Another option may be to export GPO's, take the failed one off network, seize roles to a healthy domain controller
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds
do clean up
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564
When all is confirmed good you could, then import the GPO's, and build a replacement for the failed one.
--please don't forget to Accept as answer
if the reply is helpful--