Hi,
To provide AD forest protection, all DCs must be updated, since they will enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers (RODC).
If a non-compliant DC cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, we have to add the DC using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
Allowing DCs to use vulnerable connections by the group policy will make the forest vulnerable to attack. The end goal should be to address and remove all accounts from the group policy.
So it would be a better idea to upgrade the old DC which cannot support secure RPC with Netlogon secure channel.
For your reference: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e
Best Regards,
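
One way to find which accounts still rely on vulnerable Netlogon connections, or are still exempted by the group policy, is to collect the Netlogon events for CVE-2020-1472 from every DC in the forest. This is an added example, not part of the original reply; it assumes the ActiveDirectory RSAT module, read access to each DC's System log, and a 30-day look-back window, and the event IDs are the ones documented in the Microsoft article linked above.

```powershell
# Added example: inventory Netlogon secure channel events (CVE-2020-1472) forest-wide.
Import-Module ActiveDirectory

# Event IDs logged by patched DCs in the System log.
$meaning = @{
    5827 = 'Denied: vulnerable connection, machine account'
    5828 = 'Denied: vulnerable connection, trust account'
    5829 = 'Allowed: vulnerable connection, not yet enforced'
    5830 = 'Allowed by group policy: machine account'
    5831 = 'Allowed by group policy: trust account'
}
$ids   = 5827..5831
$since = (Get-Date).AddDays(-30)   # assumption: 30-day look-back window

# Enumerate every DC (RODCs included) in every domain of the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'System'; Id = $ids; StartTime = $since }
    } catch {
        # "No matching events" is the good outcome; anything else means the DC
        # could not be checked and must not be counted as clean.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            DC      = $dc.HostName
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $meaning[$e.Id]
            Message = $e.Message   # names the machine or trust account involved
        }
    }
}

# Summary per DC and event ID, then full detail for follow-up.
$results | Group-Object DC, Id | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize
$results | Sort-Object Time | Format-List DC, Time, Id, Meaning, Message
```

Events 5830 and 5831 identify accounts that are still listed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" policy; an empty result for those IDs over a representative period is the signal that the exemption list can be emptied.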