You can enable Windows Firewall on your domain controllers for enhanced security, but you need to do it right; otherwise problems can arise, such as client machines being unable to join your domain. Here's how you need to configure Windows Firewall on a domain controller:
Enable the File And Print Sharing exception.
Enable program exceptions for lsass.exe and ntfrs.exe, both of which are found under %windir%\system32.
Enable port exceptions for ports 53 (TCP and UDP), 88 (TCP and UDP), 123 (UDP), 135 (TCP), 137 (TCP), 389 (UDP), 464 (TCP and UDP) and 636 (TCP).
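The three steps above, carried out as one script, as an added example that is not part of the original tip: it uses the NetSecurity module cmdlets (New-NetFirewallRule, Enable-NetFirewallRule; Windows Server 2012 and later) rather than the older netsh firewall syntax. The "DC-" rule-name prefix and the service labels attached to each port are assumptions made for this example; the ports and protocols are exactly those listed in the text. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the original tip): applies the domain-controller
# firewall exceptions listed above with the NetSecurity cmdlets.
# The "DC-" prefix and the per-port labels are assumptions for this example.
#Requires -RunAsAdministrator

$Prefix = "DC-"

# Creates an inbound Allow rule for the Domain profile unless a rule with
# the same display name already exists, so the script can be re-run safely.
function Add-DcRule {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [hashtable] $RuleParams
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$DisplayName' already exists, skipping"
        return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
        -Action Allow -Profile Domain @RuleParams | Out-Null
}

# Step 1: the File and Print Sharing exception is a built-in rule group.
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# Step 2: program exceptions for lsass.exe and ntfrs.exe under %windir%\system32.
$programs = @{
    "LSASS" = Join-Path $env:windir "system32\lsass.exe"
    "NTFRS" = Join-Path $env:windir "system32\ntfrs.exe"
}
foreach ($name in $programs.Keys) {
    Add-DcRule -DisplayName "$Prefix$name" -RuleParams @{ Program = $programs[$name] }
}

# Step 3: port exceptions, exactly as listed in the text (labels are assumptions).
$ports = @(
    @{ Port = 53;  Protocol = "TCP"; Label = "DNS" },
    @{ Port = 53;  Protocol = "UDP"; Label = "DNS" },
    @{ Port = 88;  Protocol = "TCP"; Label = "Kerberos" },
    @{ Port = 88;  Protocol = "UDP"; Label = "Kerberos" },
    @{ Port = 123; Protocol = "UDP"; Label = "NTP" },
    @{ Port = 135; Protocol = "TCP"; Label = "RPC-EPM" },
    @{ Port = 137; Protocol = "TCP"; Label = "NetBIOS-NS" },
    @{ Port = 389; Protocol = "UDP"; Label = "LDAP" },
    @{ Port = 464; Protocol = "TCP"; Label = "Kerberos-kpasswd" },
    @{ Port = 464; Protocol = "UDP"; Label = "Kerberos-kpasswd" },
    @{ Port = 636; Protocol = "TCP"; Label = "LDAPS" }
)
foreach ($p in $ports) {
    $dn = "{0}{1}-{2}-{3}" -f $Prefix, $p.Label, $p.Protocol, $p.Port
    Add-DcRule -DisplayName $dn -RuleParams @{ Protocol = $p.Protocol; LocalPort = $p.Port }
}

# Verification: show what this script created and confirm the sharing group is on.
Get-NetFirewallRule -DisplayName "$Prefix*" |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object Enabled -eq "True" |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

The rules are scoped to the Domain profile only, so nothing is opened on a network the controller does not recognise as its domain. The program exception for lsass.exe is what makes the list work in practice: the RPC endpoint mapper on port 135 hands clients a dynamically assigned port, and a program rule admits traffic to whatever port lsass.exe is listening on without having to open that whole range.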
Mitch Tulloch is lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch is also the author of Introducing Windows Server 2008, the first book from Microsoft Press about the exciting new server platform. For more information on these and other books written by Mitch, see www.mtit.com.