A Global Discovery Server (GDS) provides a scalable alternative to local multicast discovery, which is typically restricted to a single subnet. It maintains a dynamic directory of registered OPC UA Servers, including their application descriptions and discovery Endpoints, enabling a Client to query a single, well-known address to find all available automation assets.
Glossary
Global Discovery Server

What is Global Discovery Server?
A Global Discovery Server (GDS) is a centralized OPC UA Server that functions as a network-wide registry, allowing clients to locate available servers and their connection endpoints across segmented or large-scale industrial networks without requiring prior manual configuration.
The GDS also acts as a central authority for certificate management, automating the distribution and trust list updates for X.509 Certificates. By integrating with a Certificate Authority, it provisions security credentials to newly registered servers, ensuring that all participants in the OPC UA network can establish mutually authenticated and encrypted Secure Channels.
Key Features of a Global Discovery Server
A Global Discovery Server (GDS) provides a centralized registry that enables OPC UA clients to locate servers across segmented networks without requiring prior knowledge of individual endpoint addresses.
Centralized Certificate Management
The GDS functions as the trust anchor for an entire OPC UA deployment. It manages the lifecycle of X.509 Certificates through the Certificate Management Service, handling issuance, renewal, and revocation. This eliminates the need to manually distribute and trust individual application instance certificates across hundreds of machines.
Pull-Based Discovery
A client queries the GDS using the FindServers service to retrieve a filtered list of registered servers. The GDS returns connection information including Discovery URLs and supported Security Policies. This allows a client to dynamically discover servers without broadcasting on the local subnet, which is essential in routed or firewalled factory networks.
Push-Based Registration
Servers actively register themselves with the GDS using the RegisterServer service. During registration, a server provides its ApplicationDescription, capabilities, and discovery endpoints. This push model ensures the GDS registry remains current without requiring periodic network scans, which are often blocked by industrial firewalls.
Semaphore File Alternative
For environments where a GDS is temporarily unavailable, OPC UA defines a semaphore file mechanism. A server writes its discovery information to a well-known file path. Clients can read this file to bootstrap discovery. The GDS can consume these files to populate its registry, providing a bridge between local and global discovery.
Multicast DNS Extension
The GDS can integrate with mDNS (Multicast DNS) to support zero-configuration discovery on the local link. Servers announce themselves via mDNS, and a Local Discovery Server (LDS) aggregates these announcements. The GDS can federate multiple LDS instances, creating a hierarchical discovery topology that scales from a single cell to the entire enterprise.
Role-Based Access Control Integration
The GDS enforces strict authorization on discovery operations. Only authenticated clients with appropriate Roles can query for specific server types or retrieve sensitive endpoint information. This prevents unauthorized reconnaissance of the automation network and ensures that only approved clients can locate critical control system servers.
Frequently Asked Questions
Clear answers to the most common technical questions about the architecture, deployment, and operation of OPC UA Global Discovery Servers in industrial automation networks.
A Global Discovery Server (GDS) is a centralized OPC UA Server that maintains a registry of available systems and their discovery endpoints, enabling clients to find servers across a large, segmented network. It functions as a directory service, similar to DNS in IT networks, but specifically designed for industrial automation. The GDS implements the IDiscoveryServer interface and provides two core capabilities: Server Registration, where OPC UA Servers push their connection information (endpoints, security policies, and capabilities) to the GDS, and Client Query, where OPC UA Clients pull this information to locate target servers without needing pre-configured connection strings. This decouples the client from hard-coded server addresses, enabling dynamic reconfiguration and scalability in large-scale Industry 4.0 deployments.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the ecosystem surrounding the Global Discovery Server (GDS) to architect scalable, secure OPC UA networks.
Certificate Management
The GDS functions as a Certificate Authority (CA) and certificate lifecycle manager for the entire OPC UA ecosystem. It can issue, renew, and revoke X.509 Certificates for applications, enabling automatic trust establishment. Key capabilities include:
- Push model: The GDS actively pushes new certificates and trust lists to managed applications.
- Pull model: Applications periodically poll the GDS for updated trust lists.
- Certificate Revocation Lists (CRLs): Distributed to all managed entities to invalidate compromised certificates.
Well-Known Discovery Endpoint
Every OPC UA Client must know a bootstrapping endpoint to initially find the GDS. This is typically a static, well-known URL such as opc.tcp://gds.example.com:4840 that is manually configured during commissioning. The GDS exposes the IDiscoveryServer interface at this endpoint, allowing Clients to call FindServers or GetEndpoints without prior knowledge of the network topology. This single point of entry eliminates the need to hardcode individual Server addresses.
Application Registration
Before a Server can be discovered, it must register its ApplicationInstanceCertificate with the GDS. This process establishes a trust relationship and provides the GDS with the Server's capabilities, supported security policies, and discovery endpoints. The registration record includes:
- ApplicationUri: A globally unique identifier for the application instance.
- ProductUri: Identifies the software product and version.
- ServerCapabilities: Flags indicating supported profiles like Data Access or Historical Access.
- DiscoveryUrls: The network addresses Clients use to connect.
Pull-Based Discovery
Clients query the GDS using the FindServers service, specifying filter criteria such as ServerCapabilities or ApplicationName patterns. The GDS returns a list of matching application records with their DiscoveryUrls. This is the primary runtime discovery mechanism. Clients can also call GetEndpoints on the GDS to retrieve the full set of supported security configurations for a specific Server, enabling automated connection establishment without manual endpoint configuration.
Trust List Distribution
The GDS maintains a centralized Trust List that defines which application certificates are trusted across the entire network. It distributes this list to all managed Servers and Clients, ensuring consistent security posture. When a new Server is commissioned, the GDS automatically updates the Trust List, and all Clients receive the update without manual intervention. This eliminates the N x N certificate exchange problem where every application would otherwise need to manually trust every other application.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us