Where should the Windows Password Sync Agent component be installed for Identity Manager?

Article ID: 9448

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

This document outlines which machine the Windows Password Synchronization Agent (PSA) should be installed on. 



Environment

Identity Manager 
Password Sync Agent

Resolution

The CA Identity Manager Windows Password Synchronization Agent (PSA) is a component that implements the Windows Password Filter interface. This allows it to intercept Windows password changes that occur natively on the system.

Generally, the PSA must be installed on the Windows machines containing accounts that are managed by Identity Manager (IM).

If the PSA is used for a Windows NT endpoint, then the PSA must be installed on the Windows machine that is the target endpoint for provisioning.

If the PSA is used for an Active Directory endpoint, then the PSA must be installed on all Domain Controllers for the target domain.

In a multi-master AD setup, the PSA must be installed on all Domain Controllers. The PSA is invoked only on the Domain Controller where the originating write for a password change occurs. Other Domain Controllers that receive the change through replication do not invoke the PSA, even if it is installed. The only exception is Read-Only Domain Controllers, where installation of the PSA is not required.

In a parent-child AD setup, the PSA must be installed on the Domain Controller that is the target endpoint for provisioning.
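
Because the PSA runs only on the Domain Controller that takes the originating write, one writable DC without the filter means some password changes are never intercepted. The following script is an added example, not part of the original article or the product's tooling; it checks each writable DC for the filter's registration in the LSA `Notification Packages` value and for the DLL in System32, as described in the Microsoft documentation. It assumes the ActiveDirectory module and PowerShell remoting to the DCs, and the filter name is a placeholder because the article does not name the PSA DLL.

```powershell
# Added example: audit password-filter registration on every writable DC.
# ASSUMPTION: $FilterName is a placeholder. Supply the DLL base name (no ".dll")
# that your PSA installation registers.
param(
    [string]$FilterName = '<PSA_FILTER_DLL_BASENAME>',
    [string]$Domain     = $env:USERDNSDOMAIN
)

Import-Module ActiveDirectory
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RODCs are skipped: the article states the PSA is not required on them.
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Where-Object { -not $_.IsReadOnly }

$results = foreach ($dc in $dcs) {
    try {
        $state = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
                                -ArgumentList $lsaKey, $FilterName -ScriptBlock {
            param($key, $name)
            $pkgs = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
            [pscustomobject]@{
                Registered = $pkgs -contains $name    # case-insensitive match
                DllPresent = Test-Path (Join-Path $env:SystemRoot "System32\$name.dll")
                Packages   = $pkgs -join ', '         # every filter LSA is told to load
            }
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Registered       = $state.Registered
            DllPresent       = $state.DllPresent
            AllPackages      = $state.Packages
        }
    } catch {
        # An unreachable DC is reported as a gap, not silently dropped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Registered       = $false
            DllPresent       = $false
            AllPackages      = "ERROR: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize
$gaps = @($results | Where-Object { -not ($_.Registered -and $_.DllPresent) })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) writable DC(s) lack the filter; password changes made there will not be intercepted."
    exit 1
}
```

A registered filter is loaded by LSA only at system start, so a DC that passes this check but has not been restarted since installation may still not be invoking the PSA.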

See also: "Installing and Registering a Password Filter DLL" on the MSDN website (Microsoft Documentation).