[czech12]

First of all, there are two different core modules to a Check Point VPN-1 Pro/Express installation. There is a Management Module (SmartCenter Server) and the Enforcement Module. You can install both modules on the same server or different servers. For a small network like you described, it is fine to put both modules on the same box, known as a "Stand Alone Installation."

Now to answer your question, it is not advisable to install Check Point on an existing server, especially on a Domain Controller. I wouldn't use the DC as an Enforcement Module because you will need to route traffic through it, and one of those interfaces will most likely be internet facing. I wouldn't want my DC directly connected to the internet.

I wouldn't install a management module on a DC either, more so because of the sensitive data that the management module holds. Having the server as a DC and a management module exposes it to more security vulnerabilities.

My recommendation would be to buy a new server and install Check Point as a Stand Alone Installation. SecurePlatform or SPLAT would probably fit your needs. If you really don't have the money for another server, I guess you could put the Management Module on the DC, but I do not advise this.