Implementing a firewall in front of Windows domain controllers can cause a lot more problems than it solves, but you should not run your domain controllers on the internet.
An alternative is to put Windows domain controllers in the UW Project 172 limited-access network.
If you trust the NETID domain or have a delegated OU, then you should follow the specific directions for firewalls with the NETID domain.