What I said was that the firewall sits on your DMZ border, and you know that, i.e. border management, which sits before Surfcontrol, MailSweeper and anti-virus servers, which in turn sit before your proxy and Exchange servers. Plus a PIX can block any port...
AD works well with all MS products for remote deployment of patches, updates and policies via group membership. It also controls deployment of configs, etc. You need to use the full potential of AD.
If you want a network diagram, I would be happy to email one to you, and we haven't had any intrusions or viruses for around 2 years...