It is accurate that Duo protection for Windows Logon protects the system where it is installed, and Duo does not have an offering that you would apply to a domain controller or install in your AD schema to apply 2FA to user logins to AD from any source (an example product that does this is AuthLite).
You don’t have to install the Duo software on every server in the domain unless you want Duo 2FA at login for every server in your domain.