You should join the machine with a LAN connection and then move it to the
DMZ. There are RPC protocols used for joining to the domain, and this is
not so simple to just "open up". Since you only need to do this once, it isn't
worth all the effort.
You can then open the TCP ports for whatever communication you need
from that machine.
If you do have to do it through the firewall, these KB articles will give you a
good overview of what to do:
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
If at all possible you should find some other way to enable your DMZ-to-LAN
communication other than opening NetBIOS ports, even if it means using
a software VPN tunnel to do it, which itself is not ideal. Opening
difficult-to-audit ports such as 137-139 really defeats the purpose of
having a DMZ in the first place.
Steve Duff, MVP, MCSE
Ergodic Systems, Inc.
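
One way to check a DMZ-to-LAN rule set for the ports the post above warns against, as an added example that is not part of the original post. The rule syntax, the zone names "dmz" and "lan", the width threshold and the sample rules are all assumptions constructed for illustration; rule ordering is not modelled.

```python
# Added example: audit DMZ-to-LAN permit rules for NetBIOS ports and wide ranges.
# Rule syntax and zone names are hypothetical; the rule set below is constructed.
from typing import NamedTuple

NETBIOS = (137, 139)   # the "difficult-to-audit" ports named in the post
WIDE_RANGE = 1000      # assumption: a range this wide suggests dynamic RPC ports

SAMPLE_RULES = """\
# action proto src dst ports
permit tcp dmz lan 1433
permit udp dmz lan 137-138
permit tcp dmz lan 135,139,445
permit tcp dmz lan 49152-65535
permit tcp lan dmz 137-139
deny   tcp dmz lan 1-65535
"""

class Finding(NamedTuple):
    line_no: int
    rule: str
    reason: str

def parse_ports(spec):
    """Turn '135,137-139' into a list of inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def audit(text, src="dmz", dst="lan"):
    """Return findings for permit rules from src zone to dst zone."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, proto, rule_src, rule_dst, ports = line.split()
        if action != "permit" or (rule_src, rule_dst) != (src, dst):
            continue
        for low, high in parse_ports(ports):
            if low <= NETBIOS[1] and high >= NETBIOS[0]:   # overlaps 137-139
                findings.append(Finding(line_no, line, "NetBIOS 137-139 exposed"))
            elif high - low + 1 >= WIDE_RANGE:
                findings.append(Finding(line_no, line, "wide port range"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"line {f.line_no}: {f.reason}: {f.rule}")
```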