Are there any risks besides downtimes, if there is only a single domain controller for a small company?
I did some research and everyone recommends at least two domain controllers, but I can't find a real reason why it is so important to have more than one.
Downtimes are no real argument. What is earned, if the second server will allow users to connect to the domain, but the main server hosting files and Exchange is down. The users will not be able to work anyway. This may be interessting if you have more than one Exchange server with DAG, cluster, etc. but not if everything else is not redundant.
On the contrary, it seems to me that a second domain controller will make restore procedures more complicated, because you have to seize FSMO roles, use system state restores, replicate data, etc., while a single domain controller would allow to simply restore a full system backup, created with a backup software that allows creation of online images, because I don't have to care about consistency between two domain controllers.
Can anyone provide me with real risks that could arise from a single domain controller? I won't be able to convince my boss to buy a second server only be telling him "everyone recommends a second domain controller". He will ask the same question as I did: " What are the risks, if we don't have one?"
First of all, you're looking at things wrong. You're running Exchange and other services on your server as well as Active Directory and DNS. You're doing it wrong. You really want Domain Controllers to only run Active Directory and DNS. You'll run into serious performance issues down the road if you get a medium number of mailboxes in Exchange and it runs on a DC.
That being said, downtime is a real issue. Is your boss OK with users not being able to log in, access file shares, access other SSO technologies that you might leverage for the hours that it will take to do a restore? If you have two DCs (or more) and you have exchange and file services running on separate servers like you should be, then this becomes a very real problem.
As it is, it seems like you already have all of your eggs in one basket, which is a really really bad position to be in. You should be pushing for a dedicated Exchange server, a 2nd DC, and possibly a file/print server. This, of course, depends on the number of users that you have. Even if you do keep Exchange and any file\print services on your existing DC, if it goes down, your network users won't even be able to log in to their machines to even have basic Internet access.
Finally, seizing the FSMO roles is trivial. As long as both DCs are Global Catalogs, you don't even really have to transfer the roles if you're going to be fixing the downed server immediately anyway.
You're already in a bad position. You should be working towards rectifying it by adding the additional infrastructure that you need to eliminate all-or-nothing downtime, not throwing your hands in the air and saying "well we're pretty much screwed anyway."
The risks are as you stated, but I don't think your Exchange server should have a Single Point of Failure either. With two DC's you add in secondary DHCP, DNS, NTP, and authentication. Likewise, load balancing.
My thinking would also be that you're not always thinking of worst case - say you lose DC1 for a few hours thanks to some bad hardware. You may be back up and running very quickly and in the meantime, DC2 is taking on its tasks quite happily.
Likewise, network outages. If you have a cable or port die, then you're not going to be down long but it's long enough for the users to notice.
You don't need to worry too much about FSMO until it's becoming more serious.
Most people don't seem to understand the issue here. If you have an imaged based backup solution you can restore your single DC within 10 minutes - muc faster the any other method with 2 DCs having to start replicating again. Tombstone and USN issues don't apply as you only have a single DC. Why would a small company purchase 3 servers (2 dedicated Dcs and 1 Fileserver? - that is total overkill.
As with everything, it depends on what you are doing. My development lab only has one DC. So...the answer is if it isn't important, then it isn't important. BUT! You really need to make sure you understand the risks of having to recreate everyone's user accounts. If you are supporting more than 5 people this can get very very painful.