If you have managed to get away with a hot clone of your AD and it seems fine, you can continue on with that. However, when you clone a DC a cold clone is always recommended and usually causes fewer problems, because AD is a sequential database that has no way to turn it off. A cold clone allows you to boot into a Linux boot CD environment to clone the box, meaning no services are running, which means you get all the data.
As far as your DMZ question goes, you have 2 options.
Option 1 (Keeping it simple)
You can dedicate 1-2 physical NICs on the ESX host to a DMZ vSwitch. This can be seen as a "waste of NICs"; however, it keeps it the simplest and allows you to plug everything in the same way as if it were physical. For instance:
vSwitch0
    Service Console    vmnic0
    VM Network         vmnic1
vSwitch1
    DMZ Network        vmnic2, vmnic3
You would then just plug vmnic2 and vmnic3 on the host into your DMZ ports on your switch. When you create your VM, you would create 1 virtual NIC and bind it to the VM Network, and create a 2nd virtual NIC to bind to the DMZ network.
Option 2 (VLANs)
A VLAN allows you to tag traffic so you can route different traffic to different places. It also allows you to separate networks so they can't communicate with each other, AKA a DMZ or test lab.
In VMware you are able to tag VLANs on your port groups, and then, based on the tagging you put on your switch ports, your switch will route traffic to the proper location. For instance, if you have your DMZ Network with VLAN 10, any traffic leaving that virtual switch will have a VLAN tag of 10 when it hits your physical switch. So when your physical switch sees this traffic (if it is set up correctly) it will see "oh, this traffic has VLAN 10, I route this to port 2 on my firewall", which is your DMZ, etc.
I hope this makes sense or has helped shed some light on the topic.
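The two layouts described in the post above, written as data with a check that the DMZ port group is separated from the internal ones, either by dedicated uplinks (option 1) or by its own VLAN tag on shared uplinks (option 2). This is an added example, not part of the original post; the `PortGroup` structure, the `dmz` flag, the `audit` function and the sample layouts (including the untagged internal port groups and the uplink choice in the VLAN variant) are constructed assumptions.

```python
from collections import namedtuple

# vlan 0 means the port group is untagged; dmz marks DMZ-facing port groups.
PortGroup = namedtuple("PortGroup", "name vswitch vlan uplinks dmz")

def audit(portgroups):
    """Return one finding per DMZ/internal pair that shares a physical uplink
    without a VLAN tag keeping the two networks apart."""
    findings = []
    dmz = [p for p in portgroups if p.dmz]
    internal = [p for p in portgroups if not p.dmz]
    for d in dmz:
        for i in internal:
            shared = sorted(set(d.uplinks) & set(i.uplinks))
            if not shared:
                continue  # option 1: DMZ has its own physical NICs
            nics = ", ".join(shared)
            if d.vlan == 0:
                findings.append(f"{d.name} ({d.vswitch}) is untagged on {nics}, shared with {i.name}")
            elif d.vlan == i.vlan:
                findings.append(f"{d.name} ({d.vswitch}) uses VLAN {d.vlan} like {i.name} on {nics}")
    return findings

# Constructed layouts. OPTION1 mirrors the vSwitch0/vSwitch1 listing in the post.
OPTION1 = [
    PortGroup("Service Console", "vSwitch0", 0, ("vmnic0",), False),
    PortGroup("VM Network", "vSwitch0", 0, ("vmnic1",), False),
    PortGroup("DMZ Network", "vSwitch1", 0, ("vmnic2", "vmnic3"), True),
]
# Option 2: DMZ shares vmnic1 with VM Network but carries VLAN tag 10.
OPTION2 = [
    PortGroup("Service Console", "vSwitch0", 0, ("vmnic0",), False),
    PortGroup("VM Network", "vSwitch0", 0, ("vmnic1",), False),
    PortGroup("DMZ Network", "vSwitch0", 10, ("vmnic1",), True),
]
# Mistake to catch: DMZ moved onto a shared uplink but the VLAN tag was never set.
MISCONFIGURED = [
    PortGroup("Service Console", "vSwitch0", 0, ("vmnic0",), False),
    PortGroup("VM Network", "vSwitch0", 0, ("vmnic1",), False),
    PortGroup("DMZ Network", "vSwitch0", 0, ("vmnic1",), True),
]

if __name__ == "__main__":
    for label, layout in (("option 1", OPTION1), ("option 2", OPTION2),
                          ("misconfigured", MISCONFIGURED)):
        print(label, audit(layout) or "DMZ separated")
```

The check only covers the host side; the physical switch ports and firewall still have to be set up to match, as the post notes.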