Are you using Ansible to manage domain-joined Windows servers?
If so, what authentication protocol are you using, Kerberos or NTLM?
NTLM is a bad thing; Kerberos across several forests, and also Windows behind Linux jump hosts, where we use SOCKS5/PSRP to connect.
Does your Ansible server need to auth to the domain controllers to run plays on MS member servers if using Kerberos?
Yes, Ansible has to do a kinit first against the DC before the play can execute.
Do you know if it's just port 88 that needs to be open on the FW?
At least 88 TCP/UDP; you may need 53 TCP/UDP for DNS also.
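The setup described in this thread (kinit against the DC on the Ansible control node, PSRP with Kerberos auth, SOCKS5 for hosts behind a Linux jump host, and a preflight check for 53 and 88), written out as an added example; this is not code from any poster here. It assumes a keytab for a service account at /etc/ansible/ansible.keytab, a DC named dc01.corp.example.com that is also the DNS server, a playbook site.yml, a SOCKS5 listener on 127.0.0.1:1080 opened with ssh -D on the jump host, and that nc(1) supports -z/-w; all hostnames and the realm CORP.EXAMPLE.COM are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): preflight wrapper for running an Ansible
# play against domain-joined Windows hosts with Kerberos auth over PSRP,
# optionally through a SOCKS5 proxy on a Linux jump host.
# Assumptions: keytab path, principal, DC name, playbook name and the SOCKS5
# listener below are placeholders, not values from the thread.

set -eu

KEYTAB="${KEYTAB:-/etc/ansible/ansible.keytab}"
PRINCIPAL="${PRINCIPAL:-svc_ansible@CORP.EXAMPLE.COM}"
DC="${DC:-dc01.corp.example.com}"          # assumed: DC is also the DNS server
PLAYBOOK="${PLAYBOOK:-site.yml}"

# Kerberos realm for a host FQDN: the DNS domain, upper-cased. Realm names are
# case-sensitive and the AD default realm is the upper-cased DNS domain name.
# Short names are rejected: Kerberos SPNs need FQDNs, a common first failure.
realm_for_host() {
    fqdn="$1"
    case "$fqdn" in
        *.*) printf '%s\n' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]' ;;
        *)   return 1 ;;
    esac
}

# TCP reachability check for the ports the thread names (88 = KDC, 53 = DNS).
# Assumption: nc(1) supports -z (scan only) and -w (timeout seconds).
tcp_open() {
    host="$1"; port="$2"
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
}

# Ensure a valid TGT exists in the credential cache before Ansible starts.
# klist -s exits non-zero when the cache is missing or expired; kinit with the
# keytab is the "kinit first against the DC" step from the thread.
ensure_tgt() {
    if ! klist -s; then
        kinit -k -t "$KEYTAB" "$PRINCIPAL"
    fi
}

# Minimal inventory: PSRP with Kerberos auth; hosts behind the jump host get
# ansible_psrp_proxy (the psrp connection plugin's proxy option) pointed at the
# local SOCKS5 listener. socks5h resolves the target name through the proxy.
write_inventory() {
    cat > "$1" <<'EOF'
all:
  children:
    windows:
      hosts:
        srv01.corp.example.com:
        srv02.corp.example.com:
      vars:
        ansible_connection: psrp
        ansible_psrp_auth: kerberos
        ansible_psrp_protocol: https
        ansible_port: 5986
    behind_jump:
      hosts:
        srv03.corp.example.com:
      vars:
        ansible_connection: psrp
        ansible_psrp_auth: kerberos
        ansible_psrp_protocol: https
        ansible_port: 5986
        # assumed listener, opened with: ssh -D 1080 jump.corp.example.com
        ansible_psrp_proxy: socks5h://127.0.0.1:1080
EOF
}

main() {
    for port in 53 88; do
        tcp_open "$DC" "$port" || { echo "port $port/tcp to $DC is blocked" >&2; exit 1; }
    done
    ensure_tgt
    inv="$(mktemp)"
    write_inventory "$inv"
    ansible-playbook -i "$inv" "$PLAYBOOK"
}

# Only run the play when invoked as: sh kerb_play.sh run
case "${1:-}" in run) main ;; esac
```

Note that the SOCKS5 proxy only carries the PSRP/WinRM session; the TGT and service-ticket requests still go from the control node straight to the KDC on 88 (and name resolution to 53), which is exactly why those ports have to be open on the firewall even when the managed hosts are reached via the jump host. Only the TCP side is checked here; UDP 88/53 cannot be probed with a plain connect, so confirm those rules on the firewall itself.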