Hi, I have 3 2008R2 Domain Controllers in my environment. All 3 are protected by the corporate firewalls from external threats, but their local Windows Firewall is currently disabled. Is it possible to enhance security for these DCs by enabling Windows Firewall? Are exceptions/rules added automatically to the firewall policy based on servers' roles, or do I need to add them manually?

You can enhance security of these DCs by enabling Windows Firewall. You can also make sure that all security updates are installed. FAIK, the exceptions / rules are added automatically. Have a look to this Microsoft article about the needed ports for AD replication. http://technet.microsoft.com/en-us/library/bb727063.aspx This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration