Have you checked to see if your ISE nodes are joined to the domain? It has happened in the past that after an upgrade the nodes need re-joined to AD.
Go to Administration -> External Identity Services and click on the domain you're setup to connect to.
Edit: Just checked the 2.2 upgrade guide and find the following:
Join all Cisco ISE nodes with Active Directory again, if you use Active Directory as your external identity source and the connection to Active Directory is lost. After rejoining, perform the external identity source call flows to ensure the connection
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/upgrade_guide/b_ise_upgrade_guide_22/b_ise_upgrade_guide_22_chapter_0100.html