The first portion that comes to mind is the access control security on the servers, sure they have 2 servers dedicated for separate values, but I would rather have the AD all on one computer with the permissions sorted out, and have the secondary computer to host the student information and patch management software since that will be a heavier load. If the school is looking into how much money in saving, purchasing a stronger server with VMWare Workstation will give the school multiple servers in one build that can save them much money on one unit.
As for the wireless access given to anonymous laptops, the students should be placed on a separate domain or at least given access with limited access. Limited access in a school seems so small, but this is because the school should filter out what needs and does not need access while the students are in session. If there is a breach in the network, tracking the students may be a bit difficult, unless we can provide the wireless access like how ITT does their network. Even though the students can only log into the computers within school grounds using their ID, they can also use their ID to access the wireless network.
In another portion of a risk, the staff only has the given amount of computers for them to share. The security risk for this is that some teachers may leave their user ID logged in which may pose as a threat for privacy. Having some sort of rule for a timeout when the computer is not use would decrease the issue of invasion of privacy and would increase security to where another person should log in with a different identity.