Introduction to iSCSI Target Server on Windows Server 2019

The iSCSI Target Server role in Windows Server 2019 allows you to present disk storage over a standard TCP/IP network to iSCSI initiators on other servers or workstations. This eliminates the need for dedicated Fibre Channel infrastructure, making shared block storage accessible over your existing Ethernet network. iSCSI Target Server is included as a role service under the File and Storage Services role and is fully supported for use with Hyper-V, SQL Server, and general file serving workloads.

An iSCSI target exposes virtual hard disk (VHD or VHDX) files as logical unit numbers (LUNs) to iSCSI initiators. These initiators connect to the target and see the LUNs as local physical disks. iSCSI Target Server on Windows Server 2019 supports hardware offload via iSCSI offload-capable adapters, CHAP authentication, jumbo frames, and multiple network interfaces for path redundancy.

Installing the iSCSI Target Server Role

Install the iSCSI Target Server role service using Server Manager or PowerShell. Using PowerShell:

Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

This installs both the iSCSI Target Server service and the iSCSI Target Server management tools, including the iSCSI Initiator snap-in extensions. After installation, the service starts automatically. Verify it is running:

Get-Service -Name WinTarget

Creating an iSCSI Virtual Disk

An iSCSI virtual disk is a VHD or VHDX file stored on the server that will be presented as a LUN. Use the New-IscsiVirtualDisk cmdlet to create one. First, decide on a path where the virtual disks will be stored — ideally on a dedicated fast volume:

New-IscsiVirtualDisk -Path "D:iSCSIVDisksLUN01.vhdx" -Size 500GB

For a dynamically expanding disk (saves space but slightly lower performance):

New-IscsiVirtualDisk -Path "D:iSCSIVDisksLUN02.vhdx" -Size 1TB -DiskType Dynamic

Fixed-size disks offer better performance because Windows pre-allocates all the space at creation time, avoiding on-demand expansion overhead:

New-IscsiVirtualDisk -Path "D:iSCSIVDisksLUN03.vhdx" -Size 200GB -DiskType Fixed

Creating an iSCSI Target

An iSCSI target is the access point that initiators connect to. Each target is identified by an IQN (iSCSI Qualified Name). Create a target with a descriptive name:

New-IscsiServerTarget -TargetName "SQLServerStorage" -InitiatorIds "IQN:iqn.1991-05.com.microsoft:sql-server-01"

The InitiatorIds parameter restricts which initiators can connect to this target. You can find the IQN of an initiator by running the following on the initiator machine:

Get-InitiatorPort | Select NodeAddress

To allow multiple initiators, specify them as an array:

New-IscsiServerTarget -TargetName "HyperVCluster" -InitiatorIds @("IQN:iqn.1991-05.com.microsoft:hv-node1","IQN:iqn.1991-05.com.microsoft:hv-node2")

Assigning Virtual Disks to Targets

Once the target and virtual disks are created, assign the virtual disks to the target as LUNs:

Add-IscsiVirtualDiskTargetMapping -TargetName "SQLServerStorage" -Path "D:iSCSIVDisksLUN01.vhdx"

To assign multiple LUNs to a single target:

Add-IscsiVirtualDiskTargetMapping -TargetName "SQLServerStorage" -Path "D:iSCSIVDisksLUN02.vhdx" -Lun 1
Add-IscsiVirtualDiskTargetMapping -TargetName "SQLServerStorage" -Path "D:iSCSIVDisksLUN03.vhdx" -Lun 2

Configuring CHAP Authentication

CHAP (Challenge Handshake Authentication Protocol) secures iSCSI connections by requiring the initiator to authenticate with a secret. Configure one-way CHAP on the target:

Set-IscsiServerTarget -TargetName "SQLServerStorage" -ChapUserName "iscsi_user" -ChapPassword "SuperSecretP@ssw0rd123"

For mutual CHAP (both sides authenticate), configure both the initiator and target secrets:

Set-IscsiServerTarget -TargetName "SQLServerStorage" -ChapUserName "iscsi_user" -ChapPassword "SuperSecretP@ssw0rd123" -ReverseChapUserName "target_user" -ReverseChapPassword "AnotherSecret456!"

On the initiator side, open iSCSI Initiator Properties, go to the Discovery tab and add the target portal, then on the Targets tab click Connect and configure CHAP credentials matching what was set on the server.

Configuring the Firewall

iSCSI uses TCP port 3260. Ensure Windows Firewall allows inbound traffic on this port:

New-NetFirewallRule -DisplayName "iSCSI Target" -Direction Inbound -Protocol TCP -LocalPort 3260 -Action Allow

If your iSCSI traffic traverses a dedicated storage network (recommended), bind the iSCSI Target Server service to only that network interface:

Set-IscsiTargetServerSetting -IP "10.10.1.10"

Connecting an iSCSI Initiator

On the initiator server, start the Microsoft iSCSI Initiator service:

Start-Service -Name MSiSCSI
Set-Service -Name MSiSCSI -StartupType Automatic

Discover the target portal and connect:

New-IscsiTargetPortal -TargetPortalAddress "10.10.1.10" -TargetPortalPortNumber 3260
Get-IscsiTarget

Connect to the target:

Connect-IscsiTarget -NodeAddress "iqn.1991-05.com.microsoft:win-target-sqlserverstorage" -IsPersistent $true

After connecting, open Disk Management (diskmgmt.msc) on the initiator to initialise, partition, and format the newly connected iSCSI disk. Once formatted, it appears as a standard local drive ready for use by SQL Server, Hyper-V, or any other application. Monitor active iSCSI sessions from the target server:

Get-IscsiSession | Select InitiatorNodeAddress, TargetNodeAddress, ConnectionIdentifier, IsConnected