We've noticed that on some Server 2008 servers, when you enable a feature or role, you get a prompt from the Windows Firewall to "Allow" or "Block" access for this service, while at other times we do not get this prompt. I'm not sure what causes this prompt to work or not. Is anyone familiar with this prompt, and do you know how to make sure we're always prompted for any new feature or role that is installed that requires special TCP/UDP ports?
The reason it's an issue, for example, is that when we've enabled DNS on some domain controllers we've noticed that a rule gets created for the DNS executable but not necessarily UDP port 53. Seems like the firewall is hit or miss on whether or not it opens the right ports when a new service is installed. A few times we've had issues, so we figured if the prompt works better, then perhaps there will be fewer issues. (Unfortunately, in our environment we have to run the firewall for all zones, and we frequently find it's the culprit of issues until we create additional rules.)