Which Domain Controllers should I install Password Sync Agents on?

Article ID: 50277

Updated On:

Products

CA Directory
CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On
CA Security Command Center
CA Data Protection (DataMinder)
CA User Activity Reporting

Issue/Introduction

Description:

Password Sync Agents need to be installed only on domain controllers (DCs) where passwords are allowed to be set or reset.

Solution:

A Password Sync Agent is CA's agent that intercepts password changes as they take place on a target endpoint Domain Controller and synchronizes them back to the Provisioning Server and Identity Manager. These servers can then decide whether to accept the change and whether it needs to be propagated to other provisioned endpoints.

You might have read-only domain controllers in your farm. Such domain controllers are 'slaves': they do not allow direct updates and are updated only through replication from other domain controllers that do accept updates.

Therefore, you do not need to install the Password Sync Agent software on any domain controller that does not allow direct password resets. There is simply no point in doing so, and you are better off not doing it. Install the Password Sync Agents only on the specific machines (in this case, domain controllers) that allow passwords to be set and/or reset. The installed agent will then be able to intercept these sets/resets as explained above.
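
One way to turn the rule above into an install list, as an added example that is not part of the original article or CA's tooling: it reads the domain controller inventory with the ActiveDirectory module's `Get-ADDomainController` and marks each DC by its `IsReadOnly` property. The function name `Get-PasswordSyncInstallPlan` and the sample host names are hypothetical, and the script assumes that read-only DCs are the ones that do not accept direct password sets/resets.

```powershell
# Added example: decide per domain controller whether the agent is needed.
# Assumption: a read-only DC (IsReadOnly = $true) is one that does not accept
# direct password sets/resets, as the article describes.
function Get-PasswordSyncInstallPlan {
    [CmdletBinding()]
    param(
        # Objects exposing HostName, Site and IsReadOnly, such as the output
        # of Get-ADDomainController.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$DomainController
    )
    process {
        foreach ($dc in $DomainController) {
            $readOnly = [bool]$dc.IsReadOnly
            [pscustomobject]@{
                HostName     = $dc.HostName
                Site         = $dc.Site
                IsReadOnly   = $readOnly
                InstallAgent = -not $readOnly
                Reason       = if ($readOnly) {
                    'Read-only DC: updated only through replication'
                } else {
                    'Writable DC: passwords can be set/reset here'
                }
            }
        }
    }
}

try {
    # Live inventory; requires the RSAT ActiveDirectory module and a reachable domain.
    Import-Module ActiveDirectory -ErrorAction Stop
    $dcs = Get-ADDomainController -Filter * -ErrorAction Stop
} catch {
    Write-Warning 'No AD inventory available; using constructed sample data.'
    $dcs = @(
        [pscustomobject]@{ HostName = 'dc01.corp.example';   Site = 'HQ';     IsReadOnly = $false }
        [pscustomobject]@{ HostName = 'dc02.corp.example';   Site = 'HQ';     IsReadOnly = $false }
        [pscustomobject]@{ HostName = 'rodc01.corp.example'; Site = 'Branch'; IsReadOnly = $true  }
    )
}

$plan = $dcs | Get-PasswordSyncInstallPlan
$plan | Sort-Object InstallAgent -Descending |
    Format-Table HostName, Site, IsReadOnly, InstallAgent, Reason -AutoSize

# A plan with no writable DC means password changes would never be intercepted.
if (-not ($plan | Where-Object InstallAgent)) {
    Write-Warning 'No writable domain controller found; check the inventory.'
}
```

With the constructed sample data, `dc01` and `dc02` are marked for installation and `rodc01` is skipped.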

Environment

Release:
Component: IDMGR