File Share Encryption

  • 1.  PGP Universal Server and offsite Drive Encryption clients

    Posted Jan 29, 2013 10:45 AM

    Currently, we have two clients using the latest release of Drive Encryption, controlled by our Universal Server which is also on the latest version.  These laptops are typically always in the office apart from going home at night or occasional travel.  This year we will be rolling out encryption to all of our laptops, around 30 total.  A handful of these are rarely, if ever, in the office, and very rarely connect via VPN.

    What is the best approach for these laptops?  If at all possible, I'd like them to be in contact with a server instead of on their own.  My server is an ESXi VM, so I can create a DMZ-only Universal Server if needed.



  • 2.  RE: PGP Universal Server and offsite Drive Encryption clients

    Posted Jan 29, 2013 11:13 AM

    The standard practice is to have the Universal Server inside the DMZ anyway, so it's reachable by an FQDN - keys.companyname.com, so just move your current Universal Server inside the DMZ and you're golden :)



  • 3.  RE: PGP Universal Server and offsite Drive Encryption clients

    Posted Jan 29, 2013 11:17 AM

    What about Active Directory?  I neglected to mention I have the server contacting LDAP, and it uses that for SSO on the workstations.

    One other question - are there any implications if a client goes an extended period of time without server contact?



  • 4.  RE: PGP Universal Server and offsite Drive Encryption clients

    Posted Jan 29, 2013 11:45 AM

    It can still sync with AD, you can even use LDAPS if you're concerned about privacy.

    In terms of "extended period of time", not really, no; only policy updates you make it won't get, that's about it.  There's no automatic "cleanup" in the Universal Server.



  • 5.  RE: PGP Universal Server and offsite Drive Encryption clients

    Posted Jan 29, 2013 01:28 PM

    LDAPS is already enabled; however, what I'm really concerned with is contacting a DC.  I'm guessing either a read-only DC or some other form of domain services in the DMZ would be the recommended approach?



  • 6.  RE: PGP Universal Server and offsite Drive Encryption clients

    Posted Apr 03, 2013 11:55 AM

    You can also have 2 Universal Servers, one in the DMZ, one internal, and all inter-Universal Server traffic is encrypted, and cluster them.