In general it is easier to secure servers if you segregate
their roles. You should see better reliability from
your servers, and easier troubleshooting as well.
Terminal servers require a fair amount of administration
in the form of application updates, reboots, etc.
Generally I try to keep my domain controllers up except
for application of service packs and hotfixes. However,
if your needs dictate it, it is possible to run a DC as a
terminal server.
As for access to other applications, there are many
different ways to restrict access to applications.
Modification of permissions, using Citrix to publish
applications, or THOR from
http://www.tricerat.com/ are
just a few.
Paul