Hi,
I'd be happy to help you out with your question. Sorry for the inconvenience caused.
The settings you've applied to your servers are correct. The "Network security: Minimum session security" settings are meant to be applied differently based on the role of the computer in the network, with domain controllers having a higher level of security requirements compared to regular servers.
The values you're seeing in the registry for your domain controllers, 0x20080030 (537395248), represent the correct setting for "Require NTLMv2 session security" and "Require 128-bit encryption" on domain controllers. On the other hand, the value you're seeing for your host servers, 0x20080000 (537395200), represents the correct setting for those servers.
It's normal for auditing tools to flag domain controllers as being out-of-spec because they have a different security configuration compared to regular servers. However, in this case, the difference in settings is intentional and correct based on the role of the computers in the network.
If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.
If the reply was helpful, please don't forget to upvote or accept it as the answer. Thank you.
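
A decoder for the two registry values quoted in the answer above, as an added example that is not part of the original reply. The flag names follow Microsoft's documented bit values for the `NtlmMinClientSec` / `NtlmMinServerSec` DWORDs; the baseline and the function names are assumptions made for illustration.

```python
# Flag bits of NtlmMinClientSec / NtlmMinServerSec, as documented by Microsoft
# for the "Network security: Minimum session security" policies.
FLAGS = {
    0x00000010: "Message integrity",
    0x00000020: "Message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
    0x80000000: "Require 56-bit encryption",
}

# Assumed audit baseline: NTLMv2 session security plus 128-bit encryption.
BASELINE = 0x00080000 | 0x20000000


def decode(value):
    """Return (known flag names, leftover unknown bits) for a registry DWORD."""
    names = [name for bit, name in sorted(FLAGS.items()) if value & bit]
    # The flag bits are disjoint, so their sum equals their bitwise OR.
    unknown = value & ~sum(FLAGS) & 0xFFFFFFFF
    return names, unknown


def audit(value, baseline=BASELINE):
    """Compare a value to the baseline both ways an auditing tool might."""
    missing = baseline & ~value
    extra = value & ~baseline & 0xFFFFFFFF
    return {
        "exact_match": value == baseline,      # strict equality check
        "meets_baseline": missing == 0,        # bitmask (superset) check
        "missing": decode(missing)[0],
        "extra": decode(extra)[0],
    }


if __name__ == "__main__":
    # The two values quoted in the answer above.
    samples = (("domain controller", 0x20080030), ("host server", 0x20080000))
    for host, value in samples:
        names, unknown = decode(value)
        print(f"{host}: 0x{value:08X} ({value})")
        print("  flags:", ", ".join(names), f"unknown=0x{unknown:X}")
        print("  audit:", audit(value))
```

A tool that compares the DWORD for strict equality reports 0x20080030 as a mismatch even though both baseline bits are set; a bitmask comparison reports only the two additional flags.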