What the heck is the File Server "role" in Windows Server???

Published Jul 27 2021 11:57 AM 3,054 Views
Microsoft

Heya folks, Ned here again. Today I clear up an old idiosyncrasy of Windows Server: if the SMB Server service is always installed, why is there a role called "File Server" and what does enabling it do? 

 

Let's... role ;)

 

Default SMB firewall behavior

The SMB Server service - "Server", aka "Lanmanserver" - always exists in Windows and isn't something you install; it's just there, as soon as you install the OS. However, since Windows XP and Windows Server 2003, that service can't be contacted from remote machines by default because the built-in firewall blocks it. SMB needs, at a minimum, TCP/445 inbound and without that port opening, there is no remote file serving in SMB2+ on any supported versions of Windows. Even though the C$ and ADMIN$ built-in shares exist by default, no one can access them from a remote machine by default. 

 

But you probably don't remember opening a firewall port on your file server, right? You created a share and it just worked. That's because as soon as you create a custom SMB share, SMB Server automatically enable the various SMB firewall rules for file servers for access, administration, applications, etc. Watch:

 

Brand new machine with no custom shares, viewed via Windows Admin Center

 

2021-07-20_12-30-39.png

 

Firewall on a brand new machine:

 

2021-07-20_12-26-33.jpg

 

I make a custom share:

 

2021-07-20_12-32-17.png

 

The firewall afterwards:

 

2021-07-20_12-34-58.png

 

The File Server role

That works well for dedicated file servers - as soon as you add a share, everything is taken care of. But we also needed a way to just enable file server administration and grant administrators access to the built-in system shares C$ and Admin$ using SMB2+ on all Windows Servers. We didn't want them to have to create a share just to access some existing built-in shares. And we didn't want them to dig around in the firewall looking for the right rules to enable for management. So when you "install" the file server role, we just enable the basic ports needs for file server administration and accessing those built-in SMB shares; no legacy stuff or historical app compat, just the very basic. In fact, it's very possible the server is not a "file server", so much as one you just want to copy a few files to or from as an administrator. 

 

Here I am adding the File Server role:

 

2021-07-20_13-36-16.png

 

And here are the firewall rules enabled:

 

2021-07-20_13-39-56.png

 

So now you know. I'm thinking about changing the default firewall rules opened by creating a share as they are a legacy from older times; we'd do this in the Windows Insider builds first and see how many tens of thousands of applications I can break that were piggybacking on those. It's going to take awhile. >_<

 

You are now ready for File Server trivia night at any bar or restaurant near Microsoft campus. I prefer PostDoc, myself.

 

Until next time,

 

- Ned "the name 'firewall' is very dumb, a real firewall allows nothing through, ever" Pyle

 

 

 

3 Comments
Regular Visitor

Hi @Ned Pyle,

If I recall, the File server role will also install the advanced features regarding reports, shares management, etc. I know that we used to produce many shceduled reports for our servers data analytics (stotage by share, capacity management, etc.).

Well, I'll need to take another look at that! Could I've mixed features?! :p

Microsoft

@PhoenixTK2080 FSRM definitely does a bunch of that stuff, is a separate feature (File Server Resource Manager), maybe that's what you're remembering?

Regular Visitor

Thank you for the precision @Ned Pyle, that's definitively FSRM! :happyface:

%3CLINGO-SUB%20id%3D%22lingo-sub-2418147%22%20slang%3D%22en-US%22%3EWhat%20the%20heck%20is%20the%20File%20Server%20%22role%22%20in%20Windows%20Server%3F%3F%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2418147%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHeya%20folks%2C%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2F%40nerdpyle%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ENed%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bhere%20again.%20Today%20I%20clear%20up%20an%20old%20idiosyncrasy%26nbsp%3Bof%20Windows%26nbsp%3BServer%3A%20if%20the%20SMB%20Server%20service%20is%20always%20installed%2C%20why%20is%20there%20a%20role%20called%20%22File%20Server%22%20and%20what%20does%20enabling%20it%20do%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ELet's...%20role%20%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDefault%20SMB%20firewall%20behavior%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20SMB%20Server%20service%20-%20%22Server%22%2C%20aka%20%22Lanmanserver%22%20-%20always%20exists%20in%20Windows%20and%20isn't%20something%20you%20install%3B%20it's%20just%20there%2C%20as%20soon%20as%20you%20install%20the%20OS.%20However%2C%20since%20Windows%20XP%20and%20Windows%20Server%202003%2C%20that%20service%20can't%20be%20contacted%20from%20remote%20machines%20by%20default%20because%20the%20built-in%20firewall%20blocks%20it.%20SMB%20needs%2C%20at%20a%20minimum%2C%20TCP%2F445%20inbound%20and%20without%20that%20port%20opening%2C%20there%20is%20no%20remote%20file%20serving%20in%20SMB2%2B%20on%20any%20supported%20versions%20of%20Windows.%20Even%20though%20the%20C%24%20and%20ADMIN%24%20built-in%20shares%20exist%20by%20default%2C%20no%20one%20can%20access%20them%20from%20a%20remote%20machine%20by%20default.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EBut%20you%20probably%20don't%20remember%20%3CEM%3Eopening%3C%2FEM%3E%20a%20firewall%20port%20on%20your%20file%20server%2C%20right%3F%20You%20created%20a%20share%20and%20it%20just%20worked.%20That's%20because%20as%20soon%20as%20you%20create%20a%20custom%20SMB%20share%2C%20SMB%20Server%20automatically%20enable%20the%20various%20SMB%20firewall%20rules%20for%20file%20servers%20for%20access%2C%20administration%2C%20applications%2C%20etc.%20Watch%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EBrand%20new%20machine%20with%20no%20custom%20shares%2C%20viewed%20via%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows-server%2Fmanage%2Fwindows-admin-center%2Foverview%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EWindows%20Admin%20Center%3C%2FA%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-07-20_12-30-39.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297197iD5E37F3601BF2660%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-07-20_12-30-39.png%22%20alt%3D%222021-07-20_12-30-39.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFirewall%20on%20a%20brand%20new%20machine%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-07-20_12-26-33.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297200i3746F57FFF85E358%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-07-20_12-26-33.jpg%22%20alt%3D%222021-07-20_12-26-33.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI%20make%20a%20custom%20share%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-07-20_12-32-17.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297198iD0570AFA3307E9CF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-07-20_12-32-17.png%22%20alt%3D%222021-07-20_12-32-17.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20firewall%20afterwards%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-07-20_12-34-58.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297199iE10B1CFD8461D1C2%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-07-20_12-34-58.png%22%20alt%3D%222021-07-20_12-34-58.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20File%20Server%20role%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThat%20works%20well%20for%20dedicated%20file%20servers%20-%20as%20soon%20as%20you%20add%20a%20share%2C%20everything%20is%20taken%20care%20of.%20But%20we%20also%20needed%20a%20way%20to%20just%20enable%20file%20server%20administration%20and%20grant%20administrators%20access%20to%20the%20built-in%20system%20shares%20C%24%20and%20Admin%24%20using%20SMB2%2B%20on%20all%20Windows%20Servers.%20We%20didn't%20want%20them%20to%20have%20to%20create%20a%20share%20just%20to%20access%20some%20existing%20built-in%20shares.%20And%20we%20didn't%20want%20them%20to%20dig%20around%20in%20the%20firewall%20looking%20for%20the%20right%20rules%20to%20enable%20for%20management.%20So%20when%20you%20%22install%22%20the%20file%20server%20role%2C%20we%20just%20enable%20the%20basic%20ports%20needs%20for%20file%20server%20administration%20and%20accessing%20those%20built-in%20SMB%20shares%3B%20no%20legacy%20stuff%20or%20historical%20app%20compat%2C%20just%20the%20very%20basic.%20In%20fact%2C%20it's%20very%20possible%20the%20server%20is%20not%20a%20%22file%20server%22%2C%20so%20much%20as%20one%20you%20just%20want%20to%20copy%20a%20few%20files%20to%20or%20from%20as%20an%20administrator.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20I%20am%20adding%20the%20File%20Server%20role%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-07-20_13-36-16.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297201i27592BEE2E668261%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-07-20_13-36-16.png%22%20alt%3D%222021-07-20_13-36-16.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20here%20are%20the%20firewall%20rules%20enabled%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-07-20_13-39-56.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297202iA8BC8617B1F5B4FF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-07-20_13-39-56.png%22%20alt%3D%222021-07-20_13-39-56.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20now%20you%20know.%20I'm%20thinking%20about%20changing%20the%20default%20firewall%20rules%20opened%20by%20creating%20a%20share%20as%20they%20are%20a%20legacy%20from%20older%20times%3B%20we'd%20do%20this%20in%20the%20Windows%20Insider%20builds%20first%20and%20see%20how%20many%20tens%20of%20thousands%20of%20applications%20I%20can%20break%20that%20were%20piggybacking%20on%20those.%20It's%20going%20to%20take%20awhile.%20%26gt%3B_%26lt%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20are%20now%20ready%20for%20File%20Server%20trivia%20night%20at%20any%20bar%20or%20restaurant%20near%20Microsoft%20campus.%20I%20prefer%20PostDoc%2C%20myself.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUntil%20next%20time%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-%20Ned%20%22the%20name%20'firewall'%20is%20very%20dumb%2C%20a%20real%20firewall%20allows%20nothing%20through%2C%20ever%22%20Pyle%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2418147%22%20slang%3D%22en-US%22%3E%3CP%3EUnderstanding%20what%20the%20File%20Server%20%22role%22%20in%20Windows%20Server%20does.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2593424%22%20slang%3D%22en-US%22%3ERe%3A%20What%20the%20heck%20is%20the%20File%20Server%20%22role%22%20in%20Windows%20Server%3F%3F%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2593424%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F52778%22%20target%3D%22_blank%22%3E%40Ned%20Pyle%3C%2FA%3E%2C%3C%2FP%3E%3CP%3EIf%20I%20recall%2C%20the%20File%20server%20role%20will%20also%20install%20the%20advanced%20features%20regarding%20reports%2C%20shares%20management%2C%20etc.%20I%20know%20that%20we%20used%20to%20produce%20many%20shceduled%20reports%20for%20our%20servers%20data%20analytics%20(stotage%20by%20share%2C%20capacity%20management%2C%20etc.).%3C%2FP%3E%3CP%3EWell%2C%20I'll%20need%20to%20take%20another%20look%20at%20that!%20Could%20I've%20mixed%20features%3F!%20%3Ap%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2593436%22%20slang%3D%22en-US%22%3ERe%3A%20What%20the%20heck%20is%20the%20File%20Server%20%22role%22%20in%20Windows%20Server%3F%3F%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2593436%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F576656%22%20target%3D%22_blank%22%3E%40PhoenixTK2080%3C%2FA%3E%26nbsp%3BFSRM%20definitely%20does%20a%20bunch%20of%20that%20stuff%2C%20is%20a%20separate%20feature%20(File%20Server%20Resource%20Manager)%2C%20maybe%20that's%20what%20you're%20remembering%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Jul 20 2021 04:59 PM
Updated by:
www.000webhost.com