A firewall is an important tool for reaching an acceptable level of security. Under normal circumstances it should be turned on with a 'whitelist' approach (everything not explicitly allowed is blocked). However, one should be careful when enabling the firewall on domain controllers: an improperly configured firewall will effectively break the domain, for example by preventing workstations from locating the domain controller, authenticating against it or reading group policy from it.
Below are instructions on what should be done to enable the firewall on a domain controller.
Enable the File and Printer Sharing exception in the firewall settings (this covers SMB on TCP 445, which clients need to read SYSVOL and NETLOGON, as well as NetBIOS on ports 137-139).
Add program exceptions for lsass.exe and ntfrs.exe, usually located in %WINDIR%\SYSTEM32. These cover the dynamically assigned RPC ports used for directory replication, Netlogon and SAMR (hosted in LSASS) and for File Replication Service traffic (NTFRS); on domain controllers that replicate SYSVOL with DFS Replication the corresponding program is dfsrs.exe instead.
Allow the following port exceptions: 53 (TCP and UDP, DNS), 88 (TCP and UDP, Kerberos), 123 (UDP, NTP), 135 (TCP, RPC endpoint mapper), 137 (UDP, NetBIOS name service), 389 (TCP and UDP, LDAP and the CLDAP pings used by the DC locator), 464 (TCP and UDP, Kerberos password change) and 636 (TCP, LDAP over SSL/TLS).
The above is the minimal exception set for normal domain controller functioning; a domain controller that also hosts the global catalog additionally needs 3268 (TCP) and 3269 (TCP). Before enforcing the rule set, verify from a workstation that domain logon, group policy processing and DNS resolution against that domain controller still work.
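The procedure above as a script, added here as an example and not part of the original page. It uses the NetSecurity module cmdlets (Windows Server 2012 and later). The rule names with the DC- prefix, the English "File and Printer Sharing" group name and the local listening check at the end are assumptions of this example; ntfrs.exe is skipped with a warning on a server that does not have it (such as one using DFS Replication for SYSVOL).

```powershell
#Requires -RunAsAdministrator
# Added example: applies the domain controller exception set described above
# with the NetSecurity module. Rule names, the English display-group name and
# the verification step are assumptions of this example.
$ErrorActionPreference = 'Stop'
$sys32 = Join-Path $env:windir 'System32'

# Whitelist approach: firewall on, inbound blocked by default, on every profile.
# The rules below are bound to all profiles so the DC keeps answering even if
# Network Location Awareness places an interface in the Public profile at boot.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Step 1: File and Printer Sharing exception (SMB 445 for SYSVOL/NETLOGON,
# NetBIOS 137-139). This is a predefined rule group.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Step 2: program exceptions. lsass.exe hosts LDAP, Kerberos, Netlogon, SAMR
# and DRS replication, which use dynamically assigned RPC ports; ntfrs.exe is
# the File Replication Service (absent on DFSR-based SYSVOL, hence the check).
foreach ($exe in 'lsass.exe', 'ntfrs.exe') {
    $path = Join-Path $sys32 $exe
    if (-not (Test-Path $path)) { Write-Warning "$path not found, skipping"; continue }
    New-NetFirewallRule -DisplayName "DC-Program-$exe" -Direction Inbound `
        -Program $path -Action Allow -Profile Any | Out-Null
}

# Step 3: the fixed port exceptions listed above.
$ports = @(
    @{ Port = 53;  Proto = @('TCP', 'UDP'); Name = 'DNS' }
    @{ Port = 88;  Proto = @('TCP', 'UDP'); Name = 'Kerberos' }
    @{ Port = 123; Proto = @('UDP');        Name = 'NTP' }
    @{ Port = 135; Proto = @('TCP');        Name = 'RPC-EPM' }
    @{ Port = 137; Proto = @('UDP');        Name = 'NetBIOS-NS' }
    @{ Port = 389; Proto = @('TCP', 'UDP'); Name = 'LDAP' }
    @{ Port = 464; Proto = @('TCP', 'UDP'); Name = 'Kpasswd' }
    @{ Port = 636; Proto = @('TCP');        Name = 'LDAPS' }
)
foreach ($p in $ports) {
    foreach ($proto in $p.Proto) {
        New-NetFirewallRule -DisplayName "DC-$($p.Name)-$proto-$($p.Port)" `
            -Direction Inbound -Protocol $proto -LocalPort $p.Port `
            -Action Allow -Profile Any | Out-Null
    }
}

# Check: list the rules just created and confirm each TCP port is reachable
# through the firewall on this host (UDP services cannot be probed this way).
Get-NetFirewallRule -DisplayName 'DC-*' |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize
foreach ($p in $ports | Where-Object { $_.Proto -contains 'TCP' }) {
    $ok = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $p.Port -InformationLevel Quiet
    '{0,-12} TCP/{1,-4} reachable: {2}' -f $p.Name, $p.Port, $ok
}
```

Run it elevated on the domain controller. The final check only exercises TCP from the DC itself, so after applying it confirm from a workstation that `nltest /dsgetdc:<domain>`, `gpupdate /force` and `Resolve-DnsName -Server <dc>` succeed; those exercise the UDP paths (CLDAP, Kerberos, DNS) that the local probe cannot.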