A: There is no definite right or wrong here (unless you want to install a major application, such as Exchange, on your DC). Generally, you want a DC to be just a DC, with nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime. Ideally, a DC should be easy to replace, just by standing up another DC. When you put other software and roles on a DC, you make it harder to replace it.
There are certain pieces of software and roles you probably will run on your domain controllers which are normal:
- Anti-virus software (making sure you have the right exceptions configured to avoid conflict with AD, as detailed on this page)
- Backup Agents (e.g., System Center Data Protection Manager)
- Monitoring Agents (e.g., System Center Operations Manager)
- Patching and Management (e.g., System Center Configuration Manager)
- Identity Management agent or code (e.g., Forefront Information Lifecycle Management)
- DNS role (because of the integration possible with Active Directory)
- File Replication Service and Distributed File System Replication (used for SYSVOL replication)
- Management scripts
While not necessarily recommended, you may also see the following on DCs, and they shouldn't be huge problems:
- Security Policy software where Group Policy is not the primary tool
- DHCP services
- Network packet capture software for troubleshooting
- WINS
- Password filters
- Event log consolidation programs
- Key Management Services (KMS)
This isn't exhaustive, but should give you the right ideas about what is common. Just remember to keep your DCs light so they're easy to replace.
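One way to check a DC against the lists in this answer is to inventory its installed roles and applications and flag anything outside an allowlist. The script below is an added example, not code from the original answer or any project; it assumes an elevated PowerShell session on a Windows Server domain controller, and the `$allowedRoles` list (standard Windows Server feature names for the roles the answer calls normal or tolerable) is an assumption you should adapt to your own environment.

```powershell
# Added audit script (not from the original answer). Assumptions: run elevated on a
# Windows Server DC; $allowedRoles is a starting point to adapt locally.

# Top-level roles the answer considers acceptable on a DC. FileAndStorage-Services
# is installed when a server is promoted (SYSVOL/NETLOGON shares depend on it);
# VolumeActivation is the KMS host role. WINS is a feature, not a role, and is not
# flagged by the role check below.
$allowedRoles = @('AD-Domain-Services', 'DNS', 'DHCP', 'FileAndStorage-Services', 'VolumeActivation')

# 1. Installed top-level roles that are not on the allowlist (e.g., Web-Server,
#    Print-Services). Only FeatureType 'Role' is checked so baseline features such as
#    .NET, PowerShell and RSAT tools do not generate noise.
$unexpectedRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $allowedRoles -notcontains $_.Name } |
    Select-Object Name, DisplayName

# 2. Installed applications, read from both the 64-bit and 32-bit Uninstall keys, so
#    anti-virus, backup, monitoring and management agents can be reviewed by name.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installedApps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

# 3. Explicit check for the one major application the answer singles out.
$exchange = $installedApps | Where-Object { $_.DisplayName -like 'Microsoft Exchange Server*' }

Write-Host '=== Roles installed beyond the allowlist ==='
if ($unexpectedRoles) { $unexpectedRoles | Format-Table -AutoSize } else { Write-Host '(none)' }

Write-Host "`n=== Installed applications (review against the agent list in the answer) ==="
$installedApps | Format-Table -AutoSize

if ($exchange) {
    Write-Warning "Exchange Server is installed on this DC: $($exchange.DisplayName -join ', ')"
}
```

The role check is strict and the application list is intentionally left for manual review, because agent product names vary by vendor; if you standardize on specific agents, extend the script with a second allowlist matched against `DisplayName` and have it warn on anything else.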