Using Active Directory through a Firewall

Posted by Adam Brand on Server Fault See other posts from Server Fault or by Adam Brand
Published on 2009-07-25T23:45:00Z Indexed on 2011/03/03 23:26 UTC

I had kind of a weird setup today where I wanted to enable Windows Firewall on a Windows 2003 R2 SP2 computer that would act as an Active Directory Domain Controller.

I didn't see one resource on the Internet that listed what would be required to do this, so I thought I'd list them here and see if anyone has anything to add/sees something that isn't necessary.

Ports to Open with "subnet" scope:

  • 42 | TCP | WINS (if you use it)
  • 53 | TCP | DNS
  • 53 | UDP | DNS
  • 88 | TCP | Kerberos
  • 88 | UDP | Kerberos
  • 123 | UDP | NTP
  • 135 | TCP | RPC
  • 135 | UDP | RPC
  • 137 | UDP | NetBIOS
  • 138 | UDP | NetBIOS
  • 139 | TCP | NetBIOS
  • 389 | TCP | LDAP
  • 389 | UDP | LDAP
  • 445 | TCP | SMB
  • 445 | UDP | SMB
  • 636 | TCP | LDAPS
  • 3268 | TCP | GC LDAP
  • 3269 | TCP | GC LDAP

Ports to Open with "Any" Scope (for DHCP)

  • 67 | UDP | DHCP
  • 2535 | UDP | DHCP

Also, you need to restrict RPC to use fixed ports instead of everything > 1024. For that, you need to add two registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: <-- pick a port like 1600 and put it here

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: <-- pick another port like 1650 and put it here

...don't forget to add entries in the firewall to allow those in (TCP, Subnet scope).

After doing all that, I was able to add a client computer to the AD domain (behind Windows Firewall) and log in successfully.
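The port list and the two registry values above, turned into one script so the whole procedure can be applied and checked in one go. This is an added example, not code from the Server Fault post. It assumes PowerShell is installed on the Windows Server 2003 R2 domain controller (it is not there by default) and uses the legacy `netsh firewall` context that shipped with 2003 SP1/R2 and XP SP2; on Vista, 2008 and later that context is deprecated in favour of `netsh advfirewall`, so the `Add-PortRule` helper would need rewriting there. The post's "subnet" scope maps to netsh `SUBNET` and its "Any" scope to `ALL`. The fixed RPC ports 1600 and 1650 are the post's example values; the rule names and the helper function names are my own.

```powershell
# Added example (not from the Server Fault post). Run from an elevated
# PowerShell prompt on the domain controller after Windows Firewall is enabled.
# Uses the legacy "netsh firewall" syntax of Windows Server 2003 SP1/R2.

# Ports opened with SUBNET scope (local subnet only), as listed in the post.
$subnetRules = @(
    @{ Port = 42;   Proto = 'TCP'; Name = 'WINS' },
    @{ Port = 53;   Proto = 'TCP'; Name = 'DNS' },
    @{ Port = 53;   Proto = 'UDP'; Name = 'DNS' },
    @{ Port = 88;   Proto = 'TCP'; Name = 'Kerberos' },
    @{ Port = 88;   Proto = 'UDP'; Name = 'Kerberos' },
    @{ Port = 123;  Proto = 'UDP'; Name = 'NTP' },
    @{ Port = 135;  Proto = 'TCP'; Name = 'RPC endpoint mapper' },
    @{ Port = 135;  Proto = 'UDP'; Name = 'RPC endpoint mapper' },
    @{ Port = 137;  Proto = 'UDP'; Name = 'NetBIOS name' },
    @{ Port = 138;  Proto = 'UDP'; Name = 'NetBIOS datagram' },
    @{ Port = 139;  Proto = 'TCP'; Name = 'NetBIOS session' },
    @{ Port = 389;  Proto = 'TCP'; Name = 'LDAP' },
    @{ Port = 389;  Proto = 'UDP'; Name = 'LDAP' },
    @{ Port = 445;  Proto = 'TCP'; Name = 'SMB' },
    @{ Port = 445;  Proto = 'UDP'; Name = 'SMB' },
    @{ Port = 636;  Proto = 'TCP'; Name = 'LDAPS' },
    @{ Port = 3268; Proto = 'TCP'; Name = 'GC LDAP' },
    @{ Port = 3269; Proto = 'TCP'; Name = 'GC LDAP over SSL' }
)

# DHCP clients have no address yet, so these must be reachable from anywhere (ALL scope).
$anyRules = @(
    @{ Port = 67;   Proto = 'UDP'; Name = 'DHCP' },
    @{ Port = 2535; Proto = 'UDP'; Name = 'DHCP' }
)

# Fixed ports for the two RPC services that would otherwise pick a dynamic port > 1024.
# 1600 and 1650 are the post's example values; pick your own unused ports.
$ntdsPort     = 1600   # NTDS (AD replication) - "TCP/IP Port"
$netlogonPort = 1650   # Netlogon - "DCTcpipPort"

function Add-PortRule([int]$Port, [string]$Proto, [string]$Name, [string]$Scope) {
    # Legacy netsh exits non-zero when the rule cannot be added (e.g. bad scope).
    & netsh firewall add portopening protocol=$Proto port=$Port name="$Name" mode=ENABLE scope=$Scope | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for $Proto/$Port ($Name)" }
}

function Set-FixedRpcPort([string]$KeyPath, [string]$ValueName, [int]$Port) {
    # Both keys already exist on a DC; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Port -PropertyType DWord -Force | Out-Null
}

foreach ($r in $subnetRules) { Add-PortRule $r.Port $r.Proto $r.Name 'SUBNET' }
foreach ($r in $anyRules)    { Add-PortRule $r.Port $r.Proto $r.Name 'ALL' }

Set-FixedRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     'TCP/IP Port' $ntdsPort
Set-FixedRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'DCTcpipPort' $netlogonPort

# The post's final step: let the fixed RPC ports in as well (TCP, subnet scope).
Add-PortRule $ntdsPort     'TCP' 'NTDS fixed RPC port'     'SUBNET'
Add-PortRule $netlogonPort 'TCP' 'Netlogon fixed RPC port' 'SUBNET'

# Print the resulting rule set so it can be compared against the list above.
netsh firewall show portopening
Write-Host "Registry changes take effect only after NTDS and Netlogon restart: reboot the DC."
```

After the reboot, `netstat -ano | findstr ":1600 :1650"` should show lsass.exe listening on the two fixed ports; if it still shows only dynamic high ports, the registry value name or type is wrong (both must be REG_DWORD, and the NTDS name contains a space). Test from a client on the same subnet, since every rule except DHCP is limited to SUBNET scope and a client on another subnet will fail to join the domain even though the DC itself looks fine.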

© Server Fault or respective owner
