Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
In that case, check out the Test Lab Guide: Base Configuration documentation:
If you are going to implement a 1-tier Enterprise CA, is it recommended to place the CA on a dedicated server, or just add it on a DC?
In a small environment, is there any need to make it a 2- or 3-tier CA?
First thing you need to consider is what you're protecting and compare that with how much you want to invest in protecting it and what would be the cost of compromise.
I.e. everything is relative to budget - but if at all possible you should try and avoid placing the CA server role on a DC - both because that's making the ADCS role dependent on the ADDS role and also because it makes it difficult to separate the CA manager role from the Domain Administrator role.
From a strictly technical standpoint however there isn't a problem with the two roles co-existing on the same server.
Same applies for how many tiers you go with - consider what you're protecting first. The primary reason for having a 2-tier structure is that with a 1-tier structure you have no way of revoking the CA certificate in case of a compromise (this is also the reason why the Root CA in a 2+ tier structure is typically an Offline Root to safeguard it further).