Windows Domains and Firewalls
Implementing a firewall in front of Windows domain controllers can cause a lot more problems than it solves. This is especially true in a shared forest, where you would need to open up most of the Microsoft ports in order to allow basic forest communication to function. There is an excellent Microsoft whitepaper which addresses this topic: "Active Directory in Networks Segmented by Firewalls".
An alternative is to put Windows Domain Controllers in the UW Project 172 limited access network.
If you trust UWWI (the Netid domain) or have a UWWI delegated OU, then you should follow the specific directions for firewalls with UWWI.