03-18-2008 10:15 PM
I'd like to set up an LDAP Accept query against AD & Exchange to verify recipient addresses. When I test the query, I'm getting a configuration error. I'm using the following query string: (|(mail={a})(proxyAddresses=smtp:{a})). I'm an Ironport newbie so I'm probably overlooking something simple.
03-19-2008 09:53 AM
This is what I am using for the accept query:
(proxyAddresses=smtp:{a})
Also tested:
(|(mail={a})(proxyAddresses=smtp:{a}))
Both seem to work.
The other thing to look at: are you using authentication or anonymous for LDAP? If you are using a username and password, check that the details are correct.
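Worked example (added here, not code posted by anyone in the thread): a Python script that expands the accept-query template from the thread for a given RCPT TO address the way an LDAP client has to, escaping the address per RFC 4515, and then evaluates the expanded filter against a couple of constructed AD-style entries. The entries, the address values and the evaluator are assumptions made for illustration; the evaluator only handles the (|...), (&...) and (attr=value) shapes the thread uses and ASCII values.

```python
"""Added example, not from the thread: expand the thread's accept-query
template for a RCPT TO address, escaping it per RFC 4515, and evaluate the
result against constructed AD-style entries to show why escaping matters."""
import fnmatch

ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"   # query string from the thread

# Constructed sample entries (hypothetical): attribute names lower-cased, values as lists.
SAMPLE_ENTRIES = [
    {"cn": ["Jane Doe"], "mail": ["jdoe@unitedtrust.com"],
     "proxyaddresses": ["SMTP:jdoe@unitedtrust.com", "smtp:jane.doe@unitedtrust.com"]},
    {"cn": ["Pat Roe"], "mail": ["proe@unitedtrust.com"],
     "proxyaddresses": ["SMTP:proe@unitedtrust.com"]},
]

def ldap_escape(value):
    """RFC 4515: encode \\ * ( ) NUL (and any non-printable/non-ASCII byte) as \\XX."""
    return "".join(
        "\\%02x" % b if (b in b"\\*()\x00" or b < 0x20 or b > 0x7E) else chr(b)
        for b in value.encode("utf-8"))

def expand_query(template, rcpt, escape=True):
    """Substitute {a}; escape=False reproduces an unsafe, injectable substitution."""
    return template.replace("{a}", ldap_escape(rcpt) if escape else rcpt)

def _to_glob(value):
    """Assertion value -> fnmatch pattern: a raw '*' is a wildcard, a \\XX escape is literal."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":                      # \XX -> literal character (ASCII assumed)
            out.append("[%s]" % chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] in "?[":                    # fnmatch metacharacters LDAP does not have
            out.append("[%s]" % value[i])
            i += 1
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_filter(text, pos=0):
    """Parse (|...), (&...) and (attr=value) nodes; returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            kid, pos = parse_filter(text, pos)
            kids.append(kid)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, kids), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively like AD."""
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    _, attr, value = node
    pattern = _to_glob(value).lower()
    return any(fnmatch.fnmatchcase(v.lower(), pattern) for v in entry.get(attr, []))

def accepted_recipients(entries, rcpt, escape=True):
    """Return the 'mail' values of entries the expanded accept query matches."""
    node, _ = parse_filter(expand_query(ACCEPT_QUERY, rcpt, escape))
    return [e["mail"][0] for e in entries if matches(node, e)]

if __name__ == "__main__":
    for addr in ("jane.doe@unitedtrust.com", "nobody@unitedtrust.com", "*@unitedtrust.com"):
        print(addr, "->", accepted_recipients(SAMPLE_ENTRIES, addr))
    print("unescaped wildcard ->", accepted_recipients(SAMPLE_ENTRIES, "*@unitedtrust.com", False))
```

The escape=False branch is there to show the failure mode: the recipient address arrives from an untrusted SMTP peer, and if the {a} substitution does not escape it, an address such as *@unitedtrust.com turns the equality assertion into a substring filter that matches every mailbox in the domain, so the accept query stops rejecting anything. With escaping, the asterisk becomes \2a and matches only a literal asterisk.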
03-19-2008 04:05 PM
Also double check what port is being used; if you only have one AD server then you may be able to communicate on both 3268 and 389.
One way of testing network connectivity is to telnet from the command line on both ports. Once you know they work, you can start testing the username/password for the BIND procedure (authentication).
You can just enter username and not domain\username.
Apart from that, the query string looks fine; it will simply check both attributes for the RCPT TO value.
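Worked example (added here, not code posted by anyone in the thread): a Python script for the two checks the post above describes, first the telnet-style test that TCP 389 and 3268 answer, then a trial LDAPv3 simple bind with the username/password. The bind message is hand-rolled BER so no LDAP library is needed. The host, bind name and password are placeholders, and stub_directory is a loopback stand-in for a domain controller so the script can be exercised offline; it is not part of any IronPort or AD tooling.

```python
"""Added example, not from the thread: verify TCP reachability of an AD host on
389 and 3268, then try an LDAPv3 simple bind with hand-rolled BER (no LDAP library
needed).  Host, bind name and password below are placeholders."""
import socket
import threading

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def bind_request(msg_id, bind_name, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple } }.
    Empty name and password make it an anonymous bind."""
    body = tlv(0x02, ber_int(3)) + tlv(0x04, bind_name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, body))

def read_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 128:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def bind_result(resp):
    """resultCode from a BindResponse: 0 success, 49 invalidCredentials, etc."""
    _, msg, _ = read_tlv(resp)              # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)               # messageID
    tag, body, _ = read_tlv(msg, pos)       # [APPLICATION 1] BindResponse
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, _ = read_tlv(body)             # ENUMERATED resultCode
    return int.from_bytes(code, "big")

def port_open(host, port, timeout=3.0):
    """The telnet connectivity test from the thread, scripted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def try_bind(host, port, bind_name, password, timeout=5.0):
    """Send one simple bind and return the server's resultCode (cleartext on 389!)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_name, password))
        return bind_result(s.recv(4096))

def stub_directory(good_password):
    """Loopback stand-in for a DC (test harness only): answers one bind with 0 if the
    simple password matches, else 49 (invalidCredentials).  Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            data = conn.recv(4096)
            if not data:                            # bare connectivity probe, no bind
                return
            _, msg, _ = read_tlv(data)
            _, mid, pos = read_tlv(msg)
            _, req, _ = read_tlv(msg, pos)
            _, _, pos = read_tlv(req)               # version
            _, _, pos = read_tlv(req, pos)          # name
            _, pw, _ = read_tlv(req, pos)           # simple password
            code = 0 if pw == good_password.encode() else 49
            body = tlv(0x0A, ber_int(code)) + tlv(0x04, b"") + tlv(0x04, b"")
            conn.sendall(tlv(0x30, tlv(0x02, mid) + tlv(0x61, body)))

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    HOST = "10.1.255.2"                                # placeholder AD/GC address
    for p in (389, 3268):
        print(p, "open" if port_open(HOST, p) else "closed")
    print("bind result", try_bind(HOST, 389, "svc-ironport", "ChangeMe"))  # placeholders
```

A resultCode of 0 means the bind credentials are accepted; 49 is invalidCredentials, which is what a typo in the username or password looks like from the wire. Note that a simple bind on 389 (like the telnet test) sends the password in clear, so use it on a trusted management network or switch the IronPort's LDAP profile to LDAPS/StartTLS once the basic connectivity question is settled.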
03-19-2008 04:27 PM
I discovered I had to use the IP address of the LDAP server instead of the Host name. All is working well now. Thanks for the help.
03-19-2008 07:57 PM
I'm noticing the following error message in my mail_logs file. Does this just indicate Ironport was not able to find a match for the sender address when querying AD or is it a problem that I need to be concerned about?
Wed Mar 19 13:34:22 2008 Critical: LDAP: query DNS result DNS Hard Error looking up 10.1.255.2.unitedtrust.com (A): NXDomain
03-26-2008 10:53 PM
OK, so what happens on every connection is that the IronPort performs a forward and reverse lookup.
I'm having a stab in the dark that you are not using your own internal DNS server on the IronPort. If this is the case then you probably need to swap it over.
If this continues I would log a support ticket.
03-27-2008 03:55 PM
You are correct. I'm using the Internet's Root DNS Servers and unitedtrust.com is our internal domain name. Our internal DNS is set to forward unresolved DNS queries to the DNS servers of our ISP. If I change IronPort to point to our internal DNS server, can you think of any negative ramifications?