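This is a topic many people are interested in. An answer can be found on the official Microsoft forum, and it is given here as a reference.

DC<->DC: bidirectional

DC<->Client: one-way

Reference link: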
http://social.technet.microsoft.com/Forums/sk/winserverDS/thread/f67047fe-b13a-4636-a934-30fd083bc1a7

You do need outgoing traffic for DC to DC communication

(refer to http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx for details).

For firewalls separating clients and DCs, allow incoming traffic (assuming that your firewalls are stateful). Enable logging to catch any blocked communication...
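
One way to act on the logging advice above, as an added example that is not part of the original post or the forum thread: sort blocked entries by direction relative to the DCs, so that DC<->DC and client-to-DC drops (which the rules above should permit) stand out from DC-initiated traffic toward clients. The DC addresses and log lines are constructed, and the field layout assumes the Windows Firewall `pfirewall.log` format.

```python
# Added example: triage blocked traffic by direction relative to the DCs.
# DC addresses and log lines are constructed; the field layout follows the
# Windows Firewall pfirewall.log format (an assumption about the firewall in use).
DCS = {"10.0.1.10", "10.0.2.10"}

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 10.0.1.10 10.0.2.10 49200 135 52 S 0 0 8192 - - - SEND
2024-05-01 10:00:02 DROP TCP 10.0.2.10 10.0.1.10 49310 389 52 S 0 0 8192 - - - RECEIVE
2024-05-01 10:00:03 DROP UDP 10.0.9.50 10.0.1.10 51000 88 120 - - - - - - - RECEIVE
2024-05-01 10:00:04 ALLOW TCP 10.0.9.51 10.0.1.10 51001 445 52 S 0 0 8192 - - - RECEIVE
2024-05-01 10:00:05 DROP TCP 10.0.1.10 10.0.9.50 49400 445 52 S 0 0 8192 - - - SEND
"""


def classify(src, dst, dcs=DCS):
    """Map a flow to the direction categories used in the post."""
    if src in dcs and dst in dcs:
        return "dc-to-dc"      # must be allowed in both directions
    if dst in dcs:
        return "client-to-dc"  # must be allowed inbound to the DC
    if src in dcs:
        return "dc-to-client"  # DC-initiated; outside the one-way rule
    return "other"


def blocked_flows(log_text, dcs=DCS):
    """Return (category, protocol, src, dst, dst_port) for every DROP entry."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 8:
            continue  # header, blank or truncated line
        _date, _time, action, proto, src, dst, _sport, dport = fields[:8]
        if action != "DROP":
            continue
        hits.append((classify(src, dst, dcs), proto, src, dst, dport))
    return hits


if __name__ == "__main__":
    for hit in blocked_flows(SAMPLE_LOG):
        print(*hit)
```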