If there is no existing Windows domain, this should be fairly straightforward. You can have a single domain and configure the various sites as, well, sites, in Active Directory. I recommend placing a domain controller at each site so that if connectivity goes down, the users can still log in.
Are you already running VPNs connecting the sites? If so, and the private ranges at each site don’t overlap, then connectivity shouldn’t be an issue. If you have overlapping IP ranges, then either change this or use what Linux refers to as “twice NAT”. Even if it is more work, I would recommend numbering the nets so that there is no overlap.
Going to Active Directory from a Win2k or 2k3 server shouldn’t be a problem. Get rid of the NT 4.0 box when you can. Don’t even consider it as a domain controller.
Notice how I am assuming your systems are on private IPs behind NATing firewalls. I strongly recommend against placing Windows boxes directly on the Internet without firewall protection. I know Microsoft likes to say their systems are secure now, but my experience tells me it is only a matter of time before a Windows machine with a public IP and no firewall to protect it is compromised. If your DSL gateways are firewalls with site-to-site VPN capability, you are set.
If some sites are too small to have a domain controller, then these systems should have local accounts to fall back on if connectivity to the domain controllers goes down.
Has this answered your concerns?
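The reply above hinges on one check before the VPNs and the AD sites get built: do the private ranges at the sites overlap, and is every site actually on RFC 1918 space? The script below is an added example, not code from the original post or its author. The site names and CIDR blocks in SAMPLE_PLAN and RENUMBERED_PLAN are constructed sample data; the function names are the example's own. It reports every pair of sites whose ranges overlap (identical ranges and one range nested inside another both count, since either breaks plain routing across a site-to-site VPN and forces you into twice NAT), and flags any site that is not on RFC 1918 space.

```python
"""Check a multi-site address plan for overlapping or non-private ranges.

Added example, not code from the original post. Site names and CIDR blocks
below are constructed sample data.
"""
import ipaddress
from itertools import combinations

# RFC 1918 private address space, checked explicitly rather than via
# IPv4Network.is_private, which also matches loopback, link-local, etc.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample plan, as it might look before renumbering: two branches
# kept the default 192.168.1.0/24 of their DSL gateway, one branch was carved
# out of head office's /16, and a lab sits on a public (documentation) range.
SAMPLE_PLAN = {
    "head-office": "10.1.0.0/16",
    "branch-a": "192.168.1.0/24",
    "branch-b": "192.168.1.0/24",
    "branch-c": "10.1.200.0/24",
    "warehouse": "172.16.5.0/24",
    "dmz-lab": "203.0.113.0/24",
}

# The same sites after renumbering: one /16 per site out of 10.0.0.0/8.
RENUMBERED_PLAN = {
    "head-office": "10.1.0.0/16",
    "branch-a": "10.2.0.0/16",
    "branch-b": "10.3.0.0/16",
    "branch-c": "10.4.0.0/16",
    "warehouse": "10.5.0.0/16",
    "dmz-lab": "10.6.0.0/16",
}


def parse_plan(plan):
    """Return {site: IPv4Network}; strict=True rejects CIDRs with host bits set."""
    return {site: ipaddress.ip_network(cidr, strict=True) for site, cidr in plan.items()}


def find_overlaps(plan):
    """Return a sorted list of (site_a, site_b) pairs whose ranges overlap.

    IPv4Network.overlaps() is true both for identical ranges and for one range
    nested inside another; either case makes a destination ambiguous once the
    sites are joined by VPN, which is what forces twice NAT.
    """
    nets = parse_plan(plan)
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def non_rfc1918_sites(plan):
    """Return sorted site names whose range is not inside RFC 1918 space."""
    nets = parse_plan(plan)
    return sorted(
        site for site, net in nets.items()
        if not any(net.subnet_of(block) for block in RFC1918)
    )


def plan_is_clean(plan):
    """True when no two sites overlap and every site is on RFC 1918 space."""
    return not find_overlaps(plan) and not non_rfc1918_sites(plan)


def report(plan):
    """Print a human-readable summary of the checks for one plan."""
    for a, b in find_overlaps(plan):
        print(f"OVERLAP: {a} ({plan[a]}) and {b} ({plan[b]}) - renumber or use twice NAT")
    for site in non_rfc1918_sites(plan):
        print(f"NOT PRIVATE: {site} ({plan[site]}) - should sit behind NAT on RFC 1918 space")
    print("clean" if plan_is_clean(plan) else "needs work")


if __name__ == "__main__":
    print("-- before renumbering --")
    report(SAMPLE_PLAN)
    print("-- after renumbering --")
    report(RENUMBERED_PLAN)
```

Run it as-is to see the before/after reports, or replace the two dictionaries with your own site list. Overlap pairs come back sorted by site name, so the output is stable enough to diff between revisions of the plan.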