active directory + squid planning for a large network with over than 7000 users
You don't want, and likely don't need multiple Active Directory domains to manage. Basically, you always want to avoid multi-domain AD deployments if you can help it. (And you really want to avoid multi-forest deployments...)
In a Windows 2000 or Windows 2003 Active Directory, one used multiple domains when there were different groups of users who needed different password policies. Windows 2008 Active Directory can have granular password policies and eliminates this need.
In Windows 2000 - 2008 Active Directory, using multiple domains to partition the AD database into smaller units of replication is also a valid reason. An Active Directory with under 10,000 users isn't really all that large. You likely don't need to use multiple domains for partitioning of replication.
Having usernames read a certain way (i.e. [email protected] versus [email protected]) can be accomplished in a single domain with alternative User Principal Name (UPN) suffixes and isn't a valid reason for deploying a multi-domain infrastructure.
Using Squid and NTLM authentication is a perfectly valid solution for authenticating Internet access. Sizing of your Squid server computers and Active Directory domain controller computers isn't something that Server Fault can reasonably do with the information you've given above. Microsoft has an Active Directory Sizing Tool, but it hasn't been updated in several years (either for updated versions of Windows or updated server hardware specs).
In a setting like this you really need to think much more about identity management than you need to think about the actual user directory mechanism itself. They all can scale to this size trivially.
You should ask yourself about account life-cycles and business rules around account provisioning and roles in your organization. How are accounts going to be created, modified, and deleted? You're not planning on doing it by hand, are you?
As far as your border goes, I'm a fan of freebsd; I'd probably use a simple pair of pf firewalls with carp to do failover, and a transparent proxy for reducing network utilization as much as possible.