How to Set Up iSCSI Target Server on Windows Server 2016

iSCSI (Internet Small Computer Systems Interface) is a protocol that allows SCSI commands to be transmitted over a TCP/IP network, enabling servers and applications to access block-level storage over standard Ethernet connections. Windows Server 2016 includes a built-in iSCSI Target Server role that allows you to create and manage virtual hard disks and expose them as iSCSI LUNs (Logical Unit Numbers) to initiators on the network. This guide walks through the complete setup of an iSCSI Target Server and connecting an iSCSI initiator client.

Use Cases for iSCSI Target Server

iSCSI is commonly used for shared storage in failover clusters, as a low-cost alternative to Fibre Channel SANs, for provisioning storage to virtual machines, and for backup and disaster recovery scenarios where centralised block storage is needed. The Windows Server iSCSI Target Server supports both hardware and software initiators and is suitable for lab environments, branch offices, and small to medium production deployments.

Step 1: Install the iSCSI Target Server Role

Open Server Manager or use PowerShell to install the iSCSI Target Server role service. The feature is part of the File and Storage Services role:

Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

After installation completes, you can manage iSCSI targets through Server Manager under File and Storage Services, or via PowerShell using the iSCSI cmdlet set.

Step 2: Create a Virtual Disk for the iSCSI Target

An iSCSI virtual disk is a VHD or VHDX file that is presented to initiators as a physical disk. Create a new iSCSI virtual disk using PowerShell. Specify the path where the VHDX file will be stored and the desired size:

New-IscsiVirtualDisk -Path "D:iSCSIVirtualDisksLUN01.vhdx" -Size 100GB

You can also create fixed-size disks for better performance and predictable storage allocation:

New-IscsiVirtualDisk -Path "D:iSCSIVirtualDisksLUN02.vhdx" -Size 200GB -DiskType Fixed

Verify the virtual disks were created successfully:

Get-IscsiVirtualDisk

Step 3: Create an iSCSI Target

An iSCSI target is the server-side endpoint that initiators connect to. Create a new target with a descriptive name. The -InitiatorIds parameter restricts access to specific initiators by IQN (iSCSI Qualified Name). To allow all initiators during initial setup you can use a wildcard, but for production always restrict by IQN:

New-IscsiServerTarget -TargetName "FileServerTarget" -InitiatorIds "IQN:iqn.1991-05.com.microsoft:client01.domain.local"

To find the IQN of a Windows initiator client, run the following command on the initiator server:

(Get-InitiatorPort).NodeAddress

Step 4: Assign Virtual Disks to the Target

Once the target and virtual disk are created, assign the virtual disk to the target to make it available to authorised initiators:

Add-IscsiVirtualDiskTargetMapping -TargetName "FileServerTarget" -Path "D:iSCSIVirtualDisksLUN01.vhdx"

Verify the mapping is in place:

Get-IscsiServerTarget | Select-Object -Property TargetName, LunMappings

Step 5: Configure the Windows Firewall

Enable the iSCSI firewall rules to allow incoming connections from initiators. By default, iSCSI uses TCP port 3260:

Set-NetFirewallRule -Name "iSCSI Service (TCP-In)" -Enabled True
New-NetFirewallRule -DisplayName "iSCSI Target TCP 3260" -Protocol TCP -LocalPort 3260 -Action Allow -Direction Inbound

Step 6: Connect from the iSCSI Initiator (Client Side)

On the client server that will consume the iSCSI storage, open the iSCSI Initiator from Control Panel or run iscsicpl.exe. Alternatively, use PowerShell to connect. First, ensure the Microsoft iSCSI Initiator Service is running:

Start-Service MSiSCSI
Set-Service MSiSCSI -StartupType Automatic

Discover the iSCSI target by specifying the target server’s IP address:

New-IscsiTargetPortal -TargetPortalAddress "192.168.1.50"

List discovered targets:

Get-IscsiTarget

Connect to the target:

Connect-IscsiTarget -NodeAddress "iqn.1991-05.com.microsoft:server01-fileservertarget-target" -IsPersistent $true

Step 7: Initialise the Disk on the Initiator

After connecting, the iSCSI LUN appears as an offline, unformatted disk in Disk Management. Use PowerShell to bring the disk online, initialise it, and create a volume:

Get-Disk | Where-Object {$_.OperationalStatus -eq "Offline"} | Set-Disk -IsOffline $false
Get-Disk | Where-Object {$_.PartitionStyle -eq "RAW"} | Initialize-Disk -PartitionStyle GPT
New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter | Format-Volume -FileSystem NTFS -NewFileSystemLabel "iSCSI_LUN01" -Confirm:$false

Step 8: Configure CHAP Authentication (Security)

For production deployments, enable CHAP (Challenge Handshake Authentication Protocol) to authenticate initiators. On the target server, set the CHAP secret:

Set-IscsiServerTarget -TargetName "FileServerTarget" -ChapUserName "iscsiuser" -ChapPassword "P@ssw0rd!Secure123"

On the initiator, configure the CHAP credentials before connecting to the target. This ensures only authorised initiators can access the storage, protecting against unauthorised access on shared network segments.

With the iSCSI Target Server configured and initiators connected, your Windows Server 2016 environment can now provide centralised block storage over standard Ethernet, enabling cost-effective SAN-like capabilities without specialised hardware or Fibre Channel infrastructure.