Most Genetec Security Center systems do not fail the way people expect them to fail. They pass commissioning. They look fine in the demo. Then six months later the playback stutters, an archive gap shows up in an investigation, an upgrade breaks something nobody tested, and everyone stands around the rack wondering what changed. Nothing changed. The problems were there on day one. They were just invisible under light load.
I have audited and remediated dozens of multi-server Security Center deployments across government, law enforcement, airports, healthcare, and enterprise campuses. The same ten problems show up over and over. None of them are exotic. Most are configuration and ownership failures, not software defects. Here they are, in the order I usually find them.
1. Under-spec’d or misconfigured servers
The server looks adequate on paper and falls over in production. Almost every time, the cause is one of three things: the power plan, SQL memory, or roles stacked on hardware that cannot carry them.
The Windows Balanced power plan is the single most common cause of Genetec performance problems on servers that appear correctly sized. It throttles CPU and storage I/O to save power. On a machine ingesting hundreds of continuous video streams, that throttling is poison, and it is almost impossible to attribute without checking for it specifically. Set every Genetec server to High Performance (powercfg /setactive SCHEME_MIN) and confirm it applied.
The second is SQL Server eating the box. SQL takes all the RAM you let it have. If max server memory is left at its default on a Directory server that shares resources with Genetec roles, SQL will expand until the Directory service starves. Set the cap explicitly.
The third is putting the Directory and the Archiver on the same undersized server past about 50 cameras. Works in testing. Degrades under load, because the Archiver’s storage I/O fights the Directory’s database I/O and both fight SQL for memory. Separate the roles. I covered the role model and sizing in detail in Genetec Security Center architecture and roles, and the server tuning in server configuration and performance tuning.
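A read-only check for the first two causes above, the active power plan and the SQL memory cap. This is an added example, not code from the original article; the instance name `localhost\SQLEXPRESS` and the function names are assumptions, and it expects Windows PowerShell 5.1 with integrated authentication to SQL Server.

```powershell
# Added example (not from the article): read-only audit of power plan and SQL memory cap.
# Assumption: the instance name below; adjust it to your install.
$SqlInstance  = 'localhost\SQLEXPRESS'
# GUID that the SCHEME_MIN alias (High performance) resolves to.
$HighPerfGuid = '8c5e7fcf-e8bf-4c96-9a85-a6e23a8c635c'

function Test-PowerPlan {
    # powercfg prints "Power Scheme GUID: <guid>  (<name>)"
    $line = ((powercfg /getactivescheme) -join ' ').Trim()
    $guid = $null
    if ($line -match '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}') { $guid = $Matches[0] }
    [pscustomobject]@{
        Check = 'Power plan'
        Value = $line
        # A custom or vendor plan has a different GUID and needs manual review.
        Pass  = ($guid -eq $HighPerfGuid)
    }
}

function Test-SqlMaxMemory {
    param([string]$Instance)
    $cs   = "Server=$Instance;Integrated Security=True;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(value_in_use AS bigint) FROM sys.configurations " +
                           "WHERE name = 'max server memory (MB)'"
        $maxMb = [int64]$cmd.ExecuteScalar()
    }
    finally { $conn.Dispose() }
    $ramMb = [int64]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    [pscustomobject]@{
        Check = 'SQL max server memory'
        Value = "$maxMb MB configured, $ramMb MB physical RAM"
        # The default (2147483647 MB) or any value at or above RAM means no effective cap.
        Pass  = ($maxMb -lt $ramMb)
    }
}

Test-PowerPlan
Test-SqlMaxMemory -Instance $SqlInstance
```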
2. Storage designed for capacity, not performance
Someone sized the storage for retention days and stopped there. Big drives, lots of terabytes, and write performance nobody checked. Video archiving is a sustained sequential write workload, and a capacity-first array starves under it.
The usual findings: a single parity RAID 5 array carrying dozens of cameras, so one slow rebuild during a drive failure tanks recording for everything on it. Windows Search indexing left on, generating pointless I/O on a volume that nobody searches through Windows. The default 4 KB NTFS allocation unit on volumes holding multi-gigabyte video files. 8.3 short-name creation still enabled.
Fix the foundation. Size for peak bitrate, not average, and add 20 to 30 percent headroom above the calculated number because bitrate spikes during the exact events you care about. Use RAID 6 on archive volumes, protect the OS drive too, format fresh video volumes with a 64 KB allocation unit, and turn off indexing and 8.3 creation. The commands are in the tuning article. Storage is the one area where buying more of the wrong thing makes the problem worse, not better.
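The volume-level findings above (allocation unit, indexing, 8.3 short names) can be read off an existing server without changing anything. This is an added example, not code from the original article or its tuning article; the drive letters and function names are assumptions, and it should be run from an elevated prompt.

```powershell
# Added example (not from the article): read-only audit of archive volumes.
# Assumption: the drive letters below are the video archive volumes.
$ArchiveDrives = 'D:', 'E:'

function Test-ArchiveVolume {
    param([string[]]$DriveLetter)
    foreach ($d in $DriveLetter) {
        $v = Get-CimInstance Win32_Volume -Filter "DriveLetter = '$d'"
        if (-not $v) { Write-Warning "Volume $d not found"; continue }
        [pscustomobject]@{
            Drive            = $d
            FileSystem       = $v.FileSystem
            AllocationUnitKB = $v.BlockSize / 1KB
            # Changing the allocation unit means reformatting, so this only reports.
            Is64KB           = ($v.BlockSize -eq 64KB)
            # Volume-level "allow content indexing" attribute.
            IndexingEnabled  = $v.IndexingEnabled
            # fsutil output is localized text, so it is returned unparsed.
            ShortNameState   = ((fsutil 8dot3name query $d) -join ' ').Trim()
        }
    }
}

function Get-Global8dot3Setting {
    # 0 = enabled on all volumes, 1 = disabled on all,
    # 2 = set per volume, 3 = disabled on all except the system volume
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    (Get-ItemProperty -Path $key).NtfsDisable8dot3NameCreation
}

Test-ArchiveVolume -DriveLetter $ArchiveDrives | Format-List
"Global NtfsDisable8dot3NameCreation = $(Get-Global8dot3Setting)"
```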
3. Network congestion and streaming mismatches
The cameras record fine. The clients see degraded video, timeouts, and stutter that gets misdiagnosed as a camera or storage fault for weeks. It is the network, and usually it is three things.
NIC buffers left at factory defaults, too small for a server pulling continuous video, so the buffer fills and packets drop and the retransmissions pile on more load. Push receive and transmit buffers to the maximum the driver supports (4096 on most Intel NICs) on every adapter carrying camera or client traffic.
No traffic separation. Cameras, clients, management, and everything else sharing one flat segment with no QoS, so a backup job or a Windows update storm steps on live video. Separate the traffic and mark it. The VLAN segmentation reference covers the scheme.
And the quiet killer: Media Router redirect addresses left wrong. The default redirect points at localhost, which works only when the client is on the same box. After any topology change or server migration, the redirect addresses have to be set to addresses the cameras and clients can actually reach. Get them wrong and streams get sent into the void. Verify them after every network change.
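For the NIC buffer point above, the current receive and transmit buffer values can be compared against the maximum each driver advertises. This is an added example, not code from the original article; the function name is hypothetical, and it assumes every physical adapter that is up carries camera or client traffic.

```powershell
# Added example (not from the article): read-only audit of NIC buffer settings.
function Get-NicBufferAudit {
    param(
        # Assumption: all physical adapters that are up are in scope.
        [string[]]$AdapterName = @((Get-NetAdapter -Physical | Where-Object Status -eq 'Up').Name)
    )
    foreach ($name in $AdapterName) {
        $props = Get-NetAdapterAdvancedProperty -Name $name `
            -RegistryKeyword '*ReceiveBuffers', '*TransmitBuffers' -ErrorAction SilentlyContinue
        if (-not $props) { Write-Warning "$name exposes no buffer keywords"; continue }
        foreach ($p in $props) {
            $current = [int]($p.RegistryValue | Select-Object -First 1)
            # Drivers publish the ceiling either as a numeric range
            # or as a list of allowed values; handle both.
            $max = $null
            if ($p.NumericParameterMaxValue) {
                $max = [int]$p.NumericParameterMaxValue
            } elseif ($p.ValidRegistryValues) {
                $max = [int]($p.ValidRegistryValues |
                    ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum
            }
            [pscustomobject]@{
                Adapter = $name
                Setting = $p.DisplayName
                Current = $current
                Maximum = $max
                AtMax   = ($null -ne $max -and $current -ge $max)
            }
        }
    }
}

Get-NicBufferAudit | Format-Table -AutoSize

# To raise a value during a maintenance window (this restarts the adapter):
# Set-NetAdapterAdvancedProperty -Name '<adapter>' -RegistryKeyword '*ReceiveBuffers' -RegistryValue <max>
```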
4. Ignoring built-in health monitoring
Genetec ships the tools to tell you when something breaks. Most sites never operationalize them. The Health Monitor role is not deployed, System status is a screen nobody opens, health history goes unreviewed, and the one time a camera drops offline overnight, nobody finds out until the morning review, or until someone asks for footage that does not exist.
This is free visibility that organizations leave on the table. Deploy the Health Monitor role in any production environment. It is not in the critical path for recording or access control, so there is no good reason to skip it. Wire its alarms to a human or a ticketing queue, not a dashboard that lives behind three clicks. Review health history on a schedule. The value lands the first time an operator gets an alert at 2 a.m. instead of discovering a dead camera the next day. Role placement and the monitoring layer are covered in the architecture article.
5. Testing changes directly in production
There is no staging system, so every firmware push, config change, and version upgrade lands straight on the live environment, and the rollback plan is hope. This is how a routine camera firmware update takes down a recording role, or a Windows cumulative update breaks a Genetec service in the middle of a shift.
You do not always need a full duplicate environment, though on critical infrastructure you should have one. What you always need is a documented rollback for every change, a defined maintenance window, and a habit of testing cumulative updates somewhere other than production first. The Genetec Update Service can stage and schedule updates inside maintenance windows. Use it. Change discipline is not bureaucracy. It is the difference between a five-minute revert and a two-day incident.
6. Cameras left at factory defaults
The system was commissioned by pointing Genetec at cameras that nobody touched first. Default credentials still live on the devices, which is a hardening failure and an audit finding waiting to happen. Every camera runs H.264 when it could run H.265. Single stream, so the operator workstation decodes the full recording stream just to show a live tile. Continuous recording everywhere, including hallways that see nothing for twenty hours a day.
Treat the camera layer as configuration, not plug-and-play. Change default credentials before the device touches the production VLAN. Define standard camera profiles and apply them, rather than tuning one camera and cloning whatever happened to be on it. Move to H.265 where the cameras support it and the Archiver runs 5.9 or later with GPU-accelerated decode, which cuts storage and bandwidth 40 to 50 percent for equivalent quality. Use stream separation, a high-quality stream for recording and a low-quality stream for live monitoring, so workstations and links are not carrying full recording bitrate just to populate a video wall. Details are in the tuning article.
7. Weak security hardening
This is a physical security system sitting wide open on the network it is supposed to protect. Everyone is an administrator because RBAC was never set up. Communications are unencrypted. There is no Active Directory integration, so account management is manual and nobody offboards. Certificates are self-signed and expired, or never configured. No baseline was ever applied.
A camera estate is an enterprise application, and it gets hardened like one or it becomes the soft entry point. Build RBAC on least privilege so operators get operator rights and nobody runs day to day as a full admin. Follow the Genetec Security Center Hardening Guide rather than the install defaults. Integrate with Active Directory for authentication and lifecycle, which I walked through in deploying Active Directory for Genetec. Manage certificates like they matter, because the moment one expires you find out how much depended on it. For a reference baseline, Genetec’s own StreamVault appliances ship hardened to CIS Level 2, which is a reasonable target even on hardware you built yourself. The Windows Hardening for Genetec course covers the workstation and server side.
8. Misdesigned federation and multi-site architecture
A multi-site organization picked the wrong model, and the cost of that decision compounds for years. Federation gets used where a distributed single system was the right answer, or a single system gets stretched across an unreliable WAN where federation belonged. Then cardholders do not sync between sites because Global Cardholder Synchronization was never configured, and operators manage the same person in three places.
Federation is not the same thing as one system with multiple Archivers. In a federated design each site is an independent system and the parent just surfaces their entities to central operators. The choice between distributed and federated comes down to whether sites need independent administration, whether the WAN can carry a unified system, and whether cardholder data has to be unified. If it does, that is Global Cardholder Synchronization, a separate feature you have to plan for. Getting this wrong at the architecture phase is expensive to unwind later, which is exactly why it belongs in a design review before anyone racks a server. The federation tradeoffs are in the architecture article.
9. Poor upgrade discipline
Two failure modes, opposite directions, same root cause. Either the system is frozen three versions back and accruing known issues that were fixed long ago, or it jumped onto a brand new .0 release the week it dropped and inherited every first-release bug.
Neither is discipline. Run a current, stable, patched version, and let new major releases prove themselves before they touch production. I am still telling clients to hold on 5.14.0.0 for exactly this reason, and I wrote up why in the 5.14 outlook and the 5.13.3 release review. Configure the Genetec Update Service to apply updates inside defined maintenance windows, test cumulative Windows updates before they hit Genetec servers, and check that the update combination you are about to apply is actually supported. Upgrade discipline is boring right up until the upgrade that takes the system down, and then it is the only thing anyone wants to talk about.
10. No single owner for end-to-end system health
This is the one that ties the other nine together. The security team owns the cameras. IT owns the network and the servers. The integrator owned the install and left after commissioning. Storage is someone else entirely. Nobody owns the whole stack, so when performance degrades, the default move is to point sideways, and the problem lives in the seams between teams where it never gets fixed.
Genetec health does not respect org charts. A streaming problem can be a NIC buffer, a QoS gap, a Media Router redirect, a saturated archive volume, or a throttled CPU, and those sit across four different teams. Somebody has to own the system end to end: network, server, storage, and the Genetec application as one thing. Assign an accountable owner. Write a RACI so it is clear who fixes what. If you do not have anyone internally who can see across all four layers, that is the gap an outside assessment fills, and it is the entire reason the Health Check exists.
Where to start
If more than a couple of these described your environment, you are not unusual. Most of the systems I walk into have five or six of them running at once, quietly, under a system that technically works. The fastest way to turn that into something actionable is a structured Genetec Health Check: a focused assessment across architecture, storage, network, monitoring, security, and lifecycle that ends in a prioritized remediation plan, not a list of complaints.
You can also work through the Genetec Health Check Checklist yourself first. It covers the same ground and prints cleanly if you want a leave-behind for the team. For an in-depth audit utility with severity weighting and PDF export, the Genetec Health Audit tool walks the same ten areas question by question.