Genetec Security Center: Architecture, Roles, and Workstation Best Practices

The most expensive problems in Genetec Security Center deployments are almost always architectural. Roles placed on the wrong servers. Database failover configured incorrectly from day one. Media Router settings left over from an upgrade three versions ago. Workstations struggling because nobody tuned them for video. These problems are invisible during installation. Everything works fine when you commission it. They surface six months later when the system is under load, when the client starts using features they were not using during testing, or when you add cameras to a system that was not designed with headroom.

This post covers the architecture decisions that determine how a Genetec Security Center environment performs and scales. The recommendations are based on Genetec’s published enterprise guidance and findings from real system assessments across government, law enforcement, airports, and enterprise environments.

The Server Role Model

Genetec Security Center uses a role-based architecture. Each role is a software component that handles a specific function. Roles are assigned to servers. Multiple roles can run on the same server in smaller deployments. Larger deployments separate roles onto dedicated hardware. Understanding what each role does is the foundation for making good architectural decisions.

Directory

The Directory is the core of Security Center. It hosts the Security Center database (SQL Server), manages licensing, handles authentication and authorization for all users and roles, maintains system configuration, and serves as the communication hub between all other roles. Every role in the system must be able to reach the Directory to function.

In a single-server deployment, everything runs on the server running the Directory. In distributed deployments, the Directory server is the one server that absolutely cannot go down without taking the entire system with it. Failover configuration for the Directory is covered in the high-availability section below.

The SQL Server instance hosting the Genetec database should be sized appropriately. Insufficient SQL memory is one of the most common performance bottlenecks on Directory servers. SQL will consume as much memory as you allow. On servers where SQL shares resources with Genetec roles, you must configure the SQL Server max memory setting explicitly, or SQL will crowd out the Genetec processes.

Archiver

The Archiver manages camera recording. It connects to cameras, pulls their video streams, and writes them to storage. In most deployments, the Archiver is the most resource-intensive role because it is handling continuous video ingestion from multiple cameras simultaneously.

Archiver sizing depends on camera count, resolution, frame rate, codec, and retention period. Genetec publishes sizing guidance that is regularly updated. As a starting point: an Archiver server handling 50 to 80 standard cameras at 1080p H.265 should have a minimum of 16GB RAM and multiple dedicated storage drives for the video archive, separated from the OS drive. The specific numbers depend heavily on bitrate, which is why camera configuration needs to be finalized before server sizing.

Do not mix Archiver roles and Directory roles on the same server in deployments above approximately 50 cameras. The storage and I/O requirements of an Archiver in production conflict with the database I/O requirements of the Directory under load.

Access Manager

The Access Manager handles the Synergis access control integration. It communicates with HID, Mercury, and Axis door controllers, manages cardholder data synchronization, handles access decisions, and processes events from access control hardware. In environments using Genetec Synergis for access control, the Access Manager role must be online for access control to function.

The Access Manager can share a server with the Directory in smaller deployments. In larger deployments with thousands of doors and cardholders, a dedicated server improves responsiveness and simplifies troubleshooting. I/O on the Access Manager is lower than on the Archiver, so dedicated server requirements are less stringent.

Media Router

The Media Router handles live and playback video streams for Security Center clients. When a client opens a live view or plays back recorded video, the stream is routed through the Media Router. This role is particularly important in environments where clients are on different network segments than cameras, where there are firewall traversals involved, or where load balancing of video streams is needed.

Incorrect Media Router configuration is one of the most common causes of video playback problems in Genetec environments. The Media Router needs to be accessible from both the cameras (or Archiver, for playback) and the clients. In environments where the Media Router settings were left from an older configuration or an upgrade that changed the network topology, clients frequently receive degraded video or playback timeouts that are misdiagnosed as storage or camera problems.

Media Router configuration requires specifying the redirect addresses – the IP addresses that cameras and clients use to reach the Media Router. Getting these wrong means video streams get sent to addresses that clients cannot reach. Always verify Media Router redirect addresses after any network topology change or server migration.

Health Monitor

The Health Monitor collects health data from all roles and entities in the system, detects faults and offline conditions, and generates alarms when things stop working correctly. It is a support role that improves operational visibility but is not in the critical path for camera recording or access control operation.

The Health Monitor should be deployed in any production environment. The value of having automated fault detection is immediate the first time a camera goes offline at 2 AM and the operator gets an alert rather than discovering it during the next morning’s review.

Server Sizing Principles

Genetec publishes detailed server sizing guidance in their enterprise best practices documentation (EN.500-BPEN, updated with each major version). The numbers below are starting points for planning conversations, not substitutes for the official sizing guide for the specific version and camera count.

Storage sizing is separate from server sizing. Video storage requirements depend on camera count, resolution, frame rate, codec, scene complexity, and retention period. The storage calculator in Genetec’s documentation gives reasonably accurate estimates when you feed it real bitrate data from the cameras. Scene complexity is the variable that surprises people most: a parking lot camera at night in clear weather generates very different storage requirements than the same camera in a busy urban environment during the day.

Database Configuration

Genetec Security Center requires SQL Server. The edition depends on the deployment size and the database features required. SQL Server Express has a 10 GB database size limit, which is exceeded quickly in any environment with significant event history. SQL Server Standard or Enterprise is required for production deployments.

Key SQL Server configuration items for Genetec environments:

• Max Server Memory: Set this explicitly. On a server where SQL shares resources with Genetec roles, leave adequate memory for the Genetec processes. Leaving SQL memory at the default (unlimited) means SQL will expand to fill available RAM, starving Genetec processes under load.
• TempDB location: Move TempDB to a dedicated drive if possible. Genetec generates significant TempDB I/O during queries. Keeping TempDB on the same drive as the system or application databases creates contention.
• Database maintenance: Index fragmentation in the Genetec database degrades query performance over time. Schedule regular index maintenance. Genetec’s GUS tool (Genetec Update Service) performs some automated maintenance, but database-level maintenance is separate.
• Backup: The Security Center database contains all system configuration, cardholder data, and event history. It must be backed up regularly. Test the restore procedure.

Workstation Optimization

Security Center client workstations handle video decoding for the streams displayed in Security Desk. The GPU does most of the heavy lifting for video rendering. An undersized GPU shows up as dropped frames, high CPU usage, and operator complaints about delayed or choppy video.

For Security Desk workstations displaying multiple simultaneous video panes:

• GPU: A dedicated GPU with hardware H.264/H.265 decode support is required for any multi-pane display configuration. Intel integrated graphics is not sufficient for a workstation displaying 16 or more simultaneous streams. Nvidia Quadro or comparable professional GPU for display-intensive operator workstations.
• RAM: 16 GB minimum for a standard operator workstation. 32 GB for workstations handling high-resolution or high-count video panes.
• Display outputs: Verify that the GPU supports the number of display outputs the operator needs. Running a video wall through daisy-chained consumer monitors using USB-to-DisplayPort adapters is a support nightmare.
• Network: The workstation’s network connection needs to handle the aggregate video bandwidth being decoded. A workstation pulling 16 simultaneous 5MP H.264 streams at 8 Mbps each requires 128 Mbps of sustained throughput. A 100 Mbps network connection is undersized for that configuration.

Power plan on workstations should be set to High Performance. The Balanced power plan throttles CPU and GPU clock speeds, which directly affects video decode performance. This is the same setting that causes problems on Archiver servers – and it is equally wrong on operator workstations.

Naming Conventions

A consistent naming convention for Genetec entities makes the system significantly easier to operate, troubleshoot, and hand off. The convention does not need to be elaborate. It needs to be applied consistently from day one.

Camera naming: [Site]-[Floor/Area]-[Camera Type]-[Number]. For example: HQ-B2-CAM-001 for the first camera in the basement of headquarters. The Security Center client sorts entities alphabetically, so a prefix-based convention groups related cameras automatically in the tree view.

Server and role naming: Match the server hostname to what it does. GSC-DIR-01 for the first Directory server. GSC-ARC-01 for the first Archiver. This makes the Diagnostic tool and Health Monitor significantly easier to read when there are multiple servers in the environment.

Archiver naming: If using multiple Archivers, give them names that reflect which cameras they manage (by building, by floor, by area). When a camera drops from an Archiver, knowing which Archiver it is by name immediately tells you which area of the building to investigate.

Federation and Multi-Server Considerations

Genetec Federation allows multiple independent Security Center systems to appear as a single unified view to operators. This is the architecture for organizations with multiple sites that each have their own Security Center deployment and their own local administration, but where central operators need visibility across all sites.

Federation is not the same as a single system with multiple Archivers. In a federated environment, each site is an independent system. The Federation Server on the parent system connects to the child systems and makes their cameras, events, and entities visible to the parent operators. Cardholder data does not automatically synchronize across federated systems – that requires Global Cardholder Synchronization, a separate feature.

The decision between a distributed single-system architecture and a federated multi-system architecture depends on whether the sites need independent administration, whether WAN connectivity between sites is reliable enough to support a unified system, and whether cardholder data needs to be unified. Getting this decision wrong at the architecture phase is expensive to fix later.

Common Architectural Mistakes

Directory and Archiver on the same undersized server. Works during testing. Degrades under load. The Archiver’s storage I/O competes with the Directory’s database I/O, and both compete for RAM with SQL Server.

Media Router not configured for the actual network topology. The default Media Router redirect addresses point to localhost. This works when clients are on the same server. It does not work when clients are on a different subnet. Always explicitly configure the redirect addresses to match the actual network.

SQL Server memory unconfigured. SQL will consume all available RAM on the server if not explicitly limited. Genetec processes on the same server will eventually get memory-constrained and degrade.

No storage redundancy on the Archiver. A single drive failure on an Archiver with no RAID takes down recording for every camera on that Archiver. At minimum, the media storage volumes should be RAID 5 or RAID 6. The system drive should also be protected – losing the OS drive on an Archiver takes down all cameras on that server just as completely.

Power plan not set to High Performance. The Balanced power plan throttles performance in ways that are difficult to diagnose. On a server with a CPU that looks adequate on paper but cannot keep up in production, the first thing to check is the power plan. It is almost always the cause when a system runs well under light load and degrades under production load.