As already said everything is very individual and depends on available resources, objectives, future plans and other things.
If we assume a small office, strong boundedness for the money and other resources, I would do something like this:
(1) External router -> (2) Managed switch -> (3) Computers
(4) AD + DHCP + ...
A server with two network ports to expose to the Internet one of the ports is bad, because the potential attacker has access to many internal resources, having only one server that apparently on Windows.
External router let him do what he does best - mesrutiyet. That is, balancing two providers, for example, dynamic routing, etc are Configured at least wide simple rules firewall (ACL).
On the switch configured multiple VLANs and preferably also the ACL. Distribution-based vlan functions. Server separately, of course.
Functions of the internal services it is better to split into multiple servers. For example, if you need a proxy server, and if possible, it is best to use a separate server. To put it in a separate vlan, clear the ACL, you get a kind of DMZ.
Well then buy a good firewall...