Do I REALLY need to install AuthLite on ALL my Domain Controllers?
Short answer:
YES.
Medium answer:
YES, unless you ONLY need to use AuthLite for RADIUS authentication for a VPN, and you have installed NPS on DCs. In that case, only the NPS DCs need AuthLite. This is because NPS will always loop back to the domain services installed locally.
Longer answer:
You may consider authentication to be occurring on your workstation or your member servers, but in a domain environment all authentications ultimately involve a Domain Controller.
AuthLite is not a client-only component that prevents logons after checking the OTP with some other authority. Instead, it uses your Domain Controllers to validate the OTP as well as the password. This is very important for "zero client" use cases. AuthLite works by modifying the login request so that the Domain Controller sees the OTP in the username property. Even if you use a client that allows you to enter the OTP in the password field, it gets internally rewritten to send the OTP in the username field. This is because the password is never sent to the DC, only a hash (irrelevant exception: password changes).
There is no API or method provided to restrict what DCs a client may reach. Microsoft has a black-box protocol that makes clients favor the DCs in their local site. Even so, if all nearby DCs are unresponsive, a client WILL reach out across site links.
If a client reaches a DC that is not AuthLite aware, your 2-factor authentications will fail, and 1-factor authentications that should be blocked will be allowed.
But I still want to do it because (X)
If you want to avoid installing AuthLite on some DCs, the only secure approach is the following:
You MUST create firewall rules such that clients and member servers that participate in 2-factor authentication CANNOT REACH any DCs that lack AuthLite awareness. In other words, to these systems it should appear that every DC in your org is always down and unreachable, except for DCs that you've installed AuthLite on.
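As an added illustration of the firewall requirement above (an example script written for this page, not part of AuthLite or its documentation), the following PowerShell, run on a client or member server that participates in 2-factor authentication, enumerates every DC in the domain, blocks outbound traffic to each DC that is not on a list of AuthLite-installed DCs, and then forces a fresh DC locator query to confirm which DC the host now picks. The list in $AuthLiteDCs, the rule names, and the example host names are assumptions; the ActiveDirectory and NetSecurity modules are assumed to be available (RSAT on a workstation, built in on a server).

```powershell
# Added example, not AuthLite's own tooling. Run elevated on a host that does
# 2-factor logons. $AuthLiteDCs is a hypothetical list you maintain of the DCs
# that have AuthLite installed; the host names below are constructed values.
$AuthLiteDCs = @('dc1.corp.example', 'dc2.corp.example')

Import-Module ActiveDirectory
Import-Module NetSecurity

# Every DC in the domain that is NOT on the AuthLite list must appear down to this host.
$allDCs   = Get-ADDomainController -Filter *
$blockDCs = $allDCs | Where-Object { $AuthLiteDCs -notcontains $_.HostName }

if (-not $blockDCs) {
    Write-Host 'Every DC is on the AuthLite list; nothing to block.'
    return
}

foreach ($dc in $blockDCs) {
    # Block both address families: an IPv4-only rule leaves the DC reachable over IPv6.
    $addrs = @($dc.IPv4Address, $dc.IPv6Address) | Where-Object { $_ }
    if (-not $addrs) { continue }

    $name = "Block non-AuthLite DC $($dc.HostName)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # All ports and protocols, every profile: to this host the DC is simply unreachable.
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -RemoteAddress $addrs -Profile Any -Enabled True | Out-Null
    }
    Write-Host "Blocked $($dc.HostName) ($($addrs -join ', '))"
}

# Verify: discard the cached DC and ask the locator again. The DC it returns
# must be one of the AuthLite DCs; if it is not, the block rules are incomplete.
$located = nltest /dsgetdc:$env:USERDNSDOMAIN /force | Select-String '^\s*DC:'
Write-Host "Locator now returns: $located"
```

For a fleet, the same outbound block rules belong in a Windows Firewall with Advanced Security GPO scoped to the 2-factor hosts rather than a per-host script. The check at the end is worth repeating whenever a DC is promoted: a newly added DC is reachable by default, so until it either receives AuthLite or is added to the block rules, clients that fail over to it will get the fail-open behaviour described above, where 1-factor logons that should be blocked are allowed.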