diff --git a/libexec/rc/rc.d/gssd.vnet b/libexec/rc/rc.d/gssd
--- a/libexec/rc/rc.d/gssd.vnet
+++ b/libexec/rc/rc.d/gssd
@@ -6,7 +6,7 @@
 # PROVIDE: gssd
 # REQUIRE: root mountcritlocal NETWORKING kdc
 # BEFORE: mountcritremote
-# KEYWORD: nojail shutdown
+# KEYWORD: shutdown
 
 . /etc/rc.subr
 
@@ -15,4 +15,14 @@
 rcvar=gssd_enable
 
 load_rc_config $name
+start_precmd="gssd_precmd"
+
+gssd_precmd()
+{
+	if check_jail jailed && ! check_jail vnet; then
+		err 1 "gssd: must be a vnet prison"
+	fi
+	return 0
+}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/mountd.vnet b/libexec/rc/rc.d/mountd
--- a/libexec/rc/rc.d/mountd.vnet
+++ b/libexec/rc/rc.d/mountd
@@ -5,7 +5,7 @@
 
 # PROVIDE: mountd
 # REQUIRE: NETWORKING rpcbind quota mountlate
-# KEYWORD: nojail shutdown
+# KEYWORD: shutdown
 
 . /etc/rc.subr
 
@@ -24,6 +24,10 @@
 	# Load the modules now, so that the vfs.nfsd sysctl
 	# oids are available.
 	load_kld nfsd || return 1
+
+	if check_jail jailed && ! check_jail vnet; then
+		err 1 "mountd: must be a vnet prison"
+	fi
 
 	# Do not force rpcbind to be running for an NFSv4 only server.
 	#
diff --git a/libexec/rc/rc.d/nfsd.vnet b/libexec/rc/rc.d/nfsd
--- a/libexec/rc/rc.d/nfsd.vnet
+++ b/libexec/rc/rc.d/nfsd
@@ -5,7 +5,7 @@
 
 # PROVIDE: nfsd
 # REQUIRE: mountcritremote mountd hostname gssd nfsuserd
-# KEYWORD: nojail shutdown
+# KEYWORD: shutdown
 
 . /etc/rc.subr
 
@@ -28,7 +28,11 @@
 	# oids are available.
 	load_kld nfsd || return 1
 
-	if [ -n "${nfs_server_maxio}" ]; then
+	if check_jail jailed && ! check_jail vnet; then
+		err 1 "nfsd: must be a vnet prison"
+	fi
+
+	if [ -n "${nfs_server_maxio}" ] && ! check_jail jailed; then
 		if ! sysctl vfs.nfsd.srvmaxio=${nfs_server_maxio} >/dev/null; then
 			warn "Failed to set server max I/O"
 		fi
diff --git a/libexec/rc/rc.d/nfsuserd.vnet b/libexec/rc/rc.d/nfsuserd
--- a/libexec/rc/rc.d/nfsuserd.vnet
+++ b/libexec/rc/rc.d/nfsuserd
@@ -5,7 +5,7 @@
 
 # PROVIDE: nfsuserd
 # REQUIRE: NETWORKING
-# KEYWORD: nojail shutdown
+# KEYWORD: shutdown
 
 . /etc/rc.subr
 
@@ -20,6 +20,10 @@
 
 nfsuserd_precmd()
 {
+	if check_jail jailed && ! check_jail vnet; then
+		err 1 "nfsuserd: must be a vnet prison"
+	fi
+
 	if checkyesno nfs_server_managegids; then
 		rc_flags="-manage-gids ${nfsuserd_flags}"
 	fi
diff --git a/libexec/rc/rc.d/tlsservd.vnet b/libexec/rc/rc.d/tlsservd
--- a/libexec/rc/rc.d/tlsservd.vnet
+++ b/libexec/rc/rc.d/tlsservd
@@ -6,7 +6,7 @@
 # PROVIDE: tlsservd
 # REQUIRE: NETWORKING root mountcritlocal sysctl
 # BEFORE: nfsd
-# KEYWORD: nojail shutdown
+# KEYWORD: shutdown
 
 . /etc/rc.subr
 
@@ -21,5 +21,15 @@
 
 
 load_rc_config $name
+start_precmd="tlsservd_precmd"
+
+tlsservd_precmd()
+{
+	if check_jail jailed && ! check_jail vnet; then
+		err 1 "tlsservd: must be a vnet prison"
+	fi
+	return 0
+}
+
 
 run_rc_command "$1"