The domain controller agent may help to resolve users from IPs and other parameters. Is it mandatory?
When is it necessary to have a domain controller agent? Should it be installed on a specific VM (e.g. Enforce VM)?
Does the Endpoint Agent solution work without the DC agent, based only on AD groups (for coverage) and AD connections?
Versions: 15.8, 16.0, 16.1
The domain controller agent usage is specific to the Network Prevent for Web (HTTP/HTTPS) incidents, as mentioned its purpose is to resolve IP addresses found in incidents to their corresponding username where a proxy does not supply this information.
You do not have to use it, it's not a requirement, and it's not used by the Endpoint Prevent detection servers or Endpoint Agents, it is independent of them. Yes, the Endpoint Prevent detection servers and Endpoint Agents will work without it.
It does not have to be installed on a specific VM, when installed it does however have some requirements as noted here: Domain Controller Agent Installation Prerequisites (16.1 - techdocs.broadcom.com)
We would recommend reading About the domain controller agent (16.1 - techdocs.broadcom.com)