Responses inline.

Of course! Else risk having 100 users-200 users without authentication and
email for as long as your DC is down - single point of failure. Adding a DC
would be cheaper than potential downtime, imo, and you could also consider
running the second DC in a virtual machine (Virtual Server 2005 is
free... ).

- What type of drives? SCSI, SATA, drive speed. When planning Storage you're
trying to figure out :
For performance:
a) What type of users you have, and disk IOPS (Input/Output Operations Per
Second) they consume on your Store volume
b) IOPS provided by your storage configuration - which would be different
for SCSI, SATA, FC disks
For sizing:
c) Mailbox quotas
d) Deleted Item retention

Optimizing Storage for Exchange Server 2003
http://www.microsoft.com/technet/prodtechnol/exchange/guides/StoragePerformance/
43a270e5-3a0b-4fe5-8c74-505d5c4a293b.mspx?mfr=true

Yes, doesn't look like you really need a FE in your case.

Best is a subjective term - what's the criteria? Cost? Speed of backup &
recovery? Life of backup media?

Trend Micro Scanmail, Sybari Antigen (now Microsoft ForeFront)

First, on disk:

1.  The minimal recommendation for an Exchange server is 3 mirrors - one for
the OS, one for the transaction logs, and one for the databases.  Depending
on IO, you could move to RAID 10 for the databases.  You don't state your
observed IOPS/user, however you do state that you have BES in the
envoironment.  If you take the IO load of a non-BES user, multiply that by
3.64 to determine the load BES will place on your server for that same user
once BES enabled.  A quick read of "Optimizing Storage for Exchange Server
2003" will go a long way toward helping you determine what your IO
requirement is.  Once you know that, determining what it will take to scale
is simple math.

2.  One of the major advantages of a FE/BE design is the the FE server can
sit in the DMZ while the BE server sits on the protected network.  In your
case, you state that OWA will not be accessible from the internet and you
will be using a VPN solution instead.  Does this mean the the VPN solution
will allow remote access to the protected network, or to an isolated network
or DMZ?  As you scale, another advantage of the FE/BE design is
specialization of function.  The provisioning and security needs for a
bridgehead or OWA server are not the same as a dedicated mailbox server.
What are the business drivers?  Does your organization have different
security needs for different roles of servers?  Is it Ok to allow VPN access
to the protected network?  From the sizes you mention, one server is
technically capable of handling everything, so the decision really comes
down to the business drivers.

3.  What is your organization's tolerence for data loss?  Down time?  The
choice of backup really comes down to RPO and RTO.  Match these criteria
with available options to determine what backup solution is right for you.
If it's ok to lose 8 hours of data, and to be down for 24 hours, then maybe
a full tabe backup every day and an incremental every 8 hours would work.
If your RPO is under an hour and your RTO is under 8 hours, then you'll
probably want to look at a snapshots and a disk to disk solution.  If yor
RPO falls under 5 minutes, then you're probably looking at synchrounous
replication.  You have to define what the requirement is before you can
determine what the right solution is.

John