Thank you for putting this information together.  I have a few followup questions, some of which may be addressed in 4.5, others may simply be configuration issues on my end.

I have successfully gotten DNN to recognize and pull basic AD data when a user logs in on my test intranet setup.  My concerns are the following:

1. How do I get the user's AD groups to populate the matching DNN groups?  For example, if the AD user is in the DOMAIN\SECGROUP1 group and I have a DNN group called DOMAIN\SECGROUP1, shouldn't the user automatically be added to the group when they log in?  I did install the AD FIX code that somebody put together that would double-check and sync a user's settings each time they log in, so I can only assume that's all I needed to do.
   

   This should happen automatically in DNN 4.6.X. In DNN 4.5.5 and below it required an installation of the DNN AD Fix available at http://dnn.gmss.org.

2. I am getting the IIS authentication popup login window whenever a user tries to connect to the site; I would like them to either (a) automatically log in if they're already on the network and connect to the DNN url, or (b) use the DNN login box to log in with instead.  The IIS authentication box DOES log the user into DNN as expected, but I'm trying to avoid that pop up.  Ideally, I would like the home page to be available to all users (authenticated or not), with the DNN login box available for those who need to log in.  If this is related to adding intranet.domain.com to my "local/trusted intranet" settings in my browser, then that option didn't work for me and actually caused me to be unable to connect to the site (has to do with the way our firewall is set, I'm guessing, where certain types of traffic gets routed outside and around the elbow and other traffic isn't -- keeping the site out of the local intranet zone allows me to access the site and log in, but via the IIS popup)
   

   Unfortunately you can't have internal users automatically login and external users hit the standard homepage without specialized modification to the code-behind. To have all users go through the standard login options comment out the <add name="Authentication" /> in the web.config. You can still have AD logins they just won't be automatic.

3. How does changing a users' information in DNN work with AD?  Is it a one-way street, where the DNN database is populated once and any changes thereafter in DNN do not get migrated back into AD?  That's fine with me if so, but I'm sure it will come up as a question from others.
   

   It's a one way street (AD->DNN). I would have to really look into the security ramifications of allowing changes in DNN to be written to the AD.

4. Has somebody written an AD-based phone directory/contact list that pulls the AD info instead of the DNN users database?  This would be helpful to list people who haven't yet logged into DNN and had their user account created.  Similarly, has anybody written a sync job that would remove or disable DNN users if their AD user account was deleted or suspended?
   

   Not that I know of yet. With the new provider I don't think it would allow a deleted or suspended account to login but I also haven't tested against it.

5. We have two different ways people can log in on our system.  One is using DOMAIN\USERNAME (my preferred method); the other is USERNAME@DOMAIN.COM.  In both cases, the correct information is pulled from AD into DNN, but it is creating two different user accounts in DNN.  Aside from yelling at people about using the correct username to log in with, does anyone have other suggestions on how to deal with this?
   

   Errrmmmm I'm not sure if I've accounted for that in the initial 4.6.0 release of the provider (not near the code at the moment). If someone could test this and log it as a bug in Gemini (http://support.dotnetnuke.com) I would appreciate it.

Oh, I'm sure I'll have more questions.  TIA.