Hello,
Thank you so much for posting here.
If we want the policy to be scoped to a group of DCs and not all DCs in the organization, security filtering can be considered.
For example, we can give Authenticated Users only the Read permission, and add the group (to which you want to apply the policy) with Read and Apply permissions. Then the policy will be applied only to the group.
Assign Security Group Filters to the GPO:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo
Or we could consider WMI filtering. To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO.
Create WMI Filters for the GPO:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo
As mentioned, we are going to add another Windows Server 2016 or 2019 server as the second DC. The minimum requirement to add a Windows Server 2019 domain controller is a Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL. So before we add the 2019 DC to the existing domain, we need to ensure the functional level is at least Windows Server 2008 and the SYSVOL folder replication type is DFSR.
Besides, please kindly check DC health by running Dcdiag /v and check AD replication by running repadmin /showrepl and repadmin /replsum before joining the new DC.
For any questions, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
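The security-filtering step described in the answer above, done with the GroupPolicy PowerShell module instead of the GPMC console. This is an added example, not code from the original answer or from Microsoft's documentation; the GPO name and the group name are placeholders, and it assumes the RSAT GroupPolicy module is installed and the caller can edit the GPO.

```powershell
# Added example (not from the original answer): scope a GPO to a security group
# of domain controllers with security filtering.
# Placeholders: replace the GPO name and the group name with your own.
Import-Module GroupPolicy

$GpoName   = 'DC Firewall Policy'   # placeholder GPO name
$GroupName = 'DC-Policy-Targets'    # placeholder global group containing the target DCs

# Fail early if the GPO does not exist.
$null = Get-GPO -Name $GpoName -ErrorAction Stop

# Authenticated Users keep Read only (the -Replace switch drops the default
# Read + Apply). Read must stay so that Group Policy processing can still
# enumerate the GPO; removing Read entirely breaks policy application
# since MS16-072 (computers read GPOs with their own account).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# The target group receives Read + "Apply Group Policy".
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify the resulting delegation: only $GroupName should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

Because the DCs' computer accounts must be members of the group at the time the GPO is processed, confirm membership with Get-ADGroupMember before expecting the policy to appear in gpresult on those hosts; a computer added to the group needs a restart or a new Kerberos ticket before the new group SID is in its token.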
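The pre-flight checks from the answer (functional level, SYSVOL replication engine, dcdiag and repadmin) collected into one script. This is an added example, not code from the original answer; it assumes it runs elevated on an existing domain controller with the ActiveDirectory module and the AD DS tools (dcdiag, repadmin, dfsrmig) installed, and the parsing of the dfsrmig "Current DFSR global state" line is an assumption about that tool's output format.

```powershell
# Added example (not from the original answer): checks to run on an existing DC
# before promoting a Windows Server 2019 domain controller into the domain.
Import-Module ActiveDirectory

$results = [ordered]@{}

# 1. Domain functional level: Windows Server 2008 or higher is required for a 2019 DC.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
$levelOk = [int]$domain.DomainMode -ge [int]$minMode
$results['DomainFunctionalLevel'] = "$($domain.DomainMode) (meets minimum: $levelOk)"

# 2. SYSVOL must be replicated by DFS-R: the FRS->DFSR migration state is 'Eliminated'.
#    Assumption: dfsrmig prints a line like  Current DFSR global state: 'Eliminated'
$dfsrOutput = (dfsrmig /getglobalstate) -join "`n"
$results['SysvolUsesDfsr'] = [bool]($dfsrOutput -match "global state:\s*'Eliminated'")

# 3. DC health: every dcdiag test should report 'passed test'; collect any failures.
$dcdiagOutput = dcdiag /v
$failedTests  = $dcdiagOutput | Where-Object { $_ -match 'failed test' }
$results['DcdiagFailedTests'] = if ($failedTests) { ($failedTests.Trim() -join '; ') } else { 'none' }

# 4. Replication: parse repadmin's CSV output and flag partner links with failures.
$replRows     = repadmin /showrepl * /csv | ConvertFrom-Csv
$replFailures = @($replRows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$results['ReplicationLinksWithFailures'] = $replFailures.Count
foreach ($row in $replFailures) {
    Write-Warning ("{0} <- {1} [{2}]: {3} failure(s), last status {4}" -f
        $row.'Destination DSA', $row.'Source DSA', $row.'Naming Context',
        $row.'Number of Failures', $row.'Last Failure Status')
}

# Summary, followed by the raw replication summary for the change record.
[pscustomobject]$results | Format-List
repadmin /replsum
```

Do not promote the new DC until SysvolUsesDfsr is True, DcdiagFailedTests is none, and ReplicationLinksWithFailures is 0; promoting into a domain with existing replication errors tends to hide the original fault behind the new DC's own replication failures.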