@Florian, the short answer is "everywhere". Exchange has the capability of reaching outside of its own AD site and its own domain to contact resources if necessary, and you don't want things that normally work to suddenly go *boom* when it hits a situation requiring out-of-site or out-of-domain resources. I'm making some assumptions in my next sentence that may not apply to everyone. If you can, the best thing you can do is create an "Exchange Servers" resource group and a "Domain Controllers" (which includes GCs) resource group in your firewall central management software. Once the groups are created, push out a rule so those resource groups can ANY/ANY each other. As you add new servers to the environment, include a step in your server provisioning process to add them to the appropriate FW resource group. I know some of you will read this and try to be tricky and do something like create rules for the local AD site and AD sites once removed via AD site link, but do me a favor and don't. :)
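One way to keep the two firewall resource groups from drifting out of sync with the directory is to generate their membership from AD and Exchange rather than by hand. The script below is an added example, not part of the comment above or any vendor's tooling. It assumes the ActiveDirectory module and the Exchange Management Shell are loaded, and it only produces CSV files; the step that loads those files into the firewall management product is specific to that product and is left as a labelled placeholder.

```powershell
# Added example: enumerate every DC/GC in the forest and every Exchange server,
# and emit two CSVs that can be imported into the firewall resource groups
# "Domain Controllers" and "Exchange Servers". Assumes the ActiveDirectory
# module and the Exchange Management Shell are available in this session.

# Assumption: output location is a local folder; adjust for your environment.
$OutDir = 'C:\FirewallGroups'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Every domain controller in every domain of the forest, not just the local
# site. GCs are domain controllers with IsGlobalCatalog set, so they are
# covered by the same query and land in the same group.
$forest = Get-ADForest
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object @{n='Group';e={'Domain Controllers'}},
                      HostName, IPv4Address, Site,
                      @{n='Domain';e={$domain}},
                      IsGlobalCatalog
}

# Every Exchange server in the organization. Get-ExchangeServer does not
# return an IP, so resolve the FQDN; a server that does not resolve is flagged
# rather than silently dropped, because a missing member is exactly the kind
# of gap that makes a normally working path go *boom* later.
$exch = foreach ($srv in Get-ExchangeServer) {
    $ip = try {
        (Resolve-DnsName -Name $srv.Fqdn -Type A -ErrorAction Stop |
            Select-Object -First 1).IPAddress
    } catch { 'UNRESOLVED' }
    [pscustomobject]@{
        Group           = 'Exchange Servers'
        HostName        = $srv.Fqdn
        IPv4Address     = $ip
        Site            = $srv.Site
        Domain          = $srv.Domain
        IsGlobalCatalog = $false
    }
}

# Surface problems before anything is pushed to the firewall.
$missing = @($dcs + $exch) | Where-Object {
    -not $_.IPv4Address -or $_.IPv4Address -eq 'UNRESOLVED'
}
if ($missing) {
    Write-Warning "Hosts without a usable IP (fix before importing):"
    $missing | Format-Table HostName, Group -AutoSize | Out-String | Write-Warning
}

$dcs  | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'domain-controllers.csv')
$exch | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'exchange-servers.csv')

# Placeholder: import the two CSVs into the corresponding resource groups in
# your firewall central management software (vendor-specific API or CLI;
# hypothetical step, not shown here), then confirm the ANY/ANY rule between
# the two groups is still in place.
Write-Host "Wrote $($dcs.Count) DC/GC entries and $($exch.Count) Exchange entries to $OutDir"
```

Run this from the same provisioning job that builds a new DC or Exchange server, and diff the output against the previous run; the diff is the list of hosts that must be added to (or removed from) the firewall groups, which keeps the "add it to the resource group" step from depending on someone remembering to do it.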