Use of Microsoft stand-alone root CA for VPN, Simple Certificate Enrollment Protocol (SCEP)

Discussion in 'Server Networking' started by Edward W. Ray/502974, Apr 6, 2004.

  1. I currently have a Windows 2003 native Active Directory Domain located
    behind a Netscreen-50 firewall. One of my domain controllers is set up as a
    stand-alone root CA. The Windows AD computers have no routable IPs; they
    are all NAT-mapped behind the firewall. A DHCP server runs behind the
    firewall to assign static IPs to each computer which joins the domain. I
    plan to use a Netscreen 5GT at the client end to establish the VPN tunnel.
    Some questions:

    1. Can I keep the domain controller NAT-mapped or will I have to assign
    it a routable static IP?

    2. Is it possible to use SCEP to automate enrolling a PKCS10 cert?

    3. Will I need to install the certificate on the 5GT prior to
    establishing the tunnel?

    4. Can a VPN-connected computer join a Windows 2003 native AD domain?

    5. Can I join the remote computer to the Windows 2003 AD through the VPN
    tunnel, or will I have to join it prior to establishing the VPN tunnel?

    I already have a Netscreen doc to guide me through the VPN connection. If
    there are some corresponding Microsoft docs which address my questions,
    please provide the link.

    Thanks in advance!

    Edward W. Ray
    Edward W. Ray/502974, Apr 6, 2004
