientType host
# Remove an NFS share
Remove-NfsShare -Name "LinuxData" -Confirm:$falseNFS on Windows Server 2019 is most commonly used in mixed environments where Windows servers provide file storage to Linux application servers. For new deployments, use NFS v4.1 with Kerberos authentication where possible, as it provides strong identity verification and eliminates the security limitations of NFS v3’s IP-based access control. Always apply the principle of least privilege when configuring NFS share permissions.
