I would like some validation whether you actually need to install the Password Sync Service on "every" domain controller. Or whether it actually needs to be installed on a DC at all, i.e. can it simply be another Windows 2008 Server?
This will be my first attempt at installing IdM to work with Active Directory, and the customer is fairly adamant about limiting the impact on their existing AD (and rightfully so). So far I have identified the only modification to AD to include importing the IdM cert and creating the AD user with the correct AD permissions.
Thanks in advance!
Section 8.5.2 of the identity management document explains the requirement.
Install the Password Sync Service on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
1. Download the PassSync.msi file from the Red Hat Enterprise Linux channels, and save it to the Active Directory machine.