
Can someone explain the best method of mac server network rollout?

Hi there,


Currently I have a client who started with 4 computers and a mac mini server for their file sharing.


They've now expanded and have just over 20 computers. I'm conscious of the fact that security is becoming an issue, and I'd like to tighten it up a bit - is there a common-practice rollout that is performed?


I'm torn between the idea of having some sort of centralised login, with all settings managed by the server, and giving users home directories so all computers are just being used as terminals. Are there any drawbacks to this? What do most companies of this size do? They also have a couple of laptops that travel a lot - I guess these would need to be set up differently?


Email and calendaring etc. are currently handled by Gmail, but all their files are in-house.


Any information would be most appreciated,


Thanks

Mac mini, Mac Server OS X 10.6

Posted on Jul 5, 2011 1:50 AM


Jul 5, 2011 3:45 AM in response to GamesNET2

There is no single scheme, as most every customer I've dealt with here has different requirements and constraints.


For more than a handful of systems, Open Directory (once set up) (usually) makes distributed operations easier.


Open Directory with local or served or portable home directories, gigabit wired for the core links (or better, depending on the traffic), 802.11n access points for wireless (preferably non-overlapping 5 GHz), external VPN-capable firewall with additional features as required, and get DNS services stable and working on a registered domain or subdomain of a registered domain (wonky DNS causes all manner of weirdness with network security and with various other services).


Depending on local security requirements and the local network topology, you may want or need to add additional subnets. In general, get out of the 192.168.0.0/24 and 192.168.1.0/24 subnets and preferably entirely out of the 192.168.0.0/16 block to avoid all the "fun" those (common) subnets will cause for remote VPNs. Get to DHCP where you can. (It's easier to change subnets when the network is small, and usually gets uglier as you get bigger, and as you acquire more fixed-address devices.)


And you likely will be adding VPN connections for yourself and then specific folks at the customer site, even if the client doesn't think they will want those for more general access. All protestations to the contrary, many customers will generally make some analog of an "oooh, cool" noise sooner or later, once they see how the VPNs work.


Network security is a whole series of trade-offs and guesses around its value and its costs, and how big a target is painted on your customer from outside, from inside and from the occasional disgruntled associate.


My preference is for the external firewall/gateway/router, and particularly a server-grade device. If your customer has an external presence (web, mail, etc.), then consider a DMZ for the remote-accessible services. (Again, the local requirements here vary, and different customers can and usually will have sensitivities to data and data loss, and different values as attack targets, and differing budgets.)


It's easiest to do a wipe-and-install on the clients, to bring those into the Open Directory network. (It's possible to promote existing standalone clients, but that can sometimes get a little weird.) The biggest issue here (in any case) tends to be with getting the file ownerships correct for the new user entries used in the Open Directory environment, as these have different ids and GUIDs.


Apple's Client Management Whitepaper is a reasonable starting point for a condensed list of terms for your future Google searches and for the general concepts you'll be using, and then start reading the Mac OS X Server documentation for Open Directory and networking, and for the security manual. Also have a look at the archives of the Mac Enterprise mailing list.
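The file-ownership step the reply warns about (old local-account UIDs versus the new Open Directory accounts), as an added example that is not part of the thread or of Apple's documentation: plan the re-owning first, surface files whose owner is not in your map, and only then apply. It assumes a map file of "OLD_UID:NEW_USER" lines and a share path; the UID, the short name "jdoe" and the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): re-own files that still carry the old
# local-account UID after users are recreated as Open Directory accounts.
# Assumed input format for the map file: one "OLD_UID:NEW_USER" per line,
# '#' comments allowed. Needs GNU or BSD find (-uid primary).

# plan_reown SHARE_ROOT MAP_FILE
# Prints "path<TAB>old_uid<TAB>new_user" for every entry under SHARE_ROOT
# (files and directories) whose numeric owner is in the map. Changes nothing.
plan_reown() {
    share_root=$1 map_file=$2
    while IFS=: read -r old_uid new_user; do
        case $old_uid in ''|'#'*) continue ;; esac
        find "$share_root" -uid "$old_uid" -print | while IFS= read -r path; do
            printf '%s\t%s\t%s\n' "$path" "$old_uid" "$new_user"
        done
    done < "$map_file"
}

# list_unmapped SHARE_ROOT MAP_FILE
# Prints entries owned by a UID the map does not cover; these need a manual
# decision (ex-employee, service account) rather than a blind chown.
list_unmapped() {
    share_root=$1 map_file=$2
    set --
    while IFS=: read -r old_uid new_user; do
        case $old_uid in ''|'#'*) continue ;; esac
        set -- "$@" ! -uid "$old_uid"
    done < "$map_file"
    find "$share_root" "$@" -print
}

# apply_plan  (reads a plan on stdin; run as root on the server)
# chown -h re-owns a symlink itself rather than whatever it points at.
# Prints the number of entries successfully re-owned.
apply_plan() {
    tab=$(printf '\t')
    count=0
    while IFS="$tab" read -r path old_uid new_user; do
        chown -h "$new_user" "$path" && count=$((count + 1))
    done
    echo "$count"
}

# Typical use on the server once the new OD accounts exist (placeholder paths):
#   plan_reown /Volumes/Data/Shared /root/uidmap.txt > /root/reown.plan
#   list_unmapped /Volumes/Data/Shared /root/uidmap.txt   # review before applying
#   apply_plan < /root/reown.plan
```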
