I've tested the Domain Controller of Synology® but honestly this is not what we want. The Windows Remote Server Administration Tools (RSAT) throw some errors on connection and I didn't want to search for the reason if Univention runs out of the box!
Before we start we need a concept. A structure makes the domain server much more human-readable. A good base would be a network plan, but who has one when it all starts with one domain server and two clients? Still, starting with a small concept helps a lot.
Never use a domain name you do not own: neither a reserved one like example.com nor an existing one like google.com, and no made-up suffix such as .local either (that one collides with multicast DNS). Find a domain name that is not registered and buy it (e.g. morak.xyz). It is of course possible to use a subdomain (such as ad.z3r0.at) as the directory's "main domain"; that keeps the public web site's DNS apart from the directory's, but it also adds a second zone to manage, which is what makes the whole setup more complicated. In this example we use a domain called z3r0.at.
Small network or big network, I remember IPs and other numbers well, but most of us don't. Choose device names that are understandable and easy to remember:
ows101 = office workstation, first floor, computer no. 01
ows1101 / ows1b1f01 = office workstation, branch office no. 1, first floor, computer no. 01
Remember that a domain controller does not only provide the Active Directory service: AD depends on DNS, so a DNS server that is authoritative for the domain must run as well, and in the simplest setup it runs on the domain controller itself. It is possible to split or replicate directories and services across multiple machines, but there is always one master (in AD terms the holder of the FSMO roles) that runs the essential services. Active Directory replication, i.e. a second domain controller, is standard nowadays; in a company with 10+ clients it should be a must-have!
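Whether the DNS part of the domain controller is actually in place can be checked from any client: domain members locate LDAP, Kerberos and the password-change service through SRV records in the domain's zone, and if those are missing the clients never find the DC. The script below is an added example for this post (not code from Univention or Samba); the host name dc01.z3r0.at and the dig output in SAMPLE_DIG are constructed, with two deliberate faults so the check has something to report.

```python
"""Check that the DNS side of a domain controller is in place: the SRV records
domain members query to find LDAP, Kerberos and password-change services.

Added example for this post, not part of Univention or Samba. The host name
dc01.z3r0.at and the dig output in SAMPLE_DIG are constructed."""
import re
import subprocess

# SRV names an AD DNS zone must publish, and the port each should point at.
# {d} is replaced with the domain name.
REQUIRED_SRV = {
    "_ldap._tcp.{d}": 389,
    "_ldap._tcp.dc._msdcs.{d}": 389,
    "_ldap._tcp.pdc._msdcs.{d}": 389,
    "_kerberos._tcp.{d}": 88,
    "_kerberos._udp.{d}": 88,
    "_kerberos._tcp.dc._msdcs.{d}": 88,
    "_kpasswd._tcp.{d}": 464,
}

# One answer line of `dig +noall +answer NAME SRV`:
#   name.  ttl  IN  SRV  priority weight port target.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Map each SRV owner name to the (port, target) pairs dig reported for it."""
    records = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:          # blank lines, comments, answers of other types
            continue
        name = m["name"].rstrip(".").lower()
        target = m["target"].rstrip(".").lower()
        records.setdefault(name, []).append((int(m["port"]), target))
    return records


def check_dc_srv(domain, dig_output):
    """Return (missing_names, wrong_ports): names absent from the zone, and names
    present but with none of their records on the expected port."""
    found = parse_srv(dig_output)
    missing, wrong = [], {}
    for pattern, port in REQUIRED_SRV.items():
        name = pattern.format(d=domain)
        ports = [p for p, _ in found.get(name, [])]
        if not ports:
            missing.append(name)
        elif port not in ports:
            wrong[name] = ports
    return missing, wrong


def dig_required(domain, server=None):
    """Query every required name with dig; needs dig installed and a reachable
    server. Pass server="dc01.z3r0.at" to ask the DC directly instead of the
    client's resolver, which tells the two failure modes apart."""
    out = []
    for pattern in REQUIRED_SRV:
        cmd = ["dig", "+noall", "+answer"]
        if server:
            cmd.append("@" + server)
        cmd += [pattern.format(d=domain), "SRV"]
        out.append(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return "".join(out)


# Constructed dig output for z3r0.at: the pdc record is missing and the UDP
# Kerberos record points at the kpasswd port, so the check has findings.
SAMPLE_DIG = """\
_ldap._tcp.z3r0.at.\t\t900\tIN\tSRV\t0 100 389 dc01.z3r0.at.
_ldap._tcp.dc._msdcs.z3r0.at.\t900\tIN\tSRV\t0 100 389 dc01.z3r0.at.
_kerberos._tcp.z3r0.at.\t\t900\tIN\tSRV\t0 100 88 dc01.z3r0.at.
_kerberos._udp.z3r0.at.\t\t900\tIN\tSRV\t0 100 464 dc01.z3r0.at.
_kerberos._tcp.dc._msdcs.z3r0.at.\t900\tIN\tSRV\t0 100 88 dc01.z3r0.at.
_kpasswd._tcp.z3r0.at.\t\t900\tIN\tSRV\t0 100 464 dc01.z3r0.at.
"""

if __name__ == "__main__":
    missing, wrong = check_dc_srv("z3r0.at", SAMPLE_DIG)
    print("missing:", missing)
    print("wrong port:", wrong)
```

On a live network replace SAMPLE_DIG with `dig_required("z3r0.at")`; if the records show up when asking the DC directly but not through the client's resolver, the zone is fine and the clients simply point at the wrong DNS server.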
A lot of admins do not care or simply inherit the conventions of their predecessor. In my opinion there is no good reason why your email address should not be firstname.lastname@example.org, and for my taste z3r0\lastname plus first initial (e.g. z3r0\huberm) should be your account name. Imagine you are administrating a family business in the center of Austria and all of the workers are relatives: would a business partner understand who hubers[at]z3r0.at or huberm[at]z3r0.at is?
Tell your users how easy it is to find their password: show them https://haveibeenpwned.com and let them check a password there. (The Pwned Passwords search sends only the first five characters of the password's SHA-1 hash to the service, but a password that has been typed into any web page should be treated as burnt and changed, so let them use an old one for the demonstration.) The easiest way to get a secure password is a sentence!
Advantages: easy to remember, and I know that this password is from 2019.
[ 20 Could I have free today to fish on SOCA ? 19 ] = 20CIhfttfoS?19
[ 20 The problem sits between keyboard and chair ! 19] = 20Tpsbkac!19
When it comes to the firewall the best policy is "DROP ALL IN, DROP ALL OUT" and then open only what is needed. Domain policies cannot be that strict; that would end up in a mess. It is easier to turn a few tricky services off than to turn every must-have on. Password policy is a contentious topic and I can't help much there; my rule is at least 8 characters containing 2 digits, 2 special characters, at least 2 capitals and the rest [a-z]. Note that the sentence passwords above contain only one punctuation mark and would need a second special character to pass this rule.
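The three password points above (deriving a password from a sentence, checking it against the policy, and testing it against Have I Been Pwned) fit into one small script. This is an added example for this post, not code from the post's author or from Univention. The HIBP range endpoint and its Add-Padding header are real; the range response in fake_range and all its counts are constructed so the script runs offline.

```python
"""Password helpers: derive a sentence password, check it against the policy
from the post, and test it against Have I Been Pwned without sending the
password anywhere.

Added example, not part of the post or of Univention. The HIBP range endpoint
is real; the sample range response in fake_range and its counts are constructed."""
import hashlib
import string
import urllib.request


def sentence_password(sentence):
    """'[ 20 Could I have free today to fish on SOCA ? 19 ]' -> '20CIhfttfoS?19'.
    Number and punctuation tokens are kept whole, words give their first letter."""
    out = []
    for tok in sentence.strip("[] ").split():
        if tok.isdigit() or all(c in string.punctuation for c in tok):
            out.append(tok)
        else:
            out.append(tok[0])
    return "".join(out)


# Minimums from the post: 8 characters, 2 digits, 2 special chars, 2 capitals.
POLICY = {"length": 8, "digits": 2, "special": 2, "upper": 2}


def check_policy(pw, policy=POLICY):
    """Return the rules the password violates (empty list means it passes).
    The "rest [a-z]" part is not a minimum, so it is not checked here."""
    counts = {
        "length": len(pw),
        "digits": sum(c.isdigit() for c in pw),
        "special": sum(c in string.punctuation for c in pw),
        "upper": sum(c.isupper() for c in pw),
    }
    return [rule for rule, need in policy.items() if counts[rule] < need]


def hibp_range(prefix):
    """Fetch the k-anonymity range for a 5-hex-char SHA-1 prefix (needs network).
    Add-Padding makes every response a similar size, hiding the range length."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "z3r0-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def pwned_count(pw, fetch=hibp_range):
    """How often the password appears in HIBP. Only the first five characters of
    the SHA-1 hash leave this host; the comparison happens locally."""
    sha1 = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)     # padding lines carry count 0, never our suffix
    return 0


_PWNED_SHA1 = hashlib.sha1(b"password").hexdigest().upper()


def fake_range(prefix):
    """Stand-in for hibp_range that answers every prefix with the same constructed
    range. Only the suffix of "password" is a real hash; the counts are invented."""
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        _PWNED_SHA1[5:] + ":3861493",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # padding-style entry
    ])


if __name__ == "__main__":
    pw = sentence_password("[ 20 Could I have free today to fish on SOCA ? 19 ]")
    print(pw, "violates:", check_policy(pw))
    print("password seen", pwned_count("password", fake_range), "times")
    print(pw, "seen", pwned_count(pw, fake_range), "times")
```

Swap fake_range for the default hibp_range to query the real service; the k-anonymity design means the same pwned_count code works against either, and nothing but a five-character hash prefix is ever transmitted.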