I have three remote dedicated web servers at different webhosts. Adding them to a common domain would make a lot of administration tasks much easier. Since two of the servers are running Windows 2008 R2 Standard, I thought about promoting them to Domain Controllers in order to set up the Windows domain. There's another thread at Serverfault that recommends this.
At the same time I've read a lot of times on different websites that this is not a good idea because a domain controller should always be behind a firewall in a LAN. But I can't set up something like this because I don't have a LAN with a static IP accessible from the internet. In fact I don't even have a Windows server in my LAN.
What I have not found out is why exposing a DC to the Internet would be a bad idea.
The only risk I can see is that if someone penetrates one of my webservers, it should be much easier to penetrate the others as well. But as far as I can see that's the worst case scenario since I am only going to add my web servers to that domain, not any computers from my local network.
Is this the only downside or does it also make it easier to penetrate one of my web servers in the first place?
Edit: What if I added a firewall rule to the DC so that incoming connections to the AD Server are only accepted if originating from the other two webservers? I mean a setup similar to the one described at http://support.microsoft.com/kb/555381/en-us but with additional IP-based rules to ensure that the DC is only reachable for the other webservers in my domain on the relevant ports.
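The source-IP restriction proposed in the edit, written out as an added example (this is not code from the question, the answers or the linked KB article). It assumes the DC runs Windows Server 2008 R2, where the built-in firewall CLI is netsh advfirewall (the New-NetFirewallRule cmdlet only exists from Server 2012 on), and it uses placeholder addresses from the RFC 5737 documentation ranges for the two peer web servers and for an admin workstation; the port list is the standard set a domain member needs from a DC.

```powershell
# Added example: lock a DC's domain-service ports down to two known peers.
# Run from an elevated prompt on the DC. All IPs below are placeholders.
$PeerServers = @("203.0.113.10", "198.51.100.20")  # the other two web servers (placeholders)
$AdminIp     = "192.0.2.5"                           # where you administer from (placeholder)
$PeerList    = $PeerServers -join ","

# Ports a domain member uses on a DC: DNS, Kerberos, RPC endpoint mapper, LDAP,
# SMB, kpasswd, LDAPS, global catalog and the 2008 R2 RPC dynamic range (TCP);
# DNS, Kerberos, NTP, CLDAP and kpasswd (UDP).
$TcpPorts = @("53", "88", "135", "389", "445", "464", "636", "3268", "3269", "49152-65535")
$UdpPorts = @("53", "88", "123", "389", "464")

# Default posture first: anything inbound that no allow rule matches is dropped.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# One allow rule per port, each scoped to the peer addresses only.
# Arguments are quoted so PowerShell does not split the comma-separated IP list.
foreach ($p in $TcpPorts) {
    netsh advfirewall firewall add rule "name=AD-peer-TCP-$p" dir=in action=allow `
        protocol=TCP "localport=$p" "remoteip=$PeerList"
}
foreach ($p in $UdpPorts) {
    netsh advfirewall firewall add rule "name=AD-peer-UDP-$p" dir=in action=allow `
        protocol=UDP "localport=$p" "remoteip=$PeerList"
}

# Keep a management path open, also scoped to a single source, so the
# blockinbound default does not lock you out of RDP on the DC.
netsh advfirewall firewall add rule "name=Admin-RDP" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$AdminIp"

# Check: the LDAP rule must show the peer list, never "Any", under RemoteIP.
netsh advfirewall firewall show rule "name=AD-peer-TCP-389"
```

Two things this does and does not buy you. It removes the DC's LDAP, Kerberos and SMB services from reach of arbitrary Internet hosts, so anonymous directory queries (the point raised in the second answer) are no longer possible from outside. It does nothing about the trust relationship itself: a compromised web server still holds a domain computer account and full network reach to every port above, which is exactly the first downside named in the question. Routing the same ports over a VPN between the hosts, as the first answer suggests, keeps the rules identical but also takes the DC's ports off the public address entirely.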
The more things you open to the net, the greater your chances of something/someone nasty getting into your network and doing undesired things. I personally like the policy of not opening up any more than I must. If you want other networks to see your DC, I'd take a look at remotely bridging your networks through some kind of VPN rig. I believe if you have a nice router you can set that up. I've never tried, but I'd start by taking a look at pfsense.
Doc has already covered the key point of keeping your attack surface area to a minimum, so I won't repeat that. In regard to why you shouldn't expose a DC to the Internet, the DC contains all manner of information that should not be made available to the public. By design a DC can be queried by anyone. Even without directly compromising the DC itself, just having a list of valid user accounts gives an attacker a great head start, making the answer to the last part of your question a definite yes.