Upgrades
This document covers how to roll forward (and back) between IdentityMesh releases without losing data or breaking running connectors.
What changes between releases
| Component | Carries state? | How it’s upgraded |
|---|---|---|
| SQL schema | Yes — the source of truth. | EF Core migrations applied automatically by the installer’s database setup step. |
| Service / API binaries | No — stateless. | MSI version. |
| Relay agent binaries | No — stateless. | MSI version (separate installer). |
| Connector DLLs | Implicitly — connector configs reference connector type names. Renaming a connector type breaks existing schedules. | Shipped in the Connectors\ folder of each host (service + each relay). |
| License file | Yes — separate from binaries. | Re-issued out-of-band by sales. RSA-4096 signed. |
| DPAPI secrets | Yes — see secrets-and-dpapi.md. | Encrypted blob in the IdentityMesh database. |
Pre-upgrade checklist
- Take a SQL backup. See
backup-and-restore.md. This is the only thing that lets you roll back if the upgrade goes sideways. - Snapshot the
Connectors\folder on every host (service + each relay) so you can roll a connector DLL back independently of the service version. - Note the running version by checking the file properties on
%ProgramFiles%\IdentityMesh\*.exeor the Admin UI’s About page. - Stop active sync runs. Either pause schedules in the Admin UI
or wait for in-progress runs to complete. Any sync running when the
service is stopped is marked
Interrupted; the next service start reconciles the bookkeeping automatically.
Upgrade procedure
Same-version connector upgrade only
Drop replacement DLLs into the Connectors\ folder and restart the
service (or relay agent). Connectors are loaded on startup.
Service / API version upgrade
- Pre-upgrade checklist above.
- Stop services:
sc stop IdentityMeshEngine sc stop IdentityMeshAdmin - Run the new MSI. It upgrades binaries in-place and preserves
appsettings.json— file-copy rules are documented ininstaller.md. - Schema migrations are applied automatically by the installer’s database-setup step. The migration system is idempotent — running it on an already-current database is a no-op.
- Start services:
sc start IdentityMeshAdmin sc start IdentityMeshEngine - Smoke test: dashboard loads, license shows valid, run history queryable, kick off one sync.
Relay agent upgrade
Each relay agent is independently upgradeable. Order:
- Upgrade the central API/service first (or at least confirm the API is at a version that still accepts the relay’s old protocol — see “Version skew” below).
- For each relay host: stop the service, install the new MSI, start the service. The agent re-registers with the API on next connection.
Version skew
The relay protocol is conservative — older relays against newer APIs generally work, and newer relays against older APIs generally work, as long as no hub method has been removed or changed in incompatible ways.
For deployments with many relays that can’t be upgraded simultaneously: a staged rollout (one canary relay first) catches incompatibilities cheaply during the upgrade window.
Connector DLL versioning
Connectors are loaded by name from the Connectors\ folder.
IM_ConnectorSchedules references each connector by type name.
- Adding a new connector: drop the DLL in
Connectors\, restart. The new type registers as soon as the agent re-registers. - Updating an existing connector: replace the DLL in place; type names must remain stable. Restart picks up the new code.
- Renaming a connector type: do not. It breaks every existing schedule that referenced the old name. If unavoidable, the release notes will call out the SQL migration that updates the affected rows.
Rollback
Binary rollback
- Stop services.
- Run the previous version’s MSI:
msiexec /i previous.msi REINSTALL=ALL REINSTALLMODE=vomus - Roll back the schema if the upgrade applied any. The release notes for each version document whether down-migration is supported and what data, if any, is lost in the down direction. Test rollbacks in a staging copy of production data first.
- Start services.
Schema-only rollback (binary stays at new version)
Don’t. Migrations are designed to be applied in order. A binary that expects a column the schema doesn’t have will throw at runtime. If the new binary version is broken in a way that requires reverting just the schema, the right move is to roll back the binary too.
Data-only rollback (revert to backup)
Upgrade frequency considerations
- Schema migrations are additive whenever possible (new nullable columns, new tables) so the previous binary version still runs against the new schema. This makes rolling deployments and partial rollback safe.
- Avoid renaming columns or tables. Renames mean every customer’s upgrade pays the migration cost; the release process prefers add-and-deprecate over rename.
Related
installer.md— MSI build and install procedure.backup-and-restore.md— what to back up before upgrading.secrets-and-dpapi.md— secret re-provisioning if the upgrade involves a host migration.