How to Set Up iSCSI Initiator to Connect to SAN Storage on Windows Server 2025

How to Set Up iSCSI Initiator to Connect to SAN Storage on Windows Server 2025

Internet Small Computer Systems Interface (iSCSI) is a storage networking protocol that encapsulates SCSI commands over TCP/IP, allowing Windows Server 2025 to use block-level storage from a SAN (Storage Area Network) or NAS device over standard Ethernet infrastructure. Unlike Fibre Channel, which requires dedicated HBAs and switches, iSCSI runs on commodity NICs and your existing IP network, making it highly accessible for organizations of all sizes. Windows Server 2025 includes a built-in iSCSI Initiator — the client component that connects to iSCSI targets — which requires no additional software installation. Combined with Microsoft’s Multipath I/O (MPIO) framework, iSCSI can provide redundant paths to the same storage target for both performance and high availability. This tutorial walks through the complete process of discovering iSCSI targets, connecting with MPIO, configuring CHAP authentication, and making the configuration persistent across reboots.

Prerequisites

• Windows Server 2025 (iSCSI Initiator service is built-in)
• An iSCSI target device (hardware SAN, software target such as Windows Server iSCSI Target, FreeNAS/TrueNAS, or Synology)
• Network connectivity from the Windows server to the iSCSI target on port 3260/TCP
• Dedicated NICs for iSCSI traffic (recommended) — separate from management NICs
• Administrative privileges on the Windows Server
• IQN of the iSCSI target (obtainable from the target device’s management interface)

Step 1: Enable and Configure the iSCSI Initiator Service

The iSCSI Initiator service (MSiSCSI) is installed but not started by default on a fresh Windows Server 2025 installation. You must enable and start it before any iSCSI operations are possible.

# Start and configure the iSCSI Initiator service
Start-Service -Name MSiSCSI
Set-Service -Name MSiSCSI -StartupType Automatic

# Verify the service is running
Get-Service -Name MSiSCSI | Select-Object Name, Status, StartType

# View the initiator's IQN (iSCSI Qualified Name) — you will need this on the target side
# to authorize this server to connect
$initiatorIqn = (Get-InitiatorPort | Where-Object { $_.ConnectionType -eq "iSCSI" }).NodeAddress
Write-Host "Initiator IQN: $initiatorIqn"
# Example output: iqn.1991-05.com.microsoft:fileserver01-target1-target

# Alternatively, open the GUI
# iscsicpl.msc → Configuration tab → Initiator Name

Step 2: Install Multipath I/O (MPIO)

MPIO is a Windows framework that allows multiple physical paths to the same storage device to appear as a single logical disk to the operating system. This provides both redundancy (if one NIC or network path fails, I/O continues on the other) and optionally load balancing across paths. Install MPIO before connecting to the iSCSI target.

# Install the MPIO Windows feature
Install-WindowsFeature -Name Multipath-IO -IncludeManagementTools

# A reboot is required after MPIO installation
# Restart-Computer -Force

# After reboot, verify MPIO is installed
Get-WindowsFeature -Name Multipath-IO

# View the MPIO configuration tool
# mpiocpl.msc — or use PowerShell

# Check current MPIO settings
Get-MSDSMGlobalDefaultLoadBalancePolicy

# Add iSCSI device type to MPIO's supported hardware list
# This tells MPIO to manage multiple paths to iSCSI devices
Add-MSDSMSupportedHW -VendorId "MSFT" -ProductId "iSCSIDisk"

# For third-party SANs, use wildcard or your SAN vendor/product ID
# The wildcard approach (use cautiously in production — test first)
Add-MSDSMSupportedHW -VendorId "*" -ProductId "*"

# Verify the supported hardware list
Get-MSDSMSupportedHW

# Enable automatic claiming of iSCSI disks by MPIO
Set-MSDSMAutomaticClaimSettings -Transport iSCSI -BusType iSCSI -Enabled $true

Step 3: Configure Dedicated iSCSI Network Interfaces

For production environments, iSCSI traffic should be isolated to dedicated NICs and a separate VLAN or subnet, separate from management and user traffic. This prevents storage I/O from competing with other network traffic and improves security.

# Identify your iSCSI NICs (replace names with your actual adapter names)
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, LinkSpeed | Format-Table -AutoSize

# Assign dedicated IP addresses to iSCSI NICs (no default gateway — storage network is isolated)
New-NetIPAddress -InterfaceAlias "iSCSI NIC 1" -IPAddress "10.10.10.10" -PrefixLength 24
New-NetIPAddress -InterfaceAlias "iSCSI NIC 2" -IPAddress "10.10.11.10" -PrefixLength 24

# Disable DNS registration on iSCSI NICs (they should not appear in DNS)
Set-DnsClient -InterfaceAlias "iSCSI NIC 1" -RegisterThisConnectionsAddress $false
Set-DnsClient -InterfaceAlias "iSCSI NIC 2" -RegisterThisConnectionsAddress $false

# Disable IPv6 on iSCSI NICs (iSCSI typically runs over IPv4)
Disable-NetAdapterBinding -Name "iSCSI NIC 1" -ComponentID ms_tcpip6
Disable-NetAdapterBinding -Name "iSCSI NIC 2" -ComponentID ms_tcpip6

# Set jumbo frames (9000 MTU) for better iSCSI throughput
Set-NetAdapterAdvancedProperty -Name "iSCSI NIC 1" -RegistryKeyword "*JumboPacket" -RegistryValue 9014
Set-NetAdapterAdvancedProperty -Name "iSCSI NIC 2" -RegistryKeyword "*JumboPacket" -RegistryValue 9014

# Verify jumbo frames
Get-NetAdapterAdvancedProperty -Name "iSCSI NIC 1" -RegistryKeyword "*JumboPacket"

Step 4: Discover iSCSI Targets

With the iSCSI Initiator service running and your NICs configured, you can now discover iSCSI targets on your SAN. iSCSI discovery can use SendTargets (direct IP-based discovery) or iSNS (iSCSI Name Service for large environments).

# Add discovery portals — one per iSCSI NIC path for multipath
# Replace the IP addresses with your SAN/target device IPs
New-IscsiTargetPortal -TargetPortalAddress "10.10.10.20" -TargetPortalPortNumber 3260 `
    -InitiatorPortalAddress "10.10.10.10"

New-IscsiTargetPortal -TargetPortalAddress "10.10.11.20" -TargetPortalPortNumber 3260 `
    -InitiatorPortalAddress "10.10.11.10"

# Verify target portals were added
Get-IscsiTargetPortal | Select-Object TargetPortalAddress, TargetPortalPortNumber, InitiatorPortalAddress

# Discover targets available on the portals (SendTargets)
Update-IscsiTarget

# List all discovered iSCSI targets
Get-IscsiTarget | Select-Object NodeAddress, IsConnected | Format-Table -AutoSize

# Example output:
# NodeAddress                                       IsConnected
# -----------                                       -----------
# iqn.2005-10.com.synology:nas01.DataLUN1.abc123    False
# iqn.2005-10.com.synology:nas01.DataLUN2.def456    False

Step 5: Connect to iSCSI Targets with MPIO

Connect to each discovered target, establishing multiple sessions (one per iSCSI NIC path) to enable MPIO. MPIO will then aggregate these sessions into a single logical disk with multiple paths.

# Connect to the first target via the first iSCSI NIC path
$targetIqn = "iqn.2005-10.com.synology:nas01.DataLUN1.abc123"

# First session — path 1
Connect-IscsiTarget -NodeAddress $targetIqn `
    -TargetPortalAddress "10.10.10.20" `
    -InitiatorPortalAddress "10.10.10.10" `
    -IsMultipathEnabled $true `
    -IsPersistent $true

# Second session — path 2 (adds a second MPIO path to the same LUN)
Connect-IscsiTarget -NodeAddress $targetIqn `
    -TargetPortalAddress "10.10.11.20" `
    -InitiatorPortalAddress "10.10.11.10" `
    -IsMultipathEnabled $true `
    -IsPersistent $true

# Verify connections
Get-IscsiSession | Select-Object SessionIdentifier, TargetNodeAddress, IsConnected, NumberOfConnections |
    Format-Table -AutoSize

# Verify MPIO is managing the device (should show multiple paths)
Get-MSDSMGlobalDefaultLoadBalancePolicy
mpclaim -s -d  # Shows MPIO device paths (run in cmd or via cmd /c)

Step 6: Configure CHAP Authentication

CHAP (Challenge-Handshake Authentication Protocol) adds a layer of security to iSCSI by requiring the initiator to authenticate to the target before a session is established. For higher security, mutual CHAP can be configured so both sides authenticate each other.

# Configure one-way CHAP (initiator authenticates to target)
# First, set the CHAP secret on the iSCSI Initiator
# The target's CHAP username is typically the initiator IQN
$chapUser = "iqn.1991-05.com.microsoft:fileserver01"
$chapSecret = ConvertTo-SecureString -String "iSCSI@Ch@pSecret2025!" -Force -AsPlainText

# Set CHAP credentials on the initiator
Set-IscsiChapSecret -ChapSecret $chapSecret

# Connect with CHAP authentication enabled
Connect-IscsiTarget -NodeAddress $targetIqn `
    -TargetPortalAddress "10.10.10.20" `
    -InitiatorPortalAddress "10.10.10.10" `
    -AuthenticationType ONEWAYCHAP `
    -ChapUsername $chapUser `
    -ChapSecret $chapSecret `
    -IsMultipathEnabled $true `
    -IsPersistent $true

# For mutual CHAP (both sides authenticate):
Connect-IscsiTarget -NodeAddress $targetIqn `
    -TargetPortalAddress "10.10.10.20" `
    -InitiatorPortalAddress "10.10.10.10" `
    -AuthenticationType MUTUALCHAP `
    -ChapUsername $chapUser `
    -ChapSecret $chapSecret `
    -InitiatorChapUsername "fileserver01-reverse" `
    -InitiatorChapSecret $chapSecret `
    -IsMultipathEnabled $true `
    -IsPersistent $true

Step 7: Format and Use the iSCSI Disk

Once connected, the iSCSI LUN appears as a local disk in Disk Management and can be initialized, formatted, and used like any local disk.

# List all disks — the new iSCSI disk will appear as Offline
Get-Disk | Select-Object Number, FriendlyName, OperationalStatus, Size, BusType | Format-Table -AutoSize

# Bring the disk online and initialize it
$iscsiDisk = Get-Disk | Where-Object { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Offline" }

# Set disk online and read-write
Set-Disk -Number $iscsiDisk.Number -IsOffline $false
Set-Disk -Number $iscsiDisk.Number -IsReadOnly $false

# Initialize with GPT partition style
Initialize-Disk -Number $iscsiDisk.Number -PartitionStyle GPT

# Create a new partition using all available space
$partition = New-Partition -DiskNumber $iscsiDisk.Number -UseMaximumSize -AssignDriveLetter

# Format as NTFS (or ReFS for resilience)
Format-Volume -DriveLetter $partition.DriveLetter -FileSystem NTFS `
    -NewFileSystemLabel "iSCSI_DataLUN1" -Confirm:$false

Write-Host "iSCSI disk formatted and available at $($partition.DriveLetter):"

# Verify MPIO path load balancing policy for the disk
# Round Robin is recommended for active-active SANs
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR

Step 8: Ensure Persistent Connections After Reboot

# Verify all connections are marked as persistent (they should be from -IsPersistent $true)
Get-IscsiSession | Select-Object SessionIdentifier, TargetNodeAddress, IsPersistent | Format-Table -AutoSize

# If any sessions are not persistent, reconnect with IsPersistent flag
Get-IscsiTarget | Where-Object { -not $_.IsConnected } | ForEach-Object {
    Connect-IscsiTarget -NodeAddress $_.NodeAddress -IsMultipathEnabled $true -IsPersistent $true
}

# The MSiSCSI service will automatically reconnect on reboot for persistent sessions
# Verify service startup type
Get-Service -Name MSiSCSI | Select-Object Name, StartType

# Test persistence by simulating a service restart (not a full reboot)
Restart-Service -Name MSiSCSI
Start-Sleep -Seconds 10
Get-IscsiSession | Select-Object SessionIdentifier, TargetNodeAddress, IsConnected | Format-Table -AutoSize

Connecting Windows Server 2025 to iSCSI SAN storage provides enterprise-grade block storage over standard IP networking, making it an excellent choice for organizations that need shared storage for Hyper-V clusters, SQL Server databases, or general file storage without investing in a dedicated Fibre Channel fabric. By combining multiple iSCSI paths with MPIO, you achieve both redundancy and load balancing, ensuring that a single NIC or network link failure does not impact storage availability. CHAP authentication prevents unauthorized initiators from connecting to your SAN LUNs, and persistent connections ensure the storage is available immediately after every reboot. Review the iSCSI Initiator and MPIO event logs regularly to catch path failures or authentication issues before they impact production workloads.