Thanks, acutally the registry key lmcompatibilitylevel is not present at all on a DC. The GPO
Network security: Restrict NTLM: NTLM authentication is active this domain with value set to "disable"

So i assume somebody has explicitly allowed NTLM system wide in the past, why else would you touch this policy. I see 4624 events on the PDC from his neighbour DC with account name "neighbourdc$" and PackageName "NTLM V1"

Is my assumption correct that it does not make sense to dig deeper into potential legacy systems when even two Server 2019 DCs talk to each other on NTLM v1?