Hello
First of all, I understand the problem of being stuck with old operating systems and that replacing them can be a difficult and costly process. I just want to add a disclaimer (that you are probably already aware of): having them in your environment can also be a security risk that can cost you even more than replacing them.
The issue, I think, is that Microsoft is constantly improving security, and they most likely suffer from something like SMBv1, Netlogon, Kerberos, etc. being "tightened". It could be a number of things and I don't have the specific solution; for instance, if it's SMBv1 there is no real solution, since 95 and 2000 do not support any other version.
So it might actually be impossible for you to domain-join them into such a new environment again.
However, if there aren't too many of them and you really can't get rid of them at this time, you might need to consider having them not domain-joined and deploying policies manually/locally (having local accounts to log on), or maybe setting up their own domain with older domain controllers?
How do these machines need to be accessed? Is it through RDP? Is it a file share?
Hope this is helpful, and remember: shared knowledge is the best knowledge 😊
Best Regards,
Timmy Malmgren