diff --git a/README.md b/README.md
index c1b57d1..4dc21bc 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,7 @@ VMs only accept traffic from the Proxmox host (for Ansible) and the Nebula overl
 |-------|---------|
 | `admin` | Full access (your devices) |
 | `infrastructure` | Core services |
+| `ad` | Windows AD domain machines |
 | `projects` | Application workloads |
 | `games` | Isolated game servers |
 
diff --git a/ansible/templates/nebula-config.yml.j2 b/ansible/templates/nebula-config.yml.j2
index 0bfe52c..a8a0e78 100644
--- a/ansible/templates/nebula-config.yml.j2
+++ b/ansible/templates/nebula-config.yml.j2
@@ -61,6 +61,11 @@ firewall:
       proto: any
       group: projects
 
+  # AD domain machines can reach infrastructure (DNS forwarding, etc.)
+  - port: any
+    proto: any
+    group: ad
+
   # Allow ICMP from anyone (ping)
   - port: any
     proto: icmp
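Review bot: The new rule `- port: any / proto: any / group: ad` is far broader than the DNS forwarding its own comment names, and because Nebula evaluates these rules on the receiving host, nothing in the rule restricts it to infrastructure machines — every host that renders this template will accept all traffic from any domain-joined Windows machine. A compromised domain member is a common lateral-movement foothold, so pin the rule to the services actually required, e.g. `- port: 53` with `proto: any` and `group: ad`, adding further ports explicitly rather than via `any`, and replace "etc." in the comment with the concrete list. If this template is rendered for all VM groups rather than only infrastructure hosts (not visible in the hunk), wrap the rule in a Jinja conditional on the host's group so `projects` and `games` hosts do not inherit it. The enclosing `firewall:` rule list starts before the hunk.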