Hi,
I think what you suggest is perfectly fine. As you said, you are a small shop, so there is no need to spend a fortune on a TACACS+ solution. Even with Windows NPS you can authenticate users centrally, and you will get some basic accounting information.
If you want even more security, you can also configure an ACL on the vty lines, to lock down access to the devices from trusted subnets. In addition you can configure syslog and send success/failed authentication attempts to a syslog server.
Having separate NPS servers might be overkill in a small environment, but I don't know the load on your current DCs. I cannot imagine adding the additional role to the server and the odd RADIUS authentication would add a considerable amount of load to the server. This question may be better answered in a Microsoft forum, though.
HTH
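The reply above recommends two cheap controls alongside NPS: a vty ACL that only admits trusted management subnets, and forwarding success/failed login messages to a syslog server. The script below is an added example, not part of the original post, showing what a defender can do with those syslog messages once they arrive: it parses Cisco IOS-style `%SEC_LOGIN-5-LOGIN_SUCCESS` / `%SEC_LOGIN-4-LOGIN_FAILED` lines, flags any login attempt whose source is outside the trusted subnets (which should never happen if the vty ACL is in place, so it doubles as a check that the ACL is working), and counts repeated failures per source. The trusted subnets and the sample log lines are constructed for this example; adjust them to your own management ranges.

```python
import ipaddress
import re
from collections import Counter

# Trusted management subnets (hypothetical values for this example). These
# should be the same ranges the vty access-class ACL permits.
TRUSTED_SUBNETS = [
    ipaddress.ip_network("10.1.1.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Matches the IOS SEC_LOGIN success/failure messages and pulls out the user
# and source fields. Other syslog messages are ignored by the parser.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user:\s*(?P<user>[^\]]*)\]\s*\[Source:\s*(?P<src>[^\]]+)\]"
)

# Constructed sample of what a syslog collector might receive from a switch.
SAMPLE_LOGS = """\
<189>Jan  1 10:15:02 sw1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.1.1.5] [localport: 22] at 10:15:02 UTC Mon Jan 1 2024
<188>Jan  1 10:16:10 sw1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:16:10 UTC Mon Jan 1 2024
<188>Jan  1 10:16:14 sw1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:16:14 UTC Mon Jan 1 2024
<188>Jan  1 10:16:19 sw1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:16:19 UTC Mon Jan 1 2024
<188>Jan  1 10:20:01 sw1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 10.1.1.7] [localport: 22] [Reason: Login Authentication Failed] at 10:20:01 UTC Mon Jan 1 2024
<189>Jan  1 10:20:09 sw1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.1.1.7] [localport: 22] at 10:20:09 UTC Mon Jan 1 2024
<189>Jan  1 10:21:30 sw1: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.1.1.5)
"""


def parse_login_event(line):
    """Return {'result', 'user', 'src'} for a SEC_LOGIN line, or None for
    any other message or an unparseable source address."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src").strip())
    except ValueError:
        return None
    return {
        "result": "success" if m.group("result") == "LOGIN_SUCCESS" else "failure",
        "user": m.group("user").strip(),
        "src": src,
    }


def is_trusted(src, trusted=TRUSTED_SUBNETS):
    """True if the source address falls inside one of the trusted subnets."""
    return any(src in net for net in trusted)


def analyse(log_text, trusted=TRUSTED_SUBNETS, fail_threshold=3):
    """Summarise login activity from a block of syslog text.

    Returns the number of login events seen, the sources that reached the
    device from outside the trusted subnets (should be empty when the vty
    ACL is effective), failures per source, and sources that hit the
    repeated-failure threshold."""
    events = [e for e in map(parse_login_event, log_text.splitlines()) if e]
    outside = sorted({str(e["src"]) for e in events if not is_trusted(e["src"], trusted)})
    failures = Counter(str(e["src"]) for e in events if e["result"] == "failure")
    repeated = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return {
        "events": len(events),
        "outside_trusted": outside,
        "failures_by_source": dict(failures),
        "repeated_failures": repeated,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOGS)
    print("login events parsed:", summary["events"])
    print("sources outside trusted subnets:", summary["outside_trusted"])
    print("failures per source:", summary["failures_by_source"])
    print("sources at failure threshold:", summary["repeated_failures"])
```

In the constructed sample, the three failures from 203.0.113.9 both fall outside the trusted ranges and reach the repeated-failure threshold, while bob's single mistyped password from a trusted host is recorded but not flagged. Feed the same function the output of your syslog collector (one message per line) to get the same summary for real traffic.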