Option 1 is used by the very brave, the very... unintelligent, or the Microsoft fans who believe unshakably in the power of the MS firewall. If this is about you - your choice.
Option 2 is used by those who like to constantly treat users' computers from miners and complain that mail is blocked for spam. Well, or someone who has absolutely nothing to hide :) If this is about you - your choice.
Option 3 is already more like a typical construction scheme.
DHCP should not be on the router. The router should do what it is intended for - routing. Well, another firewall and VPN, if necessary. DHCP refers to the basic roles of the internal network and IMHO you need to keep it on the AD server - the load is cheap, but if you fill out the snap-in data in time, you can use it as an IP distribution table - not the entire segment you have dynamics, servers usually have static addresses.
Eksch is strongly recommended to separate from AD. Proxies, if any, also separate. With current virtualization technologies, this is much easier to do. File-washing - also separate.

Tasks are very different.
Let's say you need to make a VPN on a router or gateway.
If you have 1-2 users, then Mikrotik will pull this business easily.
If you have 50 users - you need a real computer for this.
I would separate the roles.
DHCP is quite a small load.
Why push it to the server?
Let it be on the router.
DHCP needs to be pushed to the server if there is some good reason.
Let's say I have it on the server, since I need integration with DHCP + BOOTP (or PXE - I don't remember already, I set it up 100 years ago)
And for servers, I wish you to study virtualization technology. ESX, Xen, KVM.
Allows great to simplify the revival of the server in which case.
It is quite possible to distribute DHCP directly from the router from the outside world that gives the connection.
They are now pretty perfect in this regard.
But on the other hand, if you go to limit someone, cut them off from the Internet,
then perhaps this option will not suit you.

As already noted, everything is very individual and depends on the available resources, tasks, plans for the future and other things.
If we assume a small office, severely limited in money and other resources, then I would do something like this:

(1) Внешний роутер -> (2) Управляемый коммутатор -> (3) Компьютеры
                                     |
                        (4) Сервер AD + DHCP + ...

Exposing a server with two network ports to the Internet with one of the ports is bad, because a potential attacker gains access to many internal resources by hacking only one server, which, apparently, is on Windows.
Let the external router do what it does best - it routes. That is, balancing by two providers, for example, dynamic routing, etc. At a minimum, broad simple firewall rules (ACLs) are configured.
Several vlans are configured on the switch and it is also desirable to have ACLs. Distribution by vlan based on the functions performed. Servers separately, of course.
The functions of internal services are best divided into several servers. For example, if you need a proxy server, and if there is such an opportunity, then it is better to use a separate server. Throw it into a separate vlan, with clear ACLs, you get some kind of DMZ.
Well, then we buy another good firewall ...

IMHO, no matter what the cool experts say, but first of all, everything depends on resources: money for hardware and licenses, a place to place all the equipment. If there is available or the ability to purchase only one server + one license for the OS, then naturally everything will have to be installed on one, if there are resources, then there are many options.
DHCP service is undemanding, especially for small networks. The Windows one next to AD/DNS has never let me down, but it has never let down DHCP based on pfSense or home routers (Zyxell/Asus).
If the mail server is located on the local network, then I would advise allocating a separate machine (at least a virtual one) and a separate IP address for it, so that an infected client computer or an employee’s personal smartphone on the local network does not substitute the address for antispam filters. An additional address for many providers costs a penny.
In order to save money, the file server can be screwed on the controller, but an unpleasant situation may arise with running out of free space, backups, or malware from the user folder. If possible: on a virtual machine or on a separate piece of iron.

My option: the provider comes to a weak server on which Linux lives quietly (it certainly won’t hurt to master it), normally configured iptables and fail2ban, which will give an idea of ​​​​the operation of the router, dhcp + dns + vpn in the same place, you can also raise some proxy thread. Squid is quite functional. A couple of uplinks for the internal network go from it to the switch. Now AD is already quite good friends with Linux, so authorization in the same squid is not a problem. Well, it’s also easy to set up plshki like vlans, which again will give practical experience. By the way, in Mikrotik the same embedded-linux, not even very embedded. Ready-made builds like pfsense are a strange solution, because in order for it to work properly, you constantly need to patch, installing a new package, as a rule, will cause the need to update, again patches, perverted necrophilia in general. The web interface is eye-catching. Well, for a small organization, exchange is an overhead. IMHO.