How to Set Up Network File System (NFS) Server on Windows Server 2022
Network File System (NFS) is a distributed file system protocol that allows Linux, Unix, and other POSIX-compatible clients to mount remote file shares over TCP/IP and access them as if they were local filesystems. Windows Server 2022 includes a built-in NFS Server role that enables Windows servers to export shares to non-Windows clients without requiring third-party software. This is commonly used in mixed environments where Linux build servers, development workstations, or scientific computing nodes need access to centralized Windows file storage. Windows Server 2022 supports NFS v2, v3, and v4.1.
Planning NFS Authentication
NFS authentication works differently from SMB authentication. Traditional NFS (AUTH_SYS) relies on UID (User ID) and GID (Group ID) numbers passed by the client without cryptographic verification — the server trusts the client’s claim about the user’s identity. This is acceptable for trusted internal networks but is not suitable for environments with untrusted clients. More secure options include Kerberos-based NFS authentication (krb5, krb5i, krb5p) and RPCSEC_GSS. Windows Server 2022 NFS supports all three Kerberos flavors:
krb5: Identity is verified with Kerberos, but data is not encrypted or integrity-checked.
krb5i: Kerberos authentication plus data integrity checking (HMAC).
krb5p: Kerberos authentication with full data encryption (most secure, highest CPU overhead).
For AUTH_SYS (unmapped user access), you must configure UID/GID mapping so that Linux UIDs map to Windows accounts. The User Name Mapping service handles this. Without mapping, unmapped users are assigned a default anonymous UID/GID.
Installing the NFS Server Role
The NFS Server feature is part of the File and Storage Services role. Install it along with management tools:
Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name FS-NFS-Service, NFS-Client | Select DisplayName, InstallState
# Check that the NFS Server service is running
Get-Service -Name NfsService | Select Status, StartType
Start-Service -Name NfsService
Set-Service -Name NfsService -StartupType Automatic
The FS-NFS-Service feature installs both the NFS Server and NFS Client. The NFS Server exports shares to Linux/Unix clients. The NFS Client allows the Windows server to mount NFS shares from other NFS servers. Management tools include the nfsadmin command-line utility and the Services for NFS snap-in.
Creating an NFS Export
Create the directory you want to export and then use New-NfsShare to create the NFS export. The NFS share has its own access control separate from the SMB share and NTFS permissions:
# Create the directory to export
New-Item -ItemType Directory -Path "D:\NFSExports\linuxdata"
# Create a basic NFS share with read-write access for all clients (AUTH_SYS)
New-NfsShare -Name "linuxdata" -Path "D:\NFSExports\linuxdata" -AllowRootAccess $true -Authentication "Sys" -Permission "ReadWrite"
# Create an NFS share with restricted access to specific client IP range
New-NfsShare -Name "buildserver" -Path "D:\NFSExports\buildserver" -Authentication "Sys" -Permission "no-access" -AllowRootAccess $false
# Grant access to a specific client
Grant-NfsSharePermission -Name "buildserver" -ClientName "192.168.10.50" -ClientType "host" -Permission "ReadWrite" -AllowRootAccess $true
# Grant access to an entire subnet
Grant-NfsSharePermission -Name "buildserver" -ClientName "192.168.10.0" -ClientType "host" -Permission "ReadWrite" -AllowRootAccess $false
# List all NFS shares
Get-NfsShare | Select Name, Path, Authentication, AllowRootAccess | Format-Table -AutoSize
The -AllowRootAccess parameter controls whether a Linux client connecting as UID 0 (root) is granted root access on the NFS server. When this is $false (which is the default and recommended), root access from the client is mapped to the anonymous user (UID -2 / nobody). Set this to $true only for trusted administrative clients.
Configuring Export Permissions
NFS export permissions work in conjunction with NTFS permissions. The NFS export permission (ReadWrite, ReadOnly, No) is the first gate. NTFS permissions on the exported folder are the second gate. A user must pass both checks to access the file. In practice, set the NFS export to ReadWrite for trusted clients and use NTFS permissions to control granular access:
# View permissions on an NFS share
Get-NfsSharePermission -Name "linuxdata" | Select ClientName, ClientType, Permission, AllowRootAccess | Format-Table -AutoSize
# Modify permissions for an existing client entry (Grant-NfsSharePermission grants or modifies an entry)
Grant-NfsSharePermission -Name "linuxdata" -ClientName "192.168.10.0" -ClientType "host" -Permission "ReadOnly"
# Remove a client permission entry
Revoke-NfsSharePermission -Name "linuxdata" -ClientName "192.168.10.0" -ClientType "host"
# Modify the NFS share authentication mode
Set-NfsShare -Name "linuxdata" -Authentication "Sys","Krb5","Krb5i"
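The audit below is an added example, not part of the original guide or of Microsoft's tooling. It flags AUTH_SYS exports that grant root access, allow read-write to every client, or offer Sys next to Kerberos. The rows are constructed, and the Name column on the permission rows and the builtin "All Machines" client name are assumptions.

```powershell
# Added example. Rows below are constructed; on a server, build them from
# Get-NfsShare and Get-NfsSharePermission (property names as used on this page).
function Get-NfsExportFinding {
    param(
        [Parameter(Mandatory)][object[]]$Share,
        [Parameter(Mandatory)][object[]]$Permission   # assumed to carry the share Name
    )
    foreach ($s in $Share) {
        $auth = @($s.Authentication)
        # Kerberos-only exports verify identity, so only AUTH_SYS exports are reviewed.
        if ($auth -notcontains 'sys') { continue }
        $issues = @()
        if ($auth -like 'krb5*') { $issues += 'share: Sys is offered next to Kerberos, so a client can still pick Sys' }
        if ($s.AllowRootAccess)  { $issues += 'share: root access is on, client UID 0 is not mapped to anonymous' }
        foreach ($p in ($Permission | Where-Object { $_.Name -eq $s.Name })) {
            if ($p.AllowRootAccess) { $issues += "$($p.ClientName): root access granted over AUTH_SYS" }
            if ($p.ClientType -eq 'builtin' -and $p.Permission -eq 'readwrite') {
                $issues += "$($p.ClientName): read-write for every client that can reach the server"
            }
        }
        foreach ($i in $issues) { [pscustomobject]@{ Share = $s.Name; Finding = $i } }
    }
}

# Constructed sample mirroring the shares created in this guide.
$shares = @(
    [pscustomobject]@{ Name = 'linuxdata';   Authentication = @('sys');                    AllowRootAccess = $true  }
    [pscustomobject]@{ Name = 'buildserver'; Authentication = @('sys');                    AllowRootAccess = $false }
    [pscustomobject]@{ Name = 'secure-data'; Authentication = @('krb5', 'krb5i', 'krb5p'); AllowRootAccess = $false }
)
$perms = @(
    [pscustomobject]@{ Name = 'linuxdata';   ClientName = 'All Machines';  ClientType = 'builtin'; Permission = 'readwrite'; AllowRootAccess = $true  }
    [pscustomobject]@{ Name = 'buildserver'; ClientName = '192.168.10.50'; ClientType = 'host';    Permission = 'readwrite'; AllowRootAccess = $true  }
    [pscustomobject]@{ Name = 'buildserver'; ClientName = 'All Machines';  ClientType = 'builtin'; Permission = 'no-access'; AllowRootAccess = $false }
    [pscustomobject]@{ Name = 'secure-data'; ClientName = 'All Machines';  ClientType = 'builtin'; Permission = 'readwrite'; AllowRootAccess = $false }
)

Get-NfsExportFinding -Share $shares -Permission $perms | Format-Table -AutoSize -Wrap
```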
User Name Mapping and Anonymous Access
When AUTH_SYS is used, the NFS server receives a UID from the Linux client. To map this to a Windows account, you use the User Name Mapping service or an LDAP-based mapping. For simple deployments, configure anonymous (unmapped user) access with specific UID/GID values:
# Configure the NFS server's anonymous UID/GID mapping
# UID -2 (4294967294) is the standard "nobody" UID on Linux
nfsadmin server config anon-uid=-2 anon-gid=-2
# Configure the NFS server to allow unmapped Windows users
nfsadmin server config maplowercasenames=enabled
# View current NFS server configuration
nfsadmin server config
# Set the default NFS transport protocol to TCP (more reliable than UDP)
nfsadmin server config transport=TCP
For proper UID/GID mapping with Active Directory, install the Identity Management for Unix (IDMU) component or use RFC 2307 attributes (uidNumber, gidNumber) in Active Directory. When these attributes are set on AD user accounts, the NFS server reads them and maps incoming Linux UIDs to the correct Windows accounts without IDMU:
# Set NFS to use AD with RFC 2307 attributes for UID/GID mapping
nfsadmin server config mapsvr=dc01.contoso.com
# Verify NFS server mapping configuration
nfsadmin server config | findstr /i "map"
Mounting NFS Share on Linux
On a Linux client, install the NFS client tools and mount the Windows NFS export. The Windows Server NFS share is compatible with standard Linux NFS mount commands:
# On the Linux client — install NFS client utilities
# Ubuntu/Debian:
apt install nfs-common -y
# RHEL/CentOS/Rocky Linux:
dnf install nfs-utils -y
# Mount the NFS share manually (NFSv3)
mount -t nfs -o vers=3,tcp,rw 192.168.10.100:/linuxdata /mnt/windata
# Mount with NFSv4.1 (Windows Server 2022 supports v4.1)
mount -t nfs4 -o vers=4.1,tcp,rw 192.168.10.100:/linuxdata /mnt/windata
# Verify the mount
df -h /mnt/windata
mount | grep windata
# Add persistent mount to /etc/fstab
echo "192.168.10.100:/linuxdata /mnt/windata nfs vers=3,tcp,rw,_netdev 0 0" >> /etc/fstab
# Test fstab entry
mount -a
If the Linux client cannot mount the share, check that the Windows Firewall allows TCP 2049 (NFS), TCP 111 (portmapper/rpcbind), and UDP 111. Use showmount to query the NFS server’s exports:
# From Linux — query NFS exports on the Windows NFS server
showmount -e 192.168.10.100
# Check rpcbind registered services on the Windows server
rpcinfo -p 192.168.10.100
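Because AUTH_SYS trusts whatever UID the client sends, the remote-address scope on these ports is part of the access control. The added example below (not from the original guide) lists enabled inbound allow rules that cover TCP/UDP 111 and TCP 2049 and shows which ones accept any remote address; the 192.168.10.0/24 scope and the rule name are assumptions.

```powershell
# Added example: review firewall exposure of the NFS (2049) and rpcbind (111) ports.
function Get-NfsFirewallExposure {
    $nfsPorts = '111', '2049'
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        foreach ($pf in @($rule | Get-NetFirewallPortFilter)) {
            # Exact port matches only; rules using ranges or 'Any' need a manual look.
            $hit = @($pf.LocalPort) | Where-Object { $nfsPorts -contains $_ }
            if (-not $hit) { continue }
            $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Protocol      = $pf.Protocol
                Ports         = $hit -join ','
                RemoteAddress = $remote -join ','
                AnyRemote     = $remote -contains 'Any'   # True = reachable from any source
            }
        }
    }
}

Get-NfsFirewallExposure | Sort-Object AnyRemote -Descending | Format-Table -AutoSize

# Scoped allow rule, assuming the NFS clients live in 192.168.10.0/24.
# -WhatIf previews the change; UDP 111 needs a second rule with -Protocol UDP.
New-NetFirewallRule -DisplayName 'NFS from client subnet (example)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 111, 2049 `
    -RemoteAddress 192.168.10.0/24 -WhatIf
```

A scoped rule only narrows exposure if the broader allow rules reported with AnyRemote set to True are disabled or scoped as well.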
Mounting NFS Share on Windows
The Windows NFS Client (installed with FS-NFS-Service) allows Windows machines to mount NFS exports from any NFS server (Linux, NetApp, Windows, etc.). Mount using the Windows NFS client:
# Mount a Linux NFS server's export on Windows (using the NFS client's mount.exe)
# First, ensure the Client for NFS service (NfsClnt) is running
Start-Service -Name NfsClnt
Set-Service -Name NfsClnt -StartupType Automatic
# Mount via command line (assigns drive letter N:); in PowerShell, call mount.exe explicitly because "mount" is an alias for New-PSDrive
mount.exe -o anon \\192.168.10.200\exports\data N:
# Mount with specific UID/GID for AUTH_SYS
mount.exe -o "mtype=soft,timeout=5,retry=2,uid=1001,gid=1001" \\192.168.10.200\exports\data N:
# List currently mounted NFS shares on Windows
mount.exe
# Unmount
umount N:
For scripted or persistent NFS mounts on Windows, use the New-PSDrive cmdlet or add the mount to a logon script. Note that Windows NFS client mounts do not persist across reboots by default unless added to a startup script or scheduled task.
NFS v4.1 on Windows Server 2022
Windows Server 2022 adds NFS v4.1 server support (previous versions supported up to v3). NFSv4.1 provides several improvements over v3: stateful protocol (the server maintains session state for better consistency), integrated locking (no separate NLM protocol needed), improved security with mandatory Kerberos support, and pNFS (parallel NFS) for distributed I/O. Enable and configure NFS v4.1:
# Check which NFS versions the server currently supports
nfsadmin server config | findstr -i version
# Enable NFS v4.1 support
Set-NfsServerConfiguration -EnableNFSV4 $true
# Configure the grace period for NFSv4 lock recovery after server restart
Set-NfsServerConfiguration -NfsV4GracePeriodSec 45
# Set the NFS lease time for NFSv4 clients
Set-NfsServerConfiguration -NfsV4LeaseSec 30
# Verify NFS server configuration including v4.1 settings
Get-NfsServerConfiguration | Select EnableNFSV4, NfsV4GracePeriodSec, NfsV4LeaseSec, OnlineMigrationEnabled
For NFSv4.1 with Kerberos, both the Windows NFS server and the Linux client must be members of the same Kerberos realm (or have cross-realm trust). The NFS server must have an NFS service principal name (SPN) registered in Active Directory. Configure the NFS server’s Kerberos settings:
# Register NFS SPN for the server (run as Domain Admin)
setspn -A nfs/nfsserver01.contoso.com contoso\nfsserver01$
setspn -A nfs/nfsserver01 contoso\nfsserver01$
# Create an NFS share with Kerberos authentication required
New-NfsShare -Name "secure-data" -Path "D:\NFSExports\secure" -Authentication "Krb5","Krb5i","Krb5p" -Permission "ReadWrite"
NFS Performance Tuning
NFS performance on Windows Server 2022 can be tuned through several parameters. The most impactful settings are the number of NFS threads, read-ahead size, and transport protocol:
# Set the number of NFS server threads (default is 8; increase for high concurrency)
nfsadmin server config threads=16
# Set the maximum read-ahead buffer size (in KB)
nfsadmin server config ReadBufSize=65536
# Set the preferred transport (TCP for reliability, UDP for low-latency LAN)
nfsadmin server config transport=TCP
# Set the maximum number of TCP connections
nfsadmin server config maxtcpconn=256
# Apply configuration changes
nfsadmin server start
On the Linux client side, increase the rsize and wsize mount options for better throughput over fast networks:
# Mount with large read/write sizes (128 KB) for high-throughput workloads
mount -t nfs -o vers=3,tcp,rsize=131072,wsize=131072,rw 192.168.10.100:/linuxdata /mnt/windata
# For NFSv4 with async writes (higher performance, less durable)
mount -t nfs4 -o vers=4.1,rsize=131072,wsize=131072,async,rw 192.168.10.100:/linuxdata /mnt/windata
Monitoring NFS Server Activity
Monitor NFS server activity, connected clients, and share statistics using nfsadmin and PowerShell:
# List all currently connected NFS clients
nfsadmin server listconnections
# View NFS server statistics (read/write ops, cache hits)
nfsadmin server stats
# Reset statistics counters
nfsadmin server stats -zero
# Get all NFS shares and their current state
Get-NfsShare | Select Name, Path, Authentication, AllowRootAccess, IsOnline | Format-Table -AutoSize
# Get NFS share permissions for all shares
Get-NfsShare | ForEach-Object { Get-NfsSharePermission -Name $_.Name } | Format-Table -AutoSize
# Check the NFS server service event log
Get-WinEvent -LogName "Microsoft-Windows-ServicesForNFS-Server/Diagnostic" -MaxEvents 50 | Select TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
The Windows Server 2022 NFS Server is a practical solution for mixed Windows-Linux environments. By combining AUTH_SYS for internal trusted networks with Kerberos for secure environments, and leveraging NFSv4.1’s improved protocol semantics, you can provide reliable, high-performance file sharing to Linux clients from Windows-based storage infrastructure.