Users normally need to sit in the same domain as AD. You can place the AD and end-users together in your internal network, but put them in separate VLANs.
With a firewall, it will break the domain, but I think you can still try and test it by allowing TCP 445 (open in the ACL) from AD to end-users (and vice versa).
There might be other ports needed as well, like netbios-ns (tcp/udp 137), netbios-dgm (tcp/udp 138) and netbios-ssn (tcp/udp 139).
Cheers!
AK