Thank you for reaching out to us.
Usually there is no specific best practice to place AD connect server. You can place the AD connect server anywhere in your on-premise environment.
However, if you want to harden your Azure AD connect server, you can follow below article,
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#harden-your-azure-ad-connect-server
Apart from this if you are not looking for hardening the server then you can get below statements in place,
Make sure that the server running the Azure AD Connect agent is properly secured. Limit which accounts are able to logon to the server, specifically those with local administrative rights. You will also need to control physical access to the server and enforce a strong password policy. If you need to allow other uses to access the Azure AD Connect Sync tool, you can add them to the ADSyncAdmins group on the local server.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.