Implementing a firewall in front of Windows domain controllers can cause a lot more problems than it solves. This is especially true in a shared forest, where you would need to open most of the ports Active Directory depends on (DNS, Kerberos, LDAP, SMB, the RPC endpoint mapper and its dynamic high-port range) just to let basic forest communication such as authentication and replication work at all. There is an excellent Microsoft whitepaper that addresses this topic: Active Directory in Networks Segmented by Firewalls.
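If you do end up with a firewall between a domain controller and the members or partner DCs that talk to it, the first thing a practitioner wants is a quick way to see which of the required ports the firewall actually passes. The PowerShell below is an added example for this page, not code from the page or from Microsoft's whitepaper. It assumes a placeholder DC name, takes its port list from Microsoft's published Active Directory port requirements, and checks TCP only: the UDP side of DNS and Kerberos, and the dynamic RPC ports that replication and Netlogon negotiate at runtime, are not probed by it.

```powershell
# Added example (not part of the original page): probe the well-known TCP ports a
# domain member or partner DC must reach on a domain controller through a firewall.
# Port/role mapping follows Microsoft's published AD port requirements.
function Test-DcFirewallPath {
    [CmdletBinding()]
    param(
        # Assumption: replace with the FQDN of the DC behind the firewall.
        [Parameter(Mandatory)] [string]$DomainController,
        [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    )

    $roles = @{
        53   = 'DNS (TCP side; UDP 53 is also used)'
        88   = 'Kerberos (TCP side; UDP 88 is also used)'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL, NETLOGON, Group Policy)'
        464  = 'Kerberos password change'
        636  = 'LDAP over TLS'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over TLS'
    }

    foreach ($port in $Ports) {
        # Test-NetConnection (NetTCPIP module, Windows 8 / Server 2012 and later)
        # performs a TCP connect; it cannot test UDP or the dynamic RPC range.
        $result = Test-NetConnection -ComputerName $DomainController -Port $port `
                                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $DomainController
            Port             = $port
            Role             = $roles[$port]
            Open             = [bool]$result.TcpTestSucceeded
        }
    }
}

# After the raw port probe, exercise the Netlogon secure channel end to end.
# This goes through RPC, so it also catches a blocked dynamic RPC port that the
# fixed-port probe above cannot see.
function Test-DcSecureChannel {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$DomainController)

    # Test-ComputerSecureChannel is in Microsoft.PowerShell.Management and must be
    # run on a domain-joined machine; -Server pins it to the DC under test.
    [pscustomobject]@{
        DomainController   = $DomainController
        SecureChannelValid = [bool](Test-ComputerSecureChannel -Server $DomainController)
    }
}

# Usage (placeholder host name):
$dc = 'dc1.example.edu'
$portResults = Test-DcFirewallPath -DomainController $dc
$portResults | Format-Table Port, Role, Open -AutoSize
$portResults | Where-Object { -not $_.Open } |
    ForEach-Object { Write-Warning "Blocked: TCP $($_.Port) ($($_.Role))" }
Test-DcSecureChannel -DomainController $dc
```

If every fixed port is open but the secure-channel test fails, suspect the dynamic RPC range: Microsoft's guidance is either to allow that range through the firewall or to pin AD replication to a static port with the documented `TCP/IP Port` value under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, which is exactly the kind of extra configuration that makes a firewall in front of a DC more trouble than it is worth in a shared forest.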
An alternative is to put Windows Domain Controllers in the UW Project 172 limited access network.
If you trust the NETID domain or have a delegated OU, then you should follow the specific directions for firewalls with the NETID domain.