Basically, this is based on some security considerations.
Because Domain Controller (DC) does not have a local account, we cannot use a common domain account to configure databases and applications.ProgramPool, and then add it to the local administrator group. therefore, any account we use to configure the SPS (they should all belong to the local administrator group) will become the domain administrator. this account runs several services, serves as the identification account of the IIS application pool, and has the owner permission on the database on the SQL server. this account has so many functions and has many responsibilities, which means that there are a lot of opportunities for external exposure. Once this account is cracked, it is also the domain administrator (domain admin) the permissions will be obtained by hackers or bad people, and the security of the entire domain will be seriously threatened.
When troubleshooting errors, failure to use a local account may cause a lot of trouble. For example, you may suspect that an account that identifies the application pool has a problem, and you need to use network service to try to use it to start the application pool.
The combination of DC and SharePoint will adversely affect the performance of SharePoint, especially if you put SQL on this machine, the performance will be very poor!
In addition, the operating system can be reinstalled in Sharepoint, but the DC is not that easy to reinstall. you need to be very careful when reinstalling the DC. At the same time, you need to ensure that many other DC functions properly to avoid the failure of the entire domain.
More information
Issues to consider when you install Windows SharePoint Services 3.0 or Microsoft Office Sharepoint Server 2007 on a domain controller
Http://support.microsoft.com/kb/2013998