A: There is no definite right or wrong here (unless you want to install a major application, such as Exchange, on your DC). Generally, you want a DC to be just a DC, with nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime. Ideally, a DC should be easy to replace, just by standing up another DC. When you put other software and roles on a DC, you make it harder to replace it.

There are certain pieces of software and roles you probably will run on your domain controllers which are normal:

  • Anti-virus software (making sure you have the right exceptions configured to avoid conflict with AD, as detailed on this page)
  • Backup Agents (e.g., System Center Data Protection Manager)
  • Monitoring Agents (e.g., System Center Operations Manager)
  • Patching and Management (e.g., System Center Configuration Manager)
  • Identity Management agent or code (e.g., Forefront Information Lifecycle Management)
  • DNS role (because of the integration possible with Active Directory)
  • File Replication Service and Distributed File System Replication (used for SYSVOL replication)
  • Management scripts

While not recommended necessarily, you may also see the following on DCs, and they shouldn't be huge problems:

  • Security Policy software where Group Policy is not the primary tool
  • DHCP services
  • Network packet capture software for troubleshooting
  • WINS
  • Password filters
  • Event log consolidation programs
  • Key Management Services (KMS)

This isn't exhaustive, but should give you the right ideas about what is common. Just remember to keep your DCs light so they're easy to replace.
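As an added example that is not part of the answer above, the following PowerShell audits a domain controller's installed roles and role services against the short allow-list the answer describes (AD DS, DNS and DFSR as normal; DHCP and WINS as tolerated) and flags anything else for review. It assumes the ServerManager module's `Get-WindowsFeature` feature names shown in the comments; the `File-Services`/`FS-FileServer` entries are included because the SYSVOL share and DFSR pull them in, and the list should be adjusted to your own baseline.

```powershell
# Added example, not from the original answer: list installed roles on this DC
# and classify each one against the answer's "normal" and "tolerated" sets.
# Run in an elevated PowerShell session on the domain controller itself.

# Roles the answer treats as normal on a DC
$expectedRoles = @(
    'AD-Domain-Services',   # the DC role itself
    'DNS',                  # AD-integrated DNS
    'FS-DFS-Replication',   # DFSR, used for SYSVOL replication
    'FileAndStorage-Services', 'File-Services', 'FS-FileServer'  # pulled in by SYSVOL/DFSR (assumption)
)

# Roles the answer calls "not recommended, but not huge problems"
$toleratedRoles = @(
    'DHCP',
    'WINS'
)

function Get-DcRoleAssessment {
    <#
    .SYNOPSIS
      Returns one object per installed role/role service with an Assessment of
      'expected', 'tolerated', or 'REVIEW' (anything outside the allow-lists).
    #>
    [CmdletBinding()]
    param()

    Import-Module ServerManager -ErrorAction Stop

    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -in @('Role', 'Role Service') } |
        ForEach-Object {
            $assessment = if ($expectedRoles -contains $_.Name) { 'expected' }
                          elseif ($toleratedRoles -contains $_.Name) { 'tolerated' }
                          else { 'REVIEW' }
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Assessment  = $assessment
            }
        }
}

# Usage: show everything, with the items needing review first.
Get-DcRoleAssessment |
    Sort-Object @{ Expression = { $_.Assessment -eq 'REVIEW' }; Descending = $true }, Name |
    Format-Table -AutoSize

# Non-zero exit code when an unexpected role is present, so the check can run
# from a scheduled task or configuration-management job.
$unexpected = Get-DcRoleAssessment | Where-Object Assessment -eq 'REVIEW'
if ($unexpected) {
    Write-Warning ("{0} role(s) on this DC are outside the baseline: {1}" -f
        $unexpected.Count, ($unexpected.Name -join ', '))
    exit 1
}
```

Roles such as a web server or a mail system installed for an application will show up as `REVIEW`, which is exactly the "harder to replace" situation the answer warns about; agents (anti-virus, backup, monitoring) are installed as applications rather than Windows roles, so they are out of scope for this particular check.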