Thanks @ahollifield ,

I think it would be better to have all the primary roles on the primary PAN, before de-registering the second node, hence I have to modify the roles.

Then I can proceed by unregistering the second node.

Thanks, Gio

Correct, move all roles to primary on the Primary PAN.  Then deregister.

Also, why do you have only one pxGrid node?  Why is Profiling also enabled only on one node?  Do you have Advantage Licensing for profiling and pxGrid?

Hi @ahollifield ,

thanks for confirming my next step.
As to your question, I wouldn't know. I have inherited this setup and hence I assumed it was a stable baseline. If you say that's not normal, I would really appreciate to know why. Cisco ISE is complex and so far I have only worked on configuring policies, I haven't had the opportunity to touch the pillars of a new deployment.

Moreover I found this guidelines, I made comments to better tailor them for a two-nodes setup like the one I have.
If you could quickly review it and let mew know if ther eare any mistake, I would appreciate very much.

Upgrade Secondary PAN and MnT Nodes to Cisco ISE, Release 3.2
Procedure

v Step 0 Make just one node Primary for PAN and MnT
v Step 1 Take a backup of Cisco ISE conguration settings and operational logs.
v Step 2 De-register THE secondary PAN node (there can be just two PANs, hence there is only one secondary)
v Step 3 Re-image the deregistered secondary PAN node to Cisco ISE, Release 3.2.
v Step 4 Restore ISE conguration from the backup data and make this node as the Primary Node for your new deployment (being Primary is automatic, isn't it?)
v Step 5 Import ise-https-admin CA certicates from the backup for this node unless you are using wild card certicates (OK)
? Step 6 De-register Secondary MnT node. (in a two-nodes setup this step isn't possible, is it? I can just proceed ontp the next one, right?)
v Step 7 Re-Image the deregistered Secondary MnT node to Cisco ISE, Release 3.2.
- Step 8 Restore your current ISE operational backup and join node as Primary MnT for new deployment. This is an optional step and needs to performed only if you need to report of the older logs.

Also, when restoring the configuration backup, are IP addresses taken from the backup, meaning that I may loose connectivity if doing the restore from the Web GUI?

TIA, Gio

So if you only have essentials licensing, you should disable Profiler and pxGrid on your nodes as you are not entitled to those features.  If you do have the licensing and are using the Profiler and pxGrid you should enable those on both nodes for redundancy purposes.

Do you need the operational data?  Otherwise I wouldn't bother backup/restoring that.  It will add significant time to your upgrade to restore the logging/reporting data.   You also do not need to import the backup twice.  When you join the the second node to the deployment the configuration database will be downloaded.  There are also multiple upgrade specific webinars on the ISE YouTube channel here: https://www.youtube.com/@CiscoISE

Network settings are not restored as part of a backup restore unless you use the "include-adeos" keyword when restoring the backup.