You can have a pre-auth ACL to allow certain traffic to the domain controllers on those ports before the auth is complete. This can get tricky, as the AD services use random ports in the high range 49152-65535 (TCP and UDP) for this service.
https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
A suggested ACL on the interface is something like this:
ip access-list extended ACL-DFLT-LESS-RESTRICT
 remark DHCP, DNS, ICMP
 permit udp any eq bootpc any eq bootps !DHCP
 permit udp any any eq domain !DNS
 permit icmp any any !ICMP Ping
 remark Allow Microsoft Ports (used for better login performance)
 permit tcp any host <Domain Controller> eq 88 !Kerberos
 permit udp any host <Domain Controller> eq 88 !Kerberos
 permit udp any host <Domain Controller> eq 123 !NTP
 permit tcp any host <Domain Controller> eq 135 !RPC
 permit udp any host <Domain Controller> eq 137 !NetBIOS-Nameservice
 permit tcp any host <Domain Controller> eq 139 !NetBIOS-SSN
 permit tcp any host <Domain Controller> eq 389 !LDAP
 permit udp any host <Domain Controller> eq 389 !LDAP
 permit tcp any host <Domain Controller> eq 445 !MS-DC/SMB
 permit tcp any host <Domain Controller> eq 636 !LDAP w/ SSL
 permit udp any host <Domain Controller> eq 636 !LDAP w/ SSL
 permit tcp any host <Domain Controller> range 49152 65535 !non-standard RPC
 permit udp any host <Domain Controller> range 49152 65535 !non-standard RPC
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny ip any any log
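
To sanity-check a pre-auth ACL like the one above before applying it, the following added example (not part of the original post) parses an abridged copy, evaluates flows top-down with first-match semantics, and flags repeated entries. Assumptions: `192.0.2.10` is a constructed stand-in for `<Domain Controller>`, and the parser only understands the `any` / `host` / `eq` / `range` forms used in this ACL, with the source always `any`.

```python
# Added example: first-match check of a pre-auth ACL (small subset of IOS syntax).
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}
DC = "192.0.2.10"  # constructed stand-in for <Domain Controller>
# Abridged copy of the ACL above; inline "!" notes are stripped by parse().
ACL = f"""
ip access-list extended ACL-DFLT-LESS-RESTRICT
 remark DHCP, DNS, ICMP
 permit udp any eq bootpc any eq bootps !DHCP
 permit udp any any eq domain !DNS
 permit icmp any any
 permit tcp any host {DC} eq 88 !Kerberos
 permit udp any host {DC} eq 88
 permit tcp any host {DC} eq 445
 permit tcp any host {DC} range 49152 65535
 permit udp any host {DC} range 49152 65535
 permit udp any any eq tftp
 deny ip any any log
"""
def _port(tok):
    return NAMED_PORTS.get(tok) or int(tok)
def _endpoint(toks):
    """Consume 'any' or 'host X' plus an optional eq/range port match."""
    host = None
    if toks.pop(0) == "host":
        host = toks.pop(0)
    ports = (0, 65535)
    if toks and toks[0] == "eq":
        toks.pop(0)
        ports = (_port(toks[0]),) * 2
        toks.pop(0)
    elif toks and toks[0] == "range":
        toks.pop(0)
        ports = (_port(toks.pop(0)), _port(toks.pop(0)))
    return host, ports
def parse(text):
    aces = []
    for line in text.splitlines():
        toks = line.split("!")[0].split()
        if toks and toks[0] in ("permit", "deny"):  # skip header and remarks
            action, proto = toks.pop(0), toks.pop(0)
            aces.append((action, proto, _endpoint(toks), _endpoint(toks)))
    return aces
def evaluate(aces, proto, dst, dport, sport=50000):
    for action, p, (_, sports), (dhost, dports) in aces:
        port_ok = proto not in ("tcp", "udp") or (
            sports[0] <= sport <= sports[1] and dports[0] <= dport <= dports[1])
        if p in ("ip", proto) and dhost in (None, dst) and port_ok:
            return action  # first matching entry wins
    return "deny"  # implicit deny at the end of every IOS ACL
def duplicates(aces):
    return [a for i, a in enumerate(aces) if a in aces[:i]]
```
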