09-10-2025 09:49 PM
Hi,
We're currently at ISE 3.1 patch 10. We intend to upgrade to ISE 3.4 patch 3 which is marked as suggested version now in Cisco's download portal. Since we've had many problems even with suggested software versions, I don't value a star in a Cisco download portal. Anyone using that version already in production and not just in a lab?
Intention is to fix the Windows 2025 active directory issue https://bst.cisco.com/quickview/bug/CSCwn62873
Thanks,
Bernd
09-11-2025 04:27 AM
- @Network Diver The post is a typical 'dead loop'; you say I need the fix but I don't trust the Yellow Star, well then that's it.
You say : I had many problems even with suggested software versions
Can you give a few technical examples of those ?
Often when I ask that question , no response can be given (triggering you!)
>...Anyone using that version already in production and not just in a lab?
I had a combined solution for the trust issue; scary with the new version being suddenly deployed everywhere.
Usually ISE is business critical indeed.
What I always did is build the new ISE environment on a separate deployment.
Then I had a script based on the CISCO-CONFIG-COPY-MIB which could replace (ISE) radius servers (actually PSNs) in 'milliseconds' in the running configuration of a NAD (Cisco switch or other). So for instance, during a couple of days I let only 2 switches use the new ISE environment, follow up, and/or check if no one complains.
Gradually I migrated other NADs (and I could also roll back everything in seconds if needed).
M.
09-11-2025 04:50 AM
Trust issue is not specific to ISE software. We also had major issues with ASA firewall versions that erased configuration, FTD firewall that restarts LACP port-channel members or panics the firewall due to SNMP monitoring, WLAN controller that loses ARP, and the rest I erased from memory.
Building a new environment alongside the existing one is also my preferred method, especially as we have ISE in a virtual environment. Unfortunately ISE is lacking exporting/importing of all the configuration policy elements. Backup/restore works only if the hostname does not change and not for cloning one environment to another. Changing the radius servers on switches and firewalls is the simplest task among all these. We did that for the migration from ISE 2.x to 3.1. From my experience new stuff always works in test environments and once it goes into production, there are usually funny surprises.
09-11-2025 05:14 AM
- @Network Diver Well the methodology advised is to contain those funny surprises in the beginning, but that requires the manager to observe, scrutinize and analyze the new (small) environment properly (otherwise the whole endeavor makes no sense).
So keep with this preferred method too, for this project. And also write and enter the policies from scratch again on the new deployment (no restores needed).
M.
09-11-2025 06:43 AM
Seems Cisco UCS-X blade system and Netapp AFF A400 SSD storage array is too weak for ISE upgrades. On what type of hardware is Cisco using that software? Quantum computers from Starship Enterprise?
09-11-2025 07:54 AM
- @Network Diver An issue that could well be outside of ISE, while those boxes look good; check for instance
ise-admin # show tech | begin "disk IO perf"
M.
09-11-2025 09:59 PM - edited 09-12-2025 02:25 AM
Disk I/O seems okay. The whole ISE startup and upgrade process is just so slow. Upgrade of other software with similar complexity (e.g. Cisco Firewall Management Center) is done within minutes. We used ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova for deployment.
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 292 MB/second
Average I/O bandwidth reading from disk device: 384 MB/second
I/O bandwidth performance within supported guidelines
What about the backup/restore upgrade procedure Cisco recommends here?
https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/upgrade_guide/Upgrade_Journey/Cisco_ISE_3-4_Upgrade_Journey.html
We really don't want to re-create all the policies from scratch. ISE is used for wired and wireless 802.1x EAP/TLS authentication and AnyConnect VPN with different tunnel groups and different locations.
I see the restore has an option (don't tick restore ADE-OS) not to overwrite things like hostname, IP address and deployment, so I could restore all policies and endpoint data from ISE 3.1 to an ISE 3.4 test environment.
10-07-2025 11:28 PM
So far ISE 3.4 patch 3 is running fine. *KNOCKONWOOD*