--- title: After you upgrade in place description: The DS server upgrade process preserves the existing configuration as much as possible. This maintains compatibility, but there are more steps you must take. component: pingds version: 8.1 page_id: pingds:upgrade-guide:after-you-upgrade-in-place canonical_url: https://docs.pingidentity.com/pingds/8.1/upgrade-guide/after-you-upgrade-in-place.html revdate: 2025-10-22T14:42:39Z keywords: ["Compatibility", "LDAP", "Migration", "Replication", "Setup & Configuration", "Troubleshooting", "Upgrade"] section_ids: checklist: Checklist upgrade-tuning-in-place: Tune settings upgrade-in-place-new-features: Activate new features upgrade_complete: Upgrade complete --- # After you upgrade in place The DS server upgrade process preserves the existing configuration as much as possible. This maintains compatibility, but there are more steps you must take. ## Checklist Use this checklist to make sure you don't miss these important post-upgrade tasks: * [icon: square-o, set=fa]Back up your directory data.1 * [icon: square-o, set=fa]Update your scripts to account for [Incompatible changes](https://docs.pingidentity.com/pingds/release-notes/changes.html). * [icon: square-o, set=fa]Plan your move away from [deprecated](https://docs.pingidentity.com/pingds/release-notes/deprecation.html) features. * [icon: square-o, set=fa]Move to dedicated service accounts for your directory applications.2 * [icon: square-o, set=fa]Manually review and purge the DS server configurations for stale references to old servers.3 * [icon: square-o, set=fa]Review [what's new and changed](https://docs.pingidentity.com/pingds/release-notes/index.html) and adopt useful improvements. * [icon: square-o, set=fa][Tune settings](#upgrade-tuning-in-place). * [icon: square-o, set=fa]Optionally [activate new features](#upgrade-in-place-new-features). 1 Backup files are *not* compatible between versions. 2 You would not run all your applications as the Linux root user or the Windows Administrator. Stop using superuser accounts like `cn=Directory Manager` or `uid=admin` as service accounts. Many DS setup profiles create service accounts for applications to use when authenticating to DS. For examples of AM service accounts, refer to the `base-entries.ldif` files in setup profiles under the `opendj/template/setup-profiles/AM` directory. 3 You can read the `opendj/config/config.ldif` file to find stale references, but always use the [dsconfig](../tools-reference/dsconfig.html) command to make changes to the configuration. ## Tune settings Major software releases include significant changes that can render existing tuning settings obsolete. When upgrading to a new major release of DS or Java software, revisit the system configuration, server configuration, and Java settings. As part of the upgrade process, adjust the settings appropriately to align your deployment with the new software version. Learn more in the [release notes](https://docs.pingidentity.com/pingds/release-notes/requirements.html) and [Performance tuning](../config-guide/tuning.html). ## Activate new features The DS `upgrade` command configures the following new features but doesn't enable them. Optionally enable the new features for use in your deployment: * Enable the [HDAP](../rest-guide/preface.html) endpoint: ```console $ /path/to/opendj/bin/dsconfig \ set-http-endpoint-prop \ --endpoint-name "/hdap" \ --set enabled:true \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --no-prompt \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin ``` * Enable the [`ds-pwp-state-json` virtual attribute](../ldap-guide/passwords-and-accounts.html#ldap-read-pwp-state): ```console $ /path/to/opendj/bin/dsconfig \ set-virtual-attribute-prop \ --name "Password Policy State" \ --set enabled:true \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --no-prompt \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin ``` * Enable the `PBKDF2-HMAC-SHA512T256` password storage scheme if needed for interoperability with Microsoft Entra ID: ```console $ /path/to/opendj/bin/dsconfig \ set-password-storage-scheme-prop \ --scheme-name "PBKDF2-HMAC-SHA512T256" \ --set enabled:true \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --no-prompt \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin ``` ## Upgrade complete * [icon: check-square-o, set=fa]Perform [these steps](before-you-upgrade-in-place.html) before you upgrade * [icon: check-square-o, set=fa]Upgrade each: * [icon: check-square-o, set=fa][Directory server](upgrade-ds.html) * [icon: check-square-o, set=fa][Directory proxy](upgrade-proxy.html) * [icon: check-square-o, set=fa][Replication server](upgrade-rs.html) * [icon: check-square-o, set=fa][HDAP gateway](upgrade-rest.html) * [icon: check-square-o, set=fa]Perform [these steps](after-you-upgrade-in-place.html) after you upgrade