diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 420e04880..97fbdef2d 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -31,7 +31,7 @@ default:nsSizeLimit: 5000
 default:nsLookThroughLimit: 5000
 
 dn: cn=config
-add:nsslapd-anonlimitsdn:cn=anonymous-limits,cn=etc,$SUFFIX
+only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
 
 # Add a defaultNamingContext if one hasn't already been set. This was
 # introduced in 389-ds-base-1.2.10-0.9.a8. Adding this to a server that
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 745bb777e..8703b5e4b 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -540,7 +540,7 @@ class IPAdmin(IPAEntryLDAPObject):
 
         # Some attributes, like those in cn=config, need to be replaced
         # not deleted/added.
-        FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit')
+        FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn')
         modlist = []
 
         old_entry = ipautil.CIDict(old_entry)