Microsoft Download Center Article Active Directory in Networks Segmented by Firewalls contains the following overview:
Microsoft® Active Directory® service domain controllers are increasingly being deployed on networks segmented by firewalls. Three common scenarios are: (1) domain controllers separated from clients in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), (2) domain controllers in a perimeter network separated from other domain controllers on the network, and (3) networks divided into segments, each containing clients and domain controllers. This white paper describes best practices for deploying domain controllers in segmented networks in a manner that supports client authentication, secure resource access by clients, and replication traffic between domain controllers on opposite sides of a firewall. This paper also provides detailed procedures for configuring IPSec policies to protect Active Directory traffic between domain controllers on opposite sides of a firewall and recommended practices for managing IPSec policies that are assigned to domain controllers.