How to Set Up File and Storage Services on Windows Server 2019

File and Storage Services in Windows Server 2019 provides a comprehensive platform for sharing files across a network using SMB (Server Message Block) and NFS (Network File System). Windows Server 2019 includes SMB 3.1.1 with encryption, pre-authentication integrity, and compression capabilities. This guide covers installing the File Server role, creating SMB shares, configuring NTFS and share permissions, setting up DFS (Distributed File System), configuring File Server Resource Manager (FSRM) for quotas and file screening, and monitoring storage health.

Installing File Server Role Services

Install the File Server role and commonly needed feature modules:

# Install File Server and related features
Install-WindowsFeature `
    -Name FS-FileServer, `
           FS-DFS-Namespace, `
           FS-DFS-Replication, `
           FS-Resource-Manager, `
           FS-VSS-Agent, `
           Storage-Services `
    -IncludeManagementTools

# Verify installation
Get-WindowsFeature -Name FS-* | Where-Object {$_.InstallState -eq "Installed"}

Preparing Storage for File Shares

Before creating shares, prepare the underlying storage. Use separate volumes for different share types to enable independent quota management and backup policies:

# View available disks
Get-Disk

# Initialize a new disk
Initialize-Disk -Number 1 -PartitionStyle GPT

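# Create a partition using all available space and assign drive letter D,
# which the remaining steps assume (-AssignDriveLetter would pick the next free letter)
New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter D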

# Format with NTFS, set allocation unit size to 64K for large file workloads
Format-Volume -DriveLetter D -FileSystem NTFS -AllocationUnitSize 65536 -NewFileSystemLabel "FileShares" -Confirm:$false

# Verify the volume
Get-Volume -DriveLetter D

Creating SMB Shares

SMB shares expose directories to network clients. Configure share permissions and NTFS permissions together — the more restrictive of the two always applies when accessing over the network:

# Create directory structure for departments
New-Item -Path "D:\Shares\HR" -ItemType Directory
New-Item -Path "D:\Shares\Finance" -ItemType Directory
New-Item -Path "D:\Shares\IT" -ItemType Directory
New-Item -Path "D:\Shares\Shared" -ItemType Directory

# Create an SMB share with encrypted access
New-SmbShare `
    -Name "HR$" `
    -Path "D:\Shares\HR" `
    -Description "Human Resources confidential files" `
    -EncryptData $true `
    -FullAccess "CORP\HR-Managers" `
    -ChangeAccess "CORP\HR-Staff" `
    -ReadAccess "CORP\Domain Admins" `
    -FolderEnumerationMode AccessBased

# Create a general-purpose share
New-SmbShare `
    -Name "Shared" `
    -Path "D:\Shares\Shared" `
    -Description "Shared company files" `
    -FullAccess "CORP\Domain Admins" `
    -ChangeAccess "CORP\Domain Users"

# List all shares
Get-SmbShare

Configuring NTFS Permissions

NTFS permissions provide granular access control at the file system level. They apply both locally and over the network, unlike share permissions which only apply to network access:

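# Remove inherited permissions and set explicit permissions on the HR folder
$path = "D:\Shares\HR"
$acl = Get-Acl $path

# Disable inheritance and discard the inherited rules ($false = do not copy them).
# RemoveAccessRule does not remove inherited entries, so preserving them here
# would carry them over as explicit rules when the ACL is applied.
$acl.SetAccessRuleProtection($true, $false)

# Remove all remaining explicit rules
@($acl.Access) | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }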

# Add SYSTEM full control
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT AUTHORITY\SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.AddAccessRule($rule)

# Add Domain Admins full control
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.AddAccessRule($rule)

# Add HR Managers: Modify (read, write, delete)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\HR-Managers", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.AddAccessRule($rule)

# Add HR Staff: ReadAndExecute + Write (no delete)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\HR-Staff", "ReadAndExecute, Write", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.AddAccessRule($rule)

# Apply the ACL
Set-Acl $path $acl
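
To confirm the folder ended up with exactly the intended entries, read the ACL back and compare it with the expected list. This is an added example, not part of the original guide; the function name Test-FolderAcl and its parameters are hypothetical, and the principals are the ones used above.

```powershell
# Added example: compare a folder's effective ACL with the intended one.
function Test-FolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected principal -> FileSystemRights, as granted in the steps above
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $acl  = Get-Acl -Path $Path
    # Allow rules always read back with Synchronize added, so mask it on both sides
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

    # Inheritance must be blocked, otherwise parent entries flow back in
    if (-not $acl.AreAccessRulesProtected) {
        "Inheritance is still enabled on $Path"
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') {
            "Unexpected Deny entry for $who"
            continue
        }
        if (-not $Expected.ContainsKey($who)) {
            "Unexpected principal: $who ($($ace.FileSystemRights))"
            continue
        }
        $want = [int][System.Security.AccessControl.FileSystemRights]$Expected[$who] -bor $sync
        $have = [int]$ace.FileSystemRights -bor $sync
        if ($want -ne $have) {
            "Rights differ for ${who}: found $($ace.FileSystemRights), expected $($Expected[$who])"
        }
    }
    foreach ($who in $Expected.Keys) {
        if ($acl.Access.IdentityReference.Value -notcontains $who) {
            "Missing principal: $who"
        }
    }
}

$expected = @{
    'NT AUTHORITY\SYSTEM' = 'FullControl'
    'CORP\Domain Admins'  = 'FullControl'
    'CORP\HR-Managers'    = 'Modify'
    'CORP\HR-Staff'       = 'ReadAndExecute, Write'
}
# No output means the ACL matches; each returned string is one deviation
Test-FolderAcl -Path 'D:\Shares\HR' -Expected $expected
```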

Enabling SMB Encryption and Securing the File Server

SMB encryption, available since SMB 3.0, protects data in transit between client and server. Enable it globally or per-share:

# Enable SMB encryption globally (all shares on this server)
Set-SmbServerConfiguration -EncryptData $true -Confirm:$false

# Disable older, insecure SMB versions
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false
Set-SmbServerConfiguration -EnableSMB2Protocol $true -Confirm:$false

# Enable SMB signing (prevents man-in-the-middle attacks)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Confirm:$false

# View SMB server configuration
Get-SmbServerConfiguration | Select-Object EncryptData, EnableSMB1Protocol, RequireSecuritySignature, AuditSmb1Access
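
The same settings can be checked repeatably, for example from a scheduled task, with a small audit function. This is an added example, not part of the original guide: the function name Get-SmbHardeningFinding is hypothetical, and the sample objects at the end are constructed so the logic can be exercised without a live server.

```powershell
# Added example: report SMB settings that deviate from the values configured above.
function Get-SmbHardeningFinding {
    param(
        # Default to the live server; pass objects to audit exported or sample data
        $ServerConfig = (Get-SmbServerConfiguration),
        $Shares       = (Get-SmbShare -Special $false)
    )
    $want = [ordered]@{
        EnableSMB1Protocol       = $false
        EnableSMB2Protocol       = $true
        RequireSecuritySignature = $true
        EncryptData              = $true
    }
    foreach ($name in $want.Keys) {
        if ($ServerConfig.$name -ne $want[$name]) {
            [pscustomobject]@{ Scope = 'Server'; Item = $name
                Detail = "is $($ServerConfig.$name), expected $($want[$name])" }
        }
    }
    # Encryption is only enforced while unencrypted clients are rejected
    if ($ServerConfig.RejectUnencryptedAccess -eq $false) {
        [pscustomobject]@{ Scope = 'Server'; Item = 'RejectUnencryptedAccess'
            Detail = 'unencrypted clients are still accepted' }
    }
    foreach ($s in $Shares) {
        # A share is covered by either the global or its own EncryptData flag
        if (-not $ServerConfig.EncryptData -and -not $s.EncryptData) {
            [pscustomobject]@{ Scope = 'Share'; Item = $s.Name
                Detail = 'traffic to this share is not encrypted' }
        }
        if ("$($s.FolderEnumerationMode)" -ne 'AccessBased') {
            [pscustomobject]@{ Scope = 'Share'; Item = $s.Name
                Detail = 'access-based enumeration is off' }
        }
    }
}

# Constructed sample input (not real server output)
$cfg = [pscustomobject]@{
    EnableSMB1Protocol = $true;  EnableSMB2Protocol = $true
    RequireSecuritySignature = $false; EncryptData = $false
    RejectUnencryptedAccess = $true
}
$shares = @(
    [pscustomobject]@{ Name = 'HR$';    EncryptData = $true;  FolderEnumerationMode = 'AccessBased' }
    [pscustomobject]@{ Name = 'Shared'; EncryptData = $false; FolderEnumerationMode = 'Unrestricted' }
)
Get-SmbHardeningFinding -ServerConfig $cfg -Shares $shares | Format-Table -AutoSize
```

Run without arguments on the file server, the function audits the live configuration; an empty result means every checked setting matches.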

Setting Up DFS Namespaces

DFS Namespaces create a unified, location-transparent namespace for file shares. Users access \\corp.example.com\shares\HR regardless of which physical file server hosts the data:

Import-Module DFSN

# Create a domain-based DFS namespace
New-DfsnRoot `
    -Path "\\corp.example.com\files" `
    -Type DomainV2 `
    -TargetPath "\\fs01.corp.example.com\files-root" `
    -Description "Company-wide file namespace"

# Create a DFS folder (virtual folder in the namespace)
New-DfsnFolder `
    -Path "\\corp.example.com\files\HR" `
    -TargetPath "\\fs01.corp.example.com\HR$" `
    -Description "Human Resources"

New-DfsnFolder `
    -Path "\\corp.example.com\files\Finance" `
    -TargetPath "\\fs01.corp.example.com\Finance$" `
    -Description "Finance Department"

# Add a second target for redundancy (DFS Replication required for consistency)
New-DfsnFolderTarget `
    -Path "\\corp.example.com\files\Finance" `
    -TargetPath "\\fs02.corp.example.com\Finance$"

# View the namespace
Get-DfsnRoot
Get-DfsnFolder -Path "\\corp.example.com\files\*"

Configuring DFS Replication

DFS Replication (DFSR) keeps folders synchronized between multiple servers using a compressed, differential replication algorithm. It is also used to replicate SYSVOL between domain controllers:

Import-Module DFSR

# Create a replication group
New-DfsReplicationGroup -GroupName "Finance-RG"

# Add members (servers to replicate between)
Add-DfsrMember -GroupName "Finance-RG" -ComputerName "fs01", "fs02"

# Add a replicated folder
New-DfsReplicatedFolder `
    -GroupName "Finance-RG" `
    -FolderName "Finance" `
    -DfsnPath "\\corp.example.com\files\Finance"

# Set memberships: primary member and content path
Set-DfsrMembership `
    -GroupName "Finance-RG" `
    -FolderName "Finance" `
    -ComputerName "fs01" `
    -ContentPath "D:\Shares\Finance" `
    -PrimaryMember $true

Set-DfsrMembership `
    -GroupName "Finance-RG" `
    -FolderName "Finance" `
    -ComputerName "fs02" `
    -ContentPath "D:\Shares\Finance" `
    -PrimaryMember $false

# Create a connection between members
Add-DfsrConnection -GroupName "Finance-RG" -SourceComputerName "fs01" -DestinationComputerName "fs02"

# Monitor replication state
Get-DfsrState -ComputerName fs01 -Verbose

Configuring File Server Resource Manager (FSRM)

FSRM provides quota management, file screening, and storage reports. Use it to control disk usage and prevent unauthorized file types from being stored on file servers:

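# Create a quota template (100 GB hard quota with email alert at 85%)
$mailAction  = New-FsrmAction Email -MailTo "[Admin Email]" -Subject "Quota Warning" -Body "Share at [Quota Used Percent]%"
$eventAction = New-FsrmAction Event -EventType Warning -Body "Storage quota threshold reached"

# Notifications are attached to a threshold, which is then attached to the template
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $mailAction, $eventAction

# -SoftLimit is a switch; omitting it creates a hard quota
New-FsrmQuotaTemplate `
    -Name "100GB-DeptShare" `
    -Size 107374182400 `
    -Threshold $threshold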

# Apply quota to a directory
New-FsrmQuota `
    -Path "D:\Shares\HR" `
    -Template "100GB-DeptShare"

# Create a file screen to block executable files
New-FsrmFileGroup `
    -Name "Blocked Executables" `
    -IncludePattern @("*.exe", "*.bat", "*.cmd", "*.vbs", "*.ps1", "*.msi")

# -Active is a switch: active screening blocks the file, passive screening only notifies
New-FsrmFileScreenTemplate `
    -Name "Block Executables" `
    -Active `
    -IncludeGroup "Blocked Executables"

New-FsrmFileScreen `
    -Path "D:\Shares\Shared" `
    -Template "Block Executables"

Monitoring File Server Activity

# View current open files and user sessions
Get-SmbOpenFile
Get-SmbSession

# Close a specific open file (12345 is a placeholder; take the FileId from Get-SmbOpenFile)
Close-SmbOpenFile -FileId 12345 -Confirm:$false

# View the share-level permissions on a share
Get-SmbShareAccess -Name "Shared"

# Generate a storage report
New-FsrmStorageReport `
    -Name "Weekly-LargeFiles" `
    -Namespace "D:\Shares" `
    -ReportType LargeFiles `
    -Schedule (New-FsrmScheduledTask -Time "02:00" -Weekly Sunday)

File and Storage Services on Windows Server 2019 provides a robust, enterprise-grade platform for centralized file storage. Combine SMB encryption with regular access reviews, and use the Access-Based Enumeration feature to ensure users only see content they have permission to access, reducing the risk of accidental data exposure.