Azure AD Connect Cloud Sync uses a lightweight agent that is deployed on a Windows Server that requires line of sight to a domain controller –Windows Server 2016 or later. Alternatively, the agent can be deployed on a Domain Controller. However, to keep role separation of domain controllers and the cloud sync agent server, it’s recommended to keep the agent separate in production environments. Note, that installing the cloud sync agent on Windows Server Core is not supported currently.

