If I try to capture network traffic dump with Wireshark, I notice a strange error related to LDAP (I am translating from italian original message):
Users group: "MYCOMPANY\VPN" Authentication type: PAP (as stated in FW's documentation)
besides of this, it seems that the two DCs are fine: if I create a test user on DC 2008, it is visible even in windows 2019 and viceversa. So I don't figure the reason of "read only controller" issue.
CN: object not authorized replica password read only controller