Outside Interface - security level 0
DMZ interface - security level 50
Secure Interface - security level 100
Then put in specific ACLs to permit outside to DMZ and specific ACLs for DMZ to secure. Only permit into the DMZ what is needed. Nothing more. Lock it down by destination IP and port.
Traffic will automatically be permitted from higer security level to lower security level so inside can talk to DMZ and outside, etc...
Think of the DMZ as a network with the potential to be compromised because public traffic is allowed in. No public traffic is allowed into the inside secure network so that's probably where you want your domain control servers.
But like all things, it depends. Hope that helps.